Day 1 Keynote - Why We Research

Marion Marschalek (@pinkflawd)

Why We Research

There is this picture of a security researcher in many people’s minds. Some dark-clad figure dwells in a basement, surrounded by electronics, and then suddenly a few weeks later an ATM spits money at them. Wowz, let’s go write exploits y’all. But is this how it works? Why do people go down these rabbit holes, how does big research come to life, and what if you’re not in a basement but back in some office, oh the horrors, and somebody says ‘time to production’? We’ll explore the question of why security research matters, where the ideas come from and what motivates a proof of concept, and the big question: What comes after? Finding the bug is nice, but have you ever tried to patch 900 machines on a Friday night? Ever wondered how mitigations make it into a compiler, or how a machine learning model rolls to production? We’ll look at why research matters, and explore what makes it significant.


Marion is a security engineer at a large cloud provider, and enjoys reverse engineering and all things binary analysis. With some background in malware analysis, incident response and microarchitecture security, her interests are quite varied. In 2015 Marion founded BlackHoodie, a series of hacker bootcamps which successfully attracts more women to the security industry.



Day 2 Keynote

Kees Cook (@kees_cook)

A Decade of Low-Hanging Fruit in the Linux Kernel

The upstream Linux kernel’s security hardening efforts have made huge progress in a decade. We’ll look at how we got here, what CVE statistics show, and what’s coming next. Where is the industry going, and can we finally be done with memory unsafe languages?


Kees has been involved with Free Software since 1994 and has been a Debian Developer since 2007. Currently, he works as a Linux kernel security engineer at Google, focusing on Android and Chrome OS. He previously served as the Ubuntu Security Team’s Tech Lead and remains on the Ubuntu Technical Board. Kees has contributed to a range of projects, including OpenSSH, Inkscape, Wine, MPlayer, and Wireshark, with a recent focus on Linux kernel security features.



What the Function: A Deep Dive into Azure Function App Security

Karl Fosaaen (@kfosaaen)

As organizations have evolved from the “Lift and Shift” cloud migration strategy to building “Cloud Native” applications, there has been a significant increase in the usage of Platform as a Service (PaaS) services in the cloud. The Azure Function App service is a commonly used resource in this space, as it provides easy to deploy application hosting. While the serverless service offers a wide variety of convenient features, it also comes with its own security challenges.

As a VP of Research, Karl is part of a team developing new services and product offerings at NetSPI. Karl previously oversaw the Cloud Penetration Testing service lines at NetSPI and is one of the founding members of NetSPI’s Portland, OR team. Karl has a Bachelor’s of Computer Science from the University of Minnesota and has been in the security consulting industry for over 15 years. Karl spends most of his research time focusing on Azure security and contributing to the NetSPI blog. As part of this research, Karl created the MicroBurst toolkit (https://github.com/NetSPI/Microburst) to house many of the PowerShell tools that he uses for testing Azure. In 2021, Karl co-authored the book “Penetration Testing Azure for Ethical Hackers” with David Okeyode.


Leave your corporate masters and come work for government!

Jeff

Are you a cybersecurity pro weary from the endless grind of the private sector? Do you feel like you’ve been fighting the same battles day in and day out? It might be time for a change of scenery, one with different perks and a lot less burnout. Sure, the pay is worse, but at least we’re union and may have pensions!

In this talk, we’ll explore why state and local governments are a new frontier for cybersecurity professionals. With a wave of retirements opening up key positions, there’s never been a better time to make the switch. Plus, the benefits are pretty cool: think solid job security, better work-life balance and the satisfaction of protecting your community from cyber threats. Also you can appear to be a cyber wizard! Local governments need our help now more than ever!

Join us for a humorous and informative dive into working in state and local government cybersecurity. We’ll discuss why trading in your corporate badge for a government one might just be the best career move you’ll ever make. Let’s face it, defending a city’s digital infrastructure sounds way more badass than boosting your firm’s quarterly profits by 5% this quarter.

Jeff Toth is a pentester, turned governmental cybersecurity shill. He is a co-founder of BsidesOrlando, taught lockpicking to most of the greater Florida hacker community and did a bunch of random career things. He likes building terrariums and growing plants.


BSidesPDX 2024 CTF

BSidesPDX CTF (Website)

The annual BSidesPDX 2024 CTF competition.

The group of individuals volunteering to bring the CTF challenge to BSidesPDX 2024.


Rudder Nonsense: Steering Smart Rowers Off Course

Shane Kell (LinkedIn)

Android is the most common platform worldwide, encompassing 24k distinct devices across nearly 1300 brands. Seeing the traffic being sent for internet connected embedded Android devices isn’t always easy. This talk illustrates one technique for proxying traffic on a smart rowing machine for the purpose of knowing what data is being sent, how authorizations are being handled for paywall features, as well as showcasing an efficient method for manipulating responses being received.

I live and work in the Portland Metro area, consulting on web and mobile app security for a living. When I am not working I am either hacking devices around my house, pretending I am good at gardening, baking and cooking (which I am actually good at), or spending time with my three tiny hackers.


Using Stardew Valley as a C2 client and infostealer

DrGecko (@drgecko_exe , Website)

Stardew Valley is a farming simulator with an open modding API written in C#. I used that modding API to write both an infostealer and a C2 client.

Security researcher, student, volunteer at Packet Hacking Village @ Def Con and Noon @ Def Con


Building Bulletproof AWS Environments with Secure CDK Constructs

Keegan Justis (Medium)

While most organizations are using infrastructure as code to manage cloud infrastructure, there are still gaps in security configurations. Lack of proper configuration of cloud resources is the most common way an organization gets breached in terms of cloud security. By utilizing the Amazon CDK (though most concepts can be applied to Terraform CDK or to any public cloud), developers can create secure cloud constructs configured with security best practices, giving engineers the ability to deploy code and develop cloud resources that are secure by default.

Keegan Justis is a seasoned Cloud Security Engineer with extensive experience in Site Reliability Engineering and Cloud Technologies. Currently serving at GuidePoint Security, Keegan leverages his expertise to enhance the security posture of organizations through innovative cloud-native solutions. He holds over a dozen active certifications, including the Prisma Cloud Certified Security Engineer and AWS Security Specialty. Outside work, Keegan enjoys reading, traveling, and enjoying nature in the Pacific Northwest with his wife.


Your vuln wasn’t patched: Life on the Blue Team or how I learned to stop worrying and love the risk

Tom Hansen

Join me as we go over how a rational and prudent organization assesses, manages, and prioritizes the risks it takes. We’ll keep things interesting by mixing up some boring straight-laced discussions of risk management with real-life examples and anecdotes. At this talk you’ll get a feel for what life is really like on the Blue team!

Principal Infrastructure Engineer at a Fortune 500 Fintech, CISSP, holds 3 patents.


Breaking Build: Red Teaming CI/CD Pipelines and GitHub Actions

Craig Wright (@werdhaihai , Medium , GitHub)

CI/CD pipelines are a major component of most modern organizations, enabling the movement of code from development to production, automating software builds and deployments, and even managing infrastructure changes. These pipelines also present a significant attack surface, making them prime targets for adversaries. As a red teamer, I’ll guide you through the structure and vulnerabilities of CI/CD systems, with a focus on GitHub Actions. Through real-world examples, personal case studies, and live demos, we’ll discuss how these systems can be exploited as well as tips for hardening these environments.

Craig Wright is an Adversary Simulation Consultant at SpecterOps, specializing in red teaming and offensive security. Craig Wright enjoys hacking Active Directory, CI/CD systems, developing offensive tooling, and writing ridiculously long bash one-liners.


Signed, Sealed, Delivered: Ensuring Software Integrity

Kenneth Yang (@yangkenneth)

In today’s fast-paced DevOps environments, the rapid deployment of services often outpaces the scrutiny they require, leaving organizations vulnerable to supply chain security attacks. Many organizations deploy software without thoroughly validating the integrity of their containers or the packages they consume at runtime. This talk will delve into the critical importance of artifact signing and validation, offering a comprehensive overview of the risks associated with unchecked deployments. Additionally, we will introduce coinbase/baseca, an open source project that issues short-lived X.509 certificates that can be used for code signing, using ephemeral keys to sign and verify artifacts.

Kenneth is a Senior Software Engineer at Coinbase and ex-Airbnb Security Engineer focusing on Key Management systems. When he’s not getting paged and pulled into incidents he enjoys spending time with his two dogs and being in the outdoors.


Oops! … I did it again: Security Pitfalls and how to avoid them

Lea Snyder (LinkedIn)

Have you ever wondered why your security program, initiative, or even approach appears to fail? Having trouble meeting in the middle with the teams you support? Craving insights on why? Join me as I dissect the common pitfalls I’ve seen security teams make, as well as some ideas on how to tackle them. This session will walk through common pitfalls security teams fall into and spark ideas on the right tactics to get around them or, better yet, avoid them.



Clearing the FOG: Unveiling the Latest Ransomware Trickery

Sam Mayers (@xprotectszn)

FOG ransomware, a newly emerged threat in the cyber landscape, has been causing significant disruptions, especially within educational institutions. At Beazley Security Labs, our research team has been investigating this ransomware group since its appearance in May 2024 and we have conducted research to understand the tactics, techniques, and procedures (TTPs) employed by this new threat actor. In this talk, we will present our in-depth analysis and findings on FOG ransomware, shedding light on its origins, tactics, and the rabbit holes we have gone down.

Sam is a Security Researcher at Beazley Security with a focus on threat intelligence and cybercrime. In her spare time she works on her non-profit clearsear.ch, which equips CTI experts and law enforcement with a comprehensive threat intel data lake to level the playing field against adversaries.

Bobby is the Principal Security Researcher at Beazley Security.


What I Learned About Security from Auditing Data Centers

Kim Cote

Data centers employ some of the most robust physical security controls in the industry to protect the machines within. Technical Infrastructure Audit teams are the third line of defense in ensuring physical assets are appropriately secured. In this talk I’ll walk through the physical security controls in place at data centers, and how they can be applied to any company’s information security defenses to strengthen overall security posture.

Kim Cote is a musician turned technical auditor with a passion for Cybersecurity. When she’s not auditing security infrastructure, she enjoys backpacking, playing Dungeons and Dragons, and long boarding.


Can LLMs Take Our Jobs? AI-Assisted Detection Research

Darin Smith (No additional social info)

The detection research process consists of performing behavior that will trigger existing detection rules, performing behavior that accomplishes the same adversary objective without triggering the rule (rule bypasses), and updating the rule to catch this behavior. This existing process requires significant security expertise and is quite time consuming even for those with the requisite knowledge. On the other hand, Large Language Models (LLMs) have the potential to assist with performing exactly this type of complex, time consuming task.

Leader for cloud native threat research @ Cisco Talos. Former Amazon threat hunting tech lead & FBI computer science. King’s College London, University of California at Davis.


Anon Hacker

Everyone agrees that Canary Tokens are excellent for high-signal, low-noise intrusion detection. However, no one seems comfortable sharing concrete, pragmatic details. This talk will share what you need to know to implement canary tokens for both third-party systems as well as your own internal systems.

Anon Hacker practices both Offensive and Defensive Security at an established SaaS with millions of customers.


Securing the Future: Tackling Q-day and Leap-day challenges with CodeQL

Tong Fu, Asha Maran

Ensuring the security and reliability of code is more important than ever. Quantum computing looms as a game-changing threat that could render existing cryptographic standards obsolete, while seemingly minor issues like leap year bugs can bring entire systems to a halt. Real-world vulnerabilities like these often require combining nuanced and disparate information to identify sources and sinks of vulnerable data flow in the source code, as well as understanding the conditions and guards along the way that may need to be hit or avoided. Static code analyses offer a solution to identify weaknesses in software continuously throughout its life cycle, both pre- and post-deployment. CodeQL stands out in the industry as a state-of-the-art enterprise static analysis solution, capable of analyzing large-scale, commercial software products. With CodeQL, security engineers have the flexibility to combine data from various sources, such as type information, control flow and inter-procedural dataflow, to detect underlying vulnerabilities. This presentation will focus on how static analysis, specifically CodeQL, can proactively identify vulnerabilities and safeguard code from these imminent risks before they become serious problems. We will focus on two current real-world examples: (1) preparing software systems for Post Quantum Cryptography (PQC), and (2) assessing systems for the presence of leap year vulnerabilities to ensure the world keeps running smoothly on that extra day every four years.

Tong Fu is a software engineer on the Security CAT (Code Analysis Technologies) team at Microsoft Security. She graduated from Duke University in 2020. At Microsoft, she helps teams across Microsoft adopt code security checks to ensure comprehensive compliance with enterprise standards. Her daily work includes writing and maintaining static analysis tools to detect anti-patterns and security vulnerabilities in code, such as hardcoded credentials, weak cryptography, and dangling fully qualified domain names (FQDNs).

Asha Maran is a software engineer on the Security CAT (Code Analysis Technologies) team at Microsoft Security. In this role, she helps teams utilize CodeQL for static code analysis to ensure compliance with enterprise standards. Asha writes and maintains CodeQL queries to detect security flaws in large code repositories, including hardcoded credentials, SQL injection, and cryptography concerns.


CI/CD jobs don’t care about US budget cuts: why mirroring software vulnerability data matters

Terri, John ‘Warthog9’ Hawley (@terri) (@warthog9)

The National Vulnerability Database (NVD) is the biggest source of information about software vulnerabilities in the world. As more people have been using this data to help secure software supply chains, the servers behind the NVD have struggled to keep up. They implemented rate limiting and added an API to help people download less data at a time, but demand continued to grow, and continuous integration jobs didn’t care about US budget cuts affecting those running the service. But those same test and scanning jobs have managed not to completely over-run the servers that handle software updates for popular Linux distributions. What if rather than convincing people to slurp data more carefully (while somehow also convincing them that vulnerability scanning was great and they should do it), we reached out to some open source mirroring experts and made some magic happen? This is the story of how we mirrored the world’s vulnerability data and why.

John ‘Warthog9’ Hawley is a Linux kernel maintainer (ktest), FOSS mirror operator, wrangler of open source licensing, open hardware designer, and someone who believes in not only over engineering most things but that 12 gnomes in a trench coat sometimes works pretty darned well.


There is no Purple just a good relationship between Red and Blue

Michael Hoffman (@0x1nd0)

For red teams, cultivating a strong company culture is paramount for fostering a functional and contented red team, crucial not only for operational success but also for retaining skilled operators. However, one often-missed facet is facilitating a strong relationship with your blue teams. This talk will delve into the intricacies of crafting and sustaining team cultures with both your Red and Blue teams, ensuring that, as the programs progress, both teams are working together to help secure the company.

Michael Hoffman (@0x1nd0) is an offensive security red team operator working for NVIDIA. He has interests in offensive malware development and security research in the macOS and Linux operating systems. Prior to NVIDIA, he worked as a red team operator for Oracle Cloud Infrastructure (OCI), as a penetration tester for PayPal, and as a partner in a security startup. Recently, his main focus is writing Go malware and macOS persistence mechanisms.


Building a Windows VMI System With No Windows Knowledge

Rowan Hart (@novafacing)

Building a Virtual Machine Introspection system for Windows VMs and guests is a serious undertaking. It’s even more serious if you know absolutely nothing about Windows. Join me on a journey through the process. We will explore the prior art. We will locate the sources of undocumented knowledge. Finally, we will implement a system that actually collects information from a running machine or memory capture.

Rowan is an engineer at Intel working in system software fuzzing. He graduated from Purdue University in 2022 and is interested in fuzzing, program analysis, and security tool usability both at work and in his spare time.


Threat Actors Interest in AI - Separating Hype from Reality

Rachel James (LinkedIn)

As artificial intelligence (AI) continues to reshape the technological landscape, it has caught the attention of not only innovators and businesses but also malicious cyber actors. This talk presents cutting-edge cyber threat intelligence (CTI) research examining how threat actors are engaging with, exploiting, and targeting AI technologies - and how that is different than the hype and sensationalism in the media and from vendors. My research delves into:

  • Trends in dark web discussions and marketplaces related to AI tools and vulnerabilities
  • Analysis of the development of dark LLMs
  • Emerging tactics, techniques, and procedures (TTPs) leveraging AI for malicious purposes
  • The general skepticism and discussion observed from threat actors discussing AI

We will present findings from our year-long investigation, discuss newly discovered TTPs and the uneven AI uplift across types of threat actors. This presentation is crucial for cybersecurity professionals, cyber threat intelligence analysts, and AI researchers seeking to understand and mitigate the growing intersection of AI and cyber threats.

Rachel James is a cyber threat intelligence expert who co-chairs the CTI Program Development Working Group in Health-ISAC, and an active member of Curated Intel. With a rich tapestry of expertise spanning over a decade in cyber threat intelligence, threat hunting and incident response, Rachel stands at the forefront of defending against digital threats and enhancing security frameworks and has been recognized for her outstanding research into threat actors, cybersecurity and artificial intelligence.


Graphing the Insider: Innovative Applications of GNNs in Insider Threat Detection

Kartikeya Sharma

Insider threats represent some of the most complex and damaging risks to organizational security, often eluding traditional detection methods due to their subtle and intricate nature. This presentation explores the innovative application of Graph Neural Networks (GNNs) to enhance insider threat detection. By modeling users, devices, and activities as interconnected nodes and edges within a graph structure, GNNs effectively capture the complex relationships and behavioral patterns that conventional methods often miss. We will explore recent research and leading studies demonstrating how GNN-based models outperform traditional machine learning techniques in identifying insider threats. Through examining various GNN architectures and their real-world applications, this talk aims to provide cybersecurity professionals and researchers with deeper insights into the potential of GNNs to transform organizational security against insider threats.

Kartikeya Sharma did his undergraduate studies at Goshen College, double majoring in computer science and accounting while playing college tennis. After working as a data scientist in the manufacturing industry, he received a Master’s in CS from the University of Oregon, where he researched using graph neural networks to detect spam in social media. Now at Equinix, Kartikeya works as a Senior Associate Information Security Engineer, using his skills in Machine Learning to tackle cyber threats.


Beyond the Hacker Stereotype: Exploring Cybersecurity Careers You Didn’t Know Existed

Brian Myers (LinkedIn)

Cybersecurity is often portrayed as a world dominated by hackers and pen testers—but there’s so much more to it than that. From legal advice and privacy compliance to product support and partner integration, the cybersecurity workforce offers a wide variety of roles suited to many different skills and interests.

In this 20-minute talk, we’ll use the NIST NICE Framework to explore the range of cybersecurity opportunities. Whether you’re technical or not, cybersecurity has a place for you. Discover how you can contribute to cybersecurity and learn about the career paths that might lie ahead.

Brian Myers (PhD, CISSP, CCSK) has worked in software for over thirty years for such companies as Borland, Netscape, and WebMD. He’s been a technical writer, a software developer, a product manager, a program manager, a development manager, a security architect, and a HIPAA security officer. He wrote three of the first books on Windows programming. He started the first application security team at WorkBoard, a hypergrowth Silicon Valley startup, and then joined Leviathan Security Group as a Senior Security Advisor. Currently Brian works independently under the name SafetyLight LLC helping software businesses establish effective and compliant information security programs. He’s also on the leadership committee for the Portland chapter of OWASP and has helped produce the annual OWASP AppSec Days Pacific Northwest conference since its inception four years ago.


ORDER NOW! Using Infomercials to Make Better Presentations

Brian Richardson (@siliconchef) (LinkedIn)

Has this ever happened to you… you’ve discovered a new and interesting hack, but have no idea how to turn it into an engaging presentation at your favorite conference.

Storytelling is the key to a great presentation, but the story doesn’t have to be complex. This session dissects the often despised yet unbelievably popular “infomercial” ad format to understand how its secrets can improve any technical presentation.

Infomercials are often used to promote products that most people never knew existed or would even consider necessary in their daily lives, but their success is due to a powerful story structure that works perfectly for presenting hacks, exploits, and bug fixes. Order now to learn this four-part story structure, and you’ll get more relatable presentations absolutely free!

Brian is an ex-firmware engineer who turned to marketing and storytelling, based on his experience with technical marketing, video production, and public speaking. His focus is creating easy-to-understand messages for complex systems.

Prior to his work in security marketing at Intel, Brian focused on the firmware that quietly boots billions of computers. He has presented at multiple technical conferences, including LinuxCon, FOSDEM, and Linaro Connect.

Brian is also an event host and celebrity panel moderator for Dragon Con, co-founder of DragonConTV, and joined the Bsides PDX board of directors in 2023.

Brian incorporates his interest in photography, video production, and event hosting at Dragon Con into his work in technical marketing. He also incorporates his interest in martial arts into his farm improvement projects by occasionally kicking things that don’t work properly.


Asymmetric Impact: Adventures in funding infosec research

Dean Pierce (@deanpierce)

There’s a lot of important work to be done in the world. Some of these things require funding. Funding requires sustainable funding mechanisms, which is a space I’ve been exploring a lot lately, and you can too!

Dean Pierce is a computer security researcher from Portland, Oregon. Dean enjoys making silly websites and has been involved in helping to organize Infosec related events in the Portland area for over two decades.


Bastardo Finale: Wrapping up years of OSINT work chasing professional criminals on the internet

Bryan Hance (@bikeindex) (@abyssdomainxprt)

I’ll present a ‘wrap-up’ style talk on the back of last year’s talk, titled ‘Bastardo Grande: Hunting the biggest black market bike fence in the world’. This will be a bit of a final wrap-up talk to close out this investigation and cover the eventual fallout from this work. I will include some personal reflections on dealing with the press, the feds, and where this took my own personal infosec journey - including personal burnout and my decision to step away from the service I co-founded, BikeIndex.org.

Bryan Hance helped co-found BikeIndex.org because he had way too many bikes stolen - and he realized chasing and recovering stolen bikes was really fun. He works in maritime cyber security and applies OSINT methods and processes to chasing bad guys on the internet.


Free to a Bad Home / Whose CTF is it Anyway?

Don Moncrief (@Name_Too_Long)

What’s a hacker to do when they accidentally acquire more recently decommissioned, direct-pull, wireless access points than they could possibly find uses for? Give them away to other hackers as part of a CTF, obviously!

Just some guy who keeps showing up


Modern Medium Data Pipelines for Breaches, Hacker Style

Magneto

You’ve got breach data. I’ve (maybe) got breach data. You’ve (probably) got a homelab. grep won’t cut it. Now what?

Security engineer and motorcycle rider. macOS & cloud security a specialty. Views do not reflect those of any employer or mine, hypothetical or otherwise.

I live in PDX and am a member of the community/RainSec/503HAX :)


The Badge Talk

Joe FitzPatrick (GitHub pdxbadgers)

This year’s BSidesPDX badge is based on a tried and true open-source badge design that was customized for BSidesPDX. We’ll talk about the design process, the gameplay, and how you can hack the badge (plus, the ways we’ve tried to stop you from hacking the badge). We’ll have time for some badge Q&A as well.

Joe FitzPatrick (@securelyfitz) is an Instructor and Researcher at SecuringHardware.com. Joe has spent most of his career working on low-level silicon debug, security validation, and penetration testing of CPUs, SoCs, and microcontrollers. He has spent the past decade developing and delivering hardware security related tools and training, instructing hundreds of security researchers, pen testers, and hardware validators worldwide. When not teaching Applied Physical Attacks training, Joe is busy developing new course content or working on contributions to the NSA Playset and other misdirected hardware projects, which he regularly presents at all sorts of fun conferences.