Source Zero Con 2022 Video Hub

In this talk, Angelo reviews advanced database testing techniques such as timing attacks. He presents a few real-world findings where he successfully extracted PHI from a database through a web assessment using a database timing attack. Angelo also addresses other, more advanced side-channel attacks for databases. 

Active Directory (AD) presents one of the largest attack surfaces within an enterprise network when configured improperly. In this talk, we describe newly documented vulnerabilities within Active Directory Certificate Services (AD CS) brought to light recently by SpectreOps. We’ll also discuss the most prevalent misconfigurations in this service that Optiv has observed in enterprise environments. Attendants of this talk will take away a better understanding of AD CS, the risks it can pose to an organization and current TTPs being used by attackers.

Physical security is crucial to any organization, but as more and more enterprises shift to a primarily remote workforce, it can sometimes take a back seat. However, many companies still maintain a physical office presence, and protecting employees working from the office, along with other critical assets is vitally important. An attacker gaining access into a building through social engineering or other means of physical entry may access unattended workstations, open file cabinets, server rooms or other information inside the organization. Skilled attackers may only need a few moments to slip into a building and plant a remote access device on the network. Savannah and Ari discuss how attackers leverage various tools, tactics and procedures to physically breach a building. This session deep dives into reconnaissance, methods of entry, badge cloning, post exploitation and why a trip to the local thrift store along with twenty dollars can sometimes be more effective than any tool on the market.

Attackers employ sophisticated techniques to circumvent various organizations' technical controls for protection. As a result, defenders have a driving need to detect and prevent these attacks. Red teams are continually leveling up their tradecraft to evade ever-evolving defensive countermeasures. But how can you improve your tradecraft these days? Where do you start? This talk covers all the operational considerations, strategies and tradecraft theories that Matthew has developed, as well as a toolkit to help augment your loaders.

Thorough discovery and profiling techniques can enhance the success rate of a penetration test, regardless of whether the focus is on wireless, perimeter, internal networks, or even social engineering and other attempts to gain physical access to a target’s facility. Specifically, properly performed IP discovery and subdomain enumeration are key factors for identifying well-known and partially obfuscated assets, effectively "painting the picture" of the target's available attack surface. This is a continuation of our previous SZC OSINT talk, diving deeper into the specific TTPs used by professional pen testers to accurately identify a target’s internet-facing profile, and aiming to reduce the likelihood of false positives prior to conducting dedicated attacks.

The cyber threat landscape is constantly evolving. Traditional penetration testing is no longer sufficient to keep an organization updated with the latest cyber threats. It has become a necessity for organizations to start performing adversary-based simulations. This talk walks through the phases of a red team assessment, shining a light on the mindset of a red team and how they approach the task of compromising an organization covertly. This session aims to educate those wanting to get into red teaming, as well as organizations who wish to learn what to expect on their first red team engagement.

Internet-connected smart devices are becoming more prevalent in the home and the business. IoT devices cover a wide variety of products, including routers, security cameras, light bulbs and more with wired or wireless internet connectivity. These devices are often not adequately hardened by the manufacturer, which may allow access to privileged functionality, the underlying operating system or exposed data that the device should be protecting. This session covers how to fingerprint and attack IoT hardware.

During this presentation, we discuss the current state of Supervisory Command and Data Acquisition (SCADA) and Industrial Control Systems (ICS) devices around the world from an attacker’s perspective. Indeed, heavy focus and emphasis has been placed on nation-state sponsored attacks toward large environments, with the goals of these attacks to affect change within a geopolitical atmosphere. Attacks by actors that lack the same resource pool are also on the rise, however, targeting smaller organizations with the same success. We explore and demonstrate an attacker’s perspective within a simulated environment, from initial breach to lateral movement to finally ransoming a hypothetical organization controlling multiple SCADA/ICS devices with the threat of mass destruction. Along the way, we’ll discuss methods to combat these types of attacks at each phase, from a technological, ideological and industrial design standpoint.

Have you ever wondered what it's like to be a penetration tester? What off-the-wall funny stories do career pen testers have? Or how do you to get into the field of penetration testing? This panel of Optiv offensive security consultants will provide insight into what it's like working in offensive security professional services, based on audience questions sent to our Source Zero Twitter.

Eastern medicine uses two views when treating health problems: immediate treatment and systemic/holistic treatment. Application security should be approached in the same way —implementing both immediate treatments as well as viewing the system holistically to apply the best prescription for that company's circumstances, needs and "lifestyle." This talk breaks down the similarities, using Eastern medicine analogies and anecdotes to describe why holistic application security is the best course for longevity.

Cryptography is not magic ... though some developers consider it as such. It is, however, a useful tool for gaining more confidentiality and integrity for your application. Despite its benefits, cryptography can actually be a detriment to an application's security if not implemented correctly. Damian discusses some ways that he has seen cryptography implemented poorly and the attacks that can be performed against it. He also discusses how to implement cryptography in a correct fashion and avoid some of these pitfalls.

A defacto digital vaccine passport has emerged in the U.S. and Canada called Smart Health Cards. It is based on familiar web app technologies including JSON Web Tokens, JSON Web Keys, ECDSA public key signatures and more. Over 500 organizations including hospitals, pharmacies, states and provincial governments have adopted the standard and issue these credentials for their patients. By some estimates, over 300 million people have access to Smart Health Cards. In part because of the controversy over COVID and vaccines, there is plenty of criminal activity that has been documented in regard to COVID, such as vaccine card forgery. Like any other form of crime, this extends to the digital realm as well. Meanwhile the infrastructure supporting Smart Health Cards consists of hundreds of websites, over 75 smart phone applications and other pieces of code developed very quickly to respond to the COVID crisis. Are all these pieces of code free from security flaws exploitable by cybercriminals? A few flaws have been published and fixed on individual applications, but no publicly available security testing methodology for Smart Health Cards has been developed. In this presentation, Tim documents a testing methodology he has developed this year. He demonstrates how flaws in Smart Health Card applications can allow forgery and other attacks. He also documents some actual flaws in real implementations that have been detected.

Vandan has built a vulnerable application on the Android platform. This application can allow an attacker to practice their AppSec skills.

This workshop covers how to write a python script using the requests library to chain multiple vulnerabilities together found in a web application. After providing the basics of the requests library, the workshop allows attendees to exploit a loose comparison vulnerability in PHP followed by a file upload allowing for remote code execution on the server. After this workshop, attendees should have a better grasp on how to develop an exploit for web applications.

With increasing cloud migration and IoT device use, the number of APIs being developed has increased exponentially. The requirement to perform security testing on all new development before it can be moved to production has increased the workload for security testing teams, and simply “staffing up” to these challenges is not feasible. Doug discusses some strategies for discovering existing APIs and key attributes to consider when building an inventory. For example, with an inventory in place, how do you prioritize and identify how the APIs interact with other applications? How do you efficiently secure all those end points, how does SDLC hardening fit into this picture, what testing can be automated, and finally, how do you prioritize what end points need to be manually assessed?

This presentation looks at the current role security plays in the medical space. We start with how technology has enhanced the medical space and become woven into the fabric of care. Then we look at how it’s integrated as well as the friction points and compliance requirements it causes for medical professionals and administrative staff. Finally, we dive into methods of testing and verifying compliance and security posture, along with ways we can help shift security left in the ecosystem.

Application security begins and ends with the software development lifecycle (SDLC). All software products are going to have bugs and some of them might have security implications. The monetary and time impact on software security defects is significant, but these costs can be greatly reduced by mitigating security defects early. In this presentation, Brendon Collins and Sharon Millar will introduce SDLC hardening and its two distinct workflows, leveraging the OWASP SAMM model. This introduction includes the five security pillars, 15 security practices and their associated streams, as well as an outline of how a successful assessment is performed. The goal of this presentation is to emphasize how slight changes can impact an enterprise's security maturity level.

Security consultants who are extremely familiar with performing web application assessments may have little or no understanding of how vishing is done. While web application assessments and vishing assessments may seem totally disparate, there are many things that connect the two. By giving examples of common web application vulnerabilities and drawing a comparison to how they relate to techniques used in a vishing assessment, Eric draws parallels. While not a deep dive into vishing, web app work or vulnerabilities, this discussion will prove interesting for anyone who is only familiar with one of these two types of assessments.

Many organizations struggle to identify what’s most important when trying to apply security to their software development lifecycle (SDLC). With all the threats to their enterprise, where should they spend their energy and resources? What are they good at, what are they bad at, and most importantly, what don’t they know? In this session we look at practical applications of the OWASP SAMM framework to identify unknown risks within an organization. We consider organizations that are just starting on their secure SDLC, as well as mature organizations that are much further along. By applying this framework, organizations can analyze their programs and identify security measures they may not have considered. Identifying these blind spots can help organizations create awareness in what security gaps exist within their SDLC program and some practical steps to address them.

So, you wanna be a paid hacker — I mean — security consultant. Hacking is the easy part, but consulting? Sometimes…that’s not so easy. The first six to 12 months for someone brand new to consulting can be challenging and rage quit inducing. Being a solid security consultant is a mix of skills that requires technical knowledgeable in many different areas, as well as being able to communicate this knowledge to others in a clear and concise manner. Additionally, there are reports to write, clients to manage, meetings to attend, and the list goes on. In this talk, we’ll cover tips, tricks and sanity maintenance for aspiring or newly minted security consultants that will help you prepare for and better understand life as a consultant.

This presentation shares experiences from veterans on the Optiv Attack and Penetration team regarding transitioning from the military to civilian cybersecurity industry. Considering the COVID-19 pandemic and subsequent Great Resignation’s impact on the job market, the civilian work force is ripe for military members seeking civilian employment to put their best foot forward and seek positions that align with their passions and skill sets. Speakers cover common pitfalls, how to avoid them and best practices to learn new tools and TTPs. It’s important to note that this mentorship session is not limited to military members already in the cybersecurity field! Attendants of this talk will take away the importance of having a mentor, practicing tools and TTPs and some do’s/don’ts associated with the hiring process.

Heather Hall discusses how networking can be a source for your next opportunity. She'll share activities, lessons and steps she took that helped her gain knowledge, notoriety and roles. Networking is an avenue to meet people and help each other serve. The talk will emphasize how growing relationships through networking can help you reach unknown avenues.