Episode list

Hackers of CypherCon

Opening Ceremony with the CypherCon Team
Watch the opening ceremony with the CypherCon Team. Find out how the 2022 badges were made from the badge team. There are special guests and speakers you don't want to miss. Time to kick off CypherCon 5.3 in style.
Hacking the Compliance Kernel
Keeping up with regular compliance tasks can be draining and feel unrewarding, causing many to be overlooked or ignored. Ignoring these tasks can negatively affect our organizations and impact our job security. But if we don't ignore them, we risk falling behind on other obligations and getting burned out. Rather than ignore these tasks and risk burnout, we need to find the sources of compliance burdens and hack them. What makes a hacker is not a hoodie, it is finding ways to accomplish tasks using creative and effort-reducing methods. Hacking is not limited to the red-teamers of the world. Blue-teamers also need to hack the tasks preventing them from performing the more enjoyable parts of their workload. We can hack compliance by doing the following.
- Use tools like the Unified Compliance Framework to create one control to rule them all.
- Put automation and calendar reminders to work doing your job for you.
- Spend time to understand requirements to avoid wasting time on controls that are not relevant.
- Stop making the perfect the enemy of the good; something is (almost always) better than nothing.
- Create enduring policies and dynamic procedures.
Putting in a little extra effort up front will pay dividends in time, resources, and reduced stress.
Street Cred: Increasing Trust in Passwordless Authentication
Good security gets out of the way of users while getting in the way of adversaries. Passwords fail on both accounts. What holds us back from getting rid of passwords? Trust. In this session, we will propose a framework of technical controls to ensure only trusted sessions authenticate, regardless of faults or failures in any one factor. We will share a path forward for increasing trust in passwordless authentication.
Building an Unlicensed 802.11 Particle Accelerator
Wi-Fi Bustin' makes me feel good. This talk will showcase the first of its kind 'Pwnton Pack', a Ghostbusters-inspired take on wireless penetration testing. Featuring hardware hacking, microcontrollers and wireless attack arsenals bundled into a unique package; come learn why such a pack exists and fun details around the build experience. This talk is meant to inspire newcomers to InfoSec, Arduino devices and provide a fun take on existing methodologies and toolsets. For your Wi-Fi security needs; Who you gonna call?
Every Year for the Rest of Your Life Will Be One of the Hottest Ever Recorded
Sadly, climate change is progressing rapidly and is likely to be the greatest public health threat of this century according to the Lancet Commission on Climate Change and Health. Human emissions of greenhouse gas have already caused Earth's average temperature to rise by 1.8°F. This summer during the hottest June ever recorded, the hottest temperature ever recorded by scientific instruments occurred in Furnace Creek, Death Valley, California where the temperature was 130°F. During the same heat wave, Lytton, B.C., Canada recorded the hottest temperature ever in Canada at 121°F. Between 600-700 more people died (compared to normal death rate) in the northwestern United States during this Pacific heat wave and it is estimated that 2 billion sea organisms also died. A recent study (Science 374: 1558-160, October 8, 2021) revealed that a person 6 years old in 2020 will experience twice as many wildfires and tropical cyclones, three times more floods, four times more crop failures, five times more droughts, and 36 times more heat waves in his/her lifetime than a person of age 60 in 2020 if the average global temperature continues to increase at today's rate. Drastic reductions in greenhouse gas emissions are the hope for our future and those of our children and grandchildren. If greenhouse gas emissions can reach zero by 2050, most of the harmful consequences of climate destabilization can be avoided. Rapid emissions reductions to safeguard health have been recommended by the American Academy of Pediatrics, the American College of Physicians, and the American College of Obstetrics and Gynecology.
Mistaken Identity: Protecting OAuth & OIDC
We've reached a tipping point with more apps being delivered from cloud services than from on-premises. OAuth 2.0 and OpenID Connect (OIDC) have become essential in federating access and handling strong authentication. But these are frameworks not standards, and these frameworks are based on dozens of RFCs. This has resulted in numerous approaches, confusing developers and security teams alike. In this presentation, participants will learn how to secure implementations.
Badge Panel

Thu, Sep 15, 2022
An in-depth panel with the creators of this year's unique CypherCon 5.3 electronic badge. They take questions from the audience, Discord and Twitter. Learn about the "behind the scenes" of hacker badge creation.
EHLO is that You?
As a defender, I'm often asked "Is this message legitimate?" As attackers become more clever, determining the legitimacy of email messages can be a real challenge. This talk will examine e-mail headers and how to determine legitimate messages from those that could lead to fraud or identity theft.
Defense on a Budget - Free TTPs for the Blue Team with Robert Wagner
Most organizations don't have enough budget to buy every tool nor hire every person they need. They also don't realize there are plenty of free tools, tactics and procedures available to the Blue Team. Here's a collection of tips and tricks learned from security professionals around the world about what you can do today to level up your People, Processes, and Technology - at little to no cost. You'll walk away with actionable tips to fill your security gaps and help reduce your attack surface.
How to Connect to Cars in 2022 with Robert Leale
Vehicle manufacturers are slowly limiting access to easy connection points in vehicles. I'll walk you through how we at CanBusHack bypass vehicle gateway controllers by physically connecting to easy-to-reach access points, and what information might be obtained at these areas. I'll also give you some tools of the trade that won't damage your car (or more importantly your spouse's car).
Duck & Cover 2.0: How Preparing for the End of the World Can Prepare You for Anything with Jo Jones
Even though the Cold War ended almost 30 years ago, there are still a lot of valuable lessons that can be learned from that era. One of the hallmarks of Civil Defense was to prepare yourself and your family for the coming Nuclear War. There were thousands of pamphlets, ads and movies created to teach people how to survive and thrive when Mutually Assured Destruction came to fruition. In this presentation, I will go over some of the more famous Civil Defense campaigns of the Cold War and how you can apply these tips to keep yourself and your companies safe in the modern world.
Make-Break-Break-Make with Trenton Ivey
By definition, hackers make things work in unexpected and unintended ways. To many outside this community, hacking seems like a destructive process. However, anyone that has ever created or utilized an exploit in an imaginative way knows that, at its heart, hacking is all about making something new. This talk, full of technical examples taken from opposing disciplines in information security, shows how healthy competition between makers and breakers drives progress.
The Rise of the Largest Decentralized IoT & Cellular Communications Project with Russ From
While we worked from home during COVID, a massive international crypto project exploded in WI that allowed people to put up IoT and now Cellular service from their homes and businesses. What started as practically nothing in 2020 now has over 250,000 of these hotspots deployed in public as of October 2021, carrying production traffic for large companies such as Lime for Scooters, Salesforce, and even Victor Mouse Traps. As this project continues to grow using unlicensed spectrum such as CBRS on FCC certified equipment, I predict what we will see in the decade ahead to improve the coverage area, quality, and cost of ubiquitous wireless telecommunications. This talk goes over what this decentralized telecommunications project is, how it works (including a live demonstration of data transfer from an IoT device), and who is behind the project pushing forward with the greatest decentralized international telecommunications project of all time.
DigiMarSec: Digital Marketing Security with Joe Cicero
The enemy of Digital Marketing is friction and IT Security creates lots of friction. Marketers are not just fighting their own IT Departments, they're fighting all of them. In this talk, Joe Cicero, Sr. Security Engineer, will discuss "Friction Red Flags" that Marketers unknowingly create and that he sees every day. If you are in IT Security and you deal with your Marketing department, this talk will help you develop a checklist to have more friction-less digital materials.
How Ransomware Can Follow You to the Cloud with Kat Traxler
Ransomware is a financially motivated crime. The goal is to inhibit business systems in order to extract a payment. Historically, there's been plenty of financial gain from ransoming data as it resides in traditional on-prem systems. So the question is, will there be evolutionary pressure on attackers, forcing them to evolve tactics? In this talk, Kat will be demo-ing strategies threat actors might employ to affect availability of business data in the cloud.
What Your Headers Say About You with Bob Lerner
HTTP headers are an often overlooked, though very powerful way to improve the security of your application. We'll take a look at what headers can be used to find vulnerabilities in your site, look at some examples I've seen while scanning thousands of sites, and demo a live scan of a site.
Advice for Coaching Executives Through Incident Response with Melanie Ensign
The best incident response planning and preparation can be quickly derailed by an anxious executive seeking catharsis. Important characteristics of an effective incident response - such as discipline, organization, and foresight - all depend on an organization's ability to avoid panic. Once panic sets in, our attention must focus on protecting response procedures from thrashing and poor judgment. For security teams and scuba divers, it's not enough to know how to escape immediate danger. We must also learn to maintain workable risk levels by keeping others calm and informed. A panicked diver - or a panicked executive - is a risk to themselves and everyone around them. This session will introduce concepts learned as a rescue scuba diver and applied to security incident response for avoiding and navigating executive panic.
Next Generation Enterprise Security with Josh Bressers
The single best way Humans transfer knowledge is through stories. We are a social species and there are no better stories than Star Trek episodes. Nearly every episode of Star Trek involves some sort of security incident. Everything from someone stealing data (or Data), insider threats, APT, malware, and more. There is a lot of content we can use as examples to help teach and learn.
Wait, there can't be only one? with Michael Kavka
We all have our favorite vendors and have those vendors we love to hate. Many places like trying to homogenize on a specific vendor or technology. What happens if you put all your eggs in one security vendor basket? Is it worth doing that? Does not knowing how a vendor's Machine Learning makes decisions hurt or help us? Let us travel down a real-world scenario as to why using multiple vendors and multiple threat feeds could be advantageous. Wait, is that Defense in Depth? Maybe it is, but not in a way you normally think of.
The Ethics of Risk with Susan Lincke, PhD
Security is often not funded because risk costs, as evaluated by an organization for its own benefit, have an ROI that is below other possible investments. However, there are multiple benefits of evaluating risk from an ethical perspective. This presentation proposes a maturity model for the ethics of risk, based on an evaluation of research related to ethical risk. The framework describes risk, management, legal, and engineering concerns appropriate to risk analysts, security staff, or software engineering professionals. The framework provides a list of actionable items for each of five levels of ethical risk maturity.
Toto, I've a feeling we're not on a VPN Anymore with Jonathan Tomek
You are savvy enough to have a virtual private network aka VPN. Maybe you did a bit of research and bought one that lets you be "anonymous" and lets you stream your favorite streaming service from anywhere while you travel. How well do you trust your VPN provider? Have you considered that your VPN provider could be doing things you didn't expect? Consumer VPNs, free VPNs, even VPNs that pay you. We will dig into what some VPN providers are doing. We analyzed hundreds of VPNs and their services to give you a deeper understanding of what actually is happening behind the scenes. You could be supporting malware, or worse. This may be a talk you don't want to hear, but you will come out of it with a much better understanding of the world that says it is here to protect you.
Building AIML Driven Virtual Assistants with John Platais
We've all been there. You visit your favorite website only to be harassed by the virtual assistant. Being asked the same questions, in the same way...Over and Over. Never really getting the answers you need, or the direction required to move forward. This brings us to the power of AIML Driven Virtual Assistants. In this session I will introduce the concept of Conversational Driven Design and how to use open-source solutions to add "Intelligent" bots to your environment. We will review current options, security implications of AIML driven virtual assistants, and build a simple bot that participants can model and bring back to their organizations.
Three Pillars of Compliance in Databases: Data Retention, Purging, and Consent with Michael Goetzman
Numerous data governance laws and policies have been enacted to protect user privacy. Policies may define data retention (how long the data must be kept), data purging requirements (when the data must be destroyed), and data consent (whether the data can be used for a particular purpose). To comply with these requirements and to minimize liability, database systems (e.g., Oracle, Postgres) must offer built-in support to enforce storage and use policies. Instead, such compliance is currently achieved through a patchwork of manual solutions within each organization. In this talk, we will consider legal, policy, and technical perspectives to the challenges of enforcing data storage and use governance policies. We will discuss the current state-of-the-art approaches to facilitating compliance in organizations and the difficulties encountered in understanding and interpreting policies. We will present database implementation approaches that can enable policy compliance without disrupting current business processes. Although we will touch on all aspects of data governance, our primary focus will be on challenges that are yet to be clearly defined: 1) proof of retention compliance, 2) the inherent conflict between data backups (which archive and preserve data) and data purging requirements, and 3) the support for data consent compliance, which restricts the access to data depending on the user's purpose in accessing that data.
Upsides & Downsides: Finding Your InfoSec Home with Lesley Carhart
There are dozens of great talks that will show you why you should get a job in a cool info-sec niche, with spectacular selling points. Every job has downsides and challenging days, though, especially for specific personalities and learning styles. This talk digs into nine cool info-sec roles, then suggests why you might enjoy or dislike working in them based on the elements that aren't camera worthy or talked about gleefully. There's a cyber security job out there for everyone, and it's important to find the one that makes you happy and successful.
Brain Hacking: Train Your Brain for Love, Joy and Peace with Michael Goetzman
Meditation is becoming a buzz-word for "beating" stress but seems very complicated to learn. We will show how DIY (Do It Yourself) brain technology projects such as DIY EEG (electroencephalogram) and TDCS (Transcranial direct current stimulation) can actually work as training wheels for a relaxed and energized mind. Transcranial direct current stimulation (tDCS), is a non-invasive, painless brain stimulation treatment that uses direct electrical currents to stimulate specific parts of the brain. A constant, low intensity current is passed through two electrodes placed over the head which modulates brain activity.
Stealing Reality: A Deepfakes Redux with Alyssa Miller
In the lead-up to the 2020 US Presidential election, there were a lot of concerns from security professionals about the potential role that Deepfake media could play in shaping voter opinions. While these concerns were not unfounded, in the end there were no notable instances of deep-fakes being used to manipulate the election. Why not? What is the current status of Deepfake technology? Where are we headed next? Hacker and Security evangelist Alyssa Miller will answer these questions and talk about how the threat landscape will continue to evolve as we head into the future. In her keynote address, Alyssa will discuss how Generative Adversarial Networks (GAN) have been leveraged since 2018 to create convincing fake videos and audio. She will examine how the technology and approaches to creating deep-fakes have changed in the past two years, bringing the capability to an on-demand consumer market through mobile apps and websites. Further, she'll analyze the reasons why deep-fakes didn't play a greater role in the 2020 election and whether that attack vector still has potential. Alyssa will also discuss what other threats remain, what limitations the current technology has, and how the future threats could evolve with this technology. Join us and discover just how, if at all, deep-fake creators and attackers are stealing our reality.
Guerilla Warfare for Blue Team with Rob Carson
Blue Team Security is the hardest job in Information Security. It is not sexy, and it is always complicated to navigate between the people, processes, and technology of the organization. Why do companies, .govs and ONG's have breaches? Thinking they are solving problems with technology. This talk will cover Tactics, Techniques and Procedures that blue teams can use based on lessons learned from insurgents and counter-insurgent operations in history.
A Brilliant Mistake: Hacking into the Causes of an Epidemic of Light Pollution with Drew Carhart
The last 50 years have witnessed the practical extinction of the natural nighttime environment from most of the inhabited places on our planet. The majority of people can no longer see the stars in the sky overhead at night from where they live. The reason? Light pollution; an incredible glut of wasted energy that we create, every second of every night, in levels that increase from year to year. The negative effects of light pollution (LP) reach far beyond that of having robbed us of our views of the universe. While awareness of this issue has grown, not much has been done to actually stem the tide of light pollution's advance. Why? Basically, while the general ideas of the nature of the sources of LP seem somewhat evident, not enough creativity and sensible thinking have been applied to really quantitatively understand and combat it. In his work of over 15 years in studying the issues, Drew has uncovered some shocking facts about the wild-west nature of outdoor lighting installation in the U.S. And he has seen a real need for the kind of effort that the members of the hacker community could help mount; developing creative solutions in research, tech, and digital work that could ultimately help bring light pollution under control. Prepare to be challenged.
Ransomware and NIST Cybersecurity Framework with Randy Lee
The NIST Cybersecurity Framework ("CSF") from the "National Institute of Standards and Technology" provides organizations with a set of documented policies and procedures designed to help private companies "Identify, Protect, Detect, Respond and Recover" from cybersecurity incidents. It is widely recognized as industry best practice and the most comprehensive, in-depth set of controls of any framework. Let's discuss this framework.
Compromise from a Park Bench with Eric Escobar
Network defenders are accustomed to watching for malicious activity from the public internet as well as their own local network. What happens when an attack doesn't come from a typical avenue? This talk will dive into wireless attacks, defenses, and an unconventional multi-factor authentication bypass.
Log4j from the Trenches with Max Thauer
As your company winds down for the holiday season, like clockwork, another fresh CVE with publicly available exploit code drops. The Apache Log4j exploit (CVE-2021-44832), also dubbed Log4Shell, had widespread fallout as a result of the exploit being made publicly available, and organizations are still dealing with the associated problems even months later. This talk will discuss three unique scenarios observed as a result of Log4j being exploited on VMware Horizon servers and include 1) exploitation for persistent access via a webshell, 2) exploitation leading to a Cobalt Strike beacon, and 3) exploitation leading to a cryptocurrency miner. The talk will demonstrate the exploit chain, artifacts of each investigation, and how you can detect the activity in your network using commercially available tools such as Microsoft Defender ATP, CrowdStrike Falcon, Carbon Black, and FireEye HX. On top of that, sources for threat intelligence pertinent to these types of attacks will also be discussed, as well as prevention mechanisms.
CryptoParty Like It's 1499 with Nick Chapel
Long before it became an infosec capture-the-flag staple, steganography had its birth in the Steganographia of Johannes Trithemius, an early 16th-century book of magic and secret writing. Though it remains perhaps the most widely known, this is but one among countless examples of cryptography from the Renaissance and early modern eras used by alchemists, magicians, and dissidents to conceal their hidden knowledge from the prying eyes of the uninitiated. By applying the lens of cyber threat intelligence to the Steganographia and other examples of Renaissance and early modern cryptography, we can give ourselves greater insight into the motivations and threat models that drove subversive actors centuries before PGP was a gleam in Phil Zimmermann's eyes. As we explore these historical examples through a threat intel lens, I will show how modern-day incident responders and other infosec practitioners can enrich their investigations by applying this same approach to their daily work.
Shifting left at scale, 8 million servers, 200+Tbps and growing with Daniel Creed
Daniel Creed has been an information security professional for more than 20 years, now working at a place shifting left at scale, 8 million servers, 200+Tbps and growing. Throughout his career he has worked across numerous sectors of private, governmental, and educational industries, performed thousands of advanced penetration tests, built and led high-performance red/purple/blue teams, and worked in every functional discipline within the information security landscape. In addition to numerous industry certifications, Daniel has a B.S. in Cybersecurity and Information Assurance and an MBA in Information Technology Management.
Hacking Your Perceptions in XR! (XR = VR + AR + MR;) w/Travis Feirtag & Lance Larsen
Virtual Reality (VR), Augmented Reality (AR) and Mixed Reality (MR) together are now referred to as XR or Extended Reality... In 2022 there are already easily over 10 MILLION XR headsets in both consumer and corporate users' hands. From the Meta Quest 2 to the Microsoft Hololens 2, XR is changing how WE experience our own Reality. But what can go wrong? What about privacy concerns? Are every one of our gestures being recorded? Have you ever gotten VR sick? How can we trick our brains in beneficial ways? Together we'll assess the following XR topic: What is the current state of the leading XR technologies? We will look at both the technology and the psychology of XR, and how our human brains interact (sometimes quite badly) with XR experiences. We will explore the security and privacy concerns around having an XR device strapped to your head that sees everything you are seeing, and has the potential to digitally track every gesture and movement you are making. We will talk about the future of XR and what we will all need to watch out for, while at the same time taking advantage of the huge potential that XR offers to humanity as a whole. Join Travis Feirtag and Lance Larsen (Microsoft MVP) today to learn about evolving XR technologies.