Security means lots of things to lots of different people, at the end of the day it's about protecting people. What is security and how is it changing as more of our data is stored online and more of the systems that use it are powered by learning algorithms? Privacy, confidentiality, safety, security: learning from the frontlines.
Track: Trust, Safety, & Security
Location: Empire Complex, 7th fl.
Day of week: Tuesday
Track Host: Jarrod Overson
Software Engineer @ShapeSecurity
Jarrod is a Director of Engineering at Shape Security where he led the development of Shape's Enterprise Defense. Jarrod is a frequent speaker on modern web threats and cybercrime and has been quoted by Forbes, the Wall Street Journal, CNET among others. He’s the co-author of O’Reilly’s Developing Web Components, creator of Plato, a static analysis tool for web applications, and frequently writes and records topics about reverse engineering and automation.
10:35am - 11:25am
From Developer to Security: How I Broke into Infosec
I've spent roughly 18 years building sites and apps for the web and while I always did my best to apply the basics of security, I never truly understood the many ways systems could be hacked. That changed when Wannacry hit and I decided to refocus my career to help secure not only systems, but people. In this talk I'll discuss the impetus for my career change, the challenges I faced as a new person to the community, how I forged relationships that helped me pave a solid path in the right direction and how I eventually broke into this amazing & competitive field. I hope that sharing this will help newcomers better navigate the murky waters of this community.
Rey Bango, Senior Security Advocate @Microsoft
1:40pm - 2:30pm
Robot Social Engineering: Social Engineering Using Physical Robots
Physical robots, such as Roombas, Baxter, Pepper, and many others, can make use of social abilities such as authority, persuasion, empathy, and so on. These social abilities can be used by robots to social engineer humans into doing or saying things that are not in their best interest. This talk will cover some of the capabilities of physical robots, related human-robot interaction research, and the interfaces that can be used by a robot to social engineer humans. Come discuss the security, privacy, and ethical implications of social robots, the interfaces used to control them, and the techniques that can be used to prevent robot social engineering attacks.
Brittany Postnikoff, Computer Security and Privacy / Human-Robot Interaction Researcher
2:55pm - 3:45pm
Modern WAF Bypass Scripting Techniques for Autonomous Attacks
#Scripting and automation are absolutely critical to many aspects of an attacker’s effectiveness, whether you're scraping data from a competitors website, or arbitraging March Madness bets. Modern WAFs and “bot detections” often add a small layer of intelligence to their monitoring, attempting to determine whether or not an attack is being automated, and shut the bot/botnet down. This presentation will be a mini-tutorial on how the various forms of “bot detection” out there work, and the philosophies behind how to modify/spoof the necessary client environments to bypass nearly all of them using anything from Python and Javascript to Selenium, Puppeteer and beyond.
Johnny Xmas, Blade Runner & Director of Field Engineering (NA / EU) @kasada_io
4:10pm - 5:00pm
Privacy Tools and Techniques for Developers
Most of us care about the protection of end users’ personal information, but isn’t this a problem for security and legal teams? How could developers help with privacy? This talk is a developer’s survey of privacy engineering, from foundational principles like privacy by design and the OWASP Top 10 Privacy Risks to advanced techniques such as federated learning and differential privacy in machine learning, as well as upcoming technologies like homomorphic encryption. Each tool or technique will have an introductory explanation and example use cases with a description of the benefits and limitations. Recommended sources for further learning about each concept will be provided.
Amber Welch, Privacy Technical Lead at Schellman & Company, LLC
5:25pm - 6:15pm
How Much Does It Cost to Attack You?
How much does it cost to attack you and what are attackers getting out of it? Attacks, breaches, exploits, and malware are nearly a daily occurrence. Why aren’t billion-dollar products solving the problems we’ve had for decades? The problem is two-fold, attacks are getting cheaper to perform and the value of an attack is increasing daily. This is leading to increasingly sophisticated tools attacking platforms that have not kept up.
In this session, Jarrod will describe the cost vs value justification of an attack, how it shifts over time, and why it means that silver bullets just don’t exist. We’ll walk through the evolution of one of the cheapest modern attacks, credential stuffing, and see what attackers do after they have data and access.
Attackers are clever fraudsters, when you see how cheap it is to exploit you and how much value they wring out of your data it will help you prioritize better protection for yourself and in the software you write.
Jarrod Overson, Software Engineer @ShapeSecurity