Security BSides Las Vegas 2023 Call For Papers

BSides LV is accepting submissions for the following tracks at this time:


Breaking Ground

Common Ground

Ground Truth

Ground Floor

Hire Ground

I Am The Cavalry

PasswordCon

Training Ground

Underground


Proving Ground and Proving Ground Mentor CFP submissions are currently closed.

The general CFP will close Sunday, 4/16

(sometime around midnight, Pacific Time).

It's important to get SOMETHING in before then than it is to be perfect, but as a reminder, the more detailed your submission, the better chance we have to accurately appreciate your amazing idea and how it would enhance the experience of the other BSides participants.

Don't just say "Foo has these problems and this talk will propose solutions" or "this talk outlines a novel approach to fracturating user space Bar and Baz services." List out the solutions. Detail the approach. Outline your talk!

Your reviewers will be ecstatic not to have to guess whether something is really novel or effective or not. As you can see from the sample submission below, it's hard to be too detailed.

Submit early, Submit often!


Example Speaker Submission:

Submission Title:

Hacking Holograms: How to secure our security blankets

Author 1:

First Name: Jean-Luc
Last Name: Picardo
Organization: Concerned Citizen
Email: JLP@fakestemailhologram.com
Twitter Handle: @EMH2-FAKESUBMISSION
Phone Number: 212-555-4240
(Optional) Preferred Pronouns: Captain/My Captain/Sir

Bio:

Jean-Luc (aka Nacho Man Tandy SVG) is jack of many trades and master of none, well maybe just one: Hologram hacking. Jean has been doing security related things for nearly 10 years focusing on all things enterprise, from writing custom Nmap scripts, metasploit modules, BURP plugins, you name it he's done it. In the past 2 years he's taken a keen interest in the hologram security space and is aghast at what he's found. As is typical this over looked consumer (and military) space is rife with vulnerabilities and poorly understood threat models. Ever since Jean has taken it upon himself to raise awareness of the lack of security when it comes to holograms. In his spare time he enjoys 90's dubstep and home made beer.

Link to other talks:

https://www.youtube.com/watch?v=dQw4w9WgXcQ
https://www.youtube.com/watch?v=nzcOqUXXywo
https://slides.com/bsidesto_hologramslol

Abstract:

The Galactic Federation estimates that 7.4 million emergency medical holograms will be installed on all space faring vessels by 2345. However, holograms are not only on Federation ships, they also exist in homes and around us as toys, companions, assistants and serve various roles in our daily lives. In this talk we will talk about our journey to secure intelligent holograms on a galactic level. This talk is designed to appeal to a spectrum of different audiences including hackers, developers, testers, consumers, manufacturers to understand the threats to their products and guide enterprises towards building security from the start.

This talk will cover the software stack, operating system, and supply chain security challenges, cyber attacks, as well as our strategy to mitigate threats from ground up. We will walk attendees through (via live demos) Hologram OS attacks, AI JVM decompilation, vulnerability hunting, and an example attack scenario, all using opensource tools developed by us or others in this space.

Detailed Description:

This talk has been developed over the past 2 years as a passion project of mine. Holograms aren’t going to go away, once the gates unlocked it was game over. The problem is, most of the companies making holograms aren’t keeping up with security best practices. through years of research we’ve identified multiple vulnerabilities in commercially available products used by millions of people. This talk will specifically cover reviewing the EMCORP Hologram version 2.781.9 released last year. Using opensource tools (listed below) that either I’ve written, or enhanced, or created by others. We’ll step through and explain how the holograms works from the bottom up including reviewing the Operating System (a Linux derivation), mapping the hologram on the network, how to decompile a hologram and what to look for from an attacker standpoint (SQLi, malformed input, etc) then we’ll cover how to write a module to turn a hologram in to an always on listening device that forwards any and all audio to an AWS bucket we browse live during the session to show the sounds our hologram, in our hotel room with the TV on, picked up and sent to our bucket.

Also, the demos will be live, but i’ll pre-record them before coming in incase anything goes wrong.

Tools:

– AI OS Exploit finder: https://github.com/faketool/AIOSEF
– nmap
– AI JVM Decompiler: https://gaggle.com/decompilation
– Python scripts (small and varied): https://gist.github.com/AISUCKS/
– Custom code (attached) – malicious always on listener
research links:
– White paper: https://whitepaper.com/AIOSVULNS.PDF
– Blog/Articles
– Hologram CIS Benchmarks: https://fakesite.com/HOLOCIS
– AppScan Hologram Plugin: https://blog.cybercompany.com/holo_appscan

Outline:

I intend to cover the following in the talk:

Intro – 5 Minutes
– Who we are
– How we got here
Holograms – 5 Minutes
– History of hologorams in starfleet
– Cyber issues in the news
– Evolution to todays market
Attacking Holograms – 25 Minutes
– The operating system
– LIVE DEMO – OS level attacks
– The software stack
– DEMO – Decompiling AI JVM using opensource
– DEMO – Finding obvious vulnerabilities
– LIVE DEMO – Example attack – Hologram always listens even when off
– Supply Chain attacks, how they work and examples
– Examples of JS repo’s being taken over
Protecting Holograms – 5 Minutes
– Mitigating OS level attacks (SE Linux discussion)
– Secure Code development using OWASP-AI
– Supply Chain Hardening/Trust
Review/Close/Thank You – 5 Minutes
– Conclusions
– Where people can find more information
– Thanks/Kudos to previous researchers
– Questions?

Special Requirements:

– Extra power available for hologram in the room
– Internet for live demos
– Ability to project slides

You can enter proposals until 2023-04-16 23:59 (US/Pacific), 2 weeks, 1 day from now.