If your service needs to trust the clients, hold my Big Mac

SQL injections seem to be a solved problem; databases even have built-in support for prepared statements, leaving no room for injections. In this session, we will go a level deeper: instead of attacking the query syntax, we will explore smuggling attacks against database wire protocols, through which remote, unauthenticated attackers can inject entire (No)SQL statements into an application's database connection.

Back when this profession of ours was trying to find its place in the world, some smart people who thought the state of computing was shit got together and started to make some noise. The L0pht fellas testified in front of the US Congress, the cDc folks released tools that not only mocked Microsoft but pretty much made the company do something to at least save face, and hacker conferences were all the rage. Those were the days of smashing stacks for fun and profit, and the days some people realized that powerful technology companies were putting us all at risk for profit and no fun.
Some of those folks went on to start their own cybersecurity companies, some went on to work for governments, or work for the very companies they were ridiculing not too long ago. Some have tried to keep the flame alive and bring back that vibe. And, somewhere along the way, shit got weird.

In addition to being certified as a Forensic Locksmith and a Safe and Vault Technician, it sometimes surprises people to learn that I am a Life Safety NFPA & ADA Consultant and Fire Door Inspector. "Deviant, do you make a lot of money doing safety inspections like that?" I get asked. The answer is a resounding no. I didn't take this training for the money, however. I learned about fire doors and fire suppression systems so that I can speak knowledgeably about them if I'm using this field as a cover identity during a break-in job.
This presentation is a comprehensive crash course in the field of National Fire Prevention Association knowledge and building codes. The rundown offered will afford you a lot of useful tips, terminology, and insider knowledge that you can rattle off at an unsuspecting employee or guard who is curious as to what you're doing inside of their building.

What do you do when you’ve found an arbitrary file delete as NT AUTHORITY\SYSTEM? Probably just sigh and call it a DoS. Well, no more. In this article, we’ll show you some great techniques for getting much more out of your arbitrary file deletes, arbitrary folder deletes, and other seemingly low-impact filesystem-based exploit primitives.

More and more businesses are moving away from monolithic servers and turning to event-driven microservices powered by cloud function providers like AWS Lambda. So, how do we hack in to a server that only exists for 60 milliseconds?

This talk will show novel attack vectors using cloud event sources, exploitabilities in common server-less patterns and frameworks, abuse of undocumented features in AWS Lambda for persistent malware injection, identifying valuable targets for pilfering, and, of course, how to exfiltrate juicy data out of a secure Virtual Private Cloud.

A few years ago, my cat gave me my most memorable middle of the night software engineering incident. I was working at a startup, and we didn’t have a formal on-call rotation yet. That was a deliberate decision, since being on-call is painful, and the team was good about just collectively keeping an eye out for urgent alerts. We eventually set up an on-call rotation, but before that happened, I had a fun night.

Hello friends! Hope your weekend plans did not go to shit because of some open source library you have no clue if it's being used in your environment or not because, well, let's face it: nobody fucking knows these things. Nobody has time for this. YoloOps is alive and well, boys!
Here's the thing that you will absolutely see written everywhere by some dumbass sycophant: "We need to secure the software supply chain!" Sure thing, bro. One problem, though: in order for a supply chain to be a supply chain, the chain must be comprised of suppliers. The masochist hero maintaining that library you just npm install without even thinking about it is not your fucking supplier.

In August 2016, Apple issued updates to iOS and macOS that patched three zero-day vulnerabilities that were being exploited in the wild to remotely install persistent malcode on a target’s device if they tapped on a specially crafted link. We linked the vulnerabilities and malcode to US-owned, Israel-based NSO Group, a government-exclusive surveillance vendor described by one of its founders as “a complete ghost”.

Ever hear one of those stories where as it unravels, you lean in ever closer and mutter “No way! No way! NO WAY!” This one, as far as infosec stories go, had me leaning and muttering like never before. Here goes:
Last week, someone reached out to me with what they claimed was a Spoutible data breach obtained by exploiting an enumerable API. Just your classic case of putting someone else's username in the URL and getting back data about them, which at first glance I assumed was another scraping situation like we recently saw with Trello. They sent me a file with 207k scraped records and a URL that looked like this...

how one little joke can get so, so out of hand

The iMessage PQ3 protocol is an end-to-end encrypted messaging protocol designed for exchanging data in long-lived sessions between two devices. It aims to provide classical and post-quantum confidentiality for forward secrecy and post-compromise secrecy, as well as classical authentication. Its initial authenticated key exchange is constructed from digital signatures plus elliptic curve Diffie–Hellman and post-quantum key exchanges; to derive per-message keys on an ongoing basis, it employs an adaptation of the Signal double ratchet that includes a post-quantum key encapsulation mechanism. This paper presents the cryptographic details of the PQ3 protocol and gives a reductionist security analysis by adapting the multi-stage key exchange security analysis of Signal by Cohn-Gordon et al. (J. Cryptology, 2020). The analysis shows that PQ3 provides confidentiality with forward secrecy and post-compromise security against both classical and quantum adversaries, in both the initial key exchange as well as the continuous rekeying phase of the protocol.

For the last 6 years my colleagues and I have been tracking the activities of the cyber-mercenaries we call Dark Caracal. In this time, we have observed them make a number of hilarious mistakes which have allowed us to gain crucial insights into their activities and victims. In this talk, we will discuss the story of Dark Caracal, the mistakes they have made, and how they have managed to remain effective despite quite possibly being the dumbest APT to ever exist.

This post is dedicated to the memory of Niklaus Wirth, a computing pioneer who passed away January 1st. In 1995 he wrote an influential article called “A Plea for Lean Software”, and in what follows, I try to make the same case nearly 30 years later, updated for today’s computing horrors.

The most important lesson to figure out is why it is taking so long to restore services. That will tell us how to prevent such a calamity in other vital national institutions.

I run my own Matrix homeserver that I share with friends and family. Ever since I started working for Element back in February of 2020, I've learned a lot more about the Matrix protocol and what's possible to do with it. During a conversation with a few privacy minded friends that use my HS (HomeServer), I pointed out that the admin of a homeserver has a lot of power over their accounts and that they as users explicitly trust the admin. In this post, I want to explore and document the ways a malicious admin can mess with the privacy of a Matrix account. Note: malicious admin in this case can also mean a hacked admin.

Logs are a vital component for maintaining application reliability, performance, and security. They serve as a source of information for developers, security teams, and other stakeholders to understand what has happened or gone wrong within an application. However, logs can also be used to compromise the security of an application by injecting malicious content.
In this presentation, we will explore how ANSI escape sequences can be used to inject, vandalize, and even weaponize logfiles of modern applications. We will revisit old terminal injection research and log tampering techniques from the 80-90s, and combine them with new features to create chaos and mischief in the modern cloud cli's, mobile, and feature-rich DevOps terminal emulators of today....

Recently I came across a puzzling fact: the International Criminal Court hashes electronic evidence with MD5, even though MD5 is badly broken. So, why are lawyers using broken, outdated technology? The answer involves the common law system, cultural isolation, and a single man named Don L. Lewis.

We conduct the first large-scale user study examining how users interact with an AI Code assistant to solve a variety of security related tasks across different programming languages. Overall, we find that participants who had access to an AI assistant based on OpenAI's codex-davinci-002 model wrote significantly less secure code than those without access. Additionally, participants with access to an AI assistant were more likely to believe they wrote secure code than those without access to the AI assistant. Furthermore, we find that participants who trusted the AI less and engaged more with the language and format of their prompts (e.g. re-phrasing, adjusting temperature) provided code with fewer security vulnerabilities. Finally, in order to better inform the design of future AI-based Code assistants, we provide an in-depth analysis of participants' language and interaction behavior, as well as release our user interface as an instrument to conduct similar studies in the future.

Sometimes, making particular security design decisions can have unexpected consequences. For security-critical software, such as password managers, this can easily lead to catastrophic failure: In this blog post, we show how Bitwarden’s Windows Hello implementation allowed us to remotely steal all credentials from the vault without knowing the password or requiring biometric authentication. When we discovered this during a penetration test it was so unexpected for us that we agreed with our client to publish a blog post about it and tell the story.