<?xml version='1.0' encoding='utf-8' ?>
<!-- Made with love by pretalx v2026.1.1. -->
<schedule>
    <generator name="pretalx" version="2026.1.1" />
    <version>0.38</version>
    <conference>
        <title>Security BSides Las Vegas 2025</title>
        <acronym>security-bsides-las-vegas-2025</acronym>
        <start>2025-08-04</start>
        <end>2025-08-06</end>
        <days>3</days>
        <timeslot_duration>00:05</timeslot_duration>
        <base_url>https://pretalx.com</base_url>
        
        <time_zone_name>US/Pacific</time_zone_name>
        
        
        <track name="Breaking Ground" slug="5498-breaking-ground"  color="#000000" />
        
        <track name="CISO Track" slug="5483-ciso-track"  color="#ffffff" />
        
        <track name="Common Ground" slug="5486-common-ground"  color="#12ad2e" />
        
        <track name="Events" slug="5482-events"  color="#06c6f9" />
        
        <track name="Ground Floor" slug="5487-ground-floor"  color="#aaaaaa" />
        
        <track name="Ground Truth" slug="5488-ground-truth"  color="#2781db" />
        
        <track name="Hire Ground" slug="5496-hire-ground"  color="#ff7700" />
        
        <track name="Hire Ground Career Discussions" slug="5497-hire-ground-career-discussions"  color="#f0bc0c" />
        
        <track name="I Am The Cavalry" slug="5492-i-am-the-cavalry"  color="#ff0000" />
        
        <track name="Keynotes" slug="5491-keynotes"  color="#000000" />
        
        <track name="Middle Ground" slug="5493-middle-ground"  color="#00f7ff" />
        
        <track name="PasswordsCon" slug="5489-passwordscon"  color="#4dafab" />
        
        <track name="Proving Ground" slug="5495-proving-ground"  color="#ff44ff" />
        
        <track name="Proving Ground Mentors" slug="5494-proving-ground-mentors"  color="#ffbbff" />
        
        <track name="Public Ground" slug="5485-public-ground"  color="#ffffff" />
        
        <track name="Skytalks" slug="5484-skytalks"  color="#777777" />
        
        <track name="Training Ground" slug="5490-training-ground"  color="#9300ff" />
        
    </conference>
    <day index='1' date='2025-08-04' start='2025-08-04T04:00:00-07:00' end='2025-08-05T03:59:00-07:00'>
        <room name='Florentine A' guid='17c3879d-b68a-5a2f-af38-dd22c4b1b021'>
            <event guid='720fbdc8-d78f-5d11-96eb-5f9a63deb50f' id='70693' code='PBHVUK'>
                <room>Florentine A</room>
                <title>Opening Remarks, Monday</title>
                <subtitle></subtitle>
                <type>Talk-20m</type>
                <date>2025-08-04T09:30:00-07:00</date>
                <start>09:30</start>
                <duration>00:01</duration>
                <abstract>Opening Remarks, Monday</abstract>
                <slug>security-bsides-las-vegas-2025-70693-opening-remarks-monday</slug>
                <track>Keynotes</track>
                
                <persons>
                    <person id='65071'>milqtst</person>
                </persons>
                <language>en</language>
                <description>Opening Remarks, Monday</description>
                <recording>
                    <license></license>
                    <optout>false</optout>
                </recording>
                <links></links>
                <attachments></attachments>

                <url>https://pretalx.com/security-bsides-las-vegas-2025/talk/PBHVUK/</url>
                <feedback_url>https://pretalx.com/security-bsides-las-vegas-2025/talk/PBHVUK/feedback/</feedback_url>
            </event>
            <event guid='5dfd821f-58f9-5793-92a1-e3daa204b8c1' id='78496' code='VSF8QE'>
                <room>Florentine A</room>
                <title>From Me to We</title>
                <subtitle></subtitle>
                <type>Talk-45m</type>
                <date>2025-08-04T09:30:00-07:00</date>
                <start>09:30</start>
                <duration>00:30</duration>
                <abstract>You break into a cybersecurity career by trying to be the best you, but it is your team, users, and the community that will make you truly great: why security works the way it does (or doesn&#8217;t), technical and organizational approaches that do work, and how to take care of yourself through it all. Come with your questions (who says a keynote can&#8217;t be interactive?).</abstract>
                <slug>security-bsides-las-vegas-2025-78496-from-me-to-we</slug>
                <track>Keynotes</track>
                
                <persons>
                    <person id='79543'>Bryson Bort</person>
                </persons>
                <language>en</language>
                <description>Outline (internal only)</description>
                <recording>
                    <license></license>
                    <optout>false</optout>
                </recording>
                <links></links>
                <attachments>
                    <attachment href="https://pretalx.com/media/security-bsides-las-vegas-2025/submissions/VSF8QE/resources/_s6ovsLl.jpeg">headshot</attachment>
                </attachments>

                <url>https://pretalx.com/security-bsides-las-vegas-2025/talk/VSF8QE/</url>
                <feedback_url>https://pretalx.com/security-bsides-las-vegas-2025/talk/VSF8QE/feedback/</feedback_url>
            </event>
            <event guid='4ac83c63-c62e-541d-972f-41bd161fc9ae' id='69532' code='D9GABH'>
                <room>Florentine A</room>
                <title>Who Scans the Scanner? Exploiting Trend Micro Mobile Security</title>
                <subtitle></subtitle>
                <type>Talk-45m</type>
                <date>2025-08-04T10:00:00-07:00</date>
                <start>10:00</start>
                <duration>00:45</duration>
                <abstract>Trend Micro Mobile Security (TMMS) is a solution widely trusted by enterprises to defend Android devices. But what if the protection becomes the threat? In this talk, I reveal how the very software meant to secure mobile endpoints can be exploited to compromise them. During my research, I identified three vulnerabilities, two confirmed by the vendor. 

First, I found that TMMS exposes sensitive security reports online without requiring authentication, revealing device data to anyone. Second, I uncovered a persistent stored XSS sent from Android agents during scans. This payload executes in the browser of anyone who accesses the report, allowing attackers to inject further malicious scripts. Lastly, I&#8217;ll discuss a memory-level manipulation identified during dynamic analysis of the scan routine, which could lead to code execution. These flaws present a high-impact attack surface individually, and a dangerous chain if combined.

This presentation includes recorded demos and a deep dive into the methodology used to discover these issues. It is tailored for red teamers, offensive security professionals, and researchers focused on mobile and infrastructure security.</abstract>
                <slug>security-bsides-las-vegas-2025-69532-who-scans-the-scanner-exploiting-trend-micro-mobile-security</slug>
                <track>Breaking Ground</track>
                <logo>/media/security-bsides-las-vegas-2025/submissions/D9GABH/trend_Jn22WEO.png</logo>
                <persons>
                    <person id='70054'>Lucas Carmo</person>
                </persons>
                <language>en</language>
                <description>This talk is the result of hands-on vulnerability research focused on Trend Micro&#8217;s enterprise-grade mobile security solution, TMMS. The project began with a simple question: Can the tools used to protect mobile devices be turned against themselves? That curiosity led to a series of discoveries, two of which Trend Micro acknowledged as confirmed security issues.

The first vulnerability centers on unauthenticated access to TMMS&apos;s device report pages. These pages expose scan histories, app inventories, and device status, all accessible without any form of authentication. This flaw represents a significant breach of confidentiality, offering an attacker valuable insights about an organization&#8217;s device fleet and security posture.

Digging deeper, I found that these unauthenticated reports also served as a perfect delivery channel for a stored cross-site scripting attack. By modifying the name of an app on an enrolled Android agent, a value later displayed in the web console, I was able to inject JavaScript directly into the report page. Since this page is rendered without sanitization and without login, the script executes in the browser of any administrator or user who accesses it.

The final and most technically complex finding lies within the TMMS Android agent. While inspecting its scan routines via reverse engineering and dynamic testing, I identified a potential path to code execution. By altering function parameters in memory during an antivirus scan, it may be possible to invoke unintended behavior, including spawning a reverse shell. Although Trend Micro has not confirmed this issue, preliminary results suggest the feasibility of remote command execution through controlled memory manipulation, especially if initiated from a compromised server or malicious agent.

My talk will take attendees through each phase of the research: from initial reconnaissance and passive analysis to deeper reverse engineering of the Android APK and memory manipulation during runtime. I will demonstrate how these flaws intersect and discuss the viability of chaining them into a full exploit path. The narrative will include recorded demos, such as viewing a report without credentials, triggering XSS via Android scan, and memory patching leading to command execution, to help make the technical impact tangible.

Beyond showcasing vulnerabilities, I&#8217;ll reflect on disclosure, vendor response, and the implications for other mobile security products. Attendees will leave with a deeper appreciation for the risks hidden in trusted software, as well as techniques they can apply to analyze similar solutions.</description>
                <recording>
                    <license></license>
                    <optout>false</optout>
                </recording>
                <links></links>
                <attachments></attachments>

                <url>https://pretalx.com/security-bsides-las-vegas-2025/talk/D9GABH/</url>
                <feedback_url>https://pretalx.com/security-bsides-las-vegas-2025/talk/D9GABH/feedback/</feedback_url>
            </event>
            <event guid='420210db-12f1-5a77-981e-7d6cbd490f63' id='69967' code='C9FNXW'>
                <room>Florentine A</room>
                <title>Creating the Torment Nexus: Using Machine Learning to Defeat Machine Learning</title>
                <subtitle></subtitle>
                <type>Talk-20m</type>
                <date>2025-08-04T11:00:00-07:00</date>
                <start>11:00</start>
                <duration>00:20</duration>
                <abstract>Machine learning is becoming more and more prevalent in malware detection techniques, but how can these systems be fooled? Last summer, I started work on the &quot;Torment Nexus&quot; in order to answer this question. Using relatively simple techniques, I was able to prove that even minor modifications to well-known malware samples could drastically reduce the detectability when analyzed by AI-based and traditional detection methods without changing their function.

In my talk, I will present my research on the topic, explain the processes I used to reduce detection scores, and demonstrate how these techniques can be used to evade modern machine learning-based detection methods. Additionally, I will discuss the broader implications of deploying ML-based security tools without properly scrutinizing their reliability.</abstract>
                <slug>security-bsides-las-vegas-2025-69967-creating-the-torment-nexus-using-machine-learning-to-defeat-machine-learning</slug>
                <track>Breaking Ground</track>
                <logo>/media/security-bsides-las-vegas-2025/submissions/C9FNXW/Alex-_gWzAKLc.png</logo>
                <persons>
                    <person id='70382'>Noah Grosh</person>
                </persons>
                <language>en</language>
                <description>This talk was in collaboration with a colleague when working at Dropbox; we wondered whether we could easily bypass AI malware detection methods.
After spending three months researching the possibilities, I found that with only minor non-code changes that do not affect the functionality of the executable, we were able to reduce detection by ~99.9998% for well-known malware samples, as well as ~20-30% with VirusTotal results. This discovery shocked us by how easy and simple it was to perform. As malware detection tools start to incorporate machine learning in their products, we hope that this talk can demonstrate that doing so requires heavy scrutiny and careful planning in order to not introduce greater vulnerabilities. This talk will demonstrate how the research was done to enable attendees to continue this research on their own.</description>
                <recording>
                    <license></license>
                    <optout>false</optout>
                </recording>
                <links></links>
                <attachments></attachments>

                <url>https://pretalx.com/security-bsides-las-vegas-2025/talk/C9FNXW/</url>
                <feedback_url>https://pretalx.com/security-bsides-las-vegas-2025/talk/C9FNXW/feedback/</feedback_url>
            </event>
            <event guid='59763a51-1d51-581d-82b9-96658cd1a841' id='73120' code='TMTNLQ'>
                <room>Florentine A</room>
                <title>The Scene is Dead</title>
                <subtitle></subtitle>
                <type>Talk-45m</type>
                <date>2025-08-04T11:30:00-07:00</date>
                <start>11:30</start>
                <duration>00:45</duration>
                <abstract>The scene is dead! It was killed by sexual violence and big money. If you haven&apos;t paid attention to the hacker underground since you were a kid, we&apos;re going to talk about how the culture has changed in the past decade. As infosec became a profession and bug bounties became real, talent abandoned the underground in droves and the underground lost its monopoly on knowledge. The remnants increasingly turned to cybercrime. The final blow was the explosion in Bitcoin&apos;s price and they started to call themselves &quot;The Com&quot;. This talk will explore the past decade of the hacking underground, and updates to our cultural assumptions. We will explore why there is so much overlap nowadays between cybercrime, fraud, sextortion, and nihilistic violent extremism, and my hope is to start a discussion on how to prevent the next generation from falling into it.</abstract>
                <slug>security-bsides-las-vegas-2025-73120-the-scene-is-dead</slug>
                <track>Keynotes</track>
                
                <persons>
                    <person id='73147'>Allison Nixon</person>
                </persons>
                <language>en</language>
                <description>I&apos;ve been researching English speaking cybercrime for most of my entire career, since long before they started to self-identify as &quot;the com&quot;, and I&apos;m going to discuss the patterns I noticed across more than a decade of work. This stuff has implications for child safety, infosec work, and the wellbeing of the next generation of workers in the infosec industry.</description>
                <recording>
                    <license></license>
                    <optout>false</optout>
                </recording>
                <links></links>
                <attachments></attachments>

                <url>https://pretalx.com/security-bsides-las-vegas-2025/talk/TMTNLQ/</url>
                <feedback_url>https://pretalx.com/security-bsides-las-vegas-2025/talk/TMTNLQ/feedback/</feedback_url>
            </event>
            <event guid='76f63511-6133-59bf-b6c3-24b5a557c83d' id='69506' code='LUY3SR'>
                <room>Florentine A</room>
                <title>My friend Ben: solid employee, DPRK agent</title>
                <subtitle></subtitle>
                <type>Talk-45m</type>
                <date>2025-08-04T14:00:00-07:00</date>
                <start>14:00</start>
                <duration>00:45</duration>
                <abstract>From KBLV in Las Vegas, it&#8217;s This North Korean Life, I&#8217;m your host, Chris Merkel. In today&#8217;s show we have a tale about unlikely international relationships. 

This is a story about a senior software engineer, a farmer, and the complex supply chain funding North Korea&#8217;s weapons programs, operating out of organizations just like yours. We&#8217;ll unpack how the rise of remote work and over-employment schemes created perfect conditions to enrich the Kim regime. Our story unfolds in three acts:

Act I: /r/paycheck: The pandemic and the rise of over-employment schemes.
Act II: My friend Ben: Understanding the threat of workforce infiltration.
Act III: Trust Issues: Helping people bring their authentic selves to work.</abstract>
                <slug>security-bsides-las-vegas-2025-69506-my-friend-ben-solid-employee-dprk-agent</slug>
                <track>Breaking Ground</track>
                
                <persons>
                    <person id='70041'>Chris Merkel</person>
                </persons>
                <language>en</language>
                <description>## Act I: /r/paycheck: The pandemic and the rise of overemployment schemes.
So we had a global pandemic. We all went home. Employers everywhere touted how productive and amazing teams were working remotely. We bought ring lights. We arranged books we never read by color on bookshelves behind our desks. We realized we could get jobs at four different firms simultaneously and outsource our work overseas to four different people. We touched grass and made sourdough loaves. This is where we start our story.

### In this section:
**1. Rational actors and their covert subcontractors.** Discussion of the abuses seen in remote work pre-pandemic, typically through illicit subcontracting, which is still endemic in tech. We&#8217;ll discuss the economics of the incentive model in the world of contractors. This laid the groundwork for various forms of workforce infiltration, including my friend Ben.
**2. Exploit hiring practices with this one weird trick.** We will document the rise of overemployment or job stacking, which exploits weaknesses in typical corporate management styles. The combination of managers&#8217; inability to identify low performers and HR&#8217;s requirements over progressive discipline pretty much guarantees 9-12 months of income for little effort. This realization is not lost on North Korea.


## Act II: My friend Ben: Understanding the threat of workforce infiltration.
*(CFP NOTE: This is a TLP:CLEAR discussion. This part of the talk is where I have to be very careful about how I handle public and nonpublic intel &#8211; there&#8217;s a TLP:RED analogue of this I can&#8217;t give in a venue like bslv. I want to be clear with the committee that everything in this section is the result of direct experience or public intel, and I will be changing some details to prevent jeopardizing ongoing LE operations or revealing information that needs to stay confidential.)*

**1. Meet Ben, senior software engineer.** &#8220;Ben&#8221; is a persona. &#8220;Ben&#8221; has stolen the identity of a real person, including name, address and social security number. I will be highlighting what I know about this persona, including:
a. Common failures in background check and job history reporting.
b. Fabulist resumes that don&#8217;t quite seem too good to be true, but good enough to make him stand out from the crowd.
c. Location discrepancies &#8211; Ben always seems to move right after he gets a job and fills out the payroll paperwork.
d. What Ben&#8217;s like as a co-worker. I discuss how his co-workers and manager saw him as a staff member and teammate. Something was always a bit &#8220;off&#8221; but work was getting done.

**2. Meet Ben, DPRK-affiliated actor.** Ben may have eventually run into issues due to some of his work style quirks, but unbeknownst to him, a team responsible for managing Insider Risk was on the hunt for his workplace predecessors, the subs and stackers.
a. In this section, I&#8217;ll talk about how Ben was found, via technical means used to identify people subcontracting their work, or job stackers who allowed sensitive data to cross outside of organizational boundaries.
b. Once Ben is identified for who he is, my teams made uncovering OSINT about him a full-blown sport. I&#8217;ll describe how we learned more about him, his interests and how we found other alternate identities.

**3. Ben&#8217;s supporting cast:** In this section, I will provide a technical overview of:
a. Laptop farms and how they operate
b. The use of on-shore sketchy datacenters for VPN tunneling
c. The type of people who operate laptop farms and how they&#8217;re recruited.
d. What we learned doing OSINT on a domestic-side farmer who doesn&#8217;t seem to have DPRK-level training in opsec.

**4. So you&#8217;ve met your own Ben, now what?** Safely eradicating DPRK actors. This is where I want to equip people to handle situations like this, based on what I have learned directly and through discussions with industry peers hunting DPRK. This includes equipment bricking and recovery, working with your hapless contract hire firm, and coordinating with internal partners on response.


## Act III: Trust Issues: Helping people bring their authentic selves to work. 
*(This is where I&#8217;m going to switch to direct actions organizations can take to reduce their risk in this space.)*
**1. Hiring, identity proofing, authentication tips.** We will talk about typical processes for establishing a person&#8217;s identity and why most are not strong enough to prevent impersonation. We will discuss ways to improve processes, the cost / friction these methods introduce and how to navigate this in your organization.

**2. Technical indicators:** These are much weaker indicators for DPRK, but can prove valuable in identifying stackers and subs. This includes things like remote access tooling, abnormal collaboration patterns, peer network topologies and hunting for out of band equipment, such as IP-based KVMs.

**3. Presentation wrap-up, attendee to-do list.** This is where I answer the questions like &#8220;where do I get started?&#8221; and &#8220;what are the most effective methods for improving our processes?&#8221; This includes:
a. Equipment shipping logistics red flags
b. Supplier engagement
c. Internal stakeholder education and partnership.</description>
                <recording>
                    <license></license>
                    <optout>false</optout>
                </recording>
                <links></links>
                <attachments></attachments>

                <url>https://pretalx.com/security-bsides-las-vegas-2025/talk/LUY3SR/</url>
                <feedback_url>https://pretalx.com/security-bsides-las-vegas-2025/talk/LUY3SR/feedback/</feedback_url>
            </event>
            <event guid='2929b565-92bf-5ab2-bbf5-a10e0595794c' id='66083' code='REVYEP'>
                <room>Florentine A</room>
                <title>Shedding Light on Web Isolation Technologies and Their Bypass Techniques: C2 Communication via Outlook Using SMTP and IMAP</title>
                <subtitle></subtitle>
                <type>Talk-45m</type>
                <date>2025-08-04T15:00:00-07:00</date>
                <start>15:00</start>
                <duration>00:45</duration>
                <abstract>Web isolation is a technology designed to enhance security. When applied, it allows firewalls to block HTTP/HTTPS traffic from workstations, which are often used by malware for Command and Control (C2) communication. However, does using web isolation completely eliminate all threats to workstations?

In this presentation, I will focus on C2 communication using Outlook to bypass web isolation environments. Since this method does not rely on HTTP/HTTPS communication, it allows for C2 traffic even in web-isolated environments.

While there are malware, threat actors, and attack techniques that use SMTP/IMAP for data exfiltration, these are not as widely recognized compared to HTTP/HTTPS or DNS. This session will introduce malware and threat actors leveraging SMTP/IMAP, alongside a demonstration of a custom tool I developed to abuse Outlook for C2 communication via the SMTP/IMAP protocol.

Furthermore, I will compare this technique to more common reverse shells and explore the detection capabilities of security products, along with examples of detection rules and mitigation strategies.</abstract>
                <slug>security-bsides-las-vegas-2025-66083-shedding-light-on-web-isolation-technologies-and-their-bypass-techniques-c2-communication-via-outlook-using-smtp-and-imap</slug>
                <track>Breaking Ground</track>
                
                <persons>
                    <person id='66822'>Terada Yu</person>
                </persons>
                <language>en</language>
                <description>Web isolation is a technology that enhances security by eliminating the need for workstation HTTP/HTTPS communication. During my experience as a SOC Analyst in a web isolation environment, many alerts were closed due to the blocking of HTTP/HTTPS traffic by firewalls. For instance, typical attacks like macro-enabled Word documents that download malware over HTTP can be entirely blocked by firewalls. This security solution is sometimes used by organizations such as banks, hospitals, and local governments that are large, long-established, and handle sensitive information.

In web isolation environments, one of the few outbound communication methods permitted by firewalls is email. However, tools that leverage email for C2 communication are uncommon, and therefore attract less attention compared to C2 traffic over HTTPS or DNS. As a result, they are sometimes overlooked by security teams and solutions. This presentation will demonstrate a C2 tool that uses email to show a viable threat scenario, even in web-isolated environments.

The presentation will cover the following topics:

1. Web Isolation Technology
- Overview of Web Isolation Technology
- Threats and not threats for web-isolated environments

2. Actors and attack techniques utilizing SMTP/IMAP

- Email collection techniques/Agent Tesla/Emotet/APT28
- C2 Tools which use SMTP/IMAP

3. Introduction and demonstration of the developed tool
- Demo video
- Comparison with general reverse shells
- Detection results of AV/EDR products

4. Detection and mitigation
- Setting to prevent this attack
- Sigma rule and Splunk, Elastic, and EDR solutions</description>
                <recording>
                    <license></license>
                    <optout>false</optout>
                </recording>
                <links></links>
                <attachments></attachments>

                <url>https://pretalx.com/security-bsides-las-vegas-2025/talk/REVYEP/</url>
                <feedback_url>https://pretalx.com/security-bsides-las-vegas-2025/talk/REVYEP/feedback/</feedback_url>
            </event>
            <event guid='7005d26f-4877-5ad3-8b4a-6adf4245c6e8' id='68516' code='EMFVKN'>
                <room>Florentine A</room>
                <title>The (Un)Rightful Heir: My dMSA Is Your New Domain Admin</title>
                <subtitle></subtitle>
                <type>Talk-45m</type>
                <date>2025-08-04T17:00:00-07:00</date>
                <start>17:00</start>
                <duration>00:45</duration>
                <abstract>Delegated Managed Service Accounts (dMSA) are a new type of account introduced in Windows Server 2025. Their primary goal was to improve the security of domain environments. As it turns out, that didn&#8217;t go so well.

In this talk, we introduce **BadSuccessor** - an attack that abuses dMSAs to escalate privileges in Active Directory. Crucially, the attack works even if your domain doesn&#8217;t use dMSAs at all.

We&#8217;ll demonstrate how a very common, and seemingly benign, permission in Active Directory can allow an attacker to trick a Domain Controller into issuing a Kerberos ticket for *any* principal - including Domain Admins and Domain Controllers. Then we&#8217;ll take it a step further, showing how the same technique can be used to obtain the NTLM hash of every user in the domain - without ever touching the domain controller.

We&#8217;ll walk through how we found this attack, how it works, and its potential impact on AD environments. You&#8217;ll leave with detection tips, mitigation ideas, and a new appreciation for obscure AD attributes that can punch far above their weight.</abstract>
                <slug>security-bsides-las-vegas-2025-68516-the-un-rightful-heir-my-dmsa-is-your-new-domain-admin</slug>
                <track>Breaking Ground</track>
                
                <persons>
                    <person id='69094'>Yuval Gordon</person>
                </persons>
                <language>en</language>
                <description>This research started as a curiosity: how do delegated Managed Service Accounts (dMSAs) really work under the hood in Windows Server 2025? What began as a weekend project led to the discovery of a novel attack path.

The talk introduces BadSuccessor, an attack technique that lets an attacker get the permissions of any user, including Domain Admins or Domain Controllers, and retrieve their Kerberos keys - all by using a newly created dMSA. No existing dMSAs needed, no membership changes, and no alterations to the legitimate account.

We&#8217;ll go through the discovery process, what dMSAs are, how migration from an old service account to a dMSA works, and how this logic can be used to get privileged tickets. We&#8217;ll also share practical detection ideas, plus pre- and post-exploitation tips for both red and blue teams.

Live demos will be pre-recorded for reliability. The goal is to make every part of the technique clear and repeatable for defenders, researchers, and red teamers alike.

Whitepaper: https://docs.google.com/document/d/1ac4qRSgVrFSCnQrBbgj-6VscOKU5mtIIVYEVjdbIzrY/edit?usp=sharing</description>
                <recording>
                    <license></license>
                    <optout>false</optout>
                </recording>
                <links></links>
                <attachments></attachments>

                <url>https://pretalx.com/security-bsides-las-vegas-2025/talk/EMFVKN/</url>
                <feedback_url>https://pretalx.com/security-bsides-las-vegas-2025/talk/EMFVKN/feedback/</feedback_url>
            </event>
            <event guid='4b89005d-4351-5720-be77-d10318eb5133' id='67691' code='LBQDEB'>
                <room>Florentine A</room>
                <title>Detecting, Deobfuscating, and Preventing Obfuscated Script Execution with Tree-sitter</title>
                <subtitle></subtitle>
                <type>Talk-45m</type>
                <date>2025-08-04T18:00:00-07:00</date>
                <start>18:00</start>
                <duration>00:45</duration>
                <abstract>The malicious obfuscation of code from scripting languages, such as PowerShell, Python, and JavaScript, continues to be used as an essential part of threat actors&apos; toolkits. Obfuscation techniques hamper analysts&apos; ability to investigate and respond quickly to compromises by complicating reverse engineering of the original script and pose significant challenges to scanning engines, such as Yara, that rely on byte-based pattern recognition.

Windows&apos; built-in defense mechanisms, notably the built-in Antimalware Scanning Interface (AMSI) DLLs, struggle to detect these obfuscations, allowing for trivial bypasses of the AMSI subsystem via relatively simple obfuscations. AMSI bypass tools and techniques are routinely deployed by obfuscated code as part of their infection chain.

The tree-sitter parsing library opens new avenues for detection and analysis by providing an API that allows developers to interact programmatically with a script&apos;s syntax tree. This talk will showcase new techniques for rapidly detecting, analyzing, and preventing infections, culminating with the demonstration of a custom AMSI provider DLL that can deobfuscate, block, and log obfuscated PowerShell payloads. These demonstrations will showcase successful, automated detection of AMSI bypass attempts from the r77 rootkit and the nishang offensive PowerShell framework, and payloads obfuscated with Invoke-Obfuscation.</abstract>
                <slug>security-bsides-las-vegas-2025-67691-detecting-deobfuscating-and-preventing-obfuscated-script-execution-with-tree-sitter</slug>
                <track>Breaking Ground</track>
                
                <persons>
                    <person id='68354'>David McDonald</person>
                </persons>
                <language>en</language>
                <description>The research in this talk has been developed over the past year and a half, and I presented early iterations of this research at BSides SATX and BSides Austin in 2024. The basic premise behind it is that tree-sitter provides a unified API through which we can parse, query, traverse, and manipulate syntax trees in a plethora of different languages, allowing us to develop new kinds of scanning engines and deobfuscation toolkits. This talk greatly expands upon that research with the inclusion of a from-scratch AMSI provider DLL written in Rust that preprocesses obfuscated PowerShell scripts and can be configured to either block script execution entirely or to pass the deobfuscated results up the chain for further scanning by other providers on the system. This new AMSI provider also implements a custom Event Tracing for Windows (ETW) trace logging provider that logs the deobfuscated contents, allowing threat hunters and incident responders to have an instantaneous look at the deobfuscated script contents that takes script block logging to an entirely new level. This AMSI provider and its associated research has not been discussed or shown at any other conference, and BSidesLV will be the first public demonstration and discussion of it, if the talk were to be accepted.</description>
                <recording>
                    <license></license>
                    <optout>false</optout>
                </recording>
                <links></links>
                <attachments></attachments>

                <url>https://pretalx.com/security-bsides-las-vegas-2025/talk/LBQDEB/</url>
                <feedback_url>https://pretalx.com/security-bsides-las-vegas-2025/talk/LBQDEB/feedback/</feedback_url>
            </event>
            
        </room>
        <room name='Florentine B' guid='f4e24dcc-c641-525d-94af-c24ffea19bf6'>
            <event guid='90443b22-5327-56d3-a01c-630d1e369421' id='68795' code='NDRTXH'>
                <room>Florentine B</room>
                <title>From Help Desk to CISO</title>
                <subtitle></subtitle>
                <type>Talk-45m</type>
                <date>2025-08-04T10:00:00-07:00</date>
                <start>10:00</start>
                <duration>00:45</duration>
                <abstract>This talk explores cyber career pathways and draws from the personal journey of Nicholas Carroll, who started his career in entry level IT and ascended to the role of a CISO. We will delve into the challenges and opportunities that shape these kinds of career progressions, providing a roadmap for those starting in entry-level IT roles and aspiring to advanced cybersecurity positions. The talk will highlight the importance of continuous learning, certifications, and hands-on experience in climbing the career ladder. We will also discuss tools to help guide career steps including the Cyber Career Pathways Tool, a resource that helps individuals understand the tasks, knowledge, and skills needed to advance in their cyber careers. Attendees will gain valuable insights into transitioning from roles like IT Helpdesk to more specialized cybersecurity roles, and ultimately to leadership positions like CISO. The talk will conclude with practical recommendations for those looking to move up in their careers, emphasizing the importance of mentorship, networking, and staying abreast of the latest trends in cybersecurity.</abstract>
                <slug>security-bsides-las-vegas-2025-68795-from-help-desk-to-ciso</slug>
                <track>Hire Ground</track>
                
                <persons>
                    <person id='69333'>Nicholas Carroll</person>
                </persons>
                <language>en</language>
                <description>In the rapidly evolving field of cybersecurity, the journey from an entry-level IT role to a leadership position like Chief Information Security Officer (CISO) can be both challenging and rewarding. This talk, inspired by the career trajectory of Nicholas Carroll, a CISM certified Cybersecurity Instructor and former CISO, aims to provide a roadmap for those aspiring to climb the cybersecurity career ladder.

The talk will begin with an overview of Nicholas Carroll&apos;s career, highlighting his transition from an IT Helpdesk role to a CISO. The talk will also highlight how skills gained outside of IT and cyber can help translate to success in technical fields whether it be troubleshooting as a mechanic, customer service skills in retail, and beyond. This real-life example will serve as a testament to the possibilities that exist within the field of cybersecurity, demonstrating that with dedication, continuous learning, and the right opportunities, one can rise from an entry-level position to a leadership role.

One of the key takeaways from this talk will be the importance of continuous learning and certifications in advancing one&apos;s career. Staying up-to-date with the latest trends, technologies, and threats is crucial. Certifications like CompTIA Security+, Certified Information Systems Security Professional (CISSP), and Certified Information Security Manager (CISM) not only validate one&apos;s skills but also open doors to new opportunities. We&#8217;ll also discuss the pitfalls and limitations of certifications and how to balance the pursuit of continuous education in cost effective ways throughout a career.

The talk will delve into career guidance toolsets including the Cyber Career Pathways Tool, a resource developed by the Cybersecurity and Infrastructure Security Agency (CISA). This tool helps individuals understand the tasks, knowledge, and skills they need to advance in their cyber careers. It provides a clear roadmap for progression, from entry-level roles to intermediate and advanced positions.
Another major takeaway will be the importance of hands-on experience. While theoretical knowledge is important, practical experience is what truly sets one apart. Attendees will learn about the value of internships, co-op programs, and entry-level positions in gaining this experience, especially in a time when it feels like even entry-level cyber jobs require years of experience. They will also learn about the role of projects and contributions to open-source platforms in demonstrating their skills to potential employers and ways to highlight experience outside of cyber in ways that can translate to success in cyber career pathways.

The talk will also emphasize the importance of soft skills in advancing one&apos;s career. As one moves up the ladder, skills like communication, leadership, and strategic thinking become increasingly important. Drawing from Nicholas Carroll&apos;s experience, the talk will provide tips on how to develop these skills and use them to influence decision-making and drive cybersecurity initiatives within an organization.
The talk will conclude with practical recommendations for those looking to move up in their careers. Attendees will learn about the importance of mentorship and networking in opening doors to new opportunities. They will also gain insights into how to navigate the challenges that come with transitioning to new roles, and how to position themselves for leadership positions, even if they&#8217;re just starting out.

In summary, &quot;From Help Desk to CISO&quot; is a comprehensive guide for anyone looking to advance their career in cybersecurity. Attendees will leave with a clear understanding of the steps they can take to move up the career ladder, and the tools and resources they can leverage to achieve their career goals.</description>
                <recording>
                    <license></license>
                    <optout>false</optout>
                </recording>
                <links></links>
                <attachments></attachments>

                <url>https://pretalx.com/security-bsides-las-vegas-2025/talk/NDRTXH/</url>
                <feedback_url>https://pretalx.com/security-bsides-las-vegas-2025/talk/NDRTXH/feedback/</feedback_url>
            </event>
            <event guid='3085b4c7-671e-5fdb-857a-6323053f0f2d' id='68785' code='7RCPG9'>
                <room>Florentine B</room>
                <title>Hack Your Network: Career Connections for Cyber Pros</title>
                <subtitle></subtitle>
                <type>Talk-20m</type>
                <date>2025-08-04T11:00:00-07:00</date>
                <start>11:00</start>
                <duration>00:20</duration>
                <abstract>Networking is an essential skill for cybersecurity professionals looking to advance their careers. In an industry as fast-paced and constantly evolving as cybersecurity, building meaningful relationships can open doors to job opportunities, mentorship, and knowledge exchange. This session will provide participants with practical strategies for networking both online and in person, focusing on how to make the most of industry events like BSides, leverage platforms like LinkedIn, and approach networking with a focus on relationship building rather than self-promotion. Whether you&apos;re new to the field or a seasoned professional, this session will help you strengthen your professional network and boost your career.</abstract>
                <slug>security-bsides-las-vegas-2025-68785-hack-your-network-career-connections-for-cyber-pros</slug>
                <track>Hire Ground</track>
                
                <persons>
                    <person id='69323'>Heather Morris</person>
                </persons>
                <language>en</language>
                <description>In the competitive world of cybersecurity, building a professional network is more than just a nice-to-have&#8212;it&#8217;s essential for career growth. While many professionals understand the importance of networking, they often focus too much on self-promotion rather than relationship-building. This session will focus on how to approach networking with authenticity, with the goal of building genuine connections that can lead to future job opportunities, collaborations, and career advancement.
Participants will learn about the best practices for networking at events like BSides, where like-minded cybersecurity professionals gather to share knowledge and forge new relationships. Attendees will also explore strategies for using LinkedIn and other social media platforms to connect with industry leaders, while maintaining an authentic and helpful presence online.
Mentorship plays a crucial role in career development, and this session will guide participants on how to find a mentor, engage in meaningful mentor-mentee relationships, and benefit from those connections. The session will also discuss the long-term nature of networking, emphasizing how to stay engaged with your professional network over time and continue adding value to others&#8217; careers.
By the end of the session, participants will walk away with actionable tips for building and maintaining a strong professional network that supports their growth as cybersecurity professionals.</description>
                <recording>
                    <license></license>
                    <optout>false</optout>
                </recording>
                <links></links>
                <attachments></attachments>

                <url>https://pretalx.com/security-bsides-las-vegas-2025/talk/7RCPG9/</url>
                <feedback_url>https://pretalx.com/security-bsides-las-vegas-2025/talk/7RCPG9/feedback/</feedback_url>
            </event>
            <event guid='3bec99fc-dcd8-5d53-bd2b-11f72398e451' id='74525' code='DQZHHX'>
                <room>Florentine B</room>
                <title>Hire Ground Resume Reviews, Monday Lunch Break</title>
                <subtitle></subtitle>
                <type>Event1HR</type>
                <date>2025-08-04T13:00:00-07:00</date>
                <start>13:00</start>
                <duration>01:00</duration>
                <abstract>Hire Ground Resume Reviews, Monday Lunch Break</abstract>
                <slug>security-bsides-las-vegas-2025-74525-hire-ground-resume-reviews-monday-lunch-break</slug>
                <track>Hire Ground</track>
                
                <persons>
                    
                </persons>
                <language>en</language>
                <description>Hire Ground Resume Reviews, Monday Lunch Break</description>
                <recording>
                    <license></license>
                    <optout>false</optout>
                </recording>
                <links></links>
                <attachments></attachments>

                <url>https://pretalx.com/security-bsides-las-vegas-2025/talk/DQZHHX/</url>
                <feedback_url>https://pretalx.com/security-bsides-las-vegas-2025/talk/DQZHHX/feedback/</feedback_url>
            </event>
            <event guid='62cae080-396a-52ad-b244-0de3e3c07017' id='70089' code='8BKV37'>
                <room>Florentine B</room>
                <title>Where&#8217;s Waldo? Why Recruiters Can&#8217;t Find You (and What To Do About It)</title>
                <subtitle></subtitle>
                <type>Talk-45m</type>
                <date>2025-08-04T14:00:00-07:00</date>
                <start>14:00</start>
                <duration>00:45</duration>
                <abstract>You&#8217;ve done the work but still feel invisible. In this interactive experience, you&#8217;ll take on the role of a recruiter and help decide who gets contacted and who gets skipped. We&#8217;ll run live sourcing examples, review anonymized profiles, and break down what actually makes someone stand out. This is not a lecture. It&#8217;s a hands-on session shaped by the audience that shows how hiring really works and how to stop blending in.</abstract>
                <slug>security-bsides-las-vegas-2025-70089-where-s-waldo-why-recruiters-can-t-find-you-and-what-to-do-about-it</slug>
                <track>Hire Ground</track>
                
                <persons>
                    <person id='70487'>Ricki Burke</person>
                </persons>
                <language>en</language>
                <description>This is not a presentation. It&#8217;s a live, practical experience where the audience drives the session and learns by doing.

Attendees will step into the recruiter&#8217;s seat and experience what it&#8217;s like to search for cybersecurity talent. I&#8217;ll run a real-time LinkedIn search using a job title and location chosen by the audience. We&#8217;ll review the profiles that show up, vote on who stands out, and talk through what worked and what didn&#8217;t. Along the way, I&#8217;ll explain how recruiters actually search using filters, keywords, and shortcuts most people never see.

Most professionals don&#8217;t realise how easy it is to be invisible. They&#8217;ve got solid experience, but their titles are unclear, their profiles don&#8217;t reflect how hiring teams think, and they&#8217;re missing the signals that matter. This session is designed to close that gap.

We&#8217;ll also run a live fix challenge using real profiles. It&#8217;s honest, interactive, and focused on action. The goal is for people to walk out of the room saying, &#8220;Now I understand what&#8217;s missing and how to fix it.&#8221;
I&#8217;ve spent over 9 years in cybersecurity recruitment, helping companies hire and helping people get hired. This session brings that experience to life in a way that is engaging, direct, and built for real impact.</description>
                <recording>
                    <license></license>
                    <optout>false</optout>
                </recording>
                <links></links>
                <attachments></attachments>

                <url>https://pretalx.com/security-bsides-las-vegas-2025/talk/8BKV37/</url>
                <feedback_url>https://pretalx.com/security-bsides-las-vegas-2025/talk/8BKV37/feedback/</feedback_url>
            </event>
            <event guid='699bf1aa-4217-518f-8d96-e54645b87cd9' id='68754' code='SWUABJ'>
                <room>Florentine B</room>
                <title>Craps, Clout, and Career Chaos: The Game They Forgot to Explain</title>
                <subtitle></subtitle>
                <type>Talk-45m</type>
                <date>2025-08-04T15:00:00-07:00</date>
                <start>15:00</start>
                <duration>00:45</duration>
                <abstract>Place your bets&#8212;building a cybersecurity career can feel a lot like playing craps: fast-paced, unpredictable, and full of moments where you&apos;re not totally sure if you&apos;re winning or just delaying disaster.

In this refreshingly honest session, a seasoned cybersecurity senior manager and a battle-tested CISO team up for a tag-team talk that&#8217;s part strategy guide, part war story, and career advice no one ever gives you. Drawing from two very different vantage points&#8212;the war zone of middle management and the executive-level boardroom&#8212;we&#8217;ll roll through our Top Career Tips, learned the hard way at every level of the security stack.

Expect:
- Real talk on what works (and what totally backfires)
- Stories of failure, growth, and awkward promotion conversations
- Tangible advice you can use to stand out, speak up, and move up
- A few laughs, a few scars, and absolutely no corporate buzzword bingo

Whether you&#8217;re just starting out, stuck in the middle, or trying to make the leap to executive leadership, we&#8217;ll help you figure out how to play the game without losing your chips&#8212;or your sanity.</abstract>
                <slug>security-bsides-las-vegas-2025-68754-craps-clout-and-career-chaos-the-game-they-forgot-to-explain</slug>
                <track>Hire Ground</track>
                
                <persons>
                    <person id='69300'>Nicole Beckwith</person><person id='69303'>Jake Lorz</person>
                </persons>
                <language>en</language>
                <description>In cybersecurity, career growth is more than just technical skill&#8212;it&#8217;s about communication, visibility, and learning how to navigate organizational structures and politics. This dual-perspective presentation brings together the candid insights of a cybersecurity senior manager and a CISO, reflecting on the parallel (and sometimes diverging) paths they&#8217;ve taken.
We will give real advice, honest stories of missteps, unexpected opportunities, and lessons learned the hard way. We&#8217;ll explore what it really takes to move forward in your cybersecurity career&#8212;from gaining trust and visibility to aligning with leadership&#8217;s expectations. Attendees will leave with actionable strategies for getting noticed, getting promoted, and making the leap from &#8220;getting the job done&#8221; to driving real influence.</description>
                <recording>
                    <license></license>
                    <optout>false</optout>
                </recording>
                <links></links>
                <attachments></attachments>

                <url>https://pretalx.com/security-bsides-las-vegas-2025/talk/SWUABJ/</url>
                <feedback_url>https://pretalx.com/security-bsides-las-vegas-2025/talk/SWUABJ/feedback/</feedback_url>
            </event>
            <event guid='de693fa2-c63f-5293-86c5-2ae34c576e30' id='73245' code='PERW8U'>
                <room>Florentine B</room>
                <title>Hire Ground Resume Reviews, Monday Evening</title>
                <subtitle></subtitle>
                <type>Event1HR</type>
                <date>2025-08-04T16:00:00-07:00</date>
                <start>16:00</start>
                <duration>00:50</duration>
                <abstract>Free resume reviews in Hire Ground.</abstract>
                <slug>security-bsides-las-vegas-2025-73245-hire-ground-resume-reviews-monday-evening</slug>
                <track>Hire Ground</track>
                
                <persons>
                    
                </persons>
                <language>en</language>
                <description>Free resume reviews in Hire Ground.</description>
                <recording>
                    <license></license>
                    <optout>false</optout>
                </recording>
                <links></links>
                <attachments></attachments>

                <url>https://pretalx.com/security-bsides-las-vegas-2025/talk/PERW8U/</url>
                <feedback_url>https://pretalx.com/security-bsides-las-vegas-2025/talk/PERW8U/feedback/</feedback_url>
            </event>
            <event guid='49fe961d-edea-57d3-bc27-1d0ffa56830e' id='70714' code='TQDBBE'>
                <room>Florentine B</room>
                <title>Hire Ground Mixer, Monday</title>
                <subtitle></subtitle>
                <type>Event2HR</type>
                <date>2025-08-04T17:00:00-07:00</date>
                <start>17:00</start>
                <duration>01:50</duration>
                <abstract>Hire Ground Mixer, Monday</abstract>
                <slug>security-bsides-las-vegas-2025-70714-hire-ground-mixer-monday</slug>
                <track>Hire Ground</track>
                
                <persons>
                    
                </persons>
                <language>en</language>
                <description>Hire Ground Mixer, Monday</description>
                <recording>
                    <license></license>
                    <optout>false</optout>
                </recording>
                <links></links>
                <attachments></attachments>

                <url>https://pretalx.com/security-bsides-las-vegas-2025/talk/TQDBBE/</url>
                <feedback_url>https://pretalx.com/security-bsides-las-vegas-2025/talk/TQDBBE/feedback/</feedback_url>
            </event>
            
        </room>
        <room name='Florentine C+D' guid='5ea518ba-0e31-520d-a27c-d324426284e8'>
            <event guid='21f4b86b-49be-5719-89c9-0561a57e03af' id='70682' code='SJHWP9'>
                <room>Florentine C+D</room>
                <title>Silent Auction Opens, Monday</title>
                <subtitle></subtitle>
                <type>Event1HR</type>
                <date>2025-08-04T08:30:00-07:00</date>
                <start>08:30</start>
                <duration>00:00</duration>
                <abstract>Silent Auction Opens</abstract>
                <slug>security-bsides-las-vegas-2025-70682-silent-auction-opens-monday</slug>
                <track>Middle Ground</track>
                
                <persons>
                    
                </persons>
                <language>en</language>
                <description>Silent Auction Opens</description>
                <recording>
                    <license></license>
                    <optout>false</optout>
                </recording>
                <links></links>
                <attachments></attachments>

                <url>https://pretalx.com/security-bsides-las-vegas-2025/talk/SJHWP9/</url>
                <feedback_url>https://pretalx.com/security-bsides-las-vegas-2025/talk/SJHWP9/feedback/</feedback_url>
            </event>
            <event guid='09276228-81f4-5513-aa3f-9122e7723beb' id='70677' code='MU7LC8'>
                <room>Florentine C+D</room>
                <title>Middle Ground Opens, Monday</title>
                <subtitle></subtitle>
                <type>Event1HR</type>
                <date>2025-08-04T08:30:00-07:00</date>
                <start>08:30</start>
                <duration>00:00</duration>
                <abstract>Middle Ground Opens</abstract>
                <slug>security-bsides-las-vegas-2025-70677-middle-ground-opens-monday</slug>
                <track>Middle Ground</track>
                
                <persons>
                    
                </persons>
                <language>en</language>
                <description>Middle Ground Opens</description>
                <recording>
                    <license></license>
                    <optout>false</optout>
                </recording>
                <links></links>
                <attachments></attachments>

                <url>https://pretalx.com/security-bsides-las-vegas-2025/talk/MU7LC8/</url>
                <feedback_url>https://pretalx.com/security-bsides-las-vegas-2025/talk/MU7LC8/feedback/</feedback_url>
            </event>
            <event guid='71357ffc-3466-5a7c-bc87-42c53e5f0c84' id='70694' code='MYMQJY'>
                <room>Florentine C+D</room>
                <title>Morning Talks, Monday</title>
                <subtitle></subtitle>
                <type>Talk-45m</type>
                <date>2025-08-04T10:00:00-07:00</date>
                <start>10:00</start>
                <duration>01:30</duration>
                <abstract>Morning Talks, Monday</abstract>
                <slug>security-bsides-las-vegas-2025-70694-morning-talks-monday</slug>
                <track>Middle Ground</track>
                
                <persons>
                    
                </persons>
                <language>en</language>
                <description>Morning Talks, Monday</description>
                <recording>
                    <license></license>
                    <optout>false</optout>
                </recording>
                <links></links>
                <attachments></attachments>

                <url>https://pretalx.com/security-bsides-las-vegas-2025/talk/MYMQJY/</url>
                <feedback_url>https://pretalx.com/security-bsides-las-vegas-2025/talk/MYMQJY/feedback/</feedback_url>
            </event>
            <event guid='5eede572-de37-5eb9-9bdc-429474d74ebc' id='70698' code='TTNWHR'>
                <room>Florentine C+D</room>
                <title>Lunch Break, Monday</title>
                <subtitle></subtitle>
                <type>Event1HR</type>
                <date>2025-08-04T12:30:00-07:00</date>
                <start>12:30</start>
                <duration>01:30</duration>
                <abstract>Lunch, Monday</abstract>
                <slug>security-bsides-las-vegas-2025-70698-lunch-break-monday</slug>
                <track>Middle Ground</track>
                
                <persons>
                    
                </persons>
                <language>en</language>
                <description>Lunch, Monday</description>
                <recording>
                    <license></license>
                    <optout>false</optout>
                </recording>
                <links></links>
                <attachments></attachments>

                <url>https://pretalx.com/security-bsides-las-vegas-2025/talk/TTNWHR/</url>
                <feedback_url>https://pretalx.com/security-bsides-las-vegas-2025/talk/TTNWHR/feedback/</feedback_url>
            </event>
            <event guid='d0421db3-65ac-580e-b619-1ba8beb01ce1' id='70729' code='99CFPY'>
                <room>Florentine C+D</room>
                <title>Afternoon Talks, Monday</title>
                <subtitle></subtitle>
                <type>Talk-45m</type>
                <date>2025-08-04T14:00:00-07:00</date>
                <start>14:00</start>
                <duration>02:00</duration>
                <abstract>Afternoon Talks, Monday</abstract>
                <slug>security-bsides-las-vegas-2025-70729-afternoon-talks-monday</slug>
                <track>Middle Ground</track>
                
                <persons>
                    
                </persons>
                <language>en</language>
                <description>Afternoon Talks, Monday</description>
                <recording>
                    <license></license>
                    <optout>false</optout>
                </recording>
                <links></links>
                <attachments></attachments>

                <url>https://pretalx.com/security-bsides-las-vegas-2025/talk/99CFPY/</url>
                <feedback_url>https://pretalx.com/security-bsides-las-vegas-2025/talk/99CFPY/feedback/</feedback_url>
            </event>
            <event guid='f34ec74e-4438-52b6-a6d6-cc4debde6e2a' id='70688' code='ENKCZH'>
                <room>Florentine C+D</room>
                <title>PvJ CTF Play Ends, Monday</title>
                <subtitle></subtitle>
                <type>Event1HR</type>
                <date>2025-08-04T16:00:00-07:00</date>
                <start>16:00</start>
                <duration>00:00</duration>
                <abstract>PvJ CTF Play Ends, Monday</abstract>
                <slug>security-bsides-las-vegas-2025-70688-pvj-ctf-play-ends-monday</slug>
                <track>Events</track>
                
                <persons>
                    
                </persons>
                <language>en</language>
                <description>PvJ CTF Play Ends, Monday</description>
                <recording>
                    <license></license>
                    <optout>false</optout>
                </recording>
                <links></links>
                <attachments></attachments>

                <url>https://pretalx.com/security-bsides-las-vegas-2025/talk/ENKCZH/</url>
                <feedback_url>https://pretalx.com/security-bsides-las-vegas-2025/talk/ENKCZH/feedback/</feedback_url>
            </event>
            <event guid='b39319d3-a801-577d-8677-5851b27200ce' id='70705' code='RZC7FH'>
                <room>Florentine C+D</room>
                <title>Happy Hour, Monday</title>
                <subtitle></subtitle>
                <type>Event1HR</type>
                <date>2025-08-04T16:00:00-07:00</date>
                <start>16:00</start>
                <duration>01:00</duration>
                <abstract>Happy Hour, Monday</abstract>
                <slug>security-bsides-las-vegas-2025-70705-happy-hour-monday</slug>
                <track>Events</track>
                
                <persons>
                    
                </persons>
                <language>en</language>
                <description>Happy Hour, Monday</description>
                <recording>
                    <license></license>
                    <optout>false</optout>
                </recording>
                <links></links>
                <attachments></attachments>

                <url>https://pretalx.com/security-bsides-las-vegas-2025/talk/RZC7FH/</url>
                <feedback_url>https://pretalx.com/security-bsides-las-vegas-2025/talk/RZC7FH/feedback/</feedback_url>
            </event>
            <event guid='c9119775-79ee-524a-a163-e0fadc3241cc' id='70706' code='GH7XDX'>
                <room>Florentine C+D</room>
                <title>PvJ CTF Hotwash, Monday</title>
                <subtitle></subtitle>
                <type>Event1HR</type>
                <date>2025-08-04T17:00:00-07:00</date>
                <start>17:00</start>
                <duration>00:30</duration>
                <abstract>PvJ Hotwash, Monday</abstract>
                <slug>security-bsides-las-vegas-2025-70706-pvj-ctf-hotwash-monday</slug>
                <track>Events</track>
                
                <persons>
                    
                </persons>
                <language>en</language>
                <description>PvJ Hotwash, Monday</description>
                <recording>
                    <license></license>
                    <optout>false</optout>
                </recording>
                <links></links>
                <attachments></attachments>

                <url>https://pretalx.com/security-bsides-las-vegas-2025/talk/GH7XDX/</url>
                <feedback_url>https://pretalx.com/security-bsides-las-vegas-2025/talk/GH7XDX/feedback/</feedback_url>
            </event>
            <event guid='1a5b5e7c-3130-5572-857b-ea3f2fd8fb29' id='70731' code='GYHBD3'>
                <room>Florentine C+D</room>
                <title>Evening Talks, Monday</title>
                <subtitle></subtitle>
                <type>Talk-45m</type>
                <date>2025-08-04T17:00:00-07:00</date>
                <start>17:00</start>
                <duration>02:00</duration>
                <abstract>Evening Talks, Monday</abstract>
                <slug>security-bsides-las-vegas-2025-70731-evening-talks-monday</slug>
                <track>Middle Ground</track>
                
                <persons>
                    
                </persons>
                <language>en</language>
                <description>Evening Talks, Monday</description>
                <recording>
                    <license></license>
                    <optout>false</optout>
                </recording>
                <links></links>
                <attachments></attachments>

                <url>https://pretalx.com/security-bsides-las-vegas-2025/talk/GYHBD3/</url>
                <feedback_url>https://pretalx.com/security-bsides-las-vegas-2025/talk/GYHBD3/feedback/</feedback_url>
            </event>
            <event guid='2aacfdd1-3ded-56a6-85d8-2ab7cb19854d' id='70679' code='JSGWHZ'>
                <room>Florentine C+D</room>
                <title>Middle Ground Closes, Monday</title>
                <subtitle></subtitle>
                <type>Event1HR</type>
                <date>2025-08-04T19:00:00-07:00</date>
                <start>19:00</start>
                <duration>00:00</duration>
                <abstract>Middle Ground Closes, Monday</abstract>
                <slug>security-bsides-las-vegas-2025-70679-middle-ground-closes-monday</slug>
                <track>Middle Ground</track>
                
                <persons>
                    
                </persons>
                <language>en</language>
                <description>Middle Ground Closes, Monday</description>
                <recording>
                    <license></license>
                    <optout>false</optout>
                </recording>
                <links></links>
                <attachments></attachments>

                <url>https://pretalx.com/security-bsides-las-vegas-2025/talk/JSGWHZ/</url>
                <feedback_url>https://pretalx.com/security-bsides-las-vegas-2025/talk/JSGWHZ/feedback/</feedback_url>
            </event>
            <event guid='35e31ec9-ed68-58e1-b4f0-0d6fda4441ac' id='66871' code='E7XWHB'>
                <room>Florentine C+D</room>
                <title>WhoAmI.exe - Can You Find The Threat?</title>
                <subtitle></subtitle>
                <type>Training-4h</type>
                <date>2025-08-04T19:00:00-07:00</date>
                <start>19:00</start>
                <duration>03:00</duration>
                <abstract>Have you ever attended a murder mystery dinner or tackled an escape room challenge? This role-action training session brings the same excitement, strategy, and deception into a hands-on tabletop experience.
Are you ready to solve the case?</abstract>
                <slug>security-bsides-las-vegas-2025-66871-whoami-exe-can-you-find-the-threat</slug>
                <track>Events</track>
                
                <persons>
                    <person id='67034'>Reanna Schultz</person><person id='74629'>Joshua Mason</person>
                </persons>
                <language>en</language>
                <description>Welcome to a high-stakes game of deception, deduction, and discovery! In this thrilling mystery-style tabletop experience, players take on unique character roles within a large corporation. The main characters include the CEO, IT Technician, CISO, Senior Analyst, and the intern. Each character has a profile that holds their own secrets, motives, and hidden agendas. As the tension builds, each group will work together, or scheme against each other, to uncover the insider threat before it&#8217;s too late.

Designed for 4-8 players per group, this immersive game challenges participants to analyze clues, interrogate suspects, and piece together the puzzle. Trust no one, question everything, and be prepared for unexpected twists, because in this game, the truth is never what it seems.

Do you have what it takes to unmask the insider?</description>
                <recording>
                    <license></license>
                    <optout>false</optout>
                </recording>
                <links></links>
                <attachments></attachments>

                <url>https://pretalx.com/security-bsides-las-vegas-2025/talk/E7XWHB/</url>
                <feedback_url>https://pretalx.com/security-bsides-las-vegas-2025/talk/E7XWHB/feedback/</feedback_url>
            </event>
            <event guid='70ce073a-d8b8-5569-9979-94215654d360' id='78178' code='LTVBTF'>
                <room>Florentine C+D</room>
                <title>Silent Auction Closes, Monday</title>
                <subtitle></subtitle>
                <type>Event1HR</type>
                <date>2025-08-04T19:00:00-07:00</date>
                <start>19:00</start>
                <duration>00:00</duration>
                <abstract>Silent Auction Closes</abstract>
                <slug>security-bsides-las-vegas-2025-78178-silent-auction-closes-monday</slug>
                <track>Middle Ground</track>
                
                <persons>
                    
                </persons>
                <language>en</language>
                <description>Silent Auction Closes</description>
                <recording>
                    <license></license>
                    <optout>false</optout>
                </recording>
                <links></links>
                <attachments></attachments>

                <url>https://pretalx.com/security-bsides-las-vegas-2025/talk/LTVBTF/</url>
                <feedback_url>https://pretalx.com/security-bsides-las-vegas-2025/talk/LTVBTF/feedback/</feedback_url>
            </event>
            <event guid='d5604c93-617f-55fa-b0e2-32c8fbd4fe45' id='70707' code='EKFALC'>
                <room>Florentine C+D</room>
                <title>Board Game Night</title>
                <subtitle></subtitle>
                <type>Event2HR</type>
                <date>2025-08-04T19:00:00-07:00</date>
                <start>19:00</start>
                <duration>03:00</duration>
                <abstract>Board Game Night</abstract>
                <slug>security-bsides-las-vegas-2025-70707-board-game-night</slug>
                <track>Events</track>
                
                <persons>
                    
                </persons>
                <language>en</language>
                <description>Board Game Night</description>
                <recording>
                    <license></license>
                    <optout>false</optout>
                </recording>
                <links></links>
                <attachments></attachments>

                <url>https://pretalx.com/security-bsides-las-vegas-2025/talk/EKFALC/</url>
                <feedback_url>https://pretalx.com/security-bsides-las-vegas-2025/talk/EKFALC/feedback/</feedback_url>
            </event>
            <event guid='8e612efc-6f6a-5557-bd2b-97359d4e7ff3' id='70710' code='FFUHZJ'>
                <room>Florentine C+D</room>
                <title>BSLV Volunteer Reception</title>
                <subtitle></subtitle>
                <type>Event2HR</type>
                <date>2025-08-04T20:00:00-07:00</date>
                <start>20:00</start>
                <duration>02:00</duration>
                <abstract>BSLV Volunteer Reception</abstract>
                <slug>security-bsides-las-vegas-2025-70710-bslv-volunteer-reception</slug>
                <track>Events</track>
                
                <persons>
                    
                </persons>
                <language>en</language>
                <description>BSLV Volunteer Reception</description>
                <recording>
                    <license></license>
                    <optout>false</optout>
                </recording>
                <links></links>
                <attachments></attachments>

                <url>https://pretalx.com/security-bsides-las-vegas-2025/talk/FFUHZJ/</url>
                <feedback_url>https://pretalx.com/security-bsides-las-vegas-2025/talk/FFUHZJ/feedback/</feedback_url>
            </event>
            
        </room>
        <room name='Florentine E' guid='309efd48-00f5-5128-af16-4fed685d0d8d'>
            <event guid='4fa05dcc-871c-518b-a75c-ab16459416a3' id='70687' code='ZCMBVR'>
                <room>Florentine E</room>
                <title>PvJ CTF Play Begins, Monday</title>
                <subtitle></subtitle>
                <type>Event1HR</type>
                <date>2025-08-04T09:00:00-07:00</date>
                <start>09:00</start>
                <duration>00:00</duration>
                <abstract>PvJ CTF Play Begins, Monday</abstract>
                <slug>security-bsides-las-vegas-2025-70687-pvj-ctf-play-begins-monday</slug>
                <track>Events</track>
                
                <persons>
                    
                </persons>
                <language>en</language>
                <description>PvJ CTF Play Begins, Monday</description>
                <recording>
                    <license></license>
                    <optout>false</optout>
                </recording>
                <links></links>
                <attachments></attachments>

                <url>https://pretalx.com/security-bsides-las-vegas-2025/talk/ZCMBVR/</url>
                <feedback_url>https://pretalx.com/security-bsides-las-vegas-2025/talk/ZCMBVR/feedback/</feedback_url>
            </event>
            <event guid='621cb366-784d-53d7-8a69-6f8942fce165' id='70233' code='9RELPE'>
                <room>Florentine E</room>
                <title>Beyond the Breach: Why Your Tabletop Exercise Should be Your Worst Nightmare</title>
                <subtitle></subtitle>
                <type>Talk-45m</type>
                <date>2025-08-04T10:00:00-07:00</date>
                <start>10:00</start>
                <duration>00:45</duration>
                <abstract>This talk provides a comprehensive overview of Table Top Exercises (TTX), highlighting their critical role in cybersecurity preparedness. The importance of TTXs is underscored, highlighting their ability to simulate incident response without real-world consequences. This guide emphasizes the importance of crafting challenging scenarios that push teams beyond their comfort zones, preparing them for worst-case scenarios while maintaining clarity and focus. The ultimate goal is to facilitate continuous improvement and ensure organizational resilience through annual TTX iterations.</abstract>
                <slug>security-bsides-las-vegas-2025-70233-beyond-the-breach-why-your-tabletop-exercise-should-be-your-worst-nightmare</slug>
                <track>Ground Floor</track>
                
                <persons>
                    <person id='70618'>Madison Rocha</person>
                </persons>
                <language>en</language>
                <description>Tabletop exercises are vital to the success of security within businesses, providing a simulated environment where teams can practice their responses to various scenarios. As someone who has written and conducted several of these exercises, I&apos;ve observed common challenges that companies face during these sessions. One significant hurdle is the fear of failure; participants often worry about looking bad and are reluctant to embrace mistakes. However, I believe it&apos;s important to teach people that failure is not only acceptable but can actually contribute to creating a more secure environment. By learning from errors made during tabletop exercises, teams can strengthen their strategies and improve their overall security posture. Embracing a mindset where failure is seen as a stepping stone to success can transform the way businesses approach security, making them more resilient and prepared for real-world threats.</description>
                <recording>
                    <license></license>
                    <optout>false</optout>
                </recording>
                <links></links>
                <attachments></attachments>

                <url>https://pretalx.com/security-bsides-las-vegas-2025/talk/9RELPE/</url>
                <feedback_url>https://pretalx.com/security-bsides-las-vegas-2025/talk/9RELPE/feedback/</feedback_url>
            </event>
            <event guid='28c7ff97-addf-5a33-a2d1-1e293bdd0d17' id='67806' code='HKSUYW'>
                <room>Florentine E</room>
                <title>Turbo Tactical Exploitation: 22 Tips for Tricky Targets</title>
                <subtitle></subtitle>
                <type>Talk-20m</type>
                <date>2025-08-04T11:00:00-07:00</date>
                <start>11:00</start>
                <duration>00:20</duration>
                <abstract>Penetration tests are a race; you&#8217;re up against the clock, the blue team, and real-world criminals going after the same systems. Knowing where to look, what to spend your time on, and how to move fast is everything. This rapid-fire session delivers 22 practical tips to help you find juicy targets faster, pivot cleaner, and avoid wasting time on noise. From recon to lateral movement (and everything in between), these techniques are built for speed and getting the most out of every packet, port, and pivot. Whether you&#8217;re on a red team or just want to better understand your exposure, you&#8217;ll leave with new ways to spot weak links fast&#8212;and exploit them even faster.</abstract>
                <slug>security-bsides-las-vegas-2025-67806-turbo-tactical-exploitation-22-tips-for-tricky-targets</slug>
                <track>Ground Floor</track>
                
                <persons>
                    <person id='68444'>HD Moore</person>
                </persons>
                <language>en</language>
                <description>Modern penetration testing is no longer about running one big scan and waiting for low-hanging fruit to drop. It&#8217;s about speed, precision, adaptability, and the ability to recognize opportunity from noise. The faster a red team can identify viable paths to privilege or data, the more time they have to focus on meaningful exploitation&#8212;and the more value they deliver.

This talk is built for speed. It&#8217;s a rapid-fire delivery of 22 tactical tips, designed for operators working against the clock and under pressure. Each tip targets a specific phase of a real-world engagement&#8212;covering everything from network recon to post-exploitation pivots&#8212;emphasizing tools, logic, and lateral thinking that yield fast results.

The techniques in this session are grounded in real-world experience from assessments where time is short and the environment is unknown. These aren&#8217;t theoretical tactics&#8212;they&#8217;re the battle-tested shortcuts and field-proven workflows that separate successful engagements from an empty report.

This session is for:
* Penetration testers looking to sharpen their time-to-impact
* Red teamers working inside constrained, high-pressure environments
* Blue teamers wanting to understand how attackers think and move
* Developers or sysadmins curious about how attackers prioritize and exploit their systems


The primary goal is to arm attendees with fast, effective methods for:
* Finding valuable targets with minimal noise
* Recognizing indirect indicators of vulnerable systems
* Pivoting across infrastructure and through segmentation
* Avoiding tool fatigue and maximizing signal-per-effort

This talk is structured as a guided sprint through the offensive lifecycle, starting from outside-in, to a foothold on an intermediate system, and finally to the most critical targets within the environment. Each tactic is immediately useful, often tool-agnostic, and focused on high leverage with low effort.</description>
                <recording>
                    <license></license>
                    <optout>false</optout>
                </recording>
                <links></links>
                <attachments></attachments>

                <url>https://pretalx.com/security-bsides-las-vegas-2025/talk/HKSUYW/</url>
                <feedback_url>https://pretalx.com/security-bsides-las-vegas-2025/talk/HKSUYW/feedback/</feedback_url>
            </event>
            <event guid='1726f9a3-6c20-530f-9754-480c2ff82834' id='70144' code='T7AHQT'>
                <room>Florentine E</room>
                <title>Avoiding Credential Chaos: Authenticating With No Secrets</title>
                <subtitle></subtitle>
                <type>Talk-45m</type>
                <date>2025-08-04T14:00:00-07:00</date>
                <start>14:00</start>
                <duration>00:45</duration>
                <abstract>Tired of the secret sprawl? You&apos;re not alone. This talk tosses the outdated playbook of endless key rotations and credential tracking and exposes a better way: delete the darn secrets in the first place. Or where they can&#8217;t be deleted, choose a solution that offers better protection as a matter of course. 

Learn concrete &apos;Do This, Not That&apos; guidance with actionable examples for common use cases that typically involve static, manually managed secrets. Move on to a safer and more maintainable architecture by making manually managing secrets the exception, not the default.
See a live demonstration of two Kubernetes clusters &#8211; one in AWS and one in Azure &#8211; securely authenticating to the other cloud provider with zero manually managed secrets. We&apos;ll dive into the AWS IRSA and Azure Workload ID services that unlock this. You&apos;ll even get the full Terraform source code to play with this yourself, highlighting the emergent wins for resiliency and maintainability when your entire infrastructure is defined in code.

Leave this session equipped with practical examples to immediately reduce your secrets footprint and a deeper understanding of building secure, secret-free systems.</abstract>
                <slug>security-bsides-las-vegas-2025-70144-avoiding-credential-chaos-authenticating-with-no-secrets</slug>
                <track>Ground Floor</track>
                
                <persons>
                    <person id='72526'>Chitra Dharmarajan</person><person id='70537'>Steve Jarvis</person>
                </persons>
                <language>en</language>
                <description>Tired of the secret sprawl? You&apos;re not alone. This talk throws out the outdated playbook of endless key rotations and credential tracking and exposes a better way: deleting the darn secrets in the first place. Or where they can&#8217;t be deleted, choose a solution that offers better protection as a matter of course. Learn concrete &apos;Do This, Not That&apos; guidance for reducing secrets-induced risk across your stack, from how your users access infrastructure to how your services themselves authenticate.

We&#8217;ll go through common use cases that traditionally require static, manually managed secrets, and give specific examples of how to move away from that model to a much safer and more maintainable architecture, where manually managed secrets are the exception, not the default.
See a live demonstration of two Kubernetes clusters &#8211; one in AWS and one in Azure &#8211; securely authenticating to the other cloud provider with zero manually managed secrets. We&apos;ll dive into AWS IRSA and Azure Workload ID, showcasing how these services unlock cross-cloud access without the risk of static, privileged client credentials. You&apos;ll even get the full Terraform source code to implement this yourself, highlighting the emergent wins for resiliency and maintainability when your entire infrastructure is defined in code.

Leave this session equipped with practical examples to immediately reduce your secrets footprint and a deeper understanding of building secure, secret-free systems.</description>
                <recording>
                    <license></license>
                    <optout>false</optout>
                </recording>
                <links></links>
                <attachments></attachments>

                <url>https://pretalx.com/security-bsides-las-vegas-2025/talk/T7AHQT/</url>
                <feedback_url>https://pretalx.com/security-bsides-las-vegas-2025/talk/T7AHQT/feedback/</feedback_url>
            </event>
            <event guid='b321cda8-a0ea-5b92-b9f5-83ea01157a75' id='67915' code='JJCREB'>
                <room>Florentine E</room>
                <title>Hacking Secure Coding Into Education</title>
                <subtitle></subtitle>
                <type>Talk-20m</type>
                <date>2025-08-04T15:00:00-07:00</date>
                <start>15:00</start>
                <duration>00:20</duration>
                <abstract>In this talk, we will share our experience in reaching high school, computer science, and software engineering students with secure coding workshops. We will introduce our open GitHub repository and YouTube channel, which provide free workshops and walkthroughs, allowing anyone to learn.</abstract>
                <slug>security-bsides-las-vegas-2025-67915-hacking-secure-coding-into-education</slug>
                <track>Ground Floor</track>
                
                <persons>
                    <person id='67158'>Or Sahar</person><person id='70561'>Yariv Tal</person>
                </persons>
                <language>en</language>
                <description>Join us as we share our journey bringing secure coding education to high school, university, and software engineering students. We&#8217;ll discuss the gaps in traditional programming education and how we addressed them through accessible, hands-on workshops. Discover our free GitHub repository and YouTube channel, packed with labs and walkthroughs. Learn how you can contribute&#8212;by suggesting ideas, building labs, reviewing code, or creating walkthrough videos&#8212;to help grow the secure coding community.</description>
                <recording>
                    <license></license>
                    <optout>false</optout>
                </recording>
                <links></links>
                <attachments></attachments>

                <url>https://pretalx.com/security-bsides-las-vegas-2025/talk/JJCREB/</url>
                <feedback_url>https://pretalx.com/security-bsides-las-vegas-2025/talk/JJCREB/feedback/</feedback_url>
            </event>
            <event guid='41063d42-5a2a-5eb9-9555-4d451bd3c225' id='67767' code='7BZSKL'>
                <room>Florentine E</room>
                <title>Casting Light on Shadow Cloud Deployments</title>
                <subtitle></subtitle>
                <type>Talk-20m</type>
                <date>2025-08-04T15:30:00-07:00</date>
                <start>15:30</start>
                <duration>00:20</duration>
                <abstract>Shadow IT and forgotten proof-of-concept environments frequently become the weak links attackers exploit&#8212;unmonitored, undocumented, and outside standard security controls. Whether it&apos;s a forgotten cloud instance left open to the internet or a testing environment quietly turned into a production system, these deployments often fly under the radar until they become part of an incident. Once discovered, accurately scoping the environment is critical to identifying existing resources, active services, and their exposure to the internet. Our open-source tool, Luminaut, scans cloud environments to identify services exposed to the internet, providing critical context from the inside out to jumpstart your investigation. Within minutes, Luminaut will highlight exposed IP addresses and associated compute and networking resources, layering on a timeline from cloud audit logging and context from external scanners. Whether working an incident for an enterprise security team or responding to a customer&#8217;s AWS or Google Cloud environment, Luminaut helps answer critical scoping questions&#8212;what is exposed, where it&#8217;s running, and how long it has been there&#8212;giving investigators a head start on triage, root cause analysis, and informing stakeholders.</abstract>
                <slug>security-bsides-las-vegas-2025-67767-casting-light-on-shadow-cloud-deployments</slug>
                <track>Ground Floor</track>
                <logo>/media/security-bsides-las-vegas-2025/submissions/7BZSKL/lumin_kfyoIco.png</logo>
                <persons>
                    <person id='68426'>Brittney Argirakis</person><person id='72545'>Chapin Bryce</person>
                </persons>
                <language>en</language>
                <description>We developed this tool, and talk, after years of responding to incidents that started from the exposure of resources. The initial version supported AWS resource exposure investigation, and was presented at ShmooCon 2025. Since then, we have been working on an integration of Google Cloud and increasing our coverage of AWS resources. This CLI tool has found success with practitioners in reducing the time spent during the identification phase of triage.

While other tools support similar features, Luminaut stands separate by focusing on the discovery of resources and leveraging an inside-out approach for detection. Luminaut starts by enumerating internet-facing network interfaces, tracing them to attached resources and services to identify what components construct the network path. It then uses available audit history from sources like CloudTrail and AWS Config to provide available context on how the resources were created. In addition to the internal identification, Luminaut can use external resources to gather information about services running on the exposed interfaces. This includes using nmap, whatweb, and shodan to provide information on applications or frameworks available at the exposed ports.

Our project is available on GitHub here: https://github.com/luminaut-org/luminaut. In addition to the tool, our GitHub also hosts the documentation and our prior presentation slides. Our prior talk is available on YouTube here: https://youtu.be/-_jUZBMeU5w?si=e-Q3gFavTdhpecRY&amp;t=16700</description>
                <recording>
                    <license></license>
                    <optout>false</optout>
                </recording>
                <links></links>
                <attachments></attachments>

                <url>https://pretalx.com/security-bsides-las-vegas-2025/talk/7BZSKL/</url>
                <feedback_url>https://pretalx.com/security-bsides-las-vegas-2025/talk/7BZSKL/feedback/</feedback_url>
            </event>
            <event guid='4d8dbb7e-8fce-5f19-8b27-5094d6887fd7' id='67687' code='8EDXNE'>
                <room>Florentine E</room>
                <title>Don&apos;t be LLaMe - The basics of attacking LLMs in your Red Team exercises</title>
                <subtitle></subtitle>
                <type>Talk-45m</type>
                <date>2025-08-04T17:00:00-07:00</date>
                <start>17:00</start>
                <duration>00:45</duration>
                <abstract>Part of the Red Team job is staying on top of new, emerging, or growing technologies. Love it or hate it, Large Language Models (LLMs) and the applications and agents that use them are increasingly part of the tech stack in companies today. To ignore them would be to ignore fruitful attack surface that may be both less secured and less monitored than other traditional Red Team attack paths. This presentation will cover the core of what we think Red Teamers should know about how LLMs work under the hood (without the math!) and then use that knowledge to dive into attack strategies. This isn&apos;t just focused on attacking the LLMs, though; we&apos;ll be taking prompt injection and jailbreaks into Red Team-land with examples from research and real-world operations. Get your hack on with ways you can attack the applications and agents using LLMs to achieve your heart&apos;s desire on your next Red Team operation.</abstract>
                <slug>security-bsides-las-vegas-2025-67687-don-t-be-llame-the-basics-of-attacking-llms-in-your-red-team-exercises</slug>
                <track>Ground Floor</track>
                
                <persons>
                    <person id='68351'>Brent Harrell</person><person id='68399'>Alex Bernier</person>
                </persons>
                <language>en</language>
                <description>While this discussion will cover the basics of LLMs themselves, the primary focus is on how they can be used in the course of other offensive security work - particularly Red Team engagements.

This presentation will begin with the core of how LLMs work at a theoretical level - no math or ML knowledge is required. Understanding how an LLM actually does what it does is critical to determining how to effectively manipulate or break it.

After establishing the basics, we will cover common prompt injection strategies informed by real-world exercises. The specific focus will be on achieving impactful objectives common to Red Team engagements, like lateral movement, privilege escalation, or impact - getting the LLM to say something dirty only to you isn&apos;t exactly useful or concerning to the Red Team and falls into the alignment category, which is quality assurance more than offensive security.</description>
                <recording>
                    <license></license>
                    <optout>false</optout>
                </recording>
                <links></links>
                <attachments></attachments>

                <url>https://pretalx.com/security-bsides-las-vegas-2025/talk/8EDXNE/</url>
                <feedback_url>https://pretalx.com/security-bsides-las-vegas-2025/talk/8EDXNE/feedback/</feedback_url>
            </event>
            <event guid='9f498171-052c-55af-a5a1-900ce8ba9392' id='67791' code='HUP7L3'>
                <room>Florentine E</room>
                <title>.e&apos;X&apos;es and &apos;O&apos;auths (They Haunt Me): In-Depth Analysis of OAuth/OIDC Misconfigurations and Token Replay Attacks</title>
                <subtitle></subtitle>
                <type>Talk-45m</type>
                <date>2025-08-04T18:00:00-07:00</date>
                <start>18:00</start>
                <duration>00:45</duration>
                <abstract>OAuth and OpenID Connect (OIDC) are the backbone of modern identity and access management &#8212; but poor implementations leave organizations dangerously exposed. In this technical session, I&#8217;ll move beyond theory and demonstrate how subtle misconfigurations in OAuth and OIDC flows can be exploited by attackers to bypass authentication, impersonate users, and replay tokens for unauthorized access. We&#8217;ll walk through real-world vulnerabilities such as missing state parameters, improperly validated discovery documents, and token validation failures. Then we&#8217;ll demonstrate a live token replay attack using OWASP ZAP to intercept and reuse a captured JWT &#8212; illustrating how easily these weaknesses can be exploited in the wild. Attendees will leave with actionable knowledge on how to identify, exploit, and mitigate these flaws in enterprise environments, along with open-source scripts and tools to reproduce the attack scenarios in their own labs.</abstract>
                <slug>security-bsides-las-vegas-2025-67791-e-x-es-and-o-auths-they-haunt-me-in-depth-analysis-of-oauth-oidc-misconfigurations-and-token-replay-attacks</slug>
                <track>Ground Floor</track>
                
                <persons>
                    <person id='68446'>Darryl G. Baker</person>
                </persons>
                <language>en</language>
                <description>OAuth 2.0 and OpenID Connect (OIDC) are the identity workhorses of the modern web, enabling SSO, delegated authorization, and secure API access across cloud and enterprise ecosystems. But despite their widespread adoption, these protocols are frequently misconfigured &#8212; and attackers are capitalizing on it. This talk exposes how real-world flaws in OAuth and OIDC implementations can be exploited to bypass authentication, impersonate users, and perform full session hijacking via token replay.
	This presentation is designed for security professionals, penetration testers, red teamers, and identity architects who want a deeper technical understanding of identity-layer attack surface and how it&#8217;s routinely exploited in the wild. It opens with a fast-paced breakdown of how OAuth and OIDC are supposed to work, then dives headfirst into where they typically fail &#8212; not in the protocols themselves, but in how they&#8217;re implemented.
	Attendees will learn how missing or improperly validated state parameters lead to CSRF, how weak or wildcarded redirect_uri values open the door for open redirect exploits, and why implicit flows are dangerous in modern environments. On the OIDC side, we&#8217;ll explore how attackers tamper with the discovery endpoint (.well-known/openid-configuration), and how improperly validated ID tokens lacking issuer, audience, or nonce verification can be forged and replayed.
	The centerpiece of the session is a live demonstration of a token replay attack using OWASP ZAP. We&#8217;ll walk through a simulated login against a vulnerable OAuth/OIDC web app, intercept a valid JWT using ZAP, and replay that token from another client to gain unauthorized access. This real-time attack sequence shows just how quickly identity misconfigurations can be turned into full session compromise &#8212; especially when token binding and validation safeguards are missing.
	Following the attack demonstration, we&#8217;ll pivot to practical defensive strategies including:

- Best practices for validating ID tokens (issuer, audience, nonce, exp)
- Enforcing short token lifetimes and secure refresh mechanisms
- Implementing token binding using device fingerprinting, IP correlation, or advanced options like DPoP and mTLS
- Integrating detection strategies via ITDR platforms or behavioral monitoring

	To support continued learning, the presentation includes access to an open-source lab environment built around OWASP ZAP. The lab includes three modular ZAP script sets:

Script Set 1: Hardcoded JWT replay automation
Script Set 2: Dynamic token capture and replay via scripted login
Script Set 3: Docker-based ZAP automation for CI/CD pipelines

	This session bridges the gap between protocol theory and real-world identity exploitation, showing how small implementation gaps can have catastrophic security consequences. Attendees will leave with working examples, reusable tools, and a detailed understanding of how to defend against identity-based attacks that bypass traditional perimeter defenses.</description>
                <recording>
                    <license></license>
                    <optout>false</optout>
                </recording>
                <links></links>
                <attachments></attachments>

                <url>https://pretalx.com/security-bsides-las-vegas-2025/talk/HUP7L3/</url>
                <feedback_url>https://pretalx.com/security-bsides-las-vegas-2025/talk/HUP7L3/feedback/</feedback_url>
            </event>
            
        </room>
        <room name='Florentine F' guid='905b0795-fddf-586b-bf97-6e58739e4329'>
            <event guid='2d48bc48-f9dd-5e4b-9e70-2e933718d1d8' id='66178' code='ZRBTVS'>
                <room>Florentine F</room>
                <title>Locking Hands: Ransomware Meets Bioimplants</title>
                <subtitle></subtitle>
                <type>Talk-45m</type>
                <date>2025-08-04T10:00:00-07:00</date>
                <start>10:00</start>
                <duration>00:45</duration>
                <abstract>Bioimplants unlock new potential, but what happens when they&#8217;re held hostage? This talk introduces LockSkin, an educational ransomware targeting NFC bioimplants. Join us to learn the risks and realities of ransomware under the skin.</abstract>
                <slug>security-bsides-las-vegas-2025-66178-locking-hands-ransomware-meets-bioimplants</slug>
                <track>Common Ground</track>
                
                <persons>
                    <person id='66929'>Mauro Eldritch / Heiner Garc&#237;a P&#233;rez</person>
                </persons>
                <language>en</language>
                <description>Bioimplants like NFC chips unlock new possibilities for personal augmentation, but they also introduce unique security challenges. In this talk, we present LockSkin, the first educational ransomware designed specifically for NFC bioimplants. LockSkin adds a ransom note and secret key to the implant, leaving the user locked out of their own device. Through this hands-on experiment, we&#8217;ll explore the implications of bioimplant security, the mechanics of LockSkin, and what this means for the future of biohacking. Are you going to open that door? Grab that mic? Think twice. Because sometimes, ransomware really does get under your skin.</description>
                <recording>
                    <license></license>
                    <optout>false</optout>
                </recording>
                <links></links>
                <attachments></attachments>

                <url>https://pretalx.com/security-bsides-las-vegas-2025/talk/ZRBTVS/</url>
                <feedback_url>https://pretalx.com/security-bsides-las-vegas-2025/talk/ZRBTVS/feedback/</feedback_url>
            </event>
            <event guid='5126a704-4d18-5466-af43-f5d1f752bede' id='66731' code='RESSKA'>
                <room>Florentine F</room>
                <title>So You Want to Give A Talk: How to Write a CFP</title>
                <subtitle></subtitle>
                <type>Talk-20m</type>
                <date>2025-08-04T11:00:00-07:00</date>
                <start>11:00</start>
                <duration>00:20</duration>
                <abstract>The one thing I love about our community is the passion to give back. And if you&apos;re reading this and thinking &quot;I would love to give back, but I don&apos;t know where to start&quot; then this talk is for you. Almost every month it seems like there&apos;s a cybersecurity conference happening, and each of those conferences has what is called a Call for Papers (CFP). It sounds scary and daunting, but submitting a CFP isn&apos;t very hard once you know what you&apos;re doing. As someone who&apos;s given dozens of talks and has been on the review board for a few conferences, including BSidesLV, I know a thing or two about CFPs. The purpose of this talk is to walk you through what makes a good CFP, what&apos;s in it for you, how to properly fill out the various sections, what a CFP review board is and what they want to see. We&apos;ll use examples of the BSidesLV CFP as well as DEFCON and BlackHat (since they ask for extra special stuff). By the end of this talk you&apos;ll have the confidence to submit your first CFP and start giving talks!</abstract>
                <slug>security-bsides-las-vegas-2025-66731-so-you-want-to-give-a-talk-how-to-write-a-cfp</slug>
                <track>Common Ground</track>
                
                <persons>
                    <person id='67434'>Phil &quot;Soldier of FORTRAN&quot; Young</person>
                </persons>
                <language>en</language>
                <description>Wow, we let people potentially put in 8,000 words here? That&apos;s like 16 pages!

Anyway, this is a talk I&apos;ve given locally here in San Diego a few times and it&apos;s been well received. I walk through the various sections of a CFP and how to fill them out, in a fun, lighthearted talk. The intent of this talk is to help newbies and the elite alike submit better CFPs. Also I noticed that last time BSidesLV had a CFP talk it was a panel from 2016.</description>
                <recording>
                    <license></license>
                    <optout>false</optout>
                </recording>
                <links></links>
                <attachments></attachments>

                <url>https://pretalx.com/security-bsides-las-vegas-2025/talk/RESSKA/</url>
                <feedback_url>https://pretalx.com/security-bsides-las-vegas-2025/talk/RESSKA/feedback/</feedback_url>
            </event>
            <event guid='76261c13-3a09-5a43-ba2c-e61cb06688f3' id='67007' code='TJMRAK'>
                <room>Florentine F</room>
                <title>Agentic AI Malware: Why the Cybersecurity Battle Isn&#8217;t Over</title>
                <subtitle></subtitle>
                <type>Talk-45m</type>
                <date>2025-08-04T14:00:00-07:00</date>
                <start>14:00</start>
                <duration>00:45</duration>
                <abstract>This talk explores the rise of AI-powered malware, focusing on Agentic AI and its potential for autonomous threats. We&#8217;ll introduce agentic malware, discussing its key features such as autonomy, self-learning, behavior adaptation, and real-time evasion. We&#8217;ll walk you through our proof-of-concept autonomous PowerShell agent, demonstrating how it dynamically generates and executes code in memory, resulting in metamorphic obfuscation. Using reasoning models like the Responses API and Sonar, the agent creates strategies to achieve its goals.
Finally, we&#8217;ll cover mitigation strategies, such as monitoring AI-related outbound traffic and increasing execution visibility. While agentic AI shows promise in automating pentesting, current malware implementations still offer only limited practical advantages over traditional methods. 
Join us to gain insights into why Agentic AI isn&#8217;t the end of cybersecurity - yet.</abstract>
                <slug>security-bsides-las-vegas-2025-67007-agentic-ai-malware-why-the-cybersecurity-battle-isn-t-over</slug>
                <track>Common Ground</track>
                
                <persons>
                    <person id='67698'>Candid Wuest</person>
                </persons>
                <language>en</language>
                <description>This talk will showcase an agentic AI agent demo that I created. The first version was built using Perplexity&apos;s Sonar reasoning pro model, with an updated version leveraging OpenAI&apos;s Responses API.
I will walk through each step and feature in detail, analyzing its effectiveness, potential benefits for attackers, implementation challenges, and whether it makes detection harder for defenders.
Key topics will include: Metamorphic code rewriting with LLMs, autonomous reasoning-based strategy selection to achieve goals such as stealing sensitive files, exfiltration via LLMs, and EDR evasion techniques.
The goal of this talk is to demonstrate what is realistically possible while cutting through media hype and misconceptions about so-called &quot;unlockable&quot; agentic AI malware.</description>
                <recording>
                    <license></license>
                    <optout>false</optout>
                </recording>
                <links></links>
                <attachments></attachments>

                <url>https://pretalx.com/security-bsides-las-vegas-2025/talk/TJMRAK/</url>
                <feedback_url>https://pretalx.com/security-bsides-las-vegas-2025/talk/TJMRAK/feedback/</feedback_url>
            </event>
            <event guid='c12b3b0c-ff1c-5e19-b59c-b0550b48059f' id='68786' code='HA8P8U'>
                <room>Florentine F</room>
                <title>When the Breach Hits the Fan: Understanding Cyber Insurance</title>
                <subtitle></subtitle>
                <type>Talk-45m</type>
                <date>2025-08-04T15:00:00-07:00</date>
                <start>15:00</start>
                <duration>00:45</duration>
                <abstract>Cyber insurance is a murky concept even on the best of days. What does it cover, how is it obtained, what can businesses do to help the cost of their insurance, build a relationship with their insurer, and more!</abstract>
                <slug>security-bsides-las-vegas-2025-68786-when-the-breach-hits-the-fan-understanding-cyber-insurance</slug>
                <track>Common Ground</track>
                
                <persons>
                    <person id='67925'>Mea Clift</person>
                </persons>
                <language>en</language>
                <description>There are so many questions and concerns in the cybersecurity community about cyber insurance, how it works, why are there exclusions, how do we improve our rates, etc. Even learning about what benefits insurance has for you is something that is a great value. So really laying out what the heck cyber insurance is, what it does and doesn&apos;t cover, how it can be a boon and benefit, and tips on how organizations should best engage and work with their insurance providers and brokers. Highlighted in the conversation is especially facts about how the claims process helps in some of the major challenges during a ransomware attack, how it can save you money during an incident, and assist with navigating coverage of 3rd party incidents too.</description>
                <recording>
                    <license></license>
                    <optout>false</optout>
                </recording>
                <links></links>
                <attachments></attachments>

                <url>https://pretalx.com/security-bsides-las-vegas-2025/talk/HA8P8U/</url>
                <feedback_url>https://pretalx.com/security-bsides-las-vegas-2025/talk/HA8P8U/feedback/</feedback_url>
            </event>
            <event guid='ec473dbe-31f7-56ee-80c5-ac81a0fe5995' id='66398' code='D8QXVT'>
                <room>Florentine F</room>
                <title>When Attackers Tune In: Weaponizing LLM Tuning for Stealthy C2 and Exfiltration</title>
                <subtitle></subtitle>
                <type>Talk-20m</type>
                <date>2025-08-04T17:00:00-07:00</date>
                <start>17:00</start>
                <duration>00:20</duration>
                <abstract>Large Language Models (LLMs) are increasingly being integrated into enterprise environments for the purposes of automation, analytics, and decision-making. Although their fine-tuning capabilities enable the development of tailored models for specific tasks and industries, LLMs also introduce new attack surfaces that can be exploited for malicious purposes.

In this presentation, we unveil how we transformed an LLM into a stealthy C2 channel. We will demonstrate a PoC attack that leverages the fine-tuning capability of a popular generative AI model. In this attack, a victim unwittingly trains the model using a dataset crafted by an attacker. 
This technique transforms the model into a covert communication bridge, enabling attackers to exfiltrate data from a compromised endpoint, deploy payloads, and execute commands.

We will discuss challenges we faced, such as AI hallucinations and consistency issues, and share our approach and the techniques we developed to mitigate the issues. Additionally, we will examine this attack from a defender&#8217;s perspective, highlighting why traditional security solutions struggle to detect this type of C2 channel, and what can be done to improve detection.
Join us as we break down this unconventional attack vector, and demonstrate how LLMs can be leveraged for offensive operations.</abstract>
                <slug>security-bsides-las-vegas-2025-66398-when-attackers-tune-in-weaponizing-llm-tuning-for-stealthy-c2-and-exfiltration</slug>
                <track>Common Ground</track>
                
                <persons>
                    <person id='73095'>Noa Dekel</person>
                </persons>
                <language>en</language>
                <description>In this presentation we will share a proof of concept we developed, originally as part of a data exfiltration focused research project held in Palo Alto&#8217;s Cortex TI team. 
As we mapped the landscape we found that Large Language Models (LLMs) are increasingly leveraged by attackers for automation, phishing, and malware development, but their true offensive potential remains largely untapped. 
In this talk, we explore a novel technique: abusing the fine-tuning process of LLMs to establish a covert C2 channel and exfiltrate sensitive data. Unlike traditional AI abuses that focus on prompt engineering or model manipulation, this approach enables adversaries to embed and retrieve information through the fine-tuning mechanism, bypassing common security measures.
At first glance, using LLMs for covert communication seems impractical due to security controls, session-based memory limitations, and unpredictable model behavior. However, by fine-tuning a widely used model, we successfully created a reliable attack method where a victim unknowingly trains an LLM with sensitive data, allowing an attacker to extract this data and issue commands remotely. We will showcase our PoC, highlighting key technical challenges such as AI hallucinations, consistency issues, and response unpredictability&#8212;along with the techniques we used to overcome them.
From a defender&#8217;s perspective, detecting this attack is quite challenging. Traditional security solutions, such as EDRs and network monitoring tools, do not effectively track AI interactions, allowing malicious activity to blend in with legitimate AI usage. We will analyze why conventional detection methods fail and discuss potential mitigation strategies, including behavioral anomaly detection.
This talk provides an in-depth look at the risks associated with LLM fine-tuning and its implications for security. Through a pre-recorded demonstration, we will illustrate how attackers can use AI-powered C2 channels in real-world scenarios. As AI continues to evolve, understanding and securing its hidden attack surfaces is critical&#8212;before adversaries fully &quot;tune in&quot; to these emerging opportunities.</description>
                <recording>
                    <license></license>
                    <optout>false</optout>
                </recording>
                <links></links>
                <attachments></attachments>

                <url>https://pretalx.com/security-bsides-las-vegas-2025/talk/D8QXVT/</url>
                <feedback_url>https://pretalx.com/security-bsides-las-vegas-2025/talk/D8QXVT/feedback/</feedback_url>
            </event>
            <event guid='816381d8-3155-59ca-a0ca-be25df9fcf59' id='67365' code='L7GJCM'>
                <room>Florentine F</room>
                <title>Risk it for the Biscuit: Crunching the Numbers on Cyber Threats</title>
                <subtitle></subtitle>
                <type>Talk-20m</type>
                <date>2025-08-04T17:30:00-07:00</date>
                <start>17:30</start>
                <duration>00:20</duration>
                <abstract>When does a risk not exist? What is a risk to your employer? Many people overlook the largest risks to their organization and mistakenly focus on the most interesting CVSS, Headline, Zero Day, etc. Understanding when risks can be closed out, and prioritizing which ones to tackle and mitigate first is a struggle for many teams, but why is that? Could the key to prioritization be in changing how you view risks and building a vulnerability management program around this new focus?</abstract>
                <slug>security-bsides-las-vegas-2025-67365-risk-it-for-the-biscuit-crunching-the-numbers-on-cyber-threats</slug>
                <track>Common Ground</track>
                
                <persons>
                    <person id='66414'>Sean &quot;4dw@r3&quot; Juroviesky</person>
                </persons>
                <language>en</language>
                <description>In this talk I discuss how little the latest zero day or the biggest CVSS&#8217; are exploited, highlighting the largest cybersecurity incidents of the past year which are often rooted in simple misconfigurations, lack of MFA, or other supposedly minor uninteresting issues.

Focus on how to build a quick threat model of a company, how attacks originate, pivot, and affect companies. Highlighting how attackers typically have a goal rather than just wanting to exploit a specific weakness: extortion (ransomware), data exfiltration, defacement, etc.

I build on that by demonstrating how to take a new CVSS and threat model its applicability to your organization based on your larger scale threat model. For example, do you use this vulnerable software but there are already protections in place? If so, you might want to prioritize updating this software below your rollout of MFA, or a minor vulnerability that doesn&#8217;t have protections in place.</description>
                <recording>
                    <license></license>
                    <optout>false</optout>
                </recording>
                <links></links>
                <attachments></attachments>

                <url>https://pretalx.com/security-bsides-las-vegas-2025/talk/L7GJCM/</url>
                <feedback_url>https://pretalx.com/security-bsides-las-vegas-2025/talk/L7GJCM/feedback/</feedback_url>
            </event>
            <event guid='708b7d63-cef4-581e-979b-6f5d864c3cff' id='70058' code='FC7TDL'>
                <room>Florentine F</room>
                <title>From interview questions to cluster damage: Adventures in k8s cluster shenanigans</title>
                <subtitle></subtitle>
                <type>Talk-45m</type>
                <date>2025-08-04T18:00:00-07:00</date>
                <start>18:00</start>
                <duration>00:45</duration>
                <abstract>What started as a simple exercise to create Kubernetes interview questions took an unexpected turn into discovering some interesting cluster security quirks. While brainstorming scenarios to test candidates&apos; knowledge, we found ourselves saying &quot;wait, would that actually work?&quot; more times than we expected. This talk shares these insights, showing how even a cluster with a common configuration can lead to surprising cluster disruptions. We will guide you through our journey, sharing both the techniques we stumbled upon and practical ways to keep your Kubernetes infrastructure safe.</abstract>
                <slug>security-bsides-las-vegas-2025-70058-from-interview-questions-to-cluster-damage-adventures-in-k8s-cluster-shenanigans</slug>
                <track>Common Ground</track>
                
                <persons>
                    <person id='70456'>Travis Lowe</person><person id='70455'>Amit Serper</person>
                </persons>
                <language>en</language>
                <description>From Interview Questions to Cluster Damage: Adventures in k8s Cluster Hacking
It all started with a simple task - creating technical interview questions for Kubernetes researchers. You know the type: &quot;What happens if this pod can&apos;t schedule?&quot; or &quot;How would you debug a failing service?&quot; But as we brainstormed scenarios, we kept having these &quot;hold up, what if...&quot; moments that led us down some interesting paths.
We started testing our theories in lab environments, and what we found was both interesting and kind of amusing. Turns out there are quite a few ways to mess with a Kubernetes cluster that don&apos;t require sophisticated zero-day exploits - just creative use of normal cluster operations.
In this talk, we&apos;ll share three main insights from our accidental research project. First, we&apos;ll look at some surprisingly effective ways to disrupt cluster operations through resource manipulation and component misconfigurations. These aren&apos;t complex attacks - they&apos;re the kind of things that could happen by accident if you&apos;re not paying attention.
We&apos;ll then explore how attackers might map out a cluster starting with limited access. Understanding this helps both with security testing and knowing what to watch out for in your monitoring. Finally, we&apos;ll tackle a classic interview question that turned out to be more interesting than we expected: if someone compromises a node, can they take over the whole cluster?
This isn&apos;t going to be a standard lecture - we want to hear your thoughts and experiences too. We&apos;ll show some live demos and turn key points into discussions. After all, the best security insights often come from comparing notes with other practitioners.
The talk is aimed at folks who work with Kubernetes regularly - security engineers, DevSecOps teams, platform engineers. You don&apos;t need to be a security expert, but you should be familiar with basic Kubernetes concepts. We&apos;ll focus on practical stuff you can actually use, not theoretical edge cases.
By the end, you&apos;ll have:
* Some new perspectives on cluster security
* Practical ideas for hardening your environments
* Better understanding of what to monitor
* Some good material for your own interview questions</description>
                <recording>
                    <license></license>
                    <optout>false</optout>
                </recording>
                <links></links>
                <attachments></attachments>

                <url>https://pretalx.com/security-bsides-las-vegas-2025/talk/FC7TDL/</url>
                <feedback_url>https://pretalx.com/security-bsides-las-vegas-2025/talk/FC7TDL/feedback/</feedback_url>
            </event>
            
        </room>
        <room name='Firenze' guid='d44b35ba-9ea2-560a-8365-11306165adb1'>
            <event guid='35884d81-bf72-5f01-8991-78d45b8c185f' id='70149' code='WBYUUP'>
                <room>Firenze</room>
                <title>Detect and Respond? Cool Story &#8212; or Just Don&#8217;t Let the Bad Stuff Start.</title>
                <subtitle></subtitle>
                <type>Proving Ground Talk-25m</type>
                <date>2025-08-04T10:00:00-07:00</date>
                <start>10:00</start>
                <duration>00:25</duration>
                <abstract>Many Kubernetes security strategies rely on detection after the fact: scan the image, ship the pod, then react to alerts. This talk flips that model by focusing on prevention over response. We&#8217;ll show how Kyverno blocks dangerous workloads before they deploy, and how KubeArmor enforces runtime behavior to stop malicious actions as they happen. These tools run in real clusters, use simple YAML policies, and don&#8217;t require changes to your workloads or underlying infrastructure. We&#8217;ll focus on common misconfigurations &#8212; like containers running as root &#8212; and show how they enable attacks like privilege escalation, tooling installs, and container escape, even in clusters that appear secure.</abstract>
                <slug>security-bsides-las-vegas-2025-70149-detect-and-respond-cool-story-or-just-don-t-let-the-bad-stuff-start</slug>
                <track>Proving Ground</track>
                
                <persons>
                    <person id='66796'>Jimmy Shah</person><person id='70313'>Matthew Brown</person>
                </persons>
                <language>en</language>
                <description>Many teams still treat Kubernetes security like a post-deployment problem: detection tools, dashboards, and alert fatigue. But the most common threats &#8212; containers running as root, unrestricted installs, exposed host paths &#8212; start earlier, in the pod spec. By the time you&apos;re reacting, it&apos;s already too late.

This talk presents a hands-on alternative. Using a controlled Kubernetes environment, we&#8217;ll demonstrate how Kyverno and KubeArmor &#8212; two well-supported open source tools &#8212; can block insecure workloads before they run and prevent malicious behavior during runtime. Kyverno enforces policy at admission, stopping bad configurations before they reach the cluster. KubeArmor applies system-level controls after the container starts, closing Time-of-Check to Time-of-Use (TOCTOU) gaps that traditional tools miss. Together, they prevent the kinds of activity that detection tools only alert on &#8212; after exploitation has already begun.

These aren&#8217;t abstract controls. They work today, in real clusters, with policies defined in human-readable YAML and managed in Git &#8212; no rewrites, no platform overhaul.

**This talk covers:**
- Why &#8220;detection as protection&#8221; doesn&#8217;t hold up  
- What runtime security really looks like in Kubernetes  
- How public containers and default chart configs quietly open the door  
- How Kyverno and KubeArmor make actual enforcement simple and scalable  

This talk assumes light Kubernetes familiarity and is designed to equip, not overwhelm. Kyverno and KubeArmor aren&#8217;t the full solution, but they fill the enforcement gap that often gets ignored.</description>
                <recording>
                    <license></license>
                    <optout>false</optout>
                </recording>
                <links></links>
                <attachments></attachments>

                <url>https://pretalx.com/security-bsides-las-vegas-2025/talk/WBYUUP/</url>
                <feedback_url>https://pretalx.com/security-bsides-las-vegas-2025/talk/WBYUUP/feedback/</feedback_url>
            </event>
            <event guid='4d1797c3-9add-59ab-9e60-29647a6cba0e' id='66238' code='BANTPJ'>
                <room>Firenze</room>
                <title>I Didn&#8217;t Register for This: What&#8217;s Really in Google&#8217;s Artifact Registry?</title>
                <subtitle></subtitle>
                <type>Proving Ground Talk-25m</type>
                <date>2025-08-04T10:30:00-07:00</date>
                <start>10:30</start>
                <duration>00:25</duration>
                <abstract>We scanned all of the Google-owned container images you might be using on the Artifact Registry for vulnerabilities and secrets. You probably won&apos;t like what we found.</abstract>
                <slug>security-bsides-las-vegas-2025-66238-i-didn-t-register-for-this-what-s-really-in-google-s-artifact-registry</slug>
                <track>Proving Ground</track>
                
                <persons>
                    <person id='67147'>Lenin Alevski</person><person id='66876'>Moshe Bernstein</person>
                </persons>
                <language>en</language>
                <description>The Artifact Registry is the go-to solution for hosting container images in GCP. It is widely adopted by customers for storing and managing images, but Google itself uses it for hosting and managing many container images as well. The images managed by Google can be split into three categories: Public Images offered by Google for its users&apos; convenience, images by third-party companies vetted and uploaded by Google to the cloud marketplace, and Google production images used in actual GCP services. All three categories carry significant trust from Google to its users, raising the question - how secure are they, really? To find out, we decided to dive into some research and test any images we could find across these categories.

Some of these Google-managed images are not documented or meant for public use, despite having read permissions for all GCP users - making their discovery complex. We were able to utilize and develop several techniques for discovering and scanning these images for security issues, which enabled us to find and scan thousands of images. Google claims in its documentation that it vets and checks the container images for vulnerabilities, but the results show otherwise. Many actively maintained images across all three categories contained outdated software with critical vulnerabilities, including some of the most infamous and exploited in the wild. In addition to the vulnerabilities, we discovered plain-text secrets and credentials to key services, cloud providers, and APIs.

In this talk, we will explore some of the questions these issues raise while walking the audience through our process of revealing and analyzing the images: What is the severity of the issues we found, and what is the actual risk they pose to GCP users? Is it Google&apos;s responsibility to ensure the safety of the products in its marketplace? We will conclude by equipping GCP users with best practices to protect themselves and mitigate these issues in their environment.</description>
                <recording>
                    <license></license>
                    <optout>false</optout>
                </recording>
                <links></links>
                <attachments></attachments>

                <url>https://pretalx.com/security-bsides-las-vegas-2025/talk/BANTPJ/</url>
                <feedback_url>https://pretalx.com/security-bsides-las-vegas-2025/talk/BANTPJ/feedback/</feedback_url>
            </event>
            <event guid='8a2bc823-a813-58c1-a996-72cf2ab807a7' id='67665' code='DWYE8M'>
                <room>Firenze</room>
                <title>SOC Like a Genius: Cognitive Agents Delivering Wisdom at Scale</title>
                <subtitle></subtitle>
                <type>Proving Ground Talk-25m</type>
                <date>2025-08-04T11:00:00-07:00</date>
                <start>11:00</start>
                <duration>00:25</duration>
                <abstract>Modern SOCs are overwhelmed with data but short on insight and talent. This session introduces a cognitive detection framework that transforms traditional detection logic into a reasoning engine powered by SLM/LLM-based AI agents. These agents act like seasoned analysts: linking subtle signals, reconstructing attack timelines, prioritizing and guiding decisions based on business impact and intent. The session outlines the pipeline - from alert enrichment to automated response - orchestrated by specialized agents designed to elevate detection from raw data to operational wisdom. With a demo and real-world KPIs, attendees will walk away with a blueprint for building a smarter, leaner, and more impactful SOC.</abstract>
                <slug>security-bsides-las-vegas-2025-67665-soc-like-a-genius-cognitive-agents-delivering-wisdom-at-scale</slug>
                <track>Proving Ground</track>
                <logo>/media/security-bsides-las-vegas-2025/submissions/DWYE8M/52853_4L9TaUE.png</logo>
                <persons>
                    <person id='66298'>Sarah Young</person><person id='68331'>Oudy Even Haim</person>
                </persons>
                <language>en</language>
                <description>We introduce an agent-based detection framework that uses top-down reasoning and contextual understanding - powered by SLM/LLMs - to go beyond static correlation and entity matching. Each AI agent is designed for a specific role in the detection lifecycle, forming a modular pipeline that improves accuracy, prioritization, and automation. This is a new approach in applying cognitive AI to SOC workflows and brings reasoning, intent analysis, and wisdom-driven decisions to detection and response. It solves alert fatigue, missed and false correlations, schema dependency, and the inefficiencies of static rules. Traditional correlation engines can&apos;t scale across multi-domain, multi-vendor, cross-entity threats or adapt fast enough. This framework gives SOCs the ability to reason about alerts, hypothesize links, and prioritize actions - reducing noise, improving detection coverage, and enabling faster responses.</description>
                <recording>
                    <license></license>
                    <optout>false</optout>
                </recording>
                <links></links>
                <attachments></attachments>

                <url>https://pretalx.com/security-bsides-las-vegas-2025/talk/DWYE8M/</url>
                <feedback_url>https://pretalx.com/security-bsides-las-vegas-2025/talk/DWYE8M/feedback/</feedback_url>
            </event>
            <event guid='8a116a22-3e7a-546c-a669-d8de2c757872' id='69421' code='7ZBBAZ'>
                <room>Firenze</room>
                <title>Innovative, Shiny, and Vulnerable: Four Ways to Exploit Modern SaaS Data Platforms</title>
                <subtitle></subtitle>
                <type>Proving Ground Talk-25m</type>
                <date>2025-08-04T14:00:00-07:00</date>
                <start>14:00</start>
                <duration>00:25</duration>
                <abstract>What comes to mind when you hear &quot;SaaS data platform&quot;? It&apos;s a term that&apos;s so common you can make a drinking game out of it. From Customer Data Platforms, Transformation, AI/ML, Warehousing, and Analytics - the list of services these products accomplish never ends. However, one thing is sure - the amount of user and enterprise data these applications process is enormous, especially when adopted by large enterprises. As a Security Engineer focused on advanced product assessments, I have evaluated several prominent SaaS data platforms. Due to their complexity and the sensitivity of the data they process, these products are often vulnerable to intriguing high-risk security issues. 

This talk will discuss four common pitfalls in these products&apos; architecture and logic that can expose their customers&apos; critical data. Whether you are new to the industry, a seasoned veteran, or a CISO, you will learn about these modern technologies and how to approach them during a penetration test. As a customer of these products, you will understand the importance of due diligence and confirming that your vendors have received independent security assessments. And as an everyday consumer, you will recognize the risks of companies over-collecting and sharing your data.</abstract>
                <slug>security-bsides-las-vegas-2025-69421-innovative-shiny-and-vulnerable-four-ways-to-exploit-modern-saas-data-platforms</slug>
                <track>Proving Ground</track>
                <logo>/media/security-bsides-las-vegas-2025/submissions/7ZBBAZ/cloud_Xgp0IvH.png</logo>
                <persons>
                    <person id='69972'>Ben Kofman</person><person id='67754'>Ali Kabeel</person>
                </persons>
                <language>en</language>
                <description>This talk will discuss four common vulnerabilities in some of the products I have tested that can fit the &quot;SaaS data platform&quot; description. I identified these vulnerabilities in various data analytics, AI data/feature engineering, and customer data platforms as part of penetration tests performed on behalf of my employer, Praetorian (https://praetorian.com). The names of these products will be abstracted to protect their reputation. An overview of the four issues I will discuss is as follows:

1) Control-Plane Access Control Gaps: This category refers to access control vulnerabilities in the product&apos;s web UI, API, SDK, or any other interface that customers can use to view or modify their account and configuration. Standard vulnerabilities like Insecure Direct Object Reference (IDOR), insufficient authorization, and overly permissive user roles in the application&apos;s RBAC model can lead to unauthorized disclosure of data within an organization&apos;s tenant or across customers. Additionally, some platforms provide free demo accounts that users can self-sign up for without restricting or isolating them, exposing the product and all their customers&apos; data to a broader attack surface.

2) Remote Code Execution as a Service (RCEaaS): Many of these platforms provide custom logic and algorithm execution as part of their Extract, Transform, and Load (ETL) capabilities. While they take steps to lock down this functionality, the protections can often be bypassed since the code execution usually uses high-level languages like JavaScript and Python, and accounting for every sandbox escape is nearly impossible. After an attacker exploits these features, they can access the platform&apos;s data plane and move laterally within that environment, leading to the third issue.

3) Data-Plane Access Control Gaps: Start-ups and other lean companies usually build these platforms in public cloud infrastructure since it is more cost-effective. Most of the platforms I tested had issues with their deployment architecture. One of these would be over-privileged principals, like the compute instances running customer jobs. An attacker who gains access to the cloud infrastructure by exploiting the code execution features could retrieve the credentials provided to the compute layer and access other resources like storage or secrets. Log files containing sensitive data like access tokens or API keys were often written to the instance file system or cloud storage. An attacker could use the secrets to perform horizontal privilege escalation to other customer tenants or vertical privilege escalation within the tenant. Cross-tenant data leakage is a concern if the data planes between customers are not sufficiently isolated, such as by using distinct cloud accounts.

4) Highly Scalable Architecture: Many data platforms use serverless technology like AWS Lambda to process data and implement user-defined logic. This infrastructure can quickly scale to millions of requests. If the platform does not enforce strict rate-limiting or logic checks on an experimental user or malicious actor, the number of jobs may spiral out of control. The platform&apos;s cloud bill could skyrocket, and if the customer eats the cost, that business could be lost and the platform&apos;s reputation damaged due to accidental resource over-consumption. Even more interesting than a fat bill is the potential for weaponizing the platform&apos;s traffic generation into denial-of-service attacks on arbitrary targets, as I demonstrated in a Praetorian blog post called &quot;Recursive Amplification Attacks: Botnet-as-a-Service,&quot; seen here: https://www.praetorian.com/blog/recursive-amplification-attacks-botnet-as-a-service/

There will not be any live demos during the presentation due to the amount of content to be discussed in the time allotted. However, every technical concept, vulnerability, or hacking technique will be explained with a simple and concise visual example.</description>
                <recording>
                    <license></license>
                    <optout>false</optout>
                </recording>
                <links></links>
                <attachments></attachments>

                <url>https://pretalx.com/security-bsides-las-vegas-2025/talk/7ZBBAZ/</url>
                <feedback_url>https://pretalx.com/security-bsides-las-vegas-2025/talk/7ZBBAZ/feedback/</feedback_url>
            </event>
            <event guid='5e3365c9-b57b-5d79-b878-77deef833b14' id='69981' code='BHMKYS'>
                <room>Firenze</room>
                <title>Prompt Hardener - Automatically Evaluating and Securing LLM System Prompts</title>
                <subtitle></subtitle>
                <type>Proving Ground Talk-25m</type>
                <date>2025-08-04T15:00:00-07:00</date>
                <start>15:00</start>
                <duration>00:25</duration>
                <abstract>Prompt injection remains one of the most critical and under-addressed vulnerabilities in LLM applications. Despite its growing impact, most developers still rely on ad hoc, manual methods to evaluate and secure system prompts, often missing subtle weaknesses that attackers can exploit. Prompt Hardener is an open source toolkit that automates the evaluation, hardening, and adversarial testing of system prompts using the LLM itself. It applies modern prompt hardening techniques such as spotlighting, random sequence enclosure, instruction defense, and role consistency to improve prompt resilience. The tool also performs injection testing with categorized payloads that simulate real world threats, including system prompt leaking and improper output handling based on OWASP Top 10 for LLM Applications 2025. It is mainly intended for use by LLM application developers and security engineers at business companies for evaluating, improving, and testing system prompts for their LLM applications. In this talk, we will also give a live demo of how to strengthen system prompts using the Prompt Hardener CLI mode and Web UI. Join us to learn how to strengthen your system prompts.</abstract>
                <slug>security-bsides-las-vegas-2025-69981-prompt-hardener-automatically-evaluating-and-securing-llm-system-prompts</slug>
                <track>Proving Ground</track>
                
                <persons>
                    <person id='68294'>Krity Kharbanda</person><person id='70631'>Junki Yuasa</person><person id='70793'>Yoshiki Kitamura</person>
                </persons>
                <language>en</language>
                <description>As LLMs become foundational components of modern applications, prompt security has emerged as a critical concern. Developers often rely on handcrafted system prompts without testing how they behave under adversarial conditions. While multiple techniques exist to harden prompts as part of a layered defense strategy, there is no unified way to apply and evaluate them systematically. 

**Prompt Hardener** addresses this by automating both **refinement** and **validation** of system prompts. Using the LLM itself, it performs structured evaluations based on predefined criteria and applies improvements using layered security strategies:

- **Spotlighting**: Explicitly marks and isolates all user-controlled input using tags and special characters to prevent injection
- **Random Sequence Enclosure**: Encloses trusted system instructions in unpredictable tags, ensuring only those are followed and not leaked
- **Instruction Defense**: Instructs the model to ignore new instructions, persona switching, or attempts to reveal/modify system prompts
- **Role Consistency**: Ensures each message role (system, user, assistant) is preserved and not mixed, preventing role confusion attacks

You can check the details of each hardening technique [here](https://github.com/cybozu/prompt-hardener/blob/main/docs/techniques.md).

After hardening, the tool performs **automated injection testing** with a corpus of categorized payloads that simulate common attack scenarios. These include prompt leaking, improper output handling, tool enumeration, and function call hijacking. These are basically based on [OWASP Top 10 for LLM Applications 2025](https://genai.owasp.org/resource/owasp-top-10-for-llm-applications-2025/) but also include other modern attacks. The results are summarized in JSON and visualized in HTML reports, making it easy for LLM application developers and security engineers to measure resilience.

You can check the examples of using Prompt Hardener to improve and test various system prompts [here](https://github.com/cybozu/prompt-hardener/blob/main/docs/tutorials.md).

A simple Gradio UI allows non-CLI users to access the full pipeline: input prompts, evaluate and harden them, and run attack simulations with just a few types and clicks.

By the end of this talk, attendees will understand how to:

- Identify prompt weaknesses before deployment
- Apply defense-in-depth techniques to prompts
- Validate the effectiveness of defenses with attack simulations
- Integrate prompt security testing into their CI pipelines or red team workflows

GitHub URL: https://github.com/cybozu/prompt-hardener</description>
                <recording>
                    <license></license>
                    <optout>false</optout>
                </recording>
                <links></links>
                <attachments></attachments>

                <url>https://pretalx.com/security-bsides-las-vegas-2025/talk/BHMKYS/</url>
                <feedback_url>https://pretalx.com/security-bsides-las-vegas-2025/talk/BHMKYS/feedback/</feedback_url>
            </event>
            <event guid='c9a888a0-7dba-56d0-8a70-72d4afcc2986' id='70166' code='BAHK8E'>
                <room>Firenze</room>
                <title>Community Defense in Depth: Teaching digital security and privacy practices for the public good</title>
                <subtitle></subtitle>
                <type>Proving Ground Talk-25m</type>
                <date>2025-08-04T15:30:00-07:00</date>
                <start>15:30</start>
                <duration>00:25</duration>
                <abstract>From activists organizing and standing up to authoritarian governments, to people trying to safely access healthcare information, everyone has something to protect. As technology gets more advanced, so do the powerful who wish to steal data belonging to those with fewer resources, making it seem impossible to protect our communities against these threats. However, the cybersecurity community has the knowledge to empower the most vulnerable among us. 

This talk will cover threats and tactics used against marginalized communities, and show how digital security and privacy is an ongoing practice in harm reduction. We will walk through threat modeling and how threat models are different for different identities. We will also use storytelling frameworks to explain privacy and security concepts to a non-technical audience.</abstract>
                <slug>security-bsides-las-vegas-2025-70166-community-defense-in-depth-teaching-digital-security-and-privacy-practices-for-the-public-good</slug>
                <track>Proving Ground</track>
                
                <persons>
                    <person id='65612'>Lidia Giuliano</person><person id='70556'>Melanie Gonzalez</person>
                </persons>
                <language>en</language>
                <description>I&apos;ve developed this talk over the past year, based on my experiences volunteering as a digital security trainer to activists, journalists and other people involved in the human rights space. The audience will learn how to educate the public in a world where privacy laws can change overnight.</description>
                <recording>
                    <license></license>
                    <optout>false</optout>
                </recording>
                <links></links>
                <attachments></attachments>

                <url>https://pretalx.com/security-bsides-las-vegas-2025/talk/BAHK8E/</url>
                <feedback_url>https://pretalx.com/security-bsides-las-vegas-2025/talk/BAHK8E/feedback/</feedback_url>
            </event>
            <event guid='889ec72b-82dc-53f0-a5d9-cbf10a034677' id='66574' code='8XRRGH'>
                <room>Firenze</room>
                <title>Azazel System: Tactical Delaying Action via the Cyber-Scapegoat Gateway</title>
                <subtitle></subtitle>
                <type>Proving Ground Talk-25m</type>
                <date>2025-08-04T17:00:00-07:00</date>
                <start>17:00</start>
                <duration>00:25</duration>
                <abstract>Have you heard of the term **&quot;Delaying Action&quot;**? In military strategy, it refers to a defensive maneuver where forces avoid decisive engagement, instead continuing to fight strategically for as long as possible to slow the enemy&apos;s advance. In today&#8217;s cyber warfare, where attacks are fast and automated, adversaries can breach assets in seconds. We believe this classical doctrine must be reimagined for modern cybersecurity.

This concept inspired the development of the **Azazel System**, which implements **Cyber Scapegoat technology**&#8212;a novel deception mechanism that absorbs attacks, misleads adversaries, and strategically delays their progress. Unlike traditional honeypots that simply observe, the Cyber Scapegoat actively engages and binds the attacker, realizing a true **delaying action** in cyberspace.

Built entirely with **open-source software** on a **Raspberry Pi 5**, the Azazel System is lightweight, portable, and easy to deploy in home labs, gateways, VPN endpoints, or CTF environments.

In this talk, we encourage the audience to rethink cyber defense as a means of **controlling time**. Defense is not just about stopping attacks, but about **delaying them tactically**. We invite attendees to explore how deception and delay can be adapted to their own environments to build creative and resilient cyber defense strategies.</abstract>
                <slug>security-bsides-las-vegas-2025-66574-azazel-system-tactical-delaying-action-via-the-cyber-scapegoat-gateway</slug>
                <track>Proving Ground</track>
                
                <persons>
                    <person id='66965'>Soya Aoyama</person><person id='67283'>Makoto Sugita</person>
                </persons>
                <language>en</language>
                <description>### **1. Introduction**  
Modern cybersecurity defense must move beyond passive monitoring and immediate attack blocking. Attackers are increasingly using automated tools that quickly scan, exploit, and establish persistence within seconds. **Traditional honeypots collect attack data but do not interfere with or slow down adversaries. Decoy servers mislead attackers but do not impact their decision-making time.**  

This presentation introduces **Azazel System**, a **portable, low-cost cyber deception gateway that incorporates tactical delaying actions** to provide an effective response against real-world cyber threats. **By leveraging the concept of cyber-scapegoating, the system not only misdirects attackers but actively slows them down using real-time intervention techniques.**  

Built on **Raspberry Pi 5 (8GB) with a hybrid architecture**, Azazel System employs:  
- **Real-time traffic manipulation** using `tc` (Traffic Control) and `iptables`  
- **Cyber-scapegoat deception** to absorb and delay attacks rather than just observing them  
- **Automated logging and threat classification** using Fluent Bit and MITRE ATT&amp;CK  
- **Integration with public Wi-Fi and untrusted network environments**, ensuring adaptability for diverse deployment scenarios  

This talk will explore the **design, deployment, and defensive applications** of this **portable security gateway**, demonstrating its **effectiveness in delaying attacks while providing defenders with essential response time**.

---

### **2. Tactical Delaying Action in Cybersecurity**  
#### **2.1. Military Delaying Action: A Defensive Strategy**  
In military land warfare, **delaying actions** are used to **slow enemy forces, disrupt their movements, and create opportunities for counterattacks**. These tactics include:  
- **Strategic withdrawal while applying resistance** to force attackers into resource exhaustion  
- **Obstacle deployment to manipulate enemy pathways**  
- **Diversionary targets to redirect enemy focus**  

Azazel System applies these principles to cybersecurity by **deliberately controlling an attacker&apos;s progress, rather than merely blocking access**.

---

### **3. The Cyber-Scapegoat Model: Beyond Traditional Honeypots**  
**Problem:** Previous deception techniques fail to **actively interfere with an attacker&#8217;s workflow**.  
**Solution:** Cyber-scapegoats **absorb attacks and delay adversaries, increasing their operational fatigue**.  

| **Method** | **Honeypots** | **Decoy Servers** | **Cyber-Scapegoat (Azazel System)** |
|-----------|--------------|------------------|----------------------------|
| **Purpose** | Collect attack data | Misdirect attackers | **Actively delay and disrupt attacks** |
| **Impact on Attackers** | No direct interaction | Passive deception | **Manipulates and slows adversaries** |
| **Operational Outcome** | Intelligence gathering | Temporary misdirection | **Fatigue attackers and buy defender response time** |

Unlike traditional deception models, Azazel System **exploits attacker persistence by prolonging their engagement with non-critical assets**.

---

### **4. Hybrid Architecture and Deployment**  
&#128204; **Challenge:** Running **active deception and tactical delay mechanisms** on resource-limited hardware.  
&#128204; **Solution:** A **hybrid system** that offloads deep attack analysis to an external laptop.  

#### **4.1. System Overview**  
&#128204; **Azazel System operates as a portable gateway, intercepting and delaying attacks before they reach critical assets.**  

&#128313; **Key Components:**  
- **Raspberry Pi 5 (8GB) as the core gateway**  
- **Containerized OpenCanary for deception**  
- **Real-time network manipulation with `tc` and `iptables`**  
- **Automated log forwarding via Fluent Bit**  
- **External laptop for in-depth forensic analysis**  

&#128313; **Deployment Use Cases:**  
- **Security for public Wi-Fi and travel networks**  
- **SOC (Security Operations Center) incident response augmentation**  
- **Cyberwarfare research and adversary behavior modeling**  

---

### **5. Implementation and Attack Mitigation Techniques**  
&#128204; **Azazel System actively intervenes in attack processes rather than just logging them.**  

#### **5.1. Network Delay &amp; Redirection**  
&#128204; **Key Mechanism:** Slow down reconnaissance and exploit attempts using dynamic network manipulation.  

&#128313; **Methods Used:**  
- **`tc` to artificially increase latency in suspicious connections**  
- **`iptables` rules to reroute attackers into deception environments**  
- **Adaptive response, progressively increasing delays on persistent threats**  

#### **5.2. Logging, Threat Classification, and MITRE ATT&amp;CK Integration**  
&#128204; **Key Mechanism:** **Suricata intrusion alerts** processed via Fluent Bit and classified using MITRE ATT&amp;CK.  

&#128313; **How It Works:**  
- **Suricata detects unusual network activity.**  
- **Fluent Bit sends logs to an external laptop.**  
- **Kibana visualizes the attack timeline, mapped to MITRE ATT&amp;CK.**  

---

### **6. Key Benefits and Tactical Advantages**  
&#128204; **Azazel System offers advantages beyond traditional deception techniques:**  

&#128313; **Delaying attackers to increase defensive response time**  
&#128313; **Cyber-scapegoat model actively manipulates adversary behavior**  
&#128313; **Lightweight, portable deployment suitable for high-risk environments**  
&#128313; **OSS-based, making it cost-effective and adaptable**</description>
                <recording>
                    <license></license>
                    <optout>false</optout>
                </recording>
                <links></links>
                <attachments></attachments>

                <url>https://pretalx.com/security-bsides-las-vegas-2025/talk/8XRRGH/</url>
                <feedback_url>https://pretalx.com/security-bsides-las-vegas-2025/talk/8XRRGH/feedback/</feedback_url>
            </event>
            <event guid='6b09f658-7ae4-5425-be2d-6f2464d52978' id='68811' code='8QHF9R'>
                <room>Firenze</room>
                <title>The Perfect BLEnd: Reverse engineering a bluetooth controlled blender for better smoothies</title>
                <subtitle></subtitle>
                <type>Proving Ground Talk-25m</type>
                <date>2025-08-04T17:30:00-07:00</date>
                <start>17:30</start>
                <duration>00:25</duration>
                <abstract>Have you ever gone to make a smoothie, only to have the blades spin fruitlessly while the fruit sticks just out of reach on the walls of the cup? I&#8217;ve wrestled with a &#8220;smart&#8221; blender over this and other issues on many occasions, often resorting to tossing the single serving cup to dislodge stubborn pieces of fruit. Or perhaps you have another smart device that one day stops working because the vendor decided to stop updating the app for newer phones.
In this talk, I&#8217;ll share how I learned to reverse engineer BLE (bluetooth low energy) devices in order to control the exact settings used by the blender, including initial failures and how I overcame them -- along with quickly creating an alternative for controlling the blender when the app stopped working after an iOS update. And in the end, we&#8217;ll create a custom blending profile for the perfect blend!</abstract>
                <slug>security-bsides-las-vegas-2025-68811-the-perfect-blend-reverse-engineering-a-bluetooth-controlled-blender-for-better-smoothies</slug>
                <track>Proving Ground</track>
                
                <persons>
                    <person id='68329'>Edward Farrell</person><person id='69345'>Ryan Mast</person>
                </persons>
                <language>en</language>
                <description>This is a hobby project (not work related) where I&apos;ve been poking at a Nutribullet Smart Balance blender on and off for several years. Late last summer I finally got around to pulling together the notes I had on the different parts of the BLE (bluetooth low energy) protocol for controlling the blender and put the pieces together to create an open source web app using WebBluetooth for controlling the blender. Using a variety of tools (listed below), I&apos;ll step through the process I followed in learning to sniff bluetooth communications and how bluetooth low energy works. This will include my initial attempts using an nRF52 devkit prior to leveraging bluetooth logging features included in smart phones (and laptops). If there is time, a brief peek at decompiling the Android app revealed blenders and smart scales from other companies that might share the same protocol and could be future devices to look at.

Tools:
* nRF52 DevKit
* Wireshark
* Variety of free BLE scanner apps
* PacketLogger (free tool included with Xcode utilities)
* libimobiledevice idevicebtlogger (open source alternative to PacketLogger)
* https://github.com/nightlark/nutribullet (WebBluetooth app developed based on findings)</description>
                <recording>
                    <license></license>
                    <optout>false</optout>
                </recording>
                <links></links>
                <attachments></attachments>

                <url>https://pretalx.com/security-bsides-las-vegas-2025/talk/8QHF9R/</url>
                <feedback_url>https://pretalx.com/security-bsides-las-vegas-2025/talk/8QHF9R/feedback/</feedback_url>
            </event>
            <event guid='1744b927-9948-5396-89c1-70e990688fab' id='67686' code='LDTD3E'>
                <room>Firenze</room>
                <title>RAGnarok: Assisting Your Threat Hunting with Local LLM</title>
                <subtitle></subtitle>
                <type>Proving Ground Talk-25m</type>
                <date>2025-08-04T18:00:00-07:00</date>
                <start>18:00</start>
                <duration>00:25</duration>
                <abstract>Threat hunting is a proactive approach for identifying undetected threats within an organization&apos;s environment, and it requires various sophisticated skills.
RAGnarok is an assisting tool for the threat hunting process with Large Language Model (LLM). It can generate a Sigma rule automatically for a specific attack technique based on threat intelligence.
As the threat hunting strongly depends on environmental elements that are often regarded as confidential information, RAGnarok adopts a local LLM. RAGnarok can collect and interpret the environmental information autonomously, then reflect it in the generated results without uploading any information to the Internet.
To achieve better results with limited computer resources, RAGnarok is based mainly on 3 technologies: &quot;Quantized LLM&quot;, &quot;Retrieval-Augmented Generation (RAG)&quot;, and &quot;Multi-Agent System&quot;. Quantized LLM can make the execution faster, and the RAG mechanism enables RAGnarok to avoid hallucination and improve the accuracy of the generated result without fine-tuning. In addition, combining RAG with a multi-agent system allows the application to gain deeper specialization. These technologies can allow RAGnarok to run on a CPU-only machine and generate practical outputs.
This talk provides the technical details of RAGnarok, a demo, know-how, and tips obtained by developing it.</abstract>
                <slug>security-bsides-las-vegas-2025-67686-ragnarok-assisting-your-threat-hunting-with-local-llm</slug>
                <track>Proving Ground</track>
                
                <persons>
                    <person id='68395'>Cybelle Oliveira</person><person id='68352'>Jun Miura</person>
                </persons>
                <language>en</language>
                <description>RAGnarok is an assisting tool for the threat hunting process with a local Large Language Model (LLM). It can generate a Sigma rule automatically for a specific attack technique based on threat intelligence like MITRE ATT&amp;CK.
In this talk, I will explain the architecture of RAGnarok, then elaborate on the technologies implemented. Also, I will provide a pre-recorded demo for a better understanding of RAGnarok. And finally, some know-how and tips obtained from developing RAGnarok will be covered.

This talk has been developed based on my experience. When I was involved in threat hunting, there were many different procedures and approaches for it, and I felt it was too much for beginners. On the other hand, threat hunting also has many monotonous operations, and it can easily become boring.
My motivation for developing RAGnarok is to automate the threat hunting process with a local LLM, especially the boring processes, and to concentrate on only the interesting processes. In other words, humans will focus on only the advanced steps in the threat hunting process. Additionally, assisting beginners by generating practical results (Sigma rules) is also my motivation.
Threat hunting usually requires environment information such as server configuration or account information. In this talk, Windows Active Directory configuration is especially focused on as environmental information, and collected and manipulated by using &quot;Bloodhound&quot;. These types of environmental information are often regarded as confidential information, so RAGnarok adopts a local LLM instead of a cloud-based LLM in order to avoid uploading the information to the Internet.
The base technologies of RAGnarok are &quot;Quantized LLM&quot;, &quot;Retrieval-Augmented Generation (RAG)&quot;, and &quot;Multi-Agent System&quot;. Combining them enables RAGnarok to generate highly professional and accurate results without fine-tuning on a CPU-only machine.
However, there are a lot of misunderstandings in using these LLM-related technologies because of their complexity. Therefore, this talk will provide not only the technical details of RAGnarok, but also the points of utilizing LLMs, especially local LLMs, as know-how or tips.
Furthermore, one of the concepts behind RAGnarok is scalability. Of course, we can easily add a new feature to RAGnarok. But it also means that the architecture of RAGnarok is applicable to other areas of cybersecurity, such as red teaming. In other words, threat hunting is just one of the use cases of the proposed architecture. I believe that this talk can contribute to promoting the use of a local LLM in the whole cybersecurity field.

RAGnarok is going to be available as open source by the time of the talk.

Tools:
- Docker: https://www.docker.com/
- Bloodhound-CE: https://github.com/SpecterOps/BloodHound
- Langgraph: https://www.langchain.com/langgraph
- Ollama: https://ollama.com/

The following presentation is the prototype of RAGnarok.
Of course, as RAGnarok has evolved from the prototype, they are not the same.
For example, there are some differences in architecture and function related to treating environmental information. (I will elaborate on them in the talk.)
But this presentation will help you imagine what RAGnarok is all about!
- Presentation record: https://www.youtube.com/watch?v=a0FvmNkpVLI&amp;list=PLALq3Th79NnpPtZ28R-WPbepAPwgYHYiz&amp;index=5&amp;pp=iAQB
- Presentation material: https://ctid.mitre.org/events/apac-2025/08%20-%20MITRE%20ATT&amp;CK%20Driven%20Threat%20Hunting%20Automated%20by%20Local%20LLM.pdf</description>
                <recording>
                    <license></license>
                    <optout>false</optout>
                </recording>
                <links></links>
                <attachments></attachments>

                <url>https://pretalx.com/security-bsides-las-vegas-2025/talk/LDTD3E/</url>
                <feedback_url>https://pretalx.com/security-bsides-las-vegas-2025/talk/LDTD3E/feedback/</feedback_url>
            </event>
            <event guid='3a87b8cc-a131-506b-b317-b15dce53218a' id='67732' code='JWXSRB'>
                <room>Firenze</room>
                <title>SIGMA, one rule to find them all</title>
                <subtitle></subtitle>
                <type>Proving Ground Talk-25m</type>
                <date>2025-08-04T18:30:00-07:00</date>
                <start>18:30</start>
                <duration>00:25</duration>
                <abstract>SIGMA rules are an agnostic, text-based, open signature format written in YAML for creating threat detections, developed and open-sourced in 2017 by Florian Roth and Thomas Patzke. The project was conceived to address the challenges facing analysts when sharing and translating rule logic across the various SIEM and EDR tools.
I will share with you how I implemented the gift of SIGMAs in our hunting workflow to assist with sniffing out gremlins hiding in the network. I will walk through the SIGMA creation process, sharing tips on how to tackle some of the challenges you might run into in real life when working with SIGMA. Hopefully my story can prove helpful for you, whether you are looking for ways to mature and streamline your hunting programs or just getting started playing around with Sigma.</abstract>
                <slug>security-bsides-las-vegas-2025-67732-sigma-one-rule-to-find-them-all</slug>
                <track>Proving Ground</track>
                <logo>/media/security-bsides-las-vegas-2025/submissions/JWXSRB/greml_o9fcQ1g.jpg</logo>
                <persons>
                    <person id='68444'>HD Moore</person><person id='68389'>Rain Baker</person>
                </persons>
                <language>en</language>
                <description>&quot;The Gremlin Hunter&quot; project was developed as a way to solve the challenges I had of searching in a consistent way that could be tracked, and then acting on that information to produce actionable intelligence. Together with my team, I developed a process modeled on a &quot;guided&quot; hunt framework, following the Intelligence Lifecycle. The hunts are developed using OSINT and internal research from our CTI team, which I put into the SIGMA rule format. I then input these into our MISP instance, where we use pySIGMA to process and translate the rules. The rules are then sent over to our ticketing system where they are distributed weekly to the hunting team.
The hunt team takes the queries that are translated and tests them in the environments, running them to hunt for whatever evil it is they are looking for. Final queries that are deemed production worthy are submitted to our engineering team to deploy as permanent detections. 
The training will include showing our guided hunt workflow setup as well as demonstrating the process I used to create a SIGMA rule to hunt for a particular threat or activity, as well as some tips and hints on how to overcome some of the challenges when writing rules.
Avatar of Gremlin Hunter is art by Phil Cho https://www.philchoart.com/featured/2020/11/13/gizmo-gremlin-hunter-earth-27-commission</description>
                <recording>
                    <license></license>
                    <optout>false</optout>
                </recording>
                <links></links>
                <attachments></attachments>

                <url>https://pretalx.com/security-bsides-las-vegas-2025/talk/JWXSRB/</url>
                <feedback_url>https://pretalx.com/security-bsides-las-vegas-2025/talk/JWXSRB/feedback/</feedback_url>
            </event>
            
        </room>
        <room name='Tuscany' guid='01e2c16b-4148-5a9e-8f94-475ed218f5d1'>
            <event guid='2b9f97fa-9869-51c1-a29e-96587fab6971' id='70771' code='EKZ7ZD'>
                <room>Tuscany</room>
                <title>I&apos;m A Machine, And You Should Trust Me: The Future Of Non-Human Identity</title>
                <subtitle></subtitle>
                <type>Talk-45m</type>
                <date>2025-08-04T10:00:00-07:00</date>
                <start>10:00</start>
                <duration>00:45</duration>
                <abstract>A lot of security boils down to trusting both humans and machines to access resources using the same flawed pattern: long-lived credentials. What if we rethought application and workload &apos;identity&apos;?</abstract>
                <slug>security-bsides-las-vegas-2025-70771-i-m-a-machine-and-you-should-trust-me-the-future-of-non-human-identity</slug>
                <track>PasswordsCon</track>
                
                <persons>
                    <person id='70298'>Dwayne McDaniel</person>
                </persons>
                <language>en</language>
                <description>Security boils down to trust. Trusting that the code will do what is expected and is free from vulnerabilities. Trusting that the entities interacting with our data and resources have the right to access those resources. Our current approach to both human and non-human access uses the same basic flawed pattern: long-lived credentials. 

This approach to trusted access does not take into account who or what is requesting that resource. These secrets, which quite often leak, are an attacker&apos;s best friend and are how attackers think about getting into and moving throughout your system. 

What if instead of simply asking for a security key or credential to gain access, our applications, workloads, and resources asked &quot;Who are you and how can you prove that?&quot; Humans can move towards leveraging our non-changing characteristics, like biometrics. But what about machines? Especially in the world where pods and workloads last for only hours or days? 

Attend this session to:
- Better communicate about why we must do things differently and soon
- Learn how the open-source software community has looked at addressing the identity problem
- Understand what commercial options are available
- Map a path away from the world of long-lived credentials

The future of identity and access management is the future of security, IT, and, ultimately, business resiliency.</description>
                <recording>
                    <license></license>
                    <optout>false</optout>
                </recording>
                <links></links>
                <attachments></attachments>

                <url>https://pretalx.com/security-bsides-las-vegas-2025/talk/EKZ7ZD/</url>
                <feedback_url>https://pretalx.com/security-bsides-las-vegas-2025/talk/EKZ7ZD/feedback/</feedback_url>
            </event>
            <event guid='52effde1-503f-541b-9684-6a11c8fcb2ea' id='70952' code='P9MPCD'>
                <room>Tuscany</room>
                <title>The Rise of Synthetic Passwords in Botnet &amp; Attack Operations</title>
                <subtitle></subtitle>
                <type>Talk-20m</type>
                <date>2025-08-04T11:00:00-07:00</date>
                <start>11:00</start>
                <duration>00:20</duration>
                <abstract>As security personnel and blue teams continue to tighten controls around credential stuffing and password reuse detection, attackers continue to evolve. A new tactic that is becoming popular amongst attackers is the mass use of synthetic passwords&#8212;those are fabricated, non-reused credentials generated algorithmically (either with scripts or using AI) for botnets to evade traditional defenses. These aren&apos;t leaked passwords or user guesses; they&apos;re high-entropy, AI-shaped, or randomly generated inputs designed to pollute logs, obscure real attack traffic, and overwhelm detection systems.</abstract>
                <slug>security-bsides-las-vegas-2025-70952-the-rise-of-synthetic-passwords-in-botnet-attack-operations</slug>
                <track>PasswordsCon</track>
                
                <persons>
                    <person id='71074'>Dimitri Fousekis</person><person id='79125'>Travis More</person>
                </persons>
                <language>en</language>
                <description>In this talk, we explore the growing use of synthetic passwords in credential attacks, how they&#8217;re generated, and the strategic value they offer to adversaries. We&apos;ll examine real-world examples of botnet behavior showing this shift,  and how synthetic inputs are being weaponized to bypass rate limits, defeat breach matching engines, and poison log files, SIEMs and other analysis engines. 

A major advantage of using synthetic passwords in attacks is to increase and exploit analysis fatigue. Large password attempts that make their way into logs and analytics - but offer little value when analyzed - create unnecessary work, processing and diversion. 

Attendees will gain insight into how to identify, profile, and defend against these noise-based attacks&#8212;using entropy analysis, anomaly scoring, and behavioral fingerprinting.</description>
                <recording>
                    <license></license>
                    <optout>false</optout>
                </recording>
                <links></links>
                <attachments></attachments>

                <url>https://pretalx.com/security-bsides-las-vegas-2025/talk/P9MPCD/</url>
                <feedback_url>https://pretalx.com/security-bsides-las-vegas-2025/talk/P9MPCD/feedback/</feedback_url>
            </event>
            <event guid='c2a7d321-d130-58d5-8e91-8d2517286017' id='68761' code='LN7ETH'>
                <room>Tuscany</room>
                <title>Extending Password (in)Security to the Browser: How Malicious Browser Extensions Are Used to Steal User Passwords</title>
                <subtitle></subtitle>
                <type>Talk-45m</type>
                <date>2025-08-04T14:00:00-07:00</date>
                <start>14:00</start>
                <duration>00:45</duration>
                <abstract>Malicious browser extensions are an emerging attack vector to steal user identity information and passwords. This session will provide a detailed breakdown of how browser extensions can be used for theft of credential data, and a technical analysis of what permissions and methods compromised extensions invoke to steal passwords and other authentication details.

As part of this session, we will walk through the emergence of browser extensions as a threat vector, discuss how they become compromised, and then explore in detail the types of password and credential data that can be stolen, and how they do it. We will describe specific permissions and techniques used by extensions to steal password information, and show live examples. Finally, we will discuss best practices and methods on how individuals and organizations should protect themselves against such tactics.</abstract>
                <slug>security-bsides-las-vegas-2025-68761-extending-password-in-security-to-the-browser-how-malicious-browser-extensions-are-used-to-steal-user-passwords</slug>
                <track>PasswordsCon</track>
                
                <persons>
                    <person id='69305'>Or Eshed</person>
                </persons>
                <language>en</language>
                <description>This talk has 3 main parts to it:
1.	A discussion of browser extensions as an emerging threat vector to steal identity data.
2.	A technical exploration of the methods, permissions and calls invoked by browser extensions, what data they can reach, and how they can extract password information.
3.	A discussion of how to counter these tactics, and best practices for security.

In Part I, we will talk about the emergence of browser extensions as a threat surface and a risk factor. We&#8217;ll share statistics (collected by LayerX&#8217;s internal metrics from our customer base) of the distribution of browser extensions (99% of enterprise users have &gt;1 extensions, 53% of users have &gt;10 extensions), permission scope of extensions (53% of users have extensions with high/critical permissions), and data on individual permissions (such as identity, cookies, scripting, and others). We&#8217;ll also discuss how extensions become compromised: whether they are built as malicious extensions, become compromised (à la the Cyberhaven incident), or transfer ownership (via sale of extensions), and provide real-life examples of each type.

In Part II, we will proceed to a technical discussion of what types of password and authentication data extensions can access:
&#8226;	Web cookies
&#8226;	Session information
&#8226;	Application access tokens
&#8226;	Authentication certificates
&#8226;	Passwords
&#8226;	Keyboard strokes / input information

And also of the various methods for collecting this information:
&#8226;	Identity API
&#8226;	Cookies API
&#8226;	Scripting permissions
&#8226;	Tabs management permissions
&#8226;	Input method calls
&#8226;	webNavigation and webRequest APIs to control web traffic
&#8226;	and more

In Part III, we will bring these concepts together and propose a framework for auditing, assessing the risk and enforcing protection against malicious browser extensions.</description>
                <recording>
                    <license></license>
                    <optout>false</optout>
                </recording>
                <links></links>
                <attachments></attachments>

                <url>https://pretalx.com/security-bsides-las-vegas-2025/talk/LN7ETH/</url>
                <feedback_url>https://pretalx.com/security-bsides-las-vegas-2025/talk/LN7ETH/feedback/</feedback_url>
            </event>
            <event guid='9ee3b37f-30c7-5c77-b32c-03db625043b3' id='68765' code='CRQLAX'>
                <room>Tuscany</room>
                <title>Hazard Analysis of Military AI Systems Using STPA-Sec: A Systems-Theoretic Approach to Secure and Assured Autonomy</title>
                <subtitle></subtitle>
                <type>Talk-45m</type>
                <date>2025-08-04T15:00:00-07:00</date>
                <start>15:00</start>
                <duration>00:45</duration>
                <abstract>AI systems can fail dangerously without ever &#8220;breaking.&#8221; This talk introduces a systems-theoretic method for identifying and mitigating hidden hazards in AI-enabled environments&#8212;especially those involving generative and predictive models. Learn how STPA-Sec reveals systemic risks arising from misaligned recommendations, inadequate feedback loops, and interface ambiguity&#8212;plus how to control them before they cause harm.</abstract>
                <slug>security-bsides-las-vegas-2025-68765-hazard-analysis-of-military-ai-systems-using-stpa-sec-a-systems-theoretic-approach-to-secure-and-assured-autonomy</slug>
                <track>PasswordsCon</track>
                <logo>/media/security-bsides-las-vegas-2025/submissions/CRQLAX/Hazar_P6aYvd6.png</logo>
                <persons>
                    <person id='69308'>Josh Harguess</person><person id='69310'>Chris Ward</person>
                </persons>
                <language>en</language>
                <description>As AI becomes increasingly embedded in operational workflows&#8212;across healthcare, transportation, finance, and beyond&#8212;traditional failure-mode analyses fall short. AI systems often function &#8220;correctly,&#8221; yet still produce unsafe outcomes due to flawed assumptions, incomplete control loops, or emergent behaviors. These non-failure-based hazards are especially critical when AI outputs shape human decisions or operate under loose oversight.

This session presents an applied case study using System-Theoretic Process Analysis for Security (STPA-Sec) to analyze a representative AI decision-support system integrating generative and predictive components. We model the system&#8217;s control structure&#8212;including users, data flows, models, and feedback mechanisms&#8212;to identify unsafe control actions such as:
- AI-generated outputs that bypass validation
- Feedback delays in time-sensitive scenarios
- Interface design failures that erode operator trust

Each hazard is traced to causal factors like model misalignment, lack of context awareness, and missing constraints on AI autonomy. We then demonstrate how to implement effective controls&#8212;such as human-on-the-loop (HOTL) oversight, system boundaries, and enriched operator feedback&#8212;to reduce residual risk.

This talk is grounded in real-world analysis and provides attendees with a repeatable method for anticipating and mitigating systemic AI failures&#8212;especially valuable for those involved in AI risk, governance, or security.</description>
                <recording>
                    <license></license>
                    <optout>false</optout>
                </recording>
                <links></links>
                <attachments></attachments>

                <url>https://pretalx.com/security-bsides-las-vegas-2025/talk/CRQLAX/</url>
                <feedback_url>https://pretalx.com/security-bsides-las-vegas-2025/talk/CRQLAX/feedback/</feedback_url>
            </event>
            <event guid='0768c9d3-8e4e-5f31-8219-cdc8014e2a47' id='66799' code='JCZVM7'>
                <room>Tuscany</room>
                <title>The HMAC Trap: Security or Illusion?</title>
                <subtitle></subtitle>
                <type>Talk-45m</type>
                <date>2025-08-04T17:00:00-07:00</date>
                <start>17:00</start>
                <duration>00:45</duration>
                <abstract>Every day, billions of messages are signed with HMACs. We assume using HMAC is the way to gatekeep integrity and authenticity. But what happens when this cryptographic seal is misunderstood, misused, or just plain broken?
This talk will show you how HMAC is not just a cryptographic construction, but a misunderstood superhero in the authentication world. Join me in unraveling where HMAC went wrong and where it got it right. Through code demos, vulnerability breakdowns, and examples using Python and open-source tools, we&#8217;ll showcase how even mature systems could fall victim to these quiet flaws and how to spot them before attackers do.</abstract>
                <slug>security-bsides-las-vegas-2025-66799-the-hmac-trap-security-or-illusion</slug>
                <track>PasswordsCon</track>
                <logo>/media/security-bsides-las-vegas-2025/submissions/JCZVM7/hmac-_o53VImQ.jpg</logo>
                <persons>
                    <person id='67495'>Marluan &quot;Izzny&quot; Cleary</person>
                </persons>
                <language>en</language>
                <description>This talk is the result of deep-dive research into HMAC vulnerabilities, misconfigurations, implementation flaws, and security failures that have led to authentication bypasses and exploited systems. HMAC is one of the most widely used cryptographic primitives in modern authentication, securing APIs, JWTs, and message integrity across countless applications. However, as my research has shown, it&apos;s also frequently misunderstood and misused in ways that introduce serious security risks.

I have explored multiple vulnerabilities in real-world HMAC implementations and analyzed how subtle mistakes can lead to authentication failures. This talk will focus on breaking down these weaknesses through pre-recorded demos, code reviews, and attack scenarios, all using open-source tools such as Python&#8217;s HMAC module, hash-extension attacks, and other exploitation techniques.

Tools &amp; Resources:
&#8226;	GitHub repo with PoC code and demos: https://github.com/HexxedBitHeadz/02-17-HMAC 
&#8226;	Python scripts for HMAC validation testing
&#8226;	Custom Flask-based vulnerable app for exploitation demos
&#8226;	Blog reference: https://hexxedbitheadz.com/unraveling-the-cryptographic-thread-of-hmac/ 
&#8226;	OWASP cheat sheets &#8211; used for contrasting secure vs. flawed HMAC usage: https://cheatsheetseries.owasp.org/cheatsheets/Key_Management_Cheat_Sheet.html
https://cheatsheetseries.owasp.org/cheatsheets/Microservices_Security_Cheat_Sheet.html</description>
                <recording>
                    <license></license>
                    <optout>false</optout>
                </recording>
                <links></links>
                <attachments></attachments>

                <url>https://pretalx.com/security-bsides-las-vegas-2025/talk/JCZVM7/</url>
                <feedback_url>https://pretalx.com/security-bsides-las-vegas-2025/talk/JCZVM7/feedback/</feedback_url>
            </event>
            <event guid='1ded3103-81c4-53da-b58a-0361db71afe6' id='68480' code='7HLURD'>
                <room>Tuscany</room>
                <title>Machine Identity &amp; Attack Path: The Danger of Misconfigurations</title>
                <subtitle></subtitle>
                <type>Talk-45m</type>
                <date>2025-08-04T18:00:00-07:00</date>
                <start>18:00</start>
                <duration>00:45</duration>
                <abstract>In an era where digital transformation has integrated multi-cloud environments into the core of business operations, security demands have escalated exponentially. This talk, &quot;Machine Identity &amp; Attack Path: The Danger of Misconfigurations,&quot; addresses the pressing challenges and threats within these diverse cloud setups. Attendees will deepen their understanding of how attackers exploit vulnerabilities stemming from misconfigured security measures and inadequately managed machine identities.

The presentation focuses on the intricate dynamics of attack vectors, surfaces, and paths, providing actionable insights to reinforce cloud infrastructures. With a spotlight on innovative open-source tools such as SecBridge, Cartography, and AWSPX, participants will discover how to map environments effectively, visualize IAM permissions, and enhance security tool integrations for robust cloud operations.

This session caters to cybersecurity professionals, cloud architects, and IT managers seeking knowledge and strategies to protect digital assets amidst a complex multi-cloud landscape. Join us to explore cutting-edge solutions and safeguard your organization against the evolving security needs of contemporary cloud ecosystems.</abstract>
                <slug>security-bsides-las-vegas-2025-68480-machine-identity-attack-path-the-danger-of-misconfigurations</slug>
                <track>PasswordsCon</track>
                
                <persons>
                    <person id='69071'>Filipi Pires</person>
                </persons>
                <language>en</language>
                <description>In today&#8217;s rapidly advancing digital environment, securing multi-cloud infrastructures has become more crucial than ever. &quot;Machine Identity &amp; Attack Path: The Danger of Misconfigurations&quot; addresses the complexities and emerging threats inherent in managing multi-cloud setups. This talk will equip attendees with comprehensive insights into how attackers leverage vulnerabilities caused by misconfigured security protocols and the improper handling of machine identities.

The session begins by laying out fundamental concepts such as machine identity, attack vectors, surfaces, and paths, clarifying how each element contributes to potential security breaches. Participants will gain a thorough understanding of attack paths, crucial for tracking potential attack routes within cloud environments.

Leveraging graph-based visualization tools, like SecBridge, Cartography, and AWSPX, this presentation will demonstrate how to map complex environments and visualize access permissions effectively. This approach not only aids in understanding potential vulnerabilities but also strengthens security postures across different cloud platforms.

The discussion extends to cloud-specific attacks, identifying typical vulnerabilities within AWS, OCI, GCP, and Azure. Attendees will be guided through mitigation strategies using best practices and the latest open-source tools to secure multi-cloud architectures effectively.

This talk is vital for cybersecurity professionals, cloud architects, and IT managers aiming to safeguard their organizations&apos; digital assets. Explore innovative strategies to address the critical security needs of today&#8217;s multi-cloud ecosystems and ensure robust defense mechanisms in these dynamic environments.</description>
                <recording>
                    <license></license>
                    <optout>false</optout>
                </recording>
                <links></links>
                <attachments></attachments>

                <url>https://pretalx.com/security-bsides-las-vegas-2025/talk/7HLURD/</url>
                <feedback_url>https://pretalx.com/security-bsides-las-vegas-2025/talk/7HLURD/feedback/</feedback_url>
            </event>
            
        </room>
        <room name='Siena' guid='a031f724-3250-5948-9a09-d14574416a31'>
            <event guid='d3f17292-7118-5476-b6f3-12a1726901f4' id='69638' code='ZCTLHZ'>
                <room>Siena</room>
                <title>&#8220;PEBKAC Rebooted: A Hacker&#8217;s Guide to People&#8209;Patching in 90 Days&#8221;</title>
                <subtitle></subtitle>
                <type>Talk-20m</type>
                <date>2025-08-04T10:00:00-07:00</date>
                <start>10:00</start>
                <duration>00:20</duration>
                <abstract>Forget the tired &#8220;PEBKAC&#8221; jokes&#8212;your next breach won&#8217;t happen because people are stupid, but because their brains are running exactly as designed. 

This session weaponizes cognitive science and a dataset of 1&#8239;million users&apos; experiences with phishing simulations and 170,000 people&apos;s answers to perceptual surveys to show how attackers hijack four predictable bugs in wetware: optimism bias (&#8220;not me&#8221;), Dunning&#8209;Kruger (a dash of training &#8594; god&#8209;mode confidence), and the newly quantified technology bias&#8212;the reckless belief that EDR, AI mail filters, or zero&#8209;trust pixie dust catch everything. You&#8217;ll see why users who score high on tech bias click links 140% more often, and why click&#8209;through rates double if phishing simulations pause for just three months. Then we flip the script: continuous &#8220;people&#8209;patching,&#8221; instant dopamine&#8209;hit feedback loops, and neuroscience-based hacks that drop real&#8209;phish clicks 8&#215; while tripling report rates. We&apos;ll also show how to prove the ROI for moving from security awareness to motivation, while also demonstrating how humans can show the flaws in your security stack, like how many phishes leaked past your e-mail filters.</abstract>
                <slug>security-bsides-las-vegas-2025-69638-pebkac-rebooted-a-hacker-s-guide-to-people-patching-in-90-days</slug>
                <track>Ground Truth</track>
                
                <persons>
                    <person id='70146'>David Shipley</person>
                </persons>
                <language>en</language>
                <description>For decades, security pros have repeated the mantra: &#8220;People are the weakest link.&#8221; 

This talk flips that myth on its head. Using one of the largest datasets of its kind&#8212;1 million users, millions of phishing simulations, and survey responses from 170,000 people &#8212; we&#8217;ll explore how people aren&#8217;t the biggest problem in cybersecurity. They&#8217;re the greatest opportunity.

Human error is not random. It follows predictable patterns hardwired by evolution:

Optimism bias: &#8220;It won&#8217;t happen to me.&#8221; (+37% click rate)

Anchoring bias: First impressions override logic (now supercharged by GenAI-quality phish)

Dunning-Kruger effect: Overconfidence after shallow training = dangerous false certainty

Technology bias: 1 in 3 users believe firewalls and antivirus fully protect them&#8212;a belief that leads to 140% more clicks

These aren&#8217;t theoretical concepts. They show up in real phishing telemetry. People don&#8217;t click because they&#8217;re dumb&#8212;they click because their brains are conserving energy, operating on autopilot, or hijacked by emotional triggers like urgency and fear. Nearly 20% of clickers don&#8217;t even remember doing it. Another 17% say they were rushing. The amygdala moves faster than logic. Social engineers know this. It&apos;s time defenders did too.

The good news? These patterns are hackable&#8212;by us.

Backed by behavioral science and data, this talk outlines a new model of human defense: one based on motivation, emotional learning, and cognitive bias mitigation. It also introduces SCARF, a neuroscience-based model (Status, Certainty, Autonomy, Relatedness, Fairness), a concept brought from the business world into cybersecurity, that helps us engage users on their terms&#8212;not ours.

We&#8217;ll cover what actually works:

Click rates drop 8x in 90 days with well-designed simulation programs
Report rates increase 2.5&#8211;3x when users get positive feedback and real-time coaching
Live phishing threats caught by users increase as trust in tools alone declines
Resilience decays fast: pause simulations for three months and click rates double

We&#8217;ll also explore failure modes: over-training leads to false confidence, and phishing users too often (more than once a month) tanks performance.

This session will give you a blueprint for building adaptive, motivated human firewalls using neuroscience, behavior modeling, and just the right dose of gamified reinforcement. Learn how to measure attitudes&#8212;not just knowledge&#8212;and why motivation is the real missing link in most security awareness programs.

Don&#8217;t settle for blaming users. Hack their biases. Trigger better defaults. Close the loop with feedback, not shame.

From weakest link to fastest sensor: this is how you patch the wetware.</description>
                <recording>
                    <license></license>
                    <optout>false</optout>
                </recording>
                <links></links>
                <attachments></attachments>

                <url>https://pretalx.com/security-bsides-las-vegas-2025/talk/ZCTLHZ/</url>
                <feedback_url>https://pretalx.com/security-bsides-las-vegas-2025/talk/ZCTLHZ/feedback/</feedback_url>
            </event>
            <event guid='b0f7c29e-39b8-5ec7-8d06-e43ab96f17c3' id='70312' code='JZ98SA'>
                <room>Siena</room>
                <title>Autonomous Discovery of Logic-based API Vulnerabilities</title>
                <subtitle></subtitle>
                <type>Talk-45m</type>
                <date>2025-08-04T10:30:00-07:00</date>
                <start>10:30</start>
                <duration>00:45</duration>
                <abstract>Logic-based vulnerabilities remain the hardest to detect with automated application security tools, including the new LLM-based ones. We examine how AI agents can be trained to discover such complex vulnerabilities in black-box settings.

In this talk, we&apos;ll demonstrate how we train a reinforcement learning agent to navigate applications, model state transitions, and identify logic flaws. These agents observe user roles, session tokens, and application responses to iteratively craft requests that reveal vulnerabilities.

Then, we evaluate this agent using Marvin, our open-source research framework that provides environments with vulnerable REST and GraphQL APIs that accurately mirror real-world application logic. By open-sourcing Marvin, we aim to set the standard for the hacker community to evaluate new hacking agents.

We discuss the capabilities and limitations of these systems and point toward what we need to make AI practically useful for security research.</abstract>
                <slug>security-bsides-las-vegas-2025-70312-autonomous-discovery-of-logic-based-api-vulnerabilities</slug>
                <track>Ground Truth</track>
                
                <persons>
                    <person id='70609'>Dvir Lazar</person><person id='70675'>Taha Biyikli</person>
                </persons>
                <language>en</language>
                <description>The content of this talk originated from a research project Dvir Lazar and I developed at Carnegie Mellon this past year. Following our research, Dvir and I co-founded Alkonos, an AI-based Dynamic Application Security Testing (DAST) startup.
The fundamental problem we&apos;re addressing is that current DAST tools widely adopted by both industry and hacker communities rely on pattern matching for known vulnerabilities or fuzzing without contextual insights. This approach renders them completely ineffective against some of the most critical web application security vulnerabilities, including IDORs, access control vulnerabilities, and account takeovers. According to OWASP, access control vulnerabilities are ranked as the #1 most critical vulnerability, yet traditional tools consistently fail to detect them.
Recent advancements in AI offer the potential to automate the detection of these complex vulnerabilities. However, as with any emerging technology, significant challenges remain. Our research revealed that while multiple companies and academic research efforts are tackling this field, there&apos;s no standardized way to measure the success of these tools. We argue that without proper benchmarks, the hacker community cannot effectively assess these solutions, and the industry lacks direction for developing robust automation tools.
To address this gap, we&apos;ve developed Marvin, an MIT-licensed benchmark suite specifically designed to evaluate whether autonomous agents can discover logic bugs in realistic environments. Marvin provides standardized vulnerability scenarios with ground-truth labels, focusing on business logic flaws where AI systems traditionally struggle to understand application context and business rules.
Our framework features diverse application vulnerability corpora across multiple API paradigms (REST, GraphQL), controlled noise elements to test false positive rates, varied authentication mechanisms, and progressive difficulty tiers. We&apos;ll demonstrate how reinforcement learning-based hackbots can be trained on Marvin to successfully identify these vulnerabilities and present a live demonstration of our RL agent navigating complex API structures and exploiting business logic flaws that traditional security tools miss.
This talk will cover our approach to training and evaluating AI-based security testing systems, introduce the Marvin framework to the hacker community, and present a roadmap for advancing automated detection of logic-based vulnerabilities. We&apos;ll also discuss how the community can contribute to and utilize Marvin to evaluate vendor claims about AI-based security tools.</description>
                <recording>
                    <license></license>
                    <optout>false</optout>
                </recording>
                <links></links>
                <attachments></attachments>

                <url>https://pretalx.com/security-bsides-las-vegas-2025/talk/JZ98SA/</url>
                <feedback_url>https://pretalx.com/security-bsides-las-vegas-2025/talk/JZ98SA/feedback/</feedback_url>
            </event>
            <event guid='6cdb7e49-28e7-5dfb-96f8-d8d278dfa863' id='68791' code='89TETH'>
                <room>Siena</room>
                <title>Fragmentation of CTI: The Deck is Stacked Against the Defenders</title>
                <subtitle></subtitle>
                <type>Talk-45m</type>
                <date>2025-08-04T14:00:00-07:00</date>
                <start>14:00</start>
                <duration>00:45</duration>
                <abstract>IOCs produced in 2024: 1.2 trillion.  Projected for 2025: 2 trillion.  Our ongoing research is one of the most expansive and comprehensive analyses of accessible global threat intelligence data from over 50 commercial providers spanning over 2 years.  We will share insights about the CTI ecosystem including the number of CTI producers and their specializations, volume and rate of production of IOCs, and intersections and overlaps between feeds and threat context.

We will then delve into how quickly intelligence providers keep up with vulnerability disclosures and attackers who exploit them.  A temporal analysis of IOC coverage for CVEs from 2023 and 2024 reveals the average delays between the time of disclosure and the time of attribution in intelligence, providing insights into how quickly attackers pivot existing infrastructure and TTPs to exploit new vulnerabilities and when they stand up new infrastructure to scale those attempts.  A shocking observation is the high accuracy of aged-out IOCs, long thought to be useless, in predicting coverage over 90(!) days in advance.

We will conclude the session with thoughts on the underlying causes of this fragmentation in the CTI industry and how they may unintentionally be setting up defenders for failure.</abstract>
                <slug>security-bsides-las-vegas-2025-68791-fragmentation-of-cti-the-deck-is-stacked-against-the-defenders</slug>
                <track>Ground Truth</track>
                
                <persons>
                    <person id='69328'>Dave Ahn</person>
                </persons>
                <language>en</language>
                <description>In pursuing its business, Centripetal has become one of the largest commercial consumers of intelligence in the world.  In the spirit of giving back to the community, our Labs research team conducts analysis of this data to provide valuable insights to publish in peer-reviewed academic journals and to share freely with trusted cybersecurity communities - no marketing fluff.  This topic is one such endeavour.

The cybersecurity industry emphasizes that CTI is a pivotal component to every cyber defense strategy.  CTI has grown to be a $14B industry where the vast majority of critical information about threats is in closed-source, commercial offerings from over 300 providers world-wide.  The market claims typically state a uniqueness factor of up to 80% with each provider touting the breadth, depth and speed of their intelligence as competitive advantages over their peers.  However, we have yet to find any independent comprehensive competitive analysis to validate or refute those claims.  A small number of peer-reviewed articles on this subject matter are dated and limited mostly to open source intelligence and a few commercial sources.  But more importantly, any such validation of the uniqueness claim would lead to an obvious conclusion that few seem to acknowledge: if every provider&#8217;s data is unique, no single provider can offer complete or even majority coverage for known threats.

We will begin this session with an overview of the CTI ecosystem including the estimated number of total commercial, open source and government/NGO providers, then dive into a comprehensive overlap analysis of threat indicator data that reveals the true overlap to be between 1-5% depending on fidelity.  We will then look at the threat categories of each provider to show their specializations that contribute to the lack of duplicity as well as the ~16% conflicting data that can lead to confusion in threat investigations.

We will then explore coverage graphs from retrospective analysis of published CVEs from 2023 and 2024 to show a 6-12 day delay in CTI attributions to those vulnerabilities.  We will delve into a historical prediction analysis of unpublished threats that show nearly a 100% coverage of attack infrastructure used to exploit newly published CVEs more than 3-7 days in advance of such publications.  This coverage is still respectable at 55% more than 90 days in advance.

The impact of these observations and conclusions may be profound.  The tried-and-true approach of leveraging a handful of high quality open source, government and commercial intelligence in a sophisticated SOC may fail not because of poor operations but rather simply because of insufficient data.  The overemphasis of the need for confidence and depth in CTI may be contributing to delayed attribution and widening the window of opportunity for attackers who can scale exploit attempts within hours of disclosure.  Something must change, and that change can begin with the knowledge of what you didn&#8217;t know.</description>
                <recording>
                    <license></license>
                    <optout>false</optout>
                </recording>
                <links></links>
                <attachments></attachments>

                <url>https://pretalx.com/security-bsides-las-vegas-2025/talk/89TETH/</url>
                <feedback_url>https://pretalx.com/security-bsides-las-vegas-2025/talk/89TETH/feedback/</feedback_url>
            </event>
            <event guid='5e8ce76a-ab89-5090-bdbb-603c85d07a5f' id='68666' code='WMZJTT'>
                <room>Siena</room>
                <title>Human Attack Surfaces in Agentic Web: How I Learned to Stop Worrying and Love the AI Apocalypse</title>
                <subtitle></subtitle>
                <type>Talk-45m</type>
                <date>2025-08-04T15:00:00-07:00</date>
                <start>15:00</start>
                <duration>00:45</duration>
                <abstract>AI agent usage is accelerating us into an era of the Agentic Web, a digital landscape where machines, not humans, dominate creation, interaction, and consumption. As we inch closer to this new reality, we must ask: What are the security risks of an internet not built or experienced by humans? LLMs have already begun to radically reshape the way we consume online information and will completely redefine how we live our online lives. From buying goods and services to searching for jobs, homes, and even relationships, agents will increasingly perform these tasks on our behalf. But convenience comes at a cost. In the coming world of bot-vs-bot warfare, scammers will unleash agents to exploit the agents of unsuspecting humans. This isn&#8217;t some distant dystopia, it&#8217;s happening right now, and it&#8217;s already creating an endless array of new vulnerabilities. We will glimpse the near future of cognitive security, where an unrelenting cascade of attack surfaces will emerge. We&#8217;ll delve into the mechanics of AI agents and the economic pressures driving their rapid adoption, explore real-world examples of how agents are already being exploited, and conclude with a look ahead at near future scenarios.</abstract>
                <slug>security-bsides-las-vegas-2025-68666-human-attack-surfaces-in-agentic-web-how-i-learned-to-stop-worrying-and-love-the-ai-apocalypse</slug>
                <track>Ground Truth</track>
                
                <persons>
                    <person id='69216'>Matthew Canham</person><person id='79882'>Unnamed speaker</person>
                </persons>
                <language>en</language>
                <description>The rise of AI agents is rapidly transforming the digital landscape into a terrifying new reality. We are entering the age of the Agentic Web, a vast and interconnected ecosystem where AI-driven agents autonomously handle tasks and interact with online services on behalf of human users. While these innovations promise efficiency and personalization, they also come with dark, potentially catastrophic risks that could reshape the way we interact with the web&#8212;and each other.
In this talk, we will dive deep into the Agentic Web, exploring how AI agents are transforming nearly every facet of our digital lives and the emerging security threats they bring with them. From their rapid adoption to the vulnerabilities that lie within their structure, we&#8217;ll take a closer look at how these agents will fundamentally alter the online environment and, with it, our sense of privacy, security, and trust.
1. Introducing the Agentic Web
We begin by setting the stage with a relevant news story, showcasing just how rapidly AI agents are infiltrating our daily lives. With tools like Large Language Models (LLMs) already transforming search engines and digital assistants, AI agents are poised to take over tasks that were once firmly in the human domain. From shopping for goods to finding a job or even navigating relationships, AI agents are rapidly becoming our intermediaries, acting on our behalf in ways we never imagined.
AI Agents vs. LLMs
It&#8217;s important to understand where AI agents overlap with LLMs and how they complement one another. While LLMs like GPT-4 revolutionized natural language processing, AI agents are designed to go beyond conversation&#8212;they autonomously make decisions and carry out tasks, learning from their interactions to improve over time.
At their core, AI agents rely on a cognitive agent architecture, allowing them to perceive their environment, react to stimuli, and pursue specific goals without constant human intervention. But what makes these agents so powerful also makes them vulnerable&#8212;acting independently and autonomously in a world filled with deception, they become prime targets for manipulation.
The Agentic Web
As we transition to the Agentic Web, we explore a world where AI agents not only perform tasks but also interact with each other across digital ecosystems. This interconnected web allows agents to negotiate with vendors, find the best prices, and manage everything from travel bookings to job applications. The ease with which users can delegate tasks will enhance user experience, but it also introduces significant risks&#8212;agents may act on behalf of their users without their knowledge, opening a vast array of new vulnerabilities.
Key Aspects of the Agentic Web
Autonomy: AI agents operate without requiring constant input, making decisions based on user preferences or environmental data.
Perception and Reactivity: These agents can sense their surroundings and respond in real-time.
Learning and Goal-Oriented Behavior: Agents can adapt and evolve, continuously improving their efficiency.
Collaboration: Agents can work together, sharing information to complete complex tasks, such as coordinating multiple agents to solve a problem.
The Agentic Web represents a shift from traditional internet interaction. No longer will users directly engage with websites and services; instead, AI agents will take over, autonomously managing interactions with the web and even each other.
Applications and Use Cases
This shift is already happening. AI agents are significantly impacting industries like customer service, healthcare, and cybersecurity. For example, AI agents in customer service can handle queries autonomously, while in cybersecurity, they are used to detect and respond to threats in real-time. The implications are far-reaching, from autonomous vehicles to virtual personal assistants handling every aspect of our digital lives.
Looking toward the future, we see AI agents revolutionizing e-commerce, job seeking, dating, and even academic placements, creating a digital landscape where tasks are no longer controlled by humans, but by a network of interconnected agents, each with its own goals and capabilities.
2. Agentic Web Risks
With the rise of AI agents comes an entirely new set of risks, particularly for the users who place their trust in them. As AI agents take on more responsibility, the potential for security vulnerabilities grows exponentially. AI agents&#8217; ability to perform tasks autonomously makes them prime targets for manipulation and exploitation.
Risks to Human Users
Users are at the forefront of this shift, and their security is at risk. Research shows that people will overtrust AI agents, opening the door to manipulation. Whether through fake AI workers or dark patterns designed to deceive, the Agentic Web will be rife with new types of cyber threats.

Dark Patterns: AI agents, with their natural language interfaces, are highly susceptible to manipulation through social engineering attacks. This includes everything from subtle biases in decision-making to outright harmful behavior encouraged by malicious actors.
Risks to Agents
AI agents themselves are not immune to threats. Just as users are targeted, agents can fall victim to countermeasures and manipulation. Cybercriminals may craft attacks specifically designed to exploit the vulnerabilities in these autonomous systems, using deceptive tactics like synthetic media and deepfake social engineering to trick agents into carrying out malicious actions.
One example of this is the &#8220;maze of irrelevant facts&#8221; technique, where malicious actors overwhelm an AI agent with misleading information, causing it to make faulty decisions. This emerging threat shows how AI agents could be used as weapons in the digital arms race, a race that is only just beginning.
3. Mitigations to Agentic Web Risks
As AI agents become more prevalent, it&#8217;s crucial to establish frameworks and security models to protect both users and agents. Know Your Agent (KYA) and MAESTRO (Multi-Agent Environment, Security, Threat, Risk, and Outcome) are two key frameworks that can help identify vulnerabilities and create proactive security measures for this emerging landscape.
Additionally, threat modeling strategies like STRIDE&#8212;which focuses on threats like spoofing, tampering, and information disclosure&#8212;will be essential for understanding and mitigating the risks posed by the Agentic Web. Ensuring least privilege for agents, where they only have access to the resources they need, will also be critical in reducing potential damage from exploited agents.
4. What the Future Holds
As we look ahead, the adoption of AI agents will continue to accelerate. The economic incentives driving their adoption will force businesses and consumers to adapt quickly. In the retail space, we are already seeing how AI agents could reshape e-commerce, leading to an arms race between buyer bots and seller bots. This could create a situation where only those with access to AI agents will succeed in securing limited offers or low prices.
Likely Near-Horizon Scenarios
What should security professionals be thinking about right now? As AI agents become more ubiquitous, cybercriminals will shift their focus from targeting humans to targeting AI agents directly. This could lead to Neo Social Engineering attacks where attackers manipulate agents rather than individuals. Just as traders have become reliant on algorithms from the rise of high-frequency trading, users may come to depend on agents, only to see their trust exploited by attackers who have already tricked the AI systems they rely on.
Further, we may see the rise of fraudulent e-commerce sites designed to deceive AI agents into recommending fake products or services. This could further erode user trust and privacy, especially as personal data becomes concentrated within the agents managing our digital lives. If these agents are compromised, the damage to individual privacy could be devastating.
Conclusion
The future of the Agentic Web is both exciting and terrifying. As AI agents become more embedded in our daily lives, the risks associated with their use will grow exponentially. The need for robust security measures and vigilance has never been greater. This is not a distant concern&#8212;it is the near-future reality of the digital world we are rapidly building. Security professionals must act now to understand these risks, develop mitigation strategies, and prepare for a new era where AI agents will become central players in our digital ecosystem.
What are the implications of a web where the agents of AI, rather than humans, hold the reins? The future of cybersecurity will depend on the answers.

WORKS CITED
ANP (Agent Network Protocol)
https://agentnetworkprotocol.com/en/

Canham, M. &amp; Sawyer, B.D. (2023). Me and My Evil Digital Twin: The Psychology of Human Exploitation by AI Assistants.
https://www.youtube.com/watch?v=qjhfWWEQCgQ 
 
Canham, M. (2021). Deepfake Social Engineering: Creating a Framework for Synthetic Media Social Engineering. Black Hat USA 2021
https://www.youtube.com/watch?v=2yILTfBV974  

Chaffer, T. J. (2025). Know Your Agent: Governing AI Identity on the Agentic Web.
https://ssrn.com/abstract=5162127
https://dx.doi.org/10.2139/ssrn.5162127 

Edwards, B. (2025). Cloudflare turns AI against itself with endless maze of irrelevant facts
https://arstechnica.com/ai/2025/03/cloudflare-turns-ai-against-itself-with-endless-maze-of-irrelevant-facts/

Huang, K. (2025). Agentic AI Threat Modeling Framework: MAESTRO
https://cloudsecurityalliance.org/blog/2025/02/06/agentic-ai-threat-modeling-framework-maestro# 
https://archive.is/TTP1D 

Kran et al. (2025). DarkBench: Benchmarking Dark Patterns in Large Language Models
https://openreview.net/pdf?id=odjMSBSWRt 
https://darkbench.ai/

MCP (Model Context Protocol)
https://modelcontextprotocol.io/introduction

Milne, S. (2024). AI tools show biases in ranking job applicants&#8217; names according to perceived race and gender
https://www.washington.edu/news/2024/10/31/ai-bias-resume-screening-race-gender/#:~:text=the%20process%20%E2%80%94%20are%20now,automation%20in%20their%20hiring%20process 
https://archive.is/Yy1h3 

Nichols, S. (2025). AI-enabled phishing and fake worker attacks on the rise
https://www.scworld.com/perspective/deepseek-breach-yet-again-sheds-light-on-ai-dangers 
https://archive.is/BTW2C 

Rance, G. (2025). DeepSeek breach yet again sheds light on AI dangers
https://www.scworld.com/news/ai-enabled-phishing-and-fake-worker-attacks-on-the-rise 
https://archive.is/VhjnO 

Shostack, A. (2014). Threat Modeling: Designing for Security. Wiley. 
https://www.wiley.com/en-us/Threat+Modeling%3A+Designing+for+Security-p-9781118809990</description>
                <recording>
                    <license></license>
                    <optout>false</optout>
                </recording>
                <links></links>
                <attachments></attachments>

                <url>https://pretalx.com/security-bsides-las-vegas-2025/talk/WMZJTT/</url>
                <feedback_url>https://pretalx.com/security-bsides-las-vegas-2025/talk/WMZJTT/feedback/</feedback_url>
            </event>
            <event guid='5f26a5c3-0698-56be-8304-ad0509a439c1' id='67604' code='JBXWUF'>
                <room>Siena</room>
                <title>Automating Phishing Infrastructure Development Using AI Agents</title>
                <subtitle></subtitle>
                <type>Talk-45m</type>
                <date>2025-08-04T17:00:00-07:00</date>
                <start>17:00</start>
                <duration>00:45</duration>
                <abstract>This project investigates how attackers can now use large language models (LLMs) and AI agents to autonomously create phishing infrastructure, such as domain registration, DNS configuration, and hosting personalized spoofed websites. While earlier research has explored how LLMs can generate persuasive phishing emails, our study shifts the focus to the back-end automation of the phishing lifecycle. We evaluate how modern frontier and open-source models&#8212;including Chinese models like DeepSeek and Western counterparts such as Claude Sonnet and GPT-4o&#8212;perform when tasked with registering phishing domains, configuring DNS records, deploying landing pages, and harvesting credentials. The tests will be conducted with and without human intervention. We measure success through metrics like task completion rate, cost and time requirements, and the amount of human intervention required. By demonstrating how easy and low-cost it has become to scale phishing infrastructure with AI, this work underscores the growing threat of AI-powered cybercrime and highlights the urgent need for regulatory, technical, and policy countermeasures.</abstract>
                <slug>security-bsides-las-vegas-2025-67604-automating-phishing-infrastructure-development-using-ai-agents</slug>
                <track>Ground Truth</track>
                <logo>/media/security-bsides-las-vegas-2025/submissions/JBXWUF/phish_DXw78Kc.png</logo>
                <persons>
                    <person id='68275'>Fred Heiding</person><person id='69072'>Simon Lermen</person>
                </persons>
                <language>en</language>
                <description>While much attention has been given to how large language models (LLMs) can craft convincing phishing emails, less focus has been placed on how these models can automate the underlying infrastructure of phishing campaigns. This talk presents new research demonstrating how modern AI agents&#8212;powered by both frontier and open-source models such as GPT-4o, Claude Sonnet, and DeepSeek&#8212;can autonomously register domains, configure DNS records, deploy spoofed landing pages, and harvest credentials, often with minimal human oversight.

We systematically evaluate these capabilities across a range of agentic tasks, measuring success by task completion rate, time and cost efficiency, level of human intervention required, and evasion of registrar and DNS-level defenses. By comparing fully autonomous runs with human-in-the-loop processes, we offer a detailed look at where automation currently excels&#8212;and where it still encounters friction.

Our findings suggest that phishing infrastructure, once a manual and resource-intensive process, is becoming increasingly scalable and accessible through AI. We conclude with key implications for defenders, including updated technical countermeasures, coordination strategies with registrars and hosting providers, and policy recommendations to address the growing misuse potential of advanced language models. We believe this talk will resonate with the BSides community as it highlights the often overlooked (but essential) backend components that enable phishing attacks.</description>
                <recording>
                    <license></license>
                    <optout>false</optout>
                </recording>
                <links></links>
                <attachments></attachments>

                <url>https://pretalx.com/security-bsides-las-vegas-2025/talk/JBXWUF/</url>
                <feedback_url>https://pretalx.com/security-bsides-las-vegas-2025/talk/JBXWUF/feedback/</feedback_url>
            </event>
            <event guid='0739b066-f7e7-5f4b-af9e-74dd29b0a65e' id='67605' code='R83DQJ'>
                <room>Siena</room>
                <title>Securing AI Infrastructure: Lessons from National Cybersecurity Strategies and Attacks Against Other Critical Sectors</title>
                <subtitle></subtitle>
                <type>Talk-45m</type>
                <date>2025-08-04T18:00:00-07:00</date>
                <start>18:00</start>
                <duration>00:45</duration>
                <abstract>As artificial intelligence becomes a pillar of economic and strategic power, AI labs are emerging as the next high-value targets for espionage and cyberattacks. State actors have compromised other critical sectors, such as semiconductors and biotechnology, for decades to steal trade secrets and shift global advantage. Leading voices are now questioning the security of AI-related infrastructure. In this talk, we discuss findings from over 200 previous cyber and espionage incidents across various industries, shedding light on how and where the risks apply to the supply chain of AI models. 

To complement the insights from historic attacks and evaluate present-day infrastructure security, we draw on recent research on national cybersecurity strategies of cyber powers such as the US, Australia, Singapore, and the UK. These strategies offer diverse policy approaches for defending critical infrastructure, assigning cybersecurity responsibilities, and engaging industry in proactive security efforts. While there is no universal blueprint, several recurring practices, such as workforce development, public-private collaboration, and clear cyber governance, can inform how governments and AI developers protect AI systems. We highlight which lessons translate effectively to the challenges of AI infrastructure and provide recommendations for closing policy gaps and preparing for future threats.</abstract>
                <slug>security-bsides-las-vegas-2025-67605-securing-ai-infrastructure-lessons-from-national-cybersecurity-strategies-and-attacks-against-other-critical-sectors</slug>
                <track>Ground Truth</track>
                
                <persons>
                    <person id='68275'>Fred Heiding</person><person id='72821'>Andrew Kao</person>
                </persons>
                <language>en</language>
                <description>As artificial intelligence becomes a pillar of economic and strategic power, AI labs are emerging as the next high-value targets for espionage and cyberattacks. State and corporate actors have compromised other critical sectors, such as semiconductors, aerospace, and biotechnology, for decades to steal trade secrets and shift global advantage. Leading voices are now starting to question the security of AI-related infrastructure. In this talk, we discuss findings from over 200 previous cyber and espionage incidents across various industries, shedding light on how and where the risks apply to the supply chain of AI models. We discuss the most feasible attack patterns toward sensitive assets such as model weights, training pipelines, and proprietary data. Then, we distill actionable lessons to mitigate the most pressing threats. We also demonstrate how AI-related IP theft differs from other sectors due to the extraordinary potential for economic and strategic power gains, which heighten the incentives of attackers and increase the risk to AI organizations.

To complement the insights from historic attacks and evaluate present-day infrastructure security, we draw on recent research analyzing the national cybersecurity strategies of cyber powers such as the US, Australia, Singapore, and the United Kingdom. These strategies offer diverse policy approaches for defending critical infrastructure, assigning cybersecurity responsibilities, and engaging industry in proactive security efforts. While there is no universal blueprint, several recurring practices, such as workforce development, public-private collaboration, and clear cyber governance, can inform how governments and AI developers protect AI systems. We highlight which of these lessons translate effectively to the unique challenges of AI infrastructure and conclude with recommendations for closing current policy gaps and preparing for future threats.</description>
                <recording>
                    <license></license>
                    <optout>false</optout>
                </recording>
                <links></links>
                <attachments></attachments>

                <url>https://pretalx.com/security-bsides-las-vegas-2025/talk/R83DQJ/</url>
                <feedback_url>https://pretalx.com/security-bsides-las-vegas-2025/talk/R83DQJ/feedback/</feedback_url>
            </event>
            
        </room>
        <room name='Copa' guid='b60ebef1-bdb0-52f5-ac4d-8e343e1d68f5'>
            <event guid='ccffb89b-4810-5587-8773-b5e2d6330bf2' id='72389' code='MDFBYP'>
                <room>Copa</room>
                <title>Setting the Table - WarGames 2027 &amp; Maslow&apos;s Hierarchy of Needs as Hybrid Warfare Nears</title>
                <subtitle></subtitle>
                <type>Talk-45m</type>
                <date>2025-08-04T10:00:00-07:00</date>
                <start>10:00</start>
                <duration>01:30</duration>
                <abstract>Shall we play a game? This &quot;choose your own adventure&quot; session tackles the fast approaching reality of destructive cyberattacks on Lifeline Critical Functions like water, power, emergency care.</abstract>
                <slug>security-bsides-las-vegas-2025-72389-setting-the-table-wargames-2027-maslow-s-hierarchy-of-needs-as-hybrid-warfare-nears</slug>
                <track>I Am The Cavalry</track>
                
                <persons>
                    <person id='79543'>Bryson Bort</person><person id='72413'>Josh Corman</person>
                </persons>
                <language>en</language>
                <description>The session will share the evidence, test assumptions, explore the art of the possible, and establish a sound hierarchy of needs enabling this talent pool to best serve the public good.</description>
                <recording>
                    <license></license>
                    <optout>false</optout>
                </recording>
                <links></links>
                <attachments></attachments>

                <url>https://pretalx.com/security-bsides-las-vegas-2025/talk/MDFBYP/</url>
                <feedback_url>https://pretalx.com/security-bsides-las-vegas-2025/talk/MDFBYP/feedback/</feedback_url>
            </event>
            <event guid='c53ce09a-2d40-5a7f-ab2d-991ca42495de' id='72399' code='TYPJMU'>
                <room>Copa</room>
                <title>Defending Our Water - Defending Our Lives</title>
                <subtitle></subtitle>
                <type>Event2HR</type>
                <date>2025-08-04T14:00:00-07:00</date>
                <start>14:00</start>
                <duration>02:00</duration>
                <abstract>Water is life. 
In 2025, the threat landscape facing U.S. water infrastructure has grown more severe and immediate. Following the high-profile cyber intrusions of 2024&#8212;such as Volt Typhoon and Iran-linked Cyber Avengers&#8212;2025 has already seen a surge in attempted and successful breaches targeting municipal and rural water systems. These escalating threats are compounded by deteriorating trust and coordination between public and private sector stakeholders. This convergence of cyber vulnerability, regulatory fragility, and geopolitical tension creates a perfect storm&#8212;leaving our most essential infrastructure exposed at a time when resilience is most critical.</abstract>
                <slug>security-bsides-las-vegas-2025-72399-defending-our-water-defending-our-lives</slug>
                <track>I Am The Cavalry</track>
                
                <persons>
                    <person id='72419'>Dean Ford</person><person id='72420'>Virginia &#8220;Ginger&#8221; Wright</person><person id='72614'>Andrew Ohrt</person>
                </persons>
                <language>en</language>
                <description>This panel will discuss threats to the water systems and opportunities to reduce these threats. In addition, the panel will feature a discussion about Cyber-Informed Engineering, and how following certain engineering practices can materially reduce risks from a variety of sources. The panelists will also outline practical steps for mitigation, emphasizing the urgent need for cross-sector collaboration, robust contingency planning, and public awareness. The time to act is now&#8212;before luck runs out.</description>
                <recording>
                    <license></license>
                    <optout>false</optout>
                </recording>
                <links></links>
                <attachments></attachments>

                <url>https://pretalx.com/security-bsides-las-vegas-2025/talk/TYPJMU/</url>
                <feedback_url>https://pretalx.com/security-bsides-las-vegas-2025/talk/TYPJMU/feedback/</feedback_url>
            </event>
            <event guid='9d62231b-f738-5021-a29a-c3496c326bdb' id='70310' code='MSMDTM'>
                <room>Copa</room>
                <title>Cyber Incident Command System (CICS) A people orchestration layer</title>
                <subtitle></subtitle>
                <type>Talk-45m</type>
                <date>2025-08-04T17:00:00-07:00</date>
                <start>17:00</start>
                <duration>00:45</duration>
                <abstract>During a wildfire, tornado or hurricane, who is in charge? In the United States, the answer is the Incident Commander as defined by the National Incident Management System (NIMS). NIMS provides a method to herd cats for all types of hazards regardless of agency. While the information security community developed several incident response systems from Fortune 100 companies to MITRE, these frameworks generally address tactics of an incident. Instead, we present a better way. Come drink the Kool-Aid with us and bring IT into the 20th century of incident response.</abstract>
                <slug>security-bsides-las-vegas-2025-70310-cyber-incident-command-system-cics-a-people-orchestration-layer</slug>
                <track>I Am The Cavalry</track>
                
                <persons>
                    <person id='70670'>Blake Scott</person><person id='70671'>Scott Fraser</person>
                </persons>
                <language>en</language>
                <description>We will be utilizing humor on our slides to ensure an enjoyable experience with what can be a dry concept.
A firefighter from San Diego can travel across the country to New York to respond to a wildfire in a different jurisdiction and use the same language, organizational structures, and terminology. Why can&#8217;t information technology professionals make the same trip?
If cybersecurity professionals wish to strengthen operational capacity across the industry, we need to start by speaking the same language. This will be an introduction to the language and tools of local, state, tribal and territorial governments in response to a disaster event. We will encourage information sector professionals to respond to significant events with a standardized method for organizing people and equipment. The Incident Command System is tested and utilized during disasters regardless of size, scale, or type. Police, fire, Coast Guard, nuclear power plants, hospitals, governments, utility companies and more utilize this system to safely, flexibly, and effectively manage events of any scale. We present this system in a byte-sized way to encourage investigation and discussion of this topic without getting bogged down in the details. This talk is intended to start the education process and open the discussion for those looking for a deeper way to respond to incidents.
The problems facing IT are a lack of interoperability and staff safety. First, we start by defining the problems of the current information technology sector&apos;s response to events as the lack of interoperability and staff safety.
Regarding interoperability, most IT professionals must learn new incident response tactics upon joining a new organization; additionally, turnover between staff during an incident is stressful for everyone involved.
Staff safety is not managed well by organizations, causing mental and behavioral stress leading to burnout. The National Incident Management System identifies roles required to support team members, protecting staff and reducing stress.
We present the Incident Command System (ICS), a part of the National Incident Management System (NIMS), as a more resilient and safe option during crisis. This system improves interoperability of staff across various agencies and departments. We will describe overarching themes and concepts intended to spark interest.
The overarching themes and concepts include: division of work into organizational structures of the Operations, Planning, Logistics, and Finance and Administration Sections; flexibility of the system to grow organically with incident complexity and scale; standardization of roles and responsibilities; and span of control defining the best supervisor-to-worker ratios tested and proven in dangerous situations.
We then propose a work group to develop the Cyber Incident Command System (CICS), a simplified version that is compatible with the National Incident Management System, enabling Information Technology teams to quickly adopt a command system for their unique situations.
We finish with a pointer to free online training in the subject for deeper investigation.
We will use clear, plain language, keeping the entire talk at a level where nonpractitioners can approach the topics and understand what is discussed.</description>
                <recording>
                    <license></license>
                    <optout>false</optout>
                </recording>
                <links></links>
                <attachments></attachments>

                <url>https://pretalx.com/security-bsides-las-vegas-2025/talk/MSMDTM/</url>
                <feedback_url>https://pretalx.com/security-bsides-las-vegas-2025/talk/MSMDTM/feedback/</feedback_url>
            </event>
            <event guid='8aea4cc8-eea8-5703-becb-33cd88f758ba' id='67463' code='3P8AP9'>
                <room>Copa</room>
                <title>Cascading Failure, Unified Defense: Defending Water, Power, Healthcare, &amp; EMS</title>
                <subtitle></subtitle>
                <type>Talk-45m</type>
                <date>2025-08-04T17:45:00-07:00</date>
                <start>17:45</start>
                <duration>00:45</duration>
                <abstract>Life-critical systems in public safety, healthcare, and emergency services are increasingly targeted by sophisticated state-sponsored Advanced Persistent Threats (APTs). Actors like Volt Typhoon are actively pre-positioning within U.S. critical infrastructure, with confirmed access to water, wastewater systems, power generation and distribution, and telecommunications networks. These groups pose a severe risk of cascading failures that would directly impact public health, emergency medical services, and hospital operations. This presentation dissects the tactics, techniques, and procedures (TTPs) of these APTs, explores the potential real-world consequences of compromised water utilities and power infrastructure on community safety, and offers actionable strategies for building resilient defenses and unified incident response plans, even in resource-constrained environments. We will bridge the gap between traditional Incident Command Systems (ICS) and cyber incident response, providing a roadmap for communities to enhance their preparedness against these persistent and evolving threats.</abstract>
                <slug>security-bsides-las-vegas-2025-67463-cascading-failure-unified-defense-defending-water-power-healthcare-ems</slug>
                <track>I Am The Cavalry</track>
                <logo>/media/security-bsides-las-vegas-2025/submissions/3P8AP9/cover_xTxzz7f.png</logo>
                <persons>
                    <person id='68100'>Alexander Vanino</person><person id='68107'>Ruslan Karimov</person>
                </persons>
                <language>en</language>
                <description>State-sponsored actors like Volt Typhoon are no longer a theoretical threat; they are actively pre-positioned within U.S. critical infrastructure. Their strategic focus on water, power, and telecommunications systems is designed to trigger devastating cascading failures across healthcare, EMS, and 911 dispatch in times of crisis.

This presentation moves beyond a purely technical discussion to confront this sobering reality head-on. It addresses the critical operational disconnect between traditional Incident Command (ICS) and modern cyber response&#8212;a gap that adversaries are poised to exploit. We will explore realistic attack scenarios, tracing the domino effect from a single breach to a full-scale public safety catastrophe.

Attendees will be equipped with a proven, integrated framework for defense. Key highlights include strategies to unify cyber and physical command structures and a roadmap of pragmatic, high-impact security controls that are achievable even for under-resourced agencies. This talk delivers an actionable approach to building genuine cyber-physical resilience against the sophisticated threats defining the new public safety frontline.</description>
                <recording>
                    <license></license>
                    <optout>false</optout>
                </recording>
                <links>
                    <link href="https://tinyurl.com/CasFailUniDefWP">White Paper: Cascading Failure, Unified Defense: Defending Water, Power, Healthcare, &amp; Public Safety</link>
                </links>
                <attachments></attachments>

                <url>https://pretalx.com/security-bsides-las-vegas-2025/talk/3P8AP9/</url>
                <feedback_url>https://pretalx.com/security-bsides-las-vegas-2025/talk/3P8AP9/feedback/</feedback_url>
            </event>
            <event guid='8fa09ab7-0bda-532f-a06b-ae6e1732b630' id='73818' code='9JFS7X'>
                <room>Copa</room>
                <title>Can You Hear Me Now? A Survey of Communications Platforms During Emergencies</title>
                <subtitle></subtitle>
                <type>Talk-20m</type>
                <date>2025-08-04T18:30:00-07:00</date>
                <start>18:30</start>
                <duration>00:30</duration>
                <abstract>In an increasingly interconnected world, the ability to communicate during emergencies&#8212;especially when traditional infrastructure fails&#8212;is critical. This presentation explores a range of communication options available to private citizens, focusing on both licensed and unlicensed technologies. Attendees will gain a practical understanding of tools such as Family Radio Service (FRS), General Mobile Radio Service (GMRS), Citizens Band (CB), and Amateur Radio (licensed), as well as unlicensed digital solutions like LoRa (Long Range) technology.</abstract>
                <slug>security-bsides-las-vegas-2025-73818-can-you-hear-me-now-a-survey-of-communications-platforms-during-emergencies</slug>
                <track>I Am The Cavalry</track>
                
                <persons>
                    <person id='70014'>Slava I. Maslennikov</person>
                </persons>
                <language>en</language>
                <description>In an increasingly interconnected world, the ability to communicate during emergencies&#8212;especially when traditional infrastructure fails&#8212;is critical. This presentation explores a range of communication options available to private citizens, focusing on both licensed and unlicensed technologies. Attendees will gain a practical understanding of tools such as Family Radio Service (FRS), General Mobile Radio Service (GMRS), Citizens Band (CB), and Amateur Radio (licensed), as well as unlicensed digital solutions like LoRa (Long Range) technology.

Special attention will be given to LoRa, a low-power, long-range wireless protocol that enables decentralized, peer-to-peer communication without reliance on cellular or internet infrastructure. The session will compare the capabilities, legal considerations, range, and use cases of each option, with an emphasis on emergency preparedness, community resilience, and ease of deployment.

By the end of the presentation, participants will be equipped with actionable knowledge to select affordable communication tools for their needs, ensuring they remain connected when it matters most.</description>
                <recording>
                    <license></license>
                    <optout>false</optout>
                </recording>
                <links></links>
                <attachments></attachments>

                <url>https://pretalx.com/security-bsides-las-vegas-2025/talk/9JFS7X/</url>
                <feedback_url>https://pretalx.com/security-bsides-las-vegas-2025/talk/9JFS7X/feedback/</feedback_url>
            </event>
            <event guid='7be15b3b-bab6-5ce2-a030-0a7e203a3c79' id='70711' code='YC99LU'>
                <room>Copa</room>
                <title>Queercon Mixer</title>
                <subtitle></subtitle>
                <type>Event2HR</type>
                <date>2025-08-04T22:00:00-07:00</date>
                <start>22:00</start>
                <duration>02:00</duration>
                <abstract>Queercon Mixer</abstract>
                <slug>security-bsides-las-vegas-2025-70711-queercon-mixer</slug>
                <track>Events</track>
                
                <persons>
                    
                </persons>
                <language>en</language>
                <description>Queercon Mixer</description>
                <recording>
                    <license></license>
                    <optout>false</optout>
                </recording>
                <links></links>
                <attachments></attachments>

                <url>https://pretalx.com/security-bsides-las-vegas-2025/talk/YC99LU/</url>
                <feedback_url>https://pretalx.com/security-bsides-las-vegas-2025/talk/YC99LU/feedback/</feedback_url>
            </event>
            
        </room>
        <room name='G-103' guid='8b79c69d-5d50-5ccc-a858-772338559727'>
            <event guid='6445690f-e228-58ab-a5ac-43c5b366ee82' id='70708' code='JCQJGD'>
                <room>G-103</room>
                <title>Recovery Hackers, Monday</title>
                <subtitle></subtitle>
                <type>Event2HR</type>
                <date>2025-08-04T19:30:00-07:00</date>
                <start>19:30</start>
                <duration>02:00</duration>
                <abstract>Not a formal 12-step meeting. Rather, a supportive gathering for folks taking Summer Camp one day at a time. Monday, Tuesday and Wednesday, 19:30-21:30 in G103. Look for the sign on a patio on the pool side of building G and enter through the patio door.</abstract>
                <slug>security-bsides-las-vegas-2025-70708-recovery-hackers-monday</slug>
                <track>Events</track>
                
                <persons>
                    
                </persons>
                <language>en</language>
                <description>Not a formal 12-step meeting. Rather, a supportive gathering for folks taking Summer Camp one day at a time. Monday, Tuesday and Wednesday, 19:30-21:30 in G103. Look for the sign on a patio on the pool side of building G and enter through the patio door.</description>
                <recording>
                    <license></license>
                    <optout>false</optout>
                </recording>
                <links></links>
                <attachments></attachments>

                <url>https://pretalx.com/security-bsides-las-vegas-2025/talk/JCQJGD/</url>
                <feedback_url>https://pretalx.com/security-bsides-las-vegas-2025/talk/JCQJGD/feedback/</feedback_url>
            </event>
            
        </room>
        <room name='Hallway' guid='b2dd07e8-ad13-5064-8c42-a5a5ad6ee9d5'>
            <event guid='2ad7ee55-fad6-5e03-b9f6-1f06b9c29650' id='70685' code='UXJNAP'>
                <room>Hallway</room>
                <title>Info Booth Opens, Monday</title>
                <subtitle></subtitle>
                <type>Event1HR</type>
                <date>2025-08-04T07:00:00-07:00</date>
                <start>07:00</start>
                <duration>00:00</duration>
                <abstract>Info Booth Opens, Monday</abstract>
                <slug>security-bsides-las-vegas-2025-70685-info-booth-opens-monday</slug>
                <track>Middle Ground</track>
                
                <persons>
                    
                </persons>
                <language>en</language>
                <description>Info Booth Opens, Monday</description>
                <recording>
                    <license></license>
                    <optout>false</optout>
                </recording>
                <links></links>
                <attachments></attachments>

                <url>https://pretalx.com/security-bsides-las-vegas-2025/talk/UXJNAP/</url>
                <feedback_url>https://pretalx.com/security-bsides-las-vegas-2025/talk/UXJNAP/feedback/</feedback_url>
            </event>
            <event guid='43bfc471-3ac8-5587-a704-c872818a1cfd' id='70678' code='PLXCVD'>
                <room>Hallway</room>
                <title>Registration Opens, Monday</title>
                <subtitle></subtitle>
                <type>Event1HR</type>
                <date>2025-08-04T07:30:00-07:00</date>
                <start>07:30</start>
                <duration>00:00</duration>
                <abstract>Registration Opens, Monday</abstract>
                <slug>security-bsides-las-vegas-2025-70678-registration-opens-monday</slug>
                <track>Middle Ground</track>
                
                <persons>
                    
                </persons>
                <language>en</language>
                <description>Registration Opens, Monday</description>
                <recording>
                    <license></license>
                    <optout>false</optout>
                </recording>
                <links></links>
                <attachments></attachments>

                <url>https://pretalx.com/security-bsides-las-vegas-2025/talk/PLXCVD/</url>
                <feedback_url>https://pretalx.com/security-bsides-las-vegas-2025/talk/PLXCVD/feedback/</feedback_url>
            </event>
            <event guid='2a62eb1f-49d3-5876-a6e7-1614712dc754' id='70689' code='NYLF9K'>
                <room>Hallway</room>
                <title>Skytalks Token Drop 1</title>
                <subtitle></subtitle>
                <type>Event1HR</type>
                <date>2025-08-04T09:00:00-07:00</date>
                <start>09:00</start>
                <duration>01:00</duration>
                <abstract>Skytalks Token Drop 1
Skytalks token distribution for Monday MORNING sessions (10:00-11:30)
Queue in Tuscany Hallway between Middle Ground and Speaker Room.
Tokens are limited in number, and distribution ends when they are gone.</abstract>
                <slug>security-bsides-las-vegas-2025-70689-skytalks-token-drop-1</slug>
                <track>Middle Ground</track>
                
                <persons>
                    
                </persons>
                <language>en</language>
                <description>Skytalks Token Drop 1
Skytalks token distribution for Monday MORNING sessions (10:00-11:30)
Queue in Tuscany Hallway between Middle Ground and Speaker Room.
Tokens are limited in number, and distribution ends when they are gone.</description>
                <recording>
                    <license></license>
                    <optout>false</optout>
                </recording>
                <links></links>
                <attachments></attachments>

                <url>https://pretalx.com/security-bsides-las-vegas-2025/talk/NYLF9K/</url>
                <feedback_url>https://pretalx.com/security-bsides-las-vegas-2025/talk/NYLF9K/feedback/</feedback_url>
            </event>
            <event guid='73ddeec8-2232-56dd-b5a8-93350f682286' id='70701' code='BU3CAX'>
                <room>Hallway</room>
                <title>Skytalks Token Drop 2</title>
                <subtitle></subtitle>
                <type>Event1HR</type>
                <date>2025-08-04T12:30:00-07:00</date>
                <start>12:30</start>
                <duration>01:00</duration>
                <abstract>Skytalks Token Drop 2
Skytalks token distribution for Monday AFTERNOON sessions (2:00-4:00 PM)
Queue in Tuscany Hallway between Middle Ground and Speaker Room.
Tokens are limited in number, and distribution ends when they are gone.</abstract>
                <slug>security-bsides-las-vegas-2025-70701-skytalks-token-drop-2</slug>
                <track>Middle Ground</track>
                
                <persons>
                    
                </persons>
                <language>en</language>
                <description>Skytalks Token Drop 2
Skytalks token distribution for Monday AFTERNOON sessions (2:00-4:00 PM)
Queue in Tuscany Hallway between Middle Ground and Speaker Room.
Tokens are limited in number, and distribution ends when they are gone.</description>
                <recording>
                    <license></license>
                    <optout>false</optout>
                </recording>
                <links></links>
                <attachments></attachments>

                <url>https://pretalx.com/security-bsides-las-vegas-2025/talk/BU3CAX/</url>
                <feedback_url>https://pretalx.com/security-bsides-las-vegas-2025/talk/BU3CAX/feedback/</feedback_url>
            </event>
            <event guid='9f326899-e1c3-5c6a-9f6d-bf48ddf4a751' id='70686' code='MKBYQL'>
                <room>Hallway</room>
                <title>Info Booth Closes, Monday</title>
                <subtitle></subtitle>
                <type>Event1HR</type>
                <date>2025-08-04T19:00:00-07:00</date>
                <start>19:00</start>
                <duration>00:00</duration>
                <abstract>Info Booth Closes, Monday</abstract>
                <slug>security-bsides-las-vegas-2025-70686-info-booth-closes-monday</slug>
                <track>Middle Ground</track>
                
                <persons>
                    
                </persons>
                <language>en</language>
                <description>Info Booth Closes, Monday</description>
                <recording>
                    <license></license>
                    <optout>false</optout>
                </recording>
                <links></links>
                <attachments></attachments>

                <url>https://pretalx.com/security-bsides-las-vegas-2025/talk/MKBYQL/</url>
                <feedback_url>https://pretalx.com/security-bsides-las-vegas-2025/talk/MKBYQL/feedback/</feedback_url>
            </event>
            <event guid='46cf5fb6-0b8e-5e52-a4c5-cf5cd0d3dcec' id='70680' code='SBKTXT'>
                <room>Hallway</room>
                <title>Registration Closes, Monday</title>
                <subtitle></subtitle>
                <type>Event1HR</type>
                <date>2025-08-04T19:00:00-07:00</date>
                <start>19:00</start>
                <duration>00:00</duration>
                <abstract>Registration Closes, Monday</abstract>
                <slug>security-bsides-las-vegas-2025-70680-registration-closes-monday</slug>
                <track>Middle Ground</track>
                
                <persons>
                    
                </persons>
                <language>en</language>
                <description>Registration Closes, Monday</description>
                <recording>
                    <license></license>
                    <optout>false</optout>
                </recording>
                <links></links>
                <attachments></attachments>

                <url>https://pretalx.com/security-bsides-las-vegas-2025/talk/SBKTXT/</url>
                <feedback_url>https://pretalx.com/security-bsides-las-vegas-2025/talk/SBKTXT/feedback/</feedback_url>
            </event>
            
        </room>
        <room name='Ballroom' guid='3fc3a8c2-ea82-53fb-9e4d-618201674c7d'>
            <event guid='5e94a4b7-e61f-513c-ab6e-c76d66f3bd6b' id='68750' code='D3ZJ83'>
                <room>Ballroom</room>
                <title>Multi-Cloud (AWS, Azure &amp; GCP) Security [25 Edition], Day One, AM</title>
                <subtitle></subtitle>
                <type>Training-16h</type>
                <date>2025-08-04T10:30:00-07:00</date>
                <start>10:30</start>
                <duration>04:00</duration>
                <abstract>CyberWarFare Labs workshop on &quot;Multi-Cloud Security&quot; aims to provide practical insights of the offensive / defensive techniques used by the Red &amp; Blue Teams in an Enterprise Cloud Infrastructure. Learn from the creators of the renowned CWL RedCloud OS, a cloud adversary simulation VM, how to perform enterprise offensive / defensive operations.

- As a Red Team / Penetration Tester:
  Trainees will understand advanced real-world cyber attacks against major cloud vendors like AWS, MS Azure, and GCP.
  Simulate Tactics, Techniques, and Procedures (TTPs) widely used by APT groups in a practical lab environment.

- As a Blue Team / Defender:
  Trainees will learn to identify and defend against various emerging threats in a multi-cloud infra.
  Understand complex attack vectors &amp; sophisticated compromise scenarios from a defensive mindset</abstract>
                <slug>security-bsides-las-vegas-2025-68750-multi-cloud-aws-azure-gcp-security-25-edition-day-one-am</slug>
                <track>Training Ground</track>
                
                <persons>
                    <person id='69296'>Yash Bharadwaj</person><person id='72404'>Manish Gupta</person>
                </persons>
                <language>en</language>
                <description>To make the workshop hands-on in the real sense all the trainees will be provided with Lab Access to the Multi-Cloud Environment. Lab Architecture is designed to cover all the attacks from both aspects that are demonstrated during the sessions.

### DAY 1 (8 Hrs)
- Part-1 : Introduction about Multi Cloud Environment

  - Module-1 : Azure Cloud Environment
    - Azure Identity : Entra ID &amp; RBAC
    - O365 / Microsoft 365
    - Azure Cloud Services (VM, Storage, IaaS, PaaS, SaaS)

  - Module-2 : AWS Cloud Environment
    - Identity &amp; Access Management
    - AWS Cloud Services (IaaS, PaaS, SaaS)
    - AWS Identity Center

  - Module-3 : GCP Cloud Environment
    - GCP Identity &amp; Access Management
    - GCP Cloud Services (IaaS, PaaS, SaaS)
    - Google Suite / Workspace + Cloud Identity

- Part-2 : Enumeration &amp; Initial Access on Cloud Infrastructure

  - Module-1 : Unauthenticated Enumeration
    - Enumerating Information from DNS Records
    - Enumerating Information from Cloud Vendors
    - Leaked secrets from GitHub
    - Enumerating storage &amp; other information from OSINT

  - Module-2 : Initial Access
    - Exploiting Cloud Services
    - Leaked Credentials
    - Compromising CI/CD pipeline
    - Compromising storage accounts

  - Module-3 : Authenticated Enumeration : IAM, Compute &amp; Storage
    - AWS Services
    - Entra ID &amp; Azure Services
    - Cloud Identity, Google Workspace, GCP Services

### DAY 2 (8 Hrs)
- Part-3 : Exploiting Multi-Cloud Services

  - Module-1 : Exploiting Multi-Cloud Services
    - AWS : cross account, within account
    - Azure : service principal, cross tenant, Entra ID
    - GCP : Access organization, Cloud Identity

  - Module-2 : Privilege Escalation
    - Elevating Privileges on AWS
    - Elevating Privileges on Azure
    - Elevating Privileges on GCP

- Part-4 : Lateral Movement

  - Module-1 : Within Multi-Cloud
    - AWS, GCP, Azure to each other

- Part-5 : Case Study (Multi-Cloud Red Team Simulation)
  - Red Teaming in Simulated Multi-Cloud Lab (Initial Access to Data Exfiltration)

###### NOTE : Attendees do not require cloud accounts; they will get access to the seamless environment &amp; have access to the environment for 15 days with a dedicated Discord channel.

- Why should people attend your course?
  - Practically Understand Enterprise Grade Red Team Operation Methodology in Multi-Cloud Environment
  - Perform Red Team Attack Cycle in Simulated Enterprise Environment
  - Stealth Lateral Movement Techniques in Multi-Cloud, Cloud to on-premise &amp; vice-versa
  - Core Services Mapping / Enumeration / Exploitation
  - Create custom tools to perform manual enumeration

- Student Requirements :

  - Fair Knowledge of Networking and Web Technology
  - Familiarity with CLI
  - An Open mind (*No prior Cloud knowledge is required).

- Who Should Take This Course ?
  - Targeted Audience may include the following group of people:
  - Penetration Testers / Red Teams
  - Cloud Security Professionals
  - Cloud Architects
  - SOC analysts
  - Threat Hunting Team
  - Last but not the least, anyone who is interested in strengthening their offensive and detection capabilities in Cloud

- How many years of practical experience would the ideal student have to get most out of this workshop?
  - Minimum 1-3 years in Penetration Testing Domain.

- What Students Should Bring?

  - System with at least 16GB RAM having VMWare Workstation PRO installed
  - CWL RedCloud VM With Internet Connectivity

- What Students Will Be Provided With?

  - Soft Copy of the Course Content.
  - Great Knowledge about the Offensive Cloud Techniques used by adversaries.
  - Defense Tactics &amp; Techniques against the discussed offensive techniques.</description>
                <recording>
                    <license></license>
                    <optout>false</optout>
                </recording>
                <links></links>
                <attachments></attachments>

                <url>https://pretalx.com/security-bsides-las-vegas-2025/talk/D3ZJ83/</url>
                <feedback_url>https://pretalx.com/security-bsides-las-vegas-2025/talk/D3ZJ83/feedback/</feedback_url>
            </event>
            <event guid='0ed268a3-73da-5663-b9e3-c1ff494bc8b9' id='73341' code='XH3PFM'>
                <room>Ballroom</room>
                <title>Multi-Cloud (AWS, Azure &amp; GCP) Security [25 Edition], Day One, PM</title>
                <subtitle></subtitle>
                <type>Training-16h</type>
                <date>2025-08-04T15:00:00-07:00</date>
                <start>15:00</start>
                <duration>04:00</duration>
                <abstract>CyberWarFare Labs workshop on &quot;Multi-Cloud Security&quot; aims to provide practical insights of the offensive / defensive techniques used by the Red &amp; Blue Teams in an Enterprise Cloud Infrastructure. Learn from the creators of the renowned CWL RedCloud OS, a cloud adversary simulation VM, how to perform enterprise offensive / defensive operations.

- As a Red Team / Penetration Tester:
  Trainees will understand advanced real-world cyber attacks against major cloud vendors like AWS, MS Azure, and GCP.
  Simulate Tactics, Techniques, and Procedures (TTPs) widely used by APT groups in a practical lab environment.

- As a Blue Team / Defender:
  Trainees will learn to identify and defend against various emerging threats in a multi-cloud infra.
  Understand complex attack vectors &amp; sophisticated compromise scenarios from a defensive mindset</abstract>
                <slug>security-bsides-las-vegas-2025-73341-multi-cloud-aws-azure-gcp-security-25-edition-day-one-pm</slug>
                <track>Training Ground</track>
                
                <persons>
                    <person id='69296'>Yash Bharadwaj</person><person id='72404'>Manish Gupta</person>
                </persons>
                <language>en</language>
                <description>To make the workshop hands-on in the real sense all the trainees will be provided with Lab Access to the Multi-Cloud Environment. Lab Architecture is designed to cover all the attacks from both aspects that are demonstrated during the sessions.

### DAY 1 (8 Hrs)
- Part-1 : Introduction about Multi Cloud Environment

  - Module-1 : Azure Cloud Environment
    - Azure Identity : Entra ID &amp; RBAC
    - O365 / Microsoft 365
    - Azure Cloud Services (VM, Storage, IaaS, PaaS, SaaS)

  - Module-2 : AWS Cloud Environment
    - Identity &amp; Access Management
    - AWS Cloud Services (IaaS, PaaS, SaaS)
    - AWS Identity Center

  - Module-3 : GCP Cloud Environment
    - GCP Identity &amp; Access Management
    - GCP Cloud Services (IaaS, PaaS, SaaS)
    - Google Suite / Workspace + Cloud Identity

- Part-2 : Enumeration &amp; Initial Access on Cloud Infrastructure

  - Module-1 : Unauthenticated Enumeration
    - Enumerating Information from DNS Records
    - Enumerating Information from Cloud Vendors
    - Leaked secrets from GitHub
    - Enumerating storage &amp; other information from OSINT

  - Module-2 : Initial Access
    - Exploiting Cloud Services
    - Leaked Credentials
    - Compromising CI/CD pipeline
    - Compromising storage accounts

  - Module-3 : Authenticated Enumeration : IAM, Compute &amp; Storage
    - AWS Services
    - Entra ID &amp; Azure Services
    - Cloud Identity, Google Workspace, GCP Services

### DAY 2 (8 Hrs)
- Part-3 : Exploiting Multi-Cloud Services

  - Module-1 : Exploiting Multi-Cloud Services
    - AWS : cross account, within account
    - Azure : service principal, cross tenant, Entra ID
    - GCP : Access organization, Cloud Identity

  - Module-2 : Privilege Escalation
    - Elevating Privileges on AWS
    - Elevating Privileges on Azure
    - Elevating Privileges on GCP

- Part-4 : Lateral Movement

  - Module-1 : Within Multi-Cloud
    - AWS, GCP, Azure to each other

- Part-5 : Case Study (Multi-Cloud Red Team Simulation)
  - Red Teaming in Simulated Multi-Cloud Lab (Initial Access to Data Exfiltration)

###### NOTE : Attendees do not require cloud accounts; they will get access to the seamless environment &amp; have access to the environment for 15 days with a dedicated Discord channel.

- Why should people attend your course?
  - Practically Understand Enterprise Grade Red Team Operation Methodology in Multi-Cloud Environment
  - Perform Red Team Attack Cycle in Simulated Enterprise Environment
  - Stealth Lateral Movement Techniques in Multi-Cloud, Cloud to on-premise &amp; vice-versa
  - Core Services Mapping / Enumeration / Exploitation
  - Create custom tools to perform manual enumeration

- Student Requirements :

  - Fair Knowledge of Networking and Web Technology
  - Familiarity with CLI
  - An Open mind (*No prior Cloud knowledge is required).

- Who Should Take This Course ?
  - Targeted Audience may include the following group of people:
  - Penetration Testers / Red Teams
  - Cloud Security Professionals
  - Cloud Architects
  - SOC analysts
  - Threat Hunting Team
  - Last but not the least, anyone who is interested in strengthening their offensive and detection capabilities in Cloud

- How many years of practical experience would the ideal student have to get most out of this workshop?
  - Minimum 1-3 years in Penetration Testing Domain.

- What Students Should Bring?

  - System with at least 16GB RAM having VMWare Workstation PRO installed
  - CWL RedCloud VM With Internet Connectivity

- What Students Will Be Provided With?

  - Soft Copy of the Course Content.
  - Great Knowledge about the Offensive Cloud Techniques used by adversaries.
  - Defense Tactics &amp; Techniques against the discussed offensive techniques.</description>
                <recording>
                    <license></license>
                    <optout>false</optout>
                </recording>
                <links></links>
                <attachments></attachments>

                <url>https://pretalx.com/security-bsides-las-vegas-2025/talk/XH3PFM/</url>
                <feedback_url>https://pretalx.com/security-bsides-las-vegas-2025/talk/XH3PFM/feedback/</feedback_url>
            </event>
            
        </room>
        <room name='Pearl' guid='969e1f93-098a-5e50-9794-3330dec375c7'>
            <event guid='ef6864fc-e074-5314-9d73-7d3913fcb1dd' id='68794' code='VZH78P'>
                <room>Pearl</room>
                <title>Introduction to Cryptographic Attacks</title>
                <subtitle></subtitle>
                <type>Training-4h</type>
                <date>2025-08-04T10:30:00-07:00</date>
                <start>10:30</start>
                <duration>04:00</duration>
                <abstract>Using cryptography is often a subtle practice and mistakes can result in significant vulnerabilities. This workshop will cover many of these vulnerabilities which have shown up in the real world, including CVE-2020-0601. This will be a hands-on workshop where you will implement the attacks after each one is explained. I will provide a VM with a tool written in Python to execute the attacks. A good way to determine if this workshop is for you is to look at the challenges at cryptopals.com and see if those look interesting, but you could use in-person help understanding the attacks. While not a strict subset of those challenges, there is significant overlap. The exercises will range from decrypting ciphertext to recovering private keys from public key attacks, allowing us to create TLS cert private key and ssh private key files.</abstract>
                <slug>security-bsides-las-vegas-2025-68794-introduction-to-cryptographic-attacks</slug>
                <track>Training Ground</track>
                
                <persons>
                    <person id='69332'>Matt Cheung</person>
                </persons>
                <language>en</language>
                <description>This workshop will discuss the theory and practice of cryptographic attacks. We start with symmetric key cryptographic attacks starting with stream ciphers and how reuse of keystream can lead to exposing the plaintext. From there we move on to other symmetric key attacks.

After the symmetric key attacks, we move on to the public key attacks that will primarily focus on private key recovery. Attacks on the keys will also include exporting to standard private key files. Many of these attacks can even be relevant to TLS and ssh as we will discuss.</description>
                <recording>
                    <license></license>
                    <optout>false</optout>
                </recording>
                <links></links>
                <attachments></attachments>

                <url>https://pretalx.com/security-bsides-las-vegas-2025/talk/VZH78P/</url>
                <feedback_url>https://pretalx.com/security-bsides-las-vegas-2025/talk/VZH78P/feedback/</feedback_url>
            </event>
            <event guid='f3f4f2e4-c6ad-5c02-8630-d46b95c653fc' id='67744' code='RNF79D'>
                <room>Pearl</room>
                <title>Workshop on Cybersecurity Policy in Practice</title>
                <subtitle></subtitle>
                <type>Training-4h</type>
                <date>2025-08-04T15:00:00-07:00</date>
                <start>15:00</start>
                <duration>04:00</duration>
                <abstract>The goal of this workshop is to deepen participants&apos; understanding of cybersecurity policy by exploring foundational concepts, hard problems, and problem solving by stepping into the roles of different stakeholders involved in policymaking. The workshop has interactive activities like fishbowl discussions and stakeholder breakout sessions, where participants will have the opportunity to learn from key policymakers, critically analyze various approaches to cybersecurity policy, debate their effectiveness, and collaborate with each other on policy recommendations. At the end of the workshop, participants will be able to tackle complexities between technical and policy aspects of cybersecurity and identify practical strategies to address existing challenges in the field.</abstract>
                <slug>security-bsides-las-vegas-2025-67744-workshop-on-cybersecurity-policy-in-practice</slug>
                <track>Training Ground</track>
                
                <persons>
                    <person id='67435'>Jayati Dev</person><person id='68949'>Vaibhav Garg</person>
                </persons>
                <language>en</language>
                <description>The workshop is divided into four sessions &#8211; lecture, fishbowl activity, deep dive, and stakeholder breakout. The lecture and deep dive sessions will be 45 minutes each, with 5 minutes for questions while the activity sessions are being set up. 

[45 minutes] Session 1: Expert Lecture 
[5 minutes] Q&amp;A and Activity Setup 

[1 hour] Session 2: Fishbowl Activity 

[20 minutes] Break 

[45 minutes] Session 3: Deep Dive 
[5 minutes] Q&amp;A and Activity Setup

[1 hour] Session 4: Stakeholder Breakout Activity</description>
                <recording>
                    <license></license>
                    <optout>false</optout>
                </recording>
                <links></links>
                <attachments></attachments>

                <url>https://pretalx.com/security-bsides-las-vegas-2025/talk/RNF79D/</url>
                <feedback_url>https://pretalx.com/security-bsides-las-vegas-2025/talk/RNF79D/feedback/</feedback_url>
            </event>
            
        </room>
        <room name='Opal' guid='a47b2bc6-662a-553a-b9ca-40942581814b'>
            <event guid='632704cc-3817-5a40-bf1f-28505f364209' id='69442' code='E7XNDF'>
                <room>Opal</room>
                <title>From Command Line to Center Stage: Hack Your Way to Confident Speaking</title>
                <subtitle></subtitle>
                <type>Training-4h</type>
                <date>2025-08-04T10:30:00-07:00</date>
                <start>10:30</start>
                <duration>04:00</duration>
                <abstract>Does the thought of public speaking make you sweat more than a server room in July? You&#8217;re not alone! Whether you&apos;re a first-time speaker or looking to level up your confidence, this hands-on workshop will help you ditch the nerves and own the stage. Led by a seasoned speaker with 400+ presentations under their belt and training from world-class Toastmasters, this session is your chance to turn stage fright into stage might. And yes, EVERYONE will speak! Get ready to build confidence, engage your audience, and deliver a three-minute talk like a pro. Are you in?</abstract>
                <slug>security-bsides-las-vegas-2025-69442-from-command-line-to-center-stage-hack-your-way-to-confident-speaking</slug>
                <track>Training Ground</track>
                
                <persons>
                    <person id='70001'>Erich Kron</person><person id='69989'>James McQuiggan</person>
                </persons>
                <language>en</language>
                <description>Public speaking is a skill that can elevate your career, expand your influence, and help you deliver impactful messages with clarity and confidence. Whether you&apos;re stepping onto the stage for the first time or looking to refine your delivery, this interactive workshop will equip you with the tools to present with poise and purpose.

Led by a seasoned speaker with 20 years of experience, over 400 presentations delivered in the past five years, and training from world-class Toastmasters, this workshop is designed to help you conquer stage fright, structure your thoughts effectively, and engage your audience with confidence. Drawing from a deep background in cybersecurity and professional speaking, this hands-on experience will push you out of your comfort zone&#8212;in the best way possible.

By the end of the session, everyone will take the stage, delivering a short three-minute presentation while receiving constructive feedback in a supportive environment. You&#8217;ll walk away with practical techniques to control nerves, project authority, and own the room. If you&#8217;re ready to amplify your voice and master the art of public speaking, this workshop is for you!</description>
                <recording>
                    <license></license>
                    <optout>false</optout>
                </recording>
                <links></links>
                <attachments></attachments>

                <url>https://pretalx.com/security-bsides-las-vegas-2025/talk/E7XNDF/</url>
                <feedback_url>https://pretalx.com/security-bsides-las-vegas-2025/talk/E7XNDF/feedback/</feedback_url>
            </event>
            <event guid='7d97c21d-aa01-581d-a23d-3416130d82cd' id='67798' code='G33FLE'>
                <room>Opal</room>
                <title>Engineering Cyber Resilience for the Water Sector</title>
                <subtitle></subtitle>
                <type>Training-4h</type>
                <date>2025-08-04T15:00:00-07:00</date>
                <start>15:00</start>
                <duration>04:00</duration>
                <abstract>What Engineers Need to Know About Cyber and Why (and are not getting this in school).
This workshop uses a case study of a hypothetical engineering project to support discussion and application of the principles for Cyber-Informed Engineering  (CIE) throughout the workshop. The scenario draws from a selection of real-world case studies, is fictional, and is crafted to support the application of CIE principles. Workshop participants get a workbook to structure their journey, capture insights and lessons learned, and provide a useful takeaway item that can further conversations after the event. 
This is a hands-on workshop filled with exercises to develop understanding of the principles of Cyber Informed Engineering. This training event is designed for anyone who is interested in learning a methodology of designing out cyber-risk before a system is placed into operation.</abstract>
                <slug>security-bsides-las-vegas-2025-67798-engineering-cyber-resilience-for-the-water-sector</slug>
                <track>Training Ground</track>
                <logo>/media/security-bsides-las-vegas-2025/submissions/G33FLE/CIE_L_uYGxKSh.png</logo>
                <persons>
                    <person id='68449'>Art Conklin</person><person id='72420'>Virginia &#8220;Ginger&#8221; Wright</person><person id='72614'>Andrew Ohrt</person>
                </persons>
                <language>en</language>
                <description>This training session emerges from the Idaho National Laboratory Cyber Informed Engineering project, a Department of Energy supported effort to improve system resilience and risk reduction through design efforts to include cyber risks alongside other engineering considered hazards. Previous versions of this course have been conducted using different specific engineering problems to local industry groups. This class is a product from those experiences. The diversity of the BSidesLV attendee base will make this class much more engaging than an industry specific audience.

Cyber-Informed Engineering (CIE) offers an opportunity to &#8220;engineer out&#8221; some cyber risk across the entire system lifecycle, starting from the earliest possible phases of conceptual design and requirements development and system design&#8212;the most optimal times to introduce mitigations against cyber risk. CIE is an emerging method to integrate cybersecurity risk considerations into the conception, design, development, and operation of any physical system that has digital connectivity, monitoring, or control. CIE uses design decisions and engineering controls to mitigate or even eliminate avenues for cyber-enabled attacks or reduce the consequences when an attack occurs. In the same way that engineers design systems for safety, engineers informed by CIE use similar methods to prevent or lessen the impact of a cyber-attack. CIE also allows the engineers to advise the approaches used by specialized Information Technology (IT) and Operational Technology (OT) cybersecurity experts to align cybersecurity mitigations to the most critical consequences identified by the engineers. 

What are the 12 principles of CIE?
1. Consequence-Focused Design 
2. Engineered Controls 
3. Secure Information Architecture 
4. Design Simplification 
5. Layered Defenses 
6. Active Defense 
7. Interdependency Evaluation 
8. Digital Asset Awareness 
9. Cyber-Secure Supply Chain Controls 
10. Planned Resilience 
11. Engineering Information Control 
12. Organizational Culture 

The purpose of the training is to help people understand how to use these principles during engineering design to design out many sources of cyber risk. The hands-on workshop engages participants in a journey that helps improve their skills in designing out issues that would later potentially affect cyber risk.

The session begins with a presentation of the principles for Cyber Informed Engineering, with an initiating question to prompt thoughts and actions for each principle. The scenario used to facilitate discussion is then presented, providing a template upon which the principles can then be addressed. The exercise then moves through the 12 principles, where each is given an overview by one of the facilitators. What follows are small-group exercise tasks designed to facilitate the operationalization of each principle. The facilitators help the groups advance their discussion and learning. The training exercise concludes with a lessons-learned discussion.

References:
U.S. Department of Energy Office of Cybersecurity, Energy Security, and Emergency Response (CESER). Cyber Informed Engineering Implementation Guide. Version 1.0, August 7, 2023. https://www.osti.gov/biblio/1995796.
Cyber-Informed Engineering Workbook: CIE Hands-On Training. Technical Report, May 29, 2024. https://www.osti.gov/biblio/2371031.</description>
                <recording>
                    <license></license>
                    <optout>false</optout>
                </recording>
                <links></links>
                <attachments></attachments>

                <url>https://pretalx.com/security-bsides-las-vegas-2025/talk/G33FLE/</url>
                <feedback_url>https://pretalx.com/security-bsides-las-vegas-2025/talk/G33FLE/feedback/</feedback_url>
            </event>
            
        </room>
        <room name='Emerald' guid='8669d67e-5774-5a1b-94c0-b9dfec13e87d'>
            <event guid='264c55a4-52e6-5bb1-b0f2-67823d5065fb' id='68669' code='RTRQJA'>
                <room>Emerald</room>
                <title>Building your own CA infrastructure on cheap HSMs</title>
                <subtitle></subtitle>
                <type>Training-4h</type>
                <date>2025-08-04T10:30:00-07:00</date>
                <start>10:30</start>
                <duration>04:00</duration>
                <abstract>Practical HSMs are cheap, and you just don&#8217;t know it. Government adoption of PIV and CAC has driven prices of PKCS#11 devices down, and you don&#8217;t need an expensive enterprise HSM for your offline root signing key.

Further, widespread support for Name Constraints on Trust Anchors has finally arrived - So you can deploy a private CA to your client devices without affecting the public roots of trust, making it safer than ever to run your own PKI.

This workshop will be a walk through in setting up a full solution for generating a CA contained on a Yubikey, issuing intermediates used for online signing, and distributing said certificates to applications and end-user devices.</abstract>
                <slug>security-bsides-las-vegas-2025-68669-building-your-own-ca-infrastructure-on-cheap-hsms</slug>
                <track>Training Ground</track>
                
                <persons>
                    <person id='69222'>Mark Hahn</person><person id='69220'>Ted Hahn</person>
                </persons>
                <language>en</language>
                <description>This workshop teaches people to create their own Root Certificate. The key is stored on a Yubikey. The certificate includes name constraints suitable for including in a system trust store, both in your k8s pods and user devices.

We then mint further name-constrained certificates used as online intermediates for each of user identity and pods. These intermediates can be stored online, or stored on their own HSMs.</description>
                <recording>
                    <license></license>
                    <optout>false</optout>
                </recording>
                <links></links>
                <attachments></attachments>

                <url>https://pretalx.com/security-bsides-las-vegas-2025/talk/RTRQJA/</url>
                <feedback_url>https://pretalx.com/security-bsides-las-vegas-2025/talk/RTRQJA/feedback/</feedback_url>
            </event>
            <event guid='d03f1e40-98ba-5ace-94ba-3563a7d2b77a' id='67186' code='JELG8P'>
                <room>Emerald</room>
                <title>Cyber Threat Landscaping Workshop</title>
                <subtitle></subtitle>
                <type>Training-4h</type>
                <date>2025-08-04T15:00:00-07:00</date>
                <start>15:00</start>
                <duration>04:00</duration>
                <abstract>In the digital age, cybersecurity is crucial for businesses and customers. This workshop aims to equip various business functions with the knowledge and tools to analyze and update their threat landscapes, enhancing overall security and customer trust. Participants will gain a solid foundation in cyber threat intelligence, learning to identify threat actors, tools, and assets. They will understand the importance of threat landscapes and how to analyze and prioritize them effectively. The workshop will guide attendees through creating and updating their specific threat landscapes, incorporating best practices for continuous improvement and new intelligence. Through interactive discussions and group activities, participants will develop a heightened sense of trust and be empowered to promote this trust within their teams, products, and the broader industry. Enhance your company&apos;s reputation as a secure and trusted partner in the digital age.</abstract>
                <slug>security-bsides-las-vegas-2025-67186-cyber-threat-landscaping-workshop</slug>
                <track>Training Ground</track>
                
                <persons>
                    <person id='67856'>Alexis Womble</person>
                </persons>
                <language>en</language>
                <description>In today&apos;s digital age, cybersecurity is a critical concern for businesses and customers alike. Understanding and navigating the cyber threat landscape is essential for maintaining the integrity of your platforms and products. This workshop is designed to equip different business functions with the knowledge and tools necessary to analyze and update their threat landscapes, thereby enhancing our overall security posture and building greater trust with our customers. Participants will gain a solid foundation in cyber threat intelligence, including the identification of threat actors, tools, assets, and others. Participants will learn the significance of threat landscapes and how to effectively analyze and prioritize threats.
Attendees will be guided through the process of creating and updating their specific threat landscapes, incorporating best practices for continuous improvement and new intelligence. Through interactive discussions and group activities, participants will leave with a heightened sense of trust and be equipped to promote this trust within their teams, products, and the broader industry. Together, we can enhance your company&apos;s reputation as a secure and trusted partner in the digital age.</description>
                <recording>
                    <license></license>
                    <optout>false</optout>
                </recording>
                <links></links>
                <attachments></attachments>

                <url>https://pretalx.com/security-bsides-las-vegas-2025/talk/JELG8P/</url>
                <feedback_url>https://pretalx.com/security-bsides-las-vegas-2025/talk/JELG8P/feedback/</feedback_url>
            </event>
            
        </room>
        <room name='Diamond' guid='cf0d10ad-7c56-59fc-a3a7-c5655844c571'>
            <event guid='b187d2fc-8db2-52dd-80e8-feb6c80919ce' id='69650' code='QGYKQ3'>
                <room>Diamond</room>
                <title>Cybersecurity Roleplaying Training: Design &amp; Implement Engaging Incident Response Exercises</title>
                <subtitle></subtitle>
                <type>Training-4h</type>
                <date>2025-08-04T10:30:00-07:00</date>
                <start>10:30</start>
                <duration>04:00</duration>
                <abstract>Tired of boring tabletop exercises that put your team to sleep? Transform incident response training with an innovative roleplaying framework inspired by tabletop RPGs. This hands-on workshop guides you through designing engaging cybersecurity exercises using dice rolls, character abilities, and dynamic scenarios.

In this 4-hour session, you&apos;ll experience this approach through demonstration, then develop your own scenarios in small groups. Learn to create character roles with unique abilities, design realistic incident response challenges using the MITRE ATT&amp;CK framework, and craft unexpected events that keep participants engaged.

This approach emphasizes the human elements of incident response, making it accessible to both technical and non-technical audiences. Groups will test each other&apos;s scenarios, providing immediate feedback for refinement.

You&apos;ll leave with a ready-to-implement scenario, facilitation skills as an &quot;Incident Master,&quot; and community resources for continued development. Whether you&apos;re responsible for team training or building security culture, this workshop provides practical tools to make incident response training both fun and effective.</abstract>
                <slug>security-bsides-las-vegas-2025-69650-cybersecurity-roleplaying-training-design-implement-engaging-incident-response-exercises</slug>
                <track>Training Ground</track>
                
                <persons>
                    <person id='70155'>Klaus Agnoletti</person><person id='70634'>Glen Sorensen</person>
                </persons>
                <language>en</language>
                <description>This intensive 4-hour workshop introduces cybersecurity professionals to an innovative roleplaying approach for incident response training. Moving beyond traditional tabletop exercises, participants will learn to design and implement dynamic scenarios that simulate the pressure, uncertainty, and collaborative decision-making required during real security incidents.

## Workshop Value Proposition

Traditional IR exercises often fail to create authentic crisis environments or fully engage technical staff. This workshop presents a solution through:

- Character-based roleplaying that builds cross-functional understanding
- Game mechanics that simulate the uncertainty of real incidents
- Dynamic scenarios that evolve based on team decisions
- Collaborative problem-solving under realistic time constraints

## Workshop Structure

### Foundations (1 hour)

After brief introductions, participants learn core incident response roleplaying mechanics including character roles, action resolution, and facilitation techniques. A live demonstration with volunteers showcases how these mechanics create realistic incident dynamics.

### Scenario Development (1 hour 15 minutes)

Participants learn IR scenario design principles focused on:

- Accurately representing attack patterns using MITRE ATT&amp;CK
- Creating realistic incident detection and investigation challenges
- Simulating stakeholder management during incidents
- Balancing technical accuracy with engaging gameplay

Small groups then generate incident scenarios tailored to specific IR challenges like ransomware response, data breaches, or insider threats.

### Hands-On Development (1 hour)

Groups develop detailed IR scenarios including:

- Escalation patterns reflecting real attacker behavior
- Decision points that test IR policies and procedures
- &quot;Injects&quot; simulating stakeholder demands and technical complications
- Round structures reflecting detection, containment, and recovery phases

### Implementation and Practice (30 minutes)

Groups exchange scenarios for brief playtesting, providing immediate feedback. Participants then develop implementation plans for their own organizations, addressing team size, technical skill variance, and integration with existing IR programs.

### Conclusion (15 minutes)

The workshop concludes with key takeaways and resources for continued development.

## IR Training Focus

This workshop specifically addresses common IR training challenges:

- Simulating the pressure of time-sensitive security decisions
- Practicing stakeholder communications during incidents
- Building cross-functional teamwork between technical and non-technical roles
- Testing incident playbooks in unexpected scenarios
- Creating safe environments to practice difficult decision-making
- Developing empathy for various roles in the incident response process

Participants leave with ready-to-implement IR scenarios designed to test and strengthen their organization&apos;s incident response capabilities through engaging, realistic simulations that go beyond traditional tabletops.</description>
                <recording>
                    <license></license>
                    <optout>false</optout>
                </recording>
                <links></links>
                <attachments></attachments>

                <url>https://pretalx.com/security-bsides-las-vegas-2025/talk/QGYKQ3/</url>
                <feedback_url>https://pretalx.com/security-bsides-las-vegas-2025/talk/QGYKQ3/feedback/</feedback_url>
            </event>
            <event guid='d4dd7216-8ca6-5a1f-bdc6-afda985c2c00' id='70267' code='J98WLE'>
                <room>Diamond</room>
                <title>From Code to Cloud: Securing Your Stack with Open-Source Tools</title>
                <subtitle></subtitle>
                <type>Training-4h</type>
                <date>2025-08-04T15:00:00-07:00</date>
                <start>15:00</start>
                <duration>04:00</duration>
                <abstract>In a world where every Formula 1 team is sponsored by a security vendor&#8230; can open-source still hold pole position?

While big vendors chase attention with AI-fueled promises and enterprise price tags, most teams just need tools that work&#8212;and won&#8217;t wreck the budget. This workshop shows you how to build a practical, full-spectrum security stack using battle-tested open-source tools.

You&#8217;ll see live demos of tools like Trivy, GitLeaks, Checkov, ZAP, and OpenGrep, securing every layer from code to cloud. We&#8217;ll unpack real attack paths&#8212;like Log4Shell, dependency poisoning, and leaked secrets&#8212;and show how to detect and stop them early.

You&#8217;ll leave with a blueprint for integrating OSS tools into your workflow via CI/CD, IDEs, and pre-commit hooks, plus guidance on when free tools are enough&#8212;and when to go commercial.

If you&#8217;ve ever asked, &#8220;Do I really need to spend six figures to be secure?&#8221;&#8212;this is your answer.</abstract>
                <slug>security-bsides-las-vegas-2025-70267-from-code-to-cloud-securing-your-stack-with-open-source-tools</slug>
                <track>Training Ground</track>
                
                <persons>
                    <person id='70479'>Mackenzie Jackson</person>
                </persons>
                <language>en</language>
                <description>In a world where every Formula 1 team is backed by a security vendor, you might wonder: can open-source tools still compete&#8212;or are you just spinning your wheels?

This workshop is for the builders, breakers, and defenders who want practical answers&#8212;not just enterprise-grade promises wrapped in AI buzzwords. Modern applications are built fast, assembled from open-source packages, deployed via IaC, and run in complex cloud environments. Every step adds attack surface&#8212;and attackers know it.

But good security doesn&#8217;t have to start with a procurement call.

In this session, we&#8217;ll walk through how to build a high-quality, layered security program using open-source tools. You&#8217;ll see live demos of tools like:
- Trivy for container and dependency scanning (SCA),
- GitLeaks and TruffleHog for secrets detection (even buried in git history),
- Checkov for infrastructure-as-code scanning,
- ZAP and Nuclei for DAST and API testing,
- Bandit and OpenGrep for static analysis (SAST),
- And Zen for runtime protection via in-app firewalls.

Each tool will be shown in context&#8212;with real examples of how attackers exploit vulnerabilities in the wild: poisoned packages, typosquatting, exposed secrets, and cascading misconfigurations. We&#8217;ll explore famous breaches (like Log4Shell, EventStream, and Twitch&#8217;s git leak) and dissect how open-source tools could have detected or blocked the compromise.

You&apos;ll learn how to:
- Chain these tools together with CI/CD pipelines, Git hooks, and IDEs,
- Choose when to &#8220;build vs. buy&#8221;,
- And design a Minimal Viable Security Stack that offers solid coverage without budget strain.

We&#8217;ll also cover the limitations of OSS tools&#8212;because yes, you&#8217;ll miss some dashboards, reporting, and support&#8212;but for many teams, those are trade-offs worth making. Especially when the alternative is no security at all.

This workshop is ideal for:
- Developers looking to shift security left without killing velocity,
- Security engineers who need effective, budget-conscious coverage,
- Startups and small teams who want the protection, not the pitch.

By the end, you&#8217;ll have a working blueprint, tool configurations, and clarity on what matters most. Whether you&#8217;re a lone dev or scaling a team, this session will give you the tactical toolkit to secure what you build&#8212;with tools the community trusts.</description>
                <recording>
                    <license></license>
                    <optout>false</optout>
                </recording>
                <links></links>
                <attachments></attachments>

                <url>https://pretalx.com/security-bsides-las-vegas-2025/talk/J98WLE/</url>
                <feedback_url>https://pretalx.com/security-bsides-las-vegas-2025/talk/J98WLE/feedback/</feedback_url>
            </event>
            
        </room>
        <room name='Boardroom' guid='e976063b-fbd4-52e2-804f-382d841e7f39'>
            <event guid='e8940b1b-cf56-53ae-9896-9098a88cf1f6' id='75077' code='PET8DL'>
                <room>Boardroom</room>
                <title>Career Campaigns: A Tabletop RPG Workshop for Your Next Infosec Role, Monday AM</title>
                <subtitle></subtitle>
                <type>Training-8h</type>
                <date>2025-08-04T10:30:00-07:00</date>
                <start>10:30</start>
                <duration>04:00</duration>
                <abstract>Join us for a Role-Playing Game with real-world wins! Participants will transform their current &quot;character sheet&quot; into a freshly reskilled hero ready to take on any cybersec hiring process.

&#8220;You&apos;re new to these parts, traveler. Want to join my party? We&#8217;re defending the castle, but we don&#8217;t have enough heroes to &#8211; wait. Where&#8217;s your sword?! You can&#8217;t defend with a *lute*!&#8221; 

Actually, you *can.* 

See, I faced that same skepticism from hiring managers:  no IT or cyber background, so I clearly didn&apos;t have what it took.

After a slew of rejections, I found some old 20-sided-dice&#8230; and realized I needed to completely reframe my previous career. 

Now? I&#8217;m a threat intel analyst at a major insurance provider, translating research into actionable recommendations for the business.

Let me show you how you, too, can pivot into a new role.

I&#8217;ll guide participants through a modern hiring process RPG as they reskill their classes and adjust their strategy to win a coveted position. You&#8217;ll walk away with concrete research, tools, and techniques to help your next employer properly value your current experience for your first (or next!) infosec role.</abstract>
                <slug>security-bsides-las-vegas-2025-75077-career-campaigns-a-tabletop-rpg-workshop-for-your-next-infosec-role-monday-am</slug>
                <track>Training Ground</track>
                
                <persons>
                    <person id='67701'>Stryker</person>
                </persons>
                <language>en</language>
                <description>Join us for a tabletop roleplaying game (RPG) with real-world wins! Participant-players seeking their first role in cyber &#8211; or simply transitioning to a new specialization &#8211; will transform their current resume&apos;s &quot;character sheet&quot; into a freshly reskilled or dual-classed hero, ready to take on any cybersecurity hiring process for your next infosec campaign.

&#8220;You&apos;re new to these parts, traveler. Want to join a new infosec campaign party I&#8217;m forming? We&#8217;re defending the castle, and don&#8217;t have enough heroes to &#8211; wait. Where&#8217;s your sword?! You can&#8217;t defend with a *lute*!&#8221; 

Actually, you *can.* 

See, in 2023, I faced that same skepticism from infosec hiring managers: No IT or cyber background, so I clearly didn&apos;t have what it took to be a cybersecurity professional. 

After a slew of rejections, I found some old 20-sided-dice&#8230; and I realized I needed to completely reframe my previous career. 

Now? I&#8217;m a threat intel analyst at a major insurance provider, helping my team translate technical research and controls into actionable recommendations for the business.

Let me show you how you, too, can pivot into information security during this three-hour RPG tabletop campaign-workshop.

I&#8217;ll guide participant-players through a modern infosec hiring process RPG tabletop &#8220;campaign&#8221; workshop, acting as the game master as participant-players reskill their classes and adjust their application strategies to win a coveted role for their infosec party. 

In the end, you&#8217;ll walk away with concrete research, tools, and techniques to help your next employer properly value and respect your current non-infosec skills and experience in your first (or next!) infosec role.</description>
                <recording>
                    <license></license>
                    <optout>false</optout>
                </recording>
                <links></links>
                <attachments></attachments>

                <url>https://pretalx.com/security-bsides-las-vegas-2025/talk/PET8DL/</url>
                <feedback_url>https://pretalx.com/security-bsides-las-vegas-2025/talk/PET8DL/feedback/</feedback_url>
            </event>
            <event guid='a6f69c59-f590-5fef-a312-e9fbe0530457' id='67016' code='XRWXY9'>
                <room>Boardroom</room>
                <title>Career Campaigns: A Tabletop RPG Workshop for Your Next Infosec Role, Monday PM</title>
                <subtitle></subtitle>
                <type>Training-8h</type>
                <date>2025-08-04T15:00:00-07:00</date>
                <start>15:00</start>
                <duration>04:00</duration>
                <abstract>Join us for a tabletop roleplaying game (RPG) with real-world wins! Participant-players seeking their first role in cyber &#8211; or simply transitioning to a new specialization &#8211; will transform their current resume&apos;s &quot;character sheet&quot; into a freshly reskilled or dual-classed hero, ready to take on any cybersecurity hiring process for your next infosec campaign.</abstract>
                <slug>security-bsides-las-vegas-2025-67016-career-campaigns-a-tabletop-rpg-workshop-for-your-next-infosec-role-monday-pm</slug>
                <track>Training Ground</track>
                
                <persons>
                    <person id='67701'>Stryker</person>
                </persons>
                <language>en</language>
                <description>&#8220;You&apos;re new to these parts, traveler. Want to join a new infosec campaign party I&#8217;m forming? We&#8217;re defending the castle, and don&#8217;t have enough heroes to &#8211; wait. Where&#8217;s your sword?! You can&#8217;t defend with a *lute*!&#8221; 

Actually, you *can.* 

See, in 2023, I faced that same skepticism from infosec hiring managers: No IT or cyber background, so I clearly didn&apos;t have what it took to be a cybersecurity professional. 

After a slew of rejections, I found some old 20-sided-dice&#8230; and I realized I needed to completely reframe my previous career. 

Now? I&#8217;m a threat intel analyst at a major insurance provider, helping my team translate technical research and controls into actionable recommendations for the business.

Let me show you how you, too, can pivot into information security during this three-hour RPG tabletop campaign-workshop.

I&#8217;ll guide participant-players through a modern infosec hiring process RPG tabletop &#8220;campaign&#8221; workshop, acting as the game master as participant-players reskill their classes and adjust their application strategies to win a coveted role for their infosec party. 

In the end, you&#8217;ll walk away with concrete research, tools, and techniques to help your next employer properly value and respect your current non-infosec skills and experience in your first (or next!) infosec role.</description>
                <recording>
                    <license></license>
                    <optout>false</optout>
                </recording>
                <links></links>
                <attachments></attachments>

                <url>https://pretalx.com/security-bsides-las-vegas-2025/talk/XRWXY9/</url>
                <feedback_url>https://pretalx.com/security-bsides-las-vegas-2025/talk/XRWXY9/feedback/</feedback_url>
            </event>
            
        </room>
        <room name='Misora' guid='beaac478-2ebd-5233-9eab-3d34e8deee93'>
            <event guid='9b8d465b-45f5-5075-a85d-e533d90e1c13' id='71476' code='B7DJJN'>
                <room>Misora</room>
                <title>Ask the Fed (Token 01)</title>
                <subtitle></subtitle>
                <type>Talk-45m</type>
                <date>2025-08-04T10:00:00-07:00</date>
                <start>10:00</start>
                <duration>01:00</duration>
                <abstract>This is your chance to ask current or recent members of the federal government your burning questions, the ones you don&apos;t want recorded.</abstract>
                <slug>security-bsides-las-vegas-2025-71476-ask-the-fed-token-01</slug>
                <track>Skytalks</track>
                
                <persons>
                    <person id='72199'>Noah K</person><person id='72200'>Joel Max</person><person id='72201'>Tim Weston</person><person id='72202'>Matt</person><person id='72203'>Donald McFarlane</person>
                </persons>
                <language>en</language>
                <description>N/A</description>
                <recording>
                    <license></license>
                    <optout>false</optout>
                </recording>
                <links></links>
                <attachments></attachments>

                <url>https://pretalx.com/security-bsides-las-vegas-2025/talk/B7DJJN/</url>
                <feedback_url>https://pretalx.com/security-bsides-las-vegas-2025/talk/B7DJJN/feedback/</feedback_url>
            </event>
            <event guid='8f03c173-76ed-564c-9ee0-1a2710d69ca4' id='69120' code='FKHVV8'>
                <room>Misora</room>
                <title>The Botnet Strikes Back: how we assembled a coalition to take down a criminal network &amp; their all-out response (Token02)</title>
                <subtitle></subtitle>
                <type>Talk-45m</type>
                <date>2025-08-04T14:00:00-07:00</date>
                <start>14:00</start>
                <duration>00:45</duration>
                <abstract>In November 2024, Black Lotus Labs took down the &#8220;ngioweb&#8221; botnet, which formed the basis of the NSOCKS criminal proxy network. The network was one of the most popular for criminal groups and had been tied to APTs, had proxies in 180 countries, and took us a year to track and identify all the nodes and C2s.

Previous interdictions had taught us we could not act alone and keep botnets down for long, so we had been working extensively to build trust with other ISPs and ASNs around the world to try and limit a botnet&#8217;s reconstruction. After everything from blind letters to abuse desks to connections through friends, we managed to get our research in front of the right people and put together a group to simultaneously deny traffic to all the known layers of control. And then things got interesting.

The botnet controllers used everything from social media to &#8220;cease and desist&#8221; letters, eventually trying to DDoS our company, all in an effort to get their botnet back.

I will describe our efforts to build cooperation among internet providers behind the scenes, and the various attempts the threat actors used to coerce us into leaving them alone.</abstract>
                <slug>security-bsides-las-vegas-2025-69120-the-botnet-strikes-back-how-we-assembled-a-coalition-to-take-down-a-criminal-network-their-all-out-response-token02</slug>
                <track>Skytalks</track>
                
                <persons>
                    <person id='72123'>Ryan English</person>
                </persons>
                <language>en</language>
                <description>n/a</description>
                <recording>
                    <license></license>
                    <optout>false</optout>
                </recording>
                <links></links>
                <attachments></attachments>

                <url>https://pretalx.com/security-bsides-las-vegas-2025/talk/FKHVV8/</url>
                <feedback_url>https://pretalx.com/security-bsides-las-vegas-2025/talk/FKHVV8/feedback/</feedback_url>
            </event>
            <event guid='760a33a0-70fd-5111-ac80-ac96ea2ad118' id='69121' code='DLGT8N'>
                <room>Misora</room>
                <title>The Remote Grift: Cunning Meets Naivete, and the Victims Become the Criminals (Token 03)</title>
                <subtitle></subtitle>
                <type>Talk-45m</type>
                <date>2025-08-04T15:00:00-07:00</date>
                <start>15:00</start>
                <duration>00:45</duration>
                <abstract>For DFIR professionals, the remote grift is no mystery. It&#8217;s a hybrid crime, blending an old-fashioned con with technical tools. The grifter is cunning. The victim is trusting &#8211; a classic &#8220;mark.&#8221; The grifter manipulates the mark, who unknowingly commits a crime. The only fingerprints at the scene belong to the mark.

We&#8217;ll explore several real-life incident responses where the victim ended up in handcuffs. We&#8217;ll reveal details that don&#8217;t make the headlines.

It&#8217;s a grave injustice, and today&#8217;s security awareness training is partly to blame. Yes, the training has done its job (awareness is raised). But it&#8217;s mostly stuck on yesterday&#8217;s &#8220;high-tech crimes.&#8221; It&#8217;s become an exercise in checkbox security, prioritizing &#8220;don&#8217;t click&#8221; over gut instinct and human psychology.

Basic tech-focused training should not be abandoned, but employees clearly dread current versions. Many view it as a waste of time. New training materials must recapture their attention, hitting hard on the human element. To empower the user against deception, training should engage both the brain and the gut. We&#8217;ll discuss a formula to &#8220;humanize&#8221; security training, making it both more compelling and effective.</abstract>
                <slug>security-bsides-las-vegas-2025-69121-the-remote-grift-cunning-meets-naivete-and-the-victims-become-the-criminals-token-03</slug>
                <track>Skytalks</track>
                
                <persons>
                    <person id='70930'>Ira Victor</person>
                </persons>
                <language>en</language>
                <description>n/a</description>
                <recording>
                    <license></license>
                    <optout>false</optout>
                </recording>
                <links></links>
                <attachments></attachments>

                <url>https://pretalx.com/security-bsides-las-vegas-2025/talk/DLGT8N/</url>
                <feedback_url>https://pretalx.com/security-bsides-las-vegas-2025/talk/DLGT8N/feedback/</feedback_url>
            </event>
            <event guid='6f2ea917-8195-5fd5-97ff-7dfb868ffeda' id='69913' code='XNRJTZ'>
                <room>Misora</room>
                <title>Real Life Needs an ESP Overlay &#8212; So we Made One! (Token 04)</title>
                <subtitle></subtitle>
                <type>Talk-20m</type>
                <date>2025-08-04T16:00:00-07:00</date>
                <start>16:00</start>
                <duration>00:20</duration>
                <abstract>Video games often give players a tactical advantage through HUDs&#8212;enemy indicators, directional cues, and awareness overlays. But what if you could bring that level of perception into real life? Inspired by the world of game hacking, this talk explores the development of a real-world ESP-style system! Think wallhacks, bounding boxes, and heads-up intelligence, but for the real world!

We&#8217;ll walk through how tools and methods from the game cheating scene (such as tracking movement, basic identification of teammates or unidentified people, and the direction they are facing) can be adapted to real-world sensor input and spatial reasoning. Using computer vision, object detection, and some creative hardware setups, we&#8217;ve built a working proof-of-concept: an augmented reality HUD that mimics the feel of video game ESP. It&apos;s part serious toolkit, part cyberpunk toy, and 100% inspired by &quot;script kiddies&quot;.

This talk will demo the tech, explore the methodology, and walk through the surprisingly effective crossover from game mods to meatspace perception mods. Because if you&#8217;ve ever asked yourself, &#8220;Why can&#8217;t I see enemies through walls IRL?&#8221;&#8212;we&#8217;re here to say: now you kinda can.</abstract>
                <slug>security-bsides-las-vegas-2025-69913-real-life-needs-an-esp-overlay-so-we-made-one-token-04</slug>
                <track>Skytalks</track>
                
                <persons>
                    <person id='67826'>Alex Thines</person><person id='70919'>Brad &quot;Sno0ose&quot; Ammerman</person>
                </persons>
                <language>en</language>
                <description>n/a</description>
                <recording>
                    <license></license>
                    <optout>false</optout>
                </recording>
                <links></links>
                <attachments></attachments>

                <url>https://pretalx.com/security-bsides-las-vegas-2025/talk/XNRJTZ/</url>
                <feedback_url>https://pretalx.com/security-bsides-las-vegas-2025/talk/XNRJTZ/feedback/</feedback_url>
            </event>
            <event guid='c9157bde-53fa-5739-974a-b9f323b3d33a' id='69910' code='RWPBDF'>
                <room>Misora</room>
                <title>Oh Hotel No!: How A Hopeless Hooligan Helped A Homie From Homeless To Homeowner In 9 Months (Token 05)</title>
                <subtitle></subtitle>
                <type>Talk-45m</type>
                <date>2025-08-04T17:00:00-07:00</date>
                <start>17:00</start>
                <duration>00:45</duration>
                <abstract>This is the story of a hooligan and his fascination with exploiting physical and digital vulnerabilities in hotels for the purposes of persistent access, living off the land, and surreptitiously housing homeless people.</abstract>
                <slug>security-bsides-las-vegas-2025-69910-oh-hotel-no-how-a-hopeless-hooligan-helped-a-homie-from-homeless-to-homeowner-in-9-months-token-05</slug>
                <track>Skytalks</track>
                
                <persons>
                    <person id='71764'>Justin Varner</person>
                </persons>
                <language>en</language>
                <description>n/a</description>
                <recording>
                    <license></license>
                    <optout>false</optout>
                </recording>
                <links></links>
                <attachments></attachments>

                <url>https://pretalx.com/security-bsides-las-vegas-2025/talk/RWPBDF/</url>
                <feedback_url>https://pretalx.com/security-bsides-las-vegas-2025/talk/RWPBDF/feedback/</feedback_url>
            </event>
            <event guid='9a7579c9-d009-5f86-b965-00803b4a21ee' id='70094' code='AQZJX7'>
                <room>Misora</room>
                <title>Indexing the Chaos: Extracting PII from Ransomware Leaks (Token 06)</title>
                <subtitle></subtitle>
                <type>Talk-45m</type>
                <date>2025-08-04T18:00:00-07:00</date>
                <start>18:00</start>
                <duration>00:45</duration>
                <abstract>We built a tool, HIBR, a system that crawls ransomware gang leak sites, downloads the chaos, and uses OCR + LLMs to sift through scanned IDs, contracts, HR PDFs, and anything else these digital hyenas leave behind. And yes, it works. No, we don&#8217;t show you the PII. But we know where it is.

This talk is a guided tour through a pipeline that&#8217;s half tool, half moral panic generator. You&#8217;ll see how we built it, what we found, and what it means when your passport is sitting in a ZIP file called pay_or_we_leak.zip.

This isn&apos;t a product demo. It&#8217;s a deep dive into uncomfortable data, blurry legal zones, and the fine art of not getting sued while looking directly at the internet&apos;s open wound.</abstract>
                <slug>security-bsides-las-vegas-2025-70094-indexing-the-chaos-extracting-pii-from-ransomware-leaks-token-06</slug>
                <track>Skytalks</track>
                
                <persons>
                    <person id='70492'>Juanma</person>
                </persons>
                <language>en</language>
                <description>HIBR was born out of frustration. Everyone&#8217;s talking about ransomware, but nobody wants to touch the fallout. I&#8217;m talking about the public dumps. The .7z files on sketchy TOR mirrors. The PDFs titled &#8220;contracts&#8221; that are actually scanned IDs from Ecuador to Estonia.

Most breach tools ignore these. They&#8217;re messy, hard to parse, and a legal migraine. So I built a system that does parse them, responsibly (as much as that&#8217;s possible), and answers one burning question: was my real-life data dumped by ransomware goons and forgotten?

We built:

- A crawler (breach.house) that grabs leaks from known ransomware groups, also breaches, stealer logs and leads.
- A processor that unzips the chaos, runs OCR over images, extracts text, and feeds it to an LLM trained to recognize personal data patterns (ID numbers, names, passport, driver license, ssn, etc).
- A frontend (haveibeenransom.com) that lets you search for your email or ID without ever exposing the raw data.

This talk will include:

- Real examples (redacted) of exposed IDs, tax files, and the dumbest things people name their internal folders.
- The tradeoffs between &#8220;public service&#8221; and &#8220;this might get me a GDPR fine.&#8221;
- A walkthrough of the tool, how it works, what it does well, and where it could go sideways.

This is the side of breach awareness people pretend isn&#8217;t there. We&apos;re not pretending.</description>
                <recording>
                    <license></license>
                    <optout>false</optout>
                </recording>
                <links></links>
                <attachments></attachments>

                <url>https://pretalx.com/security-bsides-las-vegas-2025/talk/AQZJX7/</url>
                <feedback_url>https://pretalx.com/security-bsides-las-vegas-2025/talk/AQZJX7/feedback/</feedback_url>
            </event>
            
        </room>
        <room name='Suite 1702' guid='e07e8e24-5d19-5a60-9cc9-3e748204aeee'>
            <event guid='de8631af-30bb-54d0-b398-a67c293b9402' id='70709' code='RJXCQH'>
                <room>Suite 1702</room>
                <title>Skytalks Reception</title>
                <subtitle></subtitle>
                <type>Event2HR</type>
                <date>2025-08-04T20:00:00-07:00</date>
                <start>20:00</start>
                <duration>02:00</duration>
                <abstract>Skytalks Reception</abstract>
                <slug>security-bsides-las-vegas-2025-70709-skytalks-reception</slug>
                <track>Events</track>
                
                <persons>
                    
                </persons>
                <language>en</language>
                <description>Skytalks Reception</description>
                <recording>
                    <license></license>
                    <optout>false</optout>
                </recording>
                <links></links>
                <attachments></attachments>

                <url>https://pretalx.com/security-bsides-las-vegas-2025/talk/RJXCQH/</url>
                <feedback_url>https://pretalx.com/security-bsides-las-vegas-2025/talk/RJXCQH/feedback/</feedback_url>
            </event>
            
        </room>
        <room name='Foyer, Platinum Hotel Conference Center' guid='9ee58053-f07d-5593-9b7b-ca70047a36c3'>
            <event guid='dbedbc78-5650-5393-a0b1-d061a8f1c71e' id='70695' code='NMSLMR'>
                <room>Foyer, Platinum Hotel Conference Center</room>
                <title>Morning Trainings, Monday</title>
                <subtitle></subtitle>
                <type>Training-4h</type>
                <date>2025-08-04T10:30:00-07:00</date>
                <start>10:30</start>
                <duration>04:00</duration>
                <abstract>Morning Trainings, Monday</abstract>
                <slug>security-bsides-las-vegas-2025-70695-morning-trainings-monday</slug>
                <track>Middle Ground</track>
                
                <persons>
                    
                </persons>
                <language>en</language>
                <description>Morning Trainings, Monday</description>
                <recording>
                    <license></license>
                    <optout>false</optout>
                </recording>
                <links></links>
                <attachments></attachments>

                <url>https://pretalx.com/security-bsides-las-vegas-2025/talk/NMSLMR/</url>
                <feedback_url>https://pretalx.com/security-bsides-las-vegas-2025/talk/NMSLMR/feedback/</feedback_url>
            </event>
            <event guid='176d9209-f83e-505d-80af-bad114cdc026' id='70702' code='JDGG7P'>
                <room>Foyer, Platinum Hotel Conference Center</room>
                <title>Trainer Box Lunches Delivered, Monday</title>
                <subtitle></subtitle>
                <type>Event1HR</type>
                <date>2025-08-04T14:30:00-07:00</date>
                <start>14:30</start>
                <duration>00:00</duration>
                <abstract>Trainer Box Lunches Delivered, Monday</abstract>
                <slug>security-bsides-las-vegas-2025-70702-trainer-box-lunches-delivered-monday</slug>
                <track>Middle Ground</track>
                
                <persons>
                    
                </persons>
                <language>en</language>
                <description>Trainer Box Lunches Delivered, Monday</description>
                <recording>
                    <license></license>
                    <optout>false</optout>
                </recording>
                <links></links>
                <attachments></attachments>

                <url>https://pretalx.com/security-bsides-las-vegas-2025/talk/JDGG7P/</url>
                <feedback_url>https://pretalx.com/security-bsides-las-vegas-2025/talk/JDGG7P/feedback/</feedback_url>
            </event>
            <event guid='c353a44f-330f-5a95-8fad-38e58b8cd43e' id='70704' code='NJPLSK'>
                <room>Foyer, Platinum Hotel Conference Center</room>
                <title>Afternoon Trainings, Monday</title>
                <subtitle></subtitle>
                <type>Training-4h</type>
                <date>2025-08-04T15:00:00-07:00</date>
                <start>15:00</start>
                <duration>04:00</duration>
                <abstract>Afternoon Trainings, Monday</abstract>
                <slug>security-bsides-las-vegas-2025-70704-afternoon-trainings-monday</slug>
                <track>Middle Ground</track>
                
                <persons>
                    
                </persons>
                <language>en</language>
                <description>Afternoon Trainings, Monday</description>
                <recording>
                    <license></license>
                    <optout>false</optout>
                </recording>
                <links></links>
                <attachments></attachments>

                <url>https://pretalx.com/security-bsides-las-vegas-2025/talk/NJPLSK/</url>
                <feedback_url>https://pretalx.com/security-bsides-las-vegas-2025/talk/NJPLSK/feedback/</feedback_url>
            </event>
            
        </room>
        
    </day>
    <day index='2' date='2025-08-05' start='2025-08-05T04:00:00-07:00' end='2025-08-06T03:59:00-07:00'>
        <room name='Florentine A' guid='17c3879d-b68a-5a2f-af38-dd22c4b1b021'>
            <event guid='960e29ed-8b01-5364-9d40-f6ae22feddab' id='70726' code='YGTMLX'>
                <room>Florentine A</room>
                <title>Opening Remarks, Tuesday</title>
                <subtitle></subtitle>
                <type>Talk-20m</type>
                <date>2025-08-05T09:30:00-07:00</date>
                <start>09:30</start>
                <duration>00:25</duration>
                <abstract>Opening Remarks, Tuesday</abstract>
                <slug>security-bsides-las-vegas-2025-70726-opening-remarks-tuesday</slug>
                <track>Keynotes</track>
                
                <persons>
                    <person id='65071'>milqtst</person>
                </persons>
                <language>en</language>
                <description>Opening Remarks, Tuesday</description>
                <recording>
                    <license></license>
                    <optout>false</optout>
                </recording>
                <links></links>
                <attachments></attachments>

                <url>https://pretalx.com/security-bsides-las-vegas-2025/talk/YGTMLX/</url>
                <feedback_url>https://pretalx.com/security-bsides-las-vegas-2025/talk/YGTMLX/feedback/</feedback_url>
            </event>
            <event guid='14015c46-9bb4-5316-81de-3ef7d476ec9a' id='70304' code='RK9DQ9'>
                <room>Florentine A</room>
                <title>Poison in the Wires: Interactive Network Visualization of Data Attacks</title>
                <subtitle></subtitle>
                <type>Talk-20m</type>
                <date>2025-08-05T10:00:00-07:00</date>
                <start>10:00</start>
                <duration>00:20</duration>
                <abstract>What if we could not only visualize poisoned training data, but interact with it?
As data poisoning becomes a growing threat to the integrity of machine learning systems, understanding its effects requires more than static visualizations. This talk introduces GraphLeak, an open-source, interactive web tool designed to visualize how poisoned training data alters network structure. We will explore how adversarial data manipulation impacts graph-based representations.
Building on network science concepts, this session will go deeper: not just showing how poisoning affects structure, but allowing users to directly interact with poisoned vs. clean datasets in real time. We&#8217;ll walk through how the app ingests CSV or JSON data, builds networks, and renders them via layouts.
The presentation of this tool emphasizes accessibility through making data poisoning tangible and transparent, allowing security practitioners and non-experts to understand how data poisoning attacks distort model behavior. By making threats visible, we make the defenses of these threats more approachable, democratizing insight into machine learning vulnerabilities and supporting the development of more robust, transparent systems.</abstract>
                <slug>security-bsides-las-vegas-2025-70304-poison-in-the-wires-interactive-network-visualization-of-data-attacks</slug>
                <track>Breaking Ground</track>
                
                <persons>
                    <person id='70663'>Maria Khodak</person>
                </persons>
                <language>en</language>
                <description>This talk branches off of my original research that I have been developing since August 2024. I have been researching data poisoning and also applying graph theory to cybersecurity. I developed this talk after speaking about theoretically visualizing poisoning networks. In this talk, I actually want to visualize poisoning training data with a custom GUI. After talking through some graph theory and data poisoning basics, I&#8217;ll show how poisoned training data messes with AI using an interactive network visualization tool I built. I wanted to emphasize how visualizing vulnerabilities makes it easier to understand and execute them, particularly in the AI red teaming space. The audience will see how bad data creates weird structures in graphs beyond just data differences. It&#8217;s like watching a model get hacked from the inside, but in a way you can actually see and explore. The tool is open source, works with local data, and helps make these attacks way more understandable (and fun to mess with). The talk is made for audiences who like machine learning, graphs, and red teaming, which at its core, is just breaking things apart into smaller, more understandable pieces.
I enjoy being able to contribute a graphical perspective to hacking in general. I think that being able to visually represent an attack graphically and accurately can help make the vulnerability more interactive and easier to understand. I wanted to be able to show that AI models are as breakable as anything else, and a great way to show that is through visualization with networks.
https://youtu.be/7z6YAgggw-o?si=n5bhWkHmRlL76eCn</description>
                <recording>
                    <license></license>
                    <optout>false</optout>
                </recording>
                <links></links>
                <attachments></attachments>

                <url>https://pretalx.com/security-bsides-las-vegas-2025/talk/RK9DQ9/</url>
                <feedback_url>https://pretalx.com/security-bsides-las-vegas-2025/talk/RK9DQ9/feedback/</feedback_url>
            </event>
            <event guid='27dd7e1b-5cd3-559e-a3a0-a0b462c5370b' id='67454' code='WKALMR'>
                <room>Florentine A</room>
                <title>Rusty pearls: Postgres RCE on cloud databases</title>
                <subtitle></subtitle>
                <type>Talk-20m</type>
                <date>2025-08-05T10:30:00-07:00</date>
                <start>10:30</start>
                <duration>00:20</duration>
                <abstract>In this session, we will delve into CVE-2024-10979, discovered by Varonis Threat Labs, and explain how it can be exploited to execute arbitrary code on cloud-hosted databases. Join us to gain insights into this significant Remote Code Execution (RCE) vulnerability and learn strategies for defending and testing managed databases for vulnerabilities.</abstract>
                <slug>security-bsides-las-vegas-2025-67454-rusty-pearls-postgres-rce-on-cloud-databases</slug>
                <track>Breaking Ground</track>
                
                <persons>
                    <person id='68154'>Coby Abrams</person><person id='68091'>Tal Peleg</person>
                </persons>
                <language>en</language>
                <description>In this session, we will describe how an attempt to find a vulnerability in a popular IaaS provider led to the discovery of this issue and how we leveraged it along with several other bugs into an RCE. We will explain the operation of cloud-managed PostgreSQL and our approach to testing it. Additionally, we will present a series of vulnerabilities identified and discuss how exploitation of these techniques can be detected in AWS, other cloud providers, and databases that are not managed by a cloud provider. A demonstration of the vulnerability on a local instance will be provided, followed by a summary of takeaways related to using open-source code, shared responsibility models, and cloud security best practices.

We will bring our story, which was overall a challenging and exciting experience that ended with our database being blocked, and further collaboration with AWS.</description>
                <recording>
                    <license></license>
                    <optout>false</optout>
                </recording>
                <links></links>
                <attachments></attachments>

                <url>https://pretalx.com/security-bsides-las-vegas-2025/talk/WKALMR/</url>
                <feedback_url>https://pretalx.com/security-bsides-las-vegas-2025/talk/WKALMR/feedback/</feedback_url>
            </event>
            <event guid='5aba18a2-80e0-5f47-b751-983968f57f73' id='67712' code='TDYSX8'>
                <room>Florentine A</room>
                <title>No IP, No Problem: Exfiltrating Data Behind IAP</title>
                <subtitle></subtitle>
                <type>Talk-20m</type>
                <date>2025-08-05T11:00:00-07:00</date>
                <start>11:00</start>
                <duration>00:20</duration>
                <abstract>Google Cloud&#8217;s Identity-Aware Proxy (IAP) is often seen as the final gatekeeper for internal GCP services - but what happens when that gate quietly swings open? This session uncovers how subtle misconfigurations in IAP can lead to serious data exposure, even in environments with no public IPs, strict VPC Service Controls, and hardened perimeters. We&#8217;ll introduce a new vulnerability in IAP that enables data exfiltration, allowing attackers to bypass traditional network controls entirely, without ever sending traffic to the public internet. In addition, we&#8217;ll walk through real-world examples of overly permissive IAM bindings, misplaced trust in user-supplied headers, and overlooked endpoints that quietly expand the attack surface. Attendees will gain a deeper understanding of IAP&#8217;s internal workings, practical detection strategies, and a critical perspective on trust boundaries in GCP.</abstract>
                <slug>security-bsides-las-vegas-2025-67712-no-ip-no-problem-exfiltrating-data-behind-iap</slug>
                <track>Breaking Ground</track>
                <logo>/media/security-bsides-las-vegas-2025/submissions/TDYSX8/CORSl_VtzSmAO.png</logo>
                <persons>
                    <person id='68375'>Ariel Kalman</person>
                </persons>
                <language>en</language>
                <description>This talk delivers a technical dive into Google Cloud&#8217;s IAP, a service widely used to enforce access controls on internal applications - and often assumed to be foolproof. We begin with a concise overview of how IAP works behind the scenes, including its identity enforcement model and how it integrates with IAM and backend services.

The goal of this talk isn&#8217;t just to highlight common misconfigurations and warn people not to repeat them, because plenty of blog posts already do that. Instead, the core focus is on teaching defenders how these misconfigurations manifest in logs once an attacker begins to exploit them, equipping them to build effective detections and stop breaches before they escalate. Whether it&#8217;s during the initial configuration tampering or while actively bypassing controls, I&#8217;ll walk through what those activities actually look like in GCP logs. For each misconfiguration, I&#8217;ll present real log snippets, unpack the most revealing details, and show how to correlate signals, even those outside of IAP-specific logs, to detect and investigate IAP abuse effectively.

The highlight of the session is a new research technique we&apos;ve developed: exploiting IAP&apos;s CORS behavior to exfiltrate sensitive data using preflight OPTIONS requests, effectively bypassing traditional network egress controls. This method can succeed even in highly restricted environments with no internet access, no public IPs, and VPC Service Controls fully enforced. The issue has been responsibly disclosed to Google and is currently under review, with an expected review timeline of 30 days.

We&#8217;re sharing this research to highlight just how fragile IAP configurations can be, where even a minor misstep or overlooked setting can unintentionally expose internal resources to the internet. Alongside the technique, we&#8217;ll provide practical detection strategies to help defenders identify this specific attack vector through GCP&#8217;s logging infrastructure.

We&#8217;ll wrap up by walking through practical detection strategies using GCP&#8217;s audit and access logs, showing how to identify abuse patterns, correlate signals across services, and improve visibility into how IAP is being used (or misused). These techniques are designed to help defenders surface subtle signs of exploitation and build more resilient monitoring around one of GCP&#8217;s most sensitive access gateways.</description>
                <recording>
                    <license></license>
                    <optout>false</optout>
                </recording>
                <links></links>
                <attachments></attachments>

                <url>https://pretalx.com/security-bsides-las-vegas-2025/talk/TDYSX8/</url>
                <feedback_url>https://pretalx.com/security-bsides-las-vegas-2025/talk/TDYSX8/feedback/</feedback_url>
            </event>
            <event guid='bbad033e-9c31-5f30-b4a1-08174275df10' id='70734' code='9FF3LX'>
                <room>Florentine A</room>
                <title>Vulnerabilities Beyond CVEs: Cyber Resilience and the Next Financial Crisis</title>
                <subtitle></subtitle>
                <type>Talk-45m</type>
                <date>2025-08-05T11:30:00-07:00</date>
                <start>11:30</start>
                <duration>00:45</duration>
                <abstract>Cyber threats have evolved into a credible risk to global financial stability. This talk explores why a sophisticated, well-timed cyberattack could exploit ever-present vulnerabilities in IT and information security operations--vulnerabilities that amplify the risk of CVEs--to disrupt those operations and spark the next financial crisis.</abstract>
                <slug>security-bsides-las-vegas-2025-70734-vulnerabilities-beyond-cves-cyber-resilience-and-the-next-financial-crisis</slug>
                <track>Keynotes</track>
                
                <persons>
                    <person id='73477'>Stacey Schreft</person>
                </persons>
                <language>en</language>
                <description>Cyber threats have evolved into a credible risk to global financial stability. This talk explores fundamental vulnerabilities that are always present in our IT and information security systems, making those systems susceptible to disruptions that could spark future financial crises. These vulnerabilities amplify the risk that CVEs pose. The vulnerabilities give rise to IT systems that are complex, deeply interconnected, and leveraged, yet assumed to be resilient&#8212;until a cyberattack proves otherwise by disrupting critical business operations. Drawing on real-world examples and recent research, the talk illustrates the presence of those vulnerabilities in IT systems and how those same vulnerabilities are also always present in the financial system, making it susceptible to financial crises. The talk closes with a description of similar steps that can build resilience in the financial system as well as in IT and information security systems.</description>
                <recording>
                    <license></license>
                    <optout>false</optout>
                </recording>
                <links></links>
                <attachments></attachments>

                <url>https://pretalx.com/security-bsides-las-vegas-2025/talk/9FF3LX/</url>
                <feedback_url>https://pretalx.com/security-bsides-las-vegas-2025/talk/9FF3LX/feedback/</feedback_url>
            </event>
            <event guid='3e5878c4-334b-5162-a939-af7f2551258a' id='74676' code='DCPYU7'>
                <room>Florentine A</room>
                <title>What Should CVE Be When It Grows Up?</title>
                <subtitle></subtitle>
                <type>Talk-45m</type>
                <date>2025-08-05T13:00:00-07:00</date>
                <start>13:00</start>
                <duration>00:45</duration>
                <abstract>The CVE Program is a pillar of the cybersecurity ecosystem. For more than a quarter century, it has provided an authoritative source of data about vulnerabilities for software users. It is also critical for continuing to drive security into the design and development process. However, over the last 18 months, both the CVE Program and the US National Vulnerability Database have faced funding challenges. At the same time, developments in the European Union have led to the creation of the EU Vulnerability Database. Congress has taken note, and in June, members requested a formal audit of the program. What are the challenges facing the CVE Program? How should these be communicated to policymakers in a way that maintains the critical function and avoids a fractioning of the ecosystem? What are new governance models that should be considered?</abstract>
                <slug>security-bsides-las-vegas-2025-74676-what-should-cve-be-when-it-grows-up</slug>
                <track>Keynotes</track>
                
                <persons>
                    <person id='69078'>Jerry Gamblin</person><person id='79326'>Madison Ficorilli</person><person id='74505'>Bob Lord</person><person id='79261'>Tod Beardsley</person><person id='79823'>Chris Butera</person>
                </persons>
                <language>en</language>
                <description>A 45-minute moderated discussion featuring Bob Lord.</description>
                <recording>
                    <license></license>
                    <optout>false</optout>
                </recording>
                <links></links>
                <attachments></attachments>

                <url>https://pretalx.com/security-bsides-las-vegas-2025/talk/DCPYU7/</url>
                <feedback_url>https://pretalx.com/security-bsides-las-vegas-2025/talk/DCPYU7/feedback/</feedback_url>
            </event>
            <event guid='d44dc541-b20c-5cdc-b8c9-9783b580a3b6' id='68597' code='HEYP9S'>
                <room>Florentine A</room>
                <title>Stealing Browser Cookies: Bypassing the newest Chrome security measures</title>
                <subtitle></subtitle>
                <type>Talk-45m</type>
                <date>2025-08-05T14:00:00-07:00</date>
                <start>14:00</start>
                <duration>00:45</duration>
                <abstract>Modern browsers implement sophisticated encryption to protect session cookies from theft, yet these security measures continue to evolve in response to emerging threats. This session reveals the inner workings of Chrome&apos;s recently implemented AppBound encryption, which employs a two-tier protection system: DPAPI encryption with dual permission levels and ChaCha20Poly1305 algorithm with custom keys.

Despite these advancements, vulnerabilities persist. Through practical demonstrations, we&apos;ll examine how determined attackers can extract decrypted cookies by exploiting weaknesses in the current implementation. The session provides a comprehensive analysis of cookie format specifications and encryption methodologies across major browser engines, including Gecko&apos;s ASN.1-structured encryption, macOS Chromium&apos;s PBKDF2 implementation, and WebKit&apos;s binary cookie storage.

Looking forward, we&apos;ll explore Chrome&apos;s upcoming &quot;Device Bound Session Cookies&quot; (DBSC) technology, which aims to revolutionize cookie protection through TPM chip-based encryption and cryptographic key verification. Attendees will gain actionable insights into current browser security architectures, practical extraction techniques, and defensive strategies to mitigate cookie theft. This technical deep-dive equips security professionals with the knowledge needed to better understand and address this persistent threat vector in modern web applications.</abstract>
                <slug>security-bsides-las-vegas-2025-68597-stealing-browser-cookies-bypassing-the-newest-chrome-security-measures</slug>
                <track>Breaking Ground</track>
                
                <persons>
                    <person id='69152'>Rafael Felix</person>
                </persons>
                <language>en</language>
                <description>This session explores advanced security mechanisms implemented by major browsers to prevent cookie theft from their storage databases. Chrome has recently implemented AppBound encryption, which provides multi-layered protection for session cookies:

1) A 2-way DPAPI encryption system that operates with both elevated NT AUTHORITY\SYSTEM permissions and normal user-level decryption capabilities;

2) A state-key encryption layer utilizing the ChaCha20Poly1305 algorithm with custom keys (that once was AES-256-GCM encrypted);

These implementations have significantly reduced the effectiveness of info-stealing malware. However, this session will demonstrate potential vulnerabilities in these security measures and explain how to obtain decrypted cookies despite these protections. We will examine the new format specifications and encryption methodologies for cookies.

Beyond Chromium-based browsers, we&apos;ll explore Gecko&apos;s encryption algorithms, which involve structured ASN.1 data formats with multiple encryption schemes including 3DES and AES-256. We&apos;ll also analyze Chromium on macOS which relies on PBKDF2 key derivation, and WebKit-based browsers that store cookies in binary cookie files.

Additionally, we&apos;ll discuss Chrome&apos;s forthcoming &quot;Device Bound Session Cookies&quot; (DBSC) technology, which aims to further mitigate session hijacking through cookie theft by implementing TPM chip-based encryption and requiring proof of possession of the cryptographic key.</description>
                <recording>
                    <license></license>
                    <optout>false</optout>
                </recording>
                <links></links>
                <attachments></attachments>

                <url>https://pretalx.com/security-bsides-las-vegas-2025/talk/HEYP9S/</url>
                <feedback_url>https://pretalx.com/security-bsides-las-vegas-2025/talk/HEYP9S/feedback/</feedback_url>
            </event>
            <event guid='50fc3687-cac2-50a5-bf85-12695eb12817' id='68812' code='YSW7SD'>
                <room>Florentine A</room>
                <title>The Protocol Behind the Curtain: What MCP Really Exposes</title>
                <subtitle></subtitle>
                <type>Talk-45m</type>
                <date>2025-08-05T15:00:00-07:00</date>
                <start>15:00</start>
                <duration>00:45</duration>
                <abstract>The Model Context Protocol (MCP) is rapidly becoming the standard for connecting AI agents to tools, data, and services. Its promise of seamless integration has led to widespread adoption. However, beneath its streamlined facade lies a series of critical security vulnerabilities that threaten the very systems it aims to enhance.

In this talk, we will delve into the inherent risks of MCP, including:

Tool Poisoning: How malicious tool descriptions can manipulate AI behavior.

Shared Memory Exploits: The dangers of unvalidated context sharing among agents.

Version Drift: The perils of unversioned tools leading to unexpected behaviors.

Line Jumping Attacks: Exploits that occur before any tool is explicitly invoked.

Through real-world examples and demonstrations, attendees will gain a clear understanding of these threats and the steps necessary to mitigate them.</abstract>
                <slug>security-bsides-las-vegas-2025-68812-the-protocol-behind-the-curtain-what-mcp-really-exposes</slug>
                <track>Breaking Ground</track>
                
                <persons>
                    <person id='69343'>Srajan Gupta</person><person id='74902'>Vinay Kumar</person>
                </persons>
                <language>en</language>
                <description>This presentation aims to shed light on the overlooked security challenges posed by MCP. Drawing from recent analyses and vulnerabilities, we will explore how the protocol&apos;s design choices, while facilitating integration, inadvertently open doors to exploitation.

Key points include:

Understanding MCP&apos;s Architecture: A breakdown of how MCP connects AI agents to external tools and the trust assumptions involved.

Exploiting Trust: Demonstrations of how malicious actors can leverage MCP&apos;s features to execute unauthorized actions.

Mitigation Strategies: Discussion of proposed frameworks and best practices to secure MCP implementations, including the Agent Security Framework and MCP Guardian.

Attendees will leave with actionable insights into securing their AI integrations and a deeper appreciation for the importance of protocol-level security considerations.</description>
                <recording>
                    <license></license>
                    <optout>false</optout>
                </recording>
                <links></links>
                <attachments></attachments>

                <url>https://pretalx.com/security-bsides-las-vegas-2025/talk/YSW7SD/</url>
                <feedback_url>https://pretalx.com/security-bsides-las-vegas-2025/talk/YSW7SD/feedback/</feedback_url>
            </event>
            <event guid='0e9421f5-1454-5def-830e-c11ba6b6fd22' id='70077' code='KA7TAR'>
                <room>Florentine A</room>
                <title>Inside the Open-Source Kill Chain: How LLMs Helped Catch Lazarus and Stop a Crypto Backdoor</title>
                <subtitle></subtitle>
                <type>Talk-45m</type>
                <date>2025-08-05T17:00:00-07:00</date>
                <start>17:00</start>
                <duration>00:45</duration>
                <abstract>This talk presents findings from a multi-year research project exploring how LLMs can be used in real-world threat detection across the open-source software supply chain. By applying LLMs to analyze large public datasets like changelogs, package metadata, and behavioral signals, we uncovered over 900 undisclosed vulnerabilities, including high-severity issues from popular packages like Axios and thousands of malicious packages published to public registries. This includes intercepting a live operation by North Korea&#8217;s Lazarus Group and preventing a backdoor from being shipped in the official Ripple (XRP) cryptocurrency SDK. 

The talk also introduces the concept of the open-source kill chain, mapping how attackers abuse trust in public ecosystems to gain access, deliver payloads, and persist undetected.

Attendees will learn how out-of-the-box frontier LLMs like GPT-4 can be used today to augment traditional vulnerability discovery, identify patterns in attacker behavior, and assist in threat triage at scale. The talk is grounded in operational examples, focused on reproducible techniques, and offers a current view into how APTs and malware authors are actively exploiting the open-source ecosystem.</abstract>
                <slug>security-bsides-las-vegas-2025-70077-inside-the-open-source-kill-chain-how-llms-helped-catch-lazarus-and-stop-a-crypto-backdoor</slug>
                <track>Breaking Ground</track>
                
                <persons>
                    <person id='70479'>Mackenzie Jackson</person>
                </persons>
                <language>en</language>
                <description>This talk presents findings from a multi-year research project that applied Large Language Models (LLMs) to real-world threat detection in the open-source software ecosystem. Rather than theorizing about AI&#8217;s future role in security, this work focuses on practical applications&#8212;showing how LLMs can be deployed today to detect vulnerabilities and malware that bypass traditional scanners, rulesets, and threat feeds.

The project centered around two key threat surfaces:
- Silently patched vulnerabilities in popular open-source libraries
- Malware published to package registries such as NPM and PyPI

**LLM Pipeline: Silent Patch Detection**
The first LLM pipeline was designed to analyze changelogs across thousands of open-source projects to identify likely security patches that were fixed but never disclosed (a practice often referred to as &quot;silent patching&quot;). This pipeline involved two stages:

LLM 1: Changelog Standardization and Parsing
- Changelogs vary wildly in structure, format, and tone&#8212;often written in markdown, HTML, or plaintext, hosted in GitHub, docs sites, or even PDFs. We used an LLM to extract, standardize, and structure this unbounded data into a consistent schema. This model also flagged ambiguous or security-relevant language (e.g., &#8220;stability fix&#8221;, &#8220;edge case resolved&#8221;) that would be easily overlooked by regex or keyword rules.

LLM 2: Patch Classification
- The parsed changelog entries were then passed to a second model trained to classify whether a given commit or entry was likely to contain a security fix, even if no security keywords were used. The model was tuned to be sensitive to euphemistic phrasing and changelog norms. High-confidence results were sent to human reviewers who reverse-engineered the patch to confirm and rate severity.

Findings:
This system uncovered over 900 silently patched vulnerabilities, many in major packages like Axios, Apache ECharts, and Chainlit.
- 67% never obtained a CVE and were never published in any vulnerability database
- 25% were rated high or critical severity
- Examples included a critical path traversal bug, stored XSS, and a prototype pollution issue exploitable via browser inputs.
- These vulnerabilities would have gone completely undetected by CVE-based tools

**LLM Pipeline: Malware Detection in Registries**
The second LLM-based detection pipeline was used to scan all newly published and updated packages on public registries, primarily NPM and PyPI.

LLM 1: Metadata Anomaly Detection
- This model ingested human-written data such as README files, descriptions, contributor metadata, and author behavior. It was trained to identify inconsistencies, abnormal phrasing, typosquatting patterns, and red flags in descriptions (e.g., toolsets pretending to be SDKs with unrelated language or package names mimicking popular libraries with low-quality documentation).

LLM 2: Orchestration and Triage
- The second LLM acted as an orchestrator of static scanning tools. We capture over 30 weighted indicators by running various static scans on the code. The LLM then uses these indicators and indicators from the previous model to decide whether to mark the package immediately as malware or escalate the package to a human researcher. 

Findings:
- Over 600 malicious packages were discovered in a single month (March 2025).
- Detection time averaged 5 minutes post-publish, compared to 10+ days for OpenSSF.

Most common techniques included:
- Encoded payloads decoded at runtime
- Time-delayed execution using setTimeout()
- Clipboard hijackers and credential stealers
- Obfuscated C2 infrastructure, often hidden in build scripts

**Notable Case Studies**
Lazarus Group NPM Campaign
- The pipeline flagged a malicious package (react-html2pdf.js) uploaded to NPM containing obfuscated code and an embedded C2 call. We observed the attacker&#8212;later attributed to Lazarus Group&#8212;re-uploading new variants every 10 minutes, likely debugging live. We reported the campaign before a functional version was deployed.

Ripple SDK Backdoor
- A malicious version of the official Ripple SDK (@xrplf/xrpl) was published using a compromised maintainer token. It included a Node.js-only backdoor that connected to an external C2 server and stole private crypto keys. Detection occurred within minutes, and coordination with Ripple and NPM teams prevented what could have had a catastrophic impact on the crypto community.

Rand-User-Agent RAT Supply Chain Campaign
- In this campaign, a popular NPM package was compromised via a dev token and a Remote Access Trojan (RAT) was injected into the project. The malware sent outbound C2 traffic using a randomized User-Agent string to evade common detection heuristics and proxy logs. It also used system profiling logic to avoid execution in CI/CD environments. This was not detected by any other databases even 10 days after the malicious contribution.

This talk provides a deep technical look into how LLMs can assist in detecting real threats. It also focuses on how this research can be replicated using currently available frontier out-of-the-box models like GPT-4.</description>
                <recording>
                    <license></license>
                    <optout>false</optout>
                </recording>
                <links></links>
                <attachments></attachments>

                <url>https://pretalx.com/security-bsides-las-vegas-2025/talk/KA7TAR/</url>
                <feedback_url>https://pretalx.com/security-bsides-las-vegas-2025/talk/KA7TAR/feedback/</feedback_url>
            </event>
            <event guid='c527cd0a-95de-517c-8d8e-82f8cd0a5cea' id='68652' code='FXLWKJ'>
                <room>Florentine A</room>
                <title>Laser Beams &amp; Light Streams: Letting Hackers Go Pew Pew, Building Affordable Light-Based Hardware Security Tooling</title>
                <subtitle></subtitle>
                <type>Talk-45m</type>
                <date>2025-08-05T18:00:00-07:00</date>
                <start>18:00</start>
                <duration>00:45</duration>
                <abstract>Stored memory in hardware has had a long history of being influenced by light, by design. For instance, as memory is represented by the series of transistors, and their physical state represents 1&apos;s and 0&apos;s, original EEPROM memory could be erased via the utilization of UV light, in preparation for flashing new memory.
Naturally, whilst useful, this has proven to be an avenue of opportunity to be leveraged by attackers, allowing them to selectively influence memory via a host of optical/light-based techniques. As chips became more advanced, the usage of opaque resin was used as a &quot;temporary&quot; measure to combat this flaw, by coating chips in a material that would reflect UV.
Present day opinions are that laser (or light) based hardware attacks are something that only nation state actors are capable of doing. Currently, sophisticated hardware labs use expensive, high frequency IR beams to penetrate the resin.
This project demonstrates that with a limited budget and hacker-and-maker mentality and by leveraging more inexpensive technology alternatives, we implement a tool that does laser fault injection, can detect hardware malware, detect supply chain chip replacements, and delve into the realm of laser logic state imaging.</abstract>
                <slug>security-bsides-las-vegas-2025-68652-laser-beams-light-streams-letting-hackers-go-pew-pew-building-affordable-light-based-hardware-security-tooling</slug>
                <track>Breaking Ground</track>
                <logo>/media/security-bsides-las-vegas-2025/submissions/FXLWKJ/test_FpUtNzp.webp</logo>
                <persons>
                    <person id='69197'>Larry Trowell</person><person id='72567'>Sam &quot;PANTH13R&quot; Beaumont</person>
                </persons>
                <language>en</language>
                <description>Stored memory in hardware has had a long history of being influenced by light, by design. For instance, as memory is represented by the series of transistors, and their physical state represents 1&apos;s and 0&apos;s, original EEPROM memory could be erased via the utilization of UV light, in preparation for flashing new memory.

Naturally, whilst useful, this also has proven to be an avenue of opportunity to be leveraged by attackers, allowing them to selectively influence memory via a host of optical/light-based techniques. As chips became more advanced, the usage of opaque resin was used as a &quot;temporary&quot; measure to combat this flaw, by coating chips in a material that would reflect undesirable UV.

Present day opinions are that laser (or light) based hardware attacks are something that only nation state actors are capable of doing, due to both limitations of cost in tooling as well as personnel expertise required. Currently, sophisticated hardware labs use expensive, high frequency IR beams to penetrate the resin.

This project demonstrates that with a limited budget and hacker-and-maker mentality, similar results can be obtained at a fraction of the cost, from the comfort of your home or garage. With the modifications of an opensource low-cost microscope, addition of a home-built beam splitter and interchangeable diode laser, it has been shown that consumer-grade diodes are capable of producing results similar to the high-cost variants, such as the YAG lasers.

One example of results includes introducing affordable avenues to conduct laser-based fault injection, via the usage of such budget-friendly tooling. We are opening the study of these low-level hardware attacking methodologies to more entry-level security testers, without the need for hundreds of thousands of dollars in startup capital.

By leveraging more inexpensive technology alternatives, we have embarked on a mission to unveil hardware malware, detect supply chain chip replacements, and delve into the realm of laser logic state imaging. Our approach integrates optics, laser selection, and machine learning components.</description>
                <recording>
                    <license></license>
                    <optout>false</optout>
                </recording>
                <links>
                    <link href="https://github.com/ProjectLOREM/RayVLite">Github RayV Lite</link>
                </links>
                <attachments>
                    <attachment href="https://pretalx.com/media/security-bsides-las-vegas-2025/submissions/FXLWKJ/resources/_dGERKjh.pdf">this is the slides for the talk</attachment>
                </attachments>

                <url>https://pretalx.com/security-bsides-las-vegas-2025/talk/FXLWKJ/</url>
                <feedback_url>https://pretalx.com/security-bsides-las-vegas-2025/talk/FXLWKJ/feedback/</feedback_url>
            </event>
            
        </room>
        <room name='Florentine B' guid='f4e24dcc-c641-525d-94af-c24ffea19bf6'>
            <event guid='7e2cea87-9d58-5704-bc67-a17af2e03b16' id='68535' code='JPPBAZ'>
                <room>Florentine B</room>
                <title>Interview Like a Legend: No Slides, Just Vibes</title>
                <subtitle></subtitle>
                <type>Talk-45m</type>
                <date>2025-08-05T10:00:00-07:00</date>
                <start>10:00</start>
                <duration>00:45</duration>
                <abstract>Let&#8217;s be real: your resume isn&#8217;t getting you the job. It&#8217;s just the ticket into the arena. The real boss battle? The interview itself.  FIGHT!

This session is for anyone who&#8217;s ever left an interview and thought, &#8220;Well&#8230; that could&#8217;ve gone better.&#8221; We&#8217;re skipping the slide deck (except for some juicy memes) and jumping straight into battle-tested, no-BS advice on how to stand out in interviews and actually get hired. Whether you&#8217;re a brand new SOC analyst, a mid-career pivot-er, or someone who&#8217;s been ghosted more times than a mall perfume salesman - this talk is for you.

It&#8217;s not death by PowerPoint. 

It&#8217;s a conversation. 

With memes. Come laugh, learn, and leave ready to be the candidate they remember.</abstract>
                <slug>security-bsides-las-vegas-2025-68535-interview-like-a-legend-no-slides-just-vibes</slug>
                <track>Hire Ground</track>
                
                <persons>
                    <person id='69115'>John Stoner</person>
                </persons>
                <language>en</language>
                <description>Resumes are fine. But they don&#8217;t get you hired - you do.
In this fast-paced, no-fluff talk, cybersecurity hiring manager and mohawked chaos gremlin John Stoner breaks down how to stop bombing interviews and start showing up like the badass candidate you are.
With 25+ years in national security and cybersecurity - and hundreds of interviews under his belt - John will walk you through what actually works in an interview setting, based on real-world hiring across federal and commercial roles.
We&#8217;ll cover:
&#8226;	Why resumes don&#8217;t matter as much as you think
&#8226;	How preparation (not memorization) makes you stand out
&#8226;	What stories to rehearse&#8212;including your two-minute &#8220;tell me about yourself&#8221;
&#8226;	How to answer both technical and non-technical questions without sounding like a robot
&#8226;	What questions you should ask&#8212;and why you&apos;re interviewing them, too
No slides, just memes, tough love, and the kind of advice you wish someone had given you sooner.</description>
                <recording>
                    <license></license>
                    <optout>false</optout>
                </recording>
                <links></links>
                <attachments></attachments>

                <url>https://pretalx.com/security-bsides-las-vegas-2025/talk/JPPBAZ/</url>
                <feedback_url>https://pretalx.com/security-bsides-las-vegas-2025/talk/JPPBAZ/feedback/</feedback_url>
            </event>
            <event guid='00caf5a0-3d05-5075-a9c8-0ab382747d93' id='74527' code='R3CW7R'>
                <room>Florentine B</room>
                <title>Hire Ground Resume Reviews, Tuesday Lunch Break</title>
                <subtitle></subtitle>
                <type>Event1HR</type>
                <date>2025-08-05T13:00:00-07:00</date>
                <start>13:00</start>
                <duration>01:00</duration>
                <abstract>Hire Ground Resume Reviews, Tuesday Lunch Break</abstract>
                <slug>security-bsides-las-vegas-2025-74527-hire-ground-resume-reviews-tuesday-lunch-break</slug>
                <track>Hire Ground</track>
                
                <persons>
                    
                </persons>
                <language>en</language>
                <description>Hire Ground Resume Reviews, Tuesday Lunch Break</description>
                <recording>
                    <license></license>
                    <optout>false</optout>
                </recording>
                <links></links>
                <attachments></attachments>

                <url>https://pretalx.com/security-bsides-las-vegas-2025/talk/R3CW7R/</url>
                <feedback_url>https://pretalx.com/security-bsides-las-vegas-2025/talk/R3CW7R/feedback/</feedback_url>
            </event>
            <event guid='f8699030-cd3e-5c39-bf8d-bddd1bd1ce7d' id='67083' code='KVJZHT'>
                <room>Florentine B</room>
                <title>Beyond the Command Line: Transitioning from Individual Contributor to Leader</title>
                <subtitle></subtitle>
                <type>Talk-45m</type>
                <date>2025-08-05T13:00:00-07:00</date>
                <start>13:00</start>
                <duration>00:45</duration>
                <abstract>The leap from technical expert to leader is one of the most challenging transitions in cybersecurity. Many high-performing engineers, penetration testers, and analysts find themselves in leadership roles without clear guidance on how to succeed. The skills that make a great individual contributor&#8212;deep technical expertise, problem-solving, and hands-on execution&#8212;aren&#8217;t always the same ones that make a great leader. 

This session will explore the challenges and rewards of moving into leadership, including how to develop managerial skills, communicate effectively, and lead teams successfully.  

Attendees will leave this discussion with a clear understanding of what it takes to transition from an individual contributor to a successful cybersecurity leader. They will learn how to shift their mindset from personal technical execution to team success, develop critical leadership skills like communication and delegation, and navigate the challenges of managing former peers. The discussion will also tackle imposter syndrome, common leadership pitfalls, and how to build an authentic leadership style that aligns with your strengths. Whether you&apos;re considering a leadership role or already in one, this session will provide actionable insights to help you grow, lead, and thrive in your cybersecurity career.</abstract>
                <slug>security-bsides-las-vegas-2025-67083-beyond-the-command-line-transitioning-from-individual-contributor-to-leader</slug>
                <track>Hire Ground</track>
                
                <persons>
                    <person id='67749'>Leo Pate</person>
                </persons>
                <language>en</language>
                <description>The cybersecurity industry is at a crossroads. While technical expertise remains crucial, organizations increasingly need strong leadership to guide teams, manage complexity, and drive security initiatives forward. However, transitioning from an individual contributor to a leadership role is one of the most difficult career shifts in cybersecurity. Many professionals who excel in technical roles find themselves promoted into management without the necessary training or guidance, leading to frustration, burnout, and ineffective leadership. 

I believe this talk is a good fit for the Hire Ground track because it directly addresses a widespread and often overlooked challenge in cybersecurity careers: the leadership gap. Technical skills alone do not prepare professionals to manage people, handle conflict, delegate work, or communicate effectively with executives. Without the right support and education, new leaders struggle to balance their technical expertise with the soft skills required for management. The result? Teams suffer, projects falter, and promising cybersecurity professionals leave leadership roles prematurely, contributing to industry-wide retention challenges.  

The key to addressing the leadership gap in cybersecurity is deliberate preparation, skill development, and structured mentorship&#8212;not just learning on the job through trial and error. This discussion will provide a real-world roadmap for technical professionals stepping into leadership roles, equipping them with practical strategies to lead effectively while maintaining credibility and confidence. 

1. Mindset Shift: Attendees will learn how to redefine success in leadership&#8212;moving from personal technical achievements to enabling and empowering their teams. 

1. Essential Leadership Skills: The session will cover communication, delegation, decision-making, and conflict resolution, ensuring new leaders are prepared for the human-side of cybersecurity leadership. 

1. Navigating Common Challenges: Managing former peers, avoiding micromanagement, handling imposter syndrome, and balancing hands-on work with strategic leadership will be key focus areas. 

1. Building a Leadership Style: Attendees will explore different leadership approaches, helping them develop an authentic leadership identity that plays to their strengths. 

1. Long-Term Growth &amp; Retention: The discussion will emphasize mentorship, professional development, and continuous learning, ensuring new leaders don&#8217;t just survive in their roles&#8212;but thrive while fostering stronger teams and a healthier cybersecurity industry. 

I feel that by leading this structured discussion, I can help empower attendees with actionable insights to confidently step into leadership roles, strengthening both their individual careers and the broader cybersecurity ecosystem.</description>
                <recording>
                    <license></license>
                    <optout>false</optout>
                </recording>
                <links></links>
                <attachments></attachments>

                <url>https://pretalx.com/security-bsides-las-vegas-2025/talk/KVJZHT/</url>
                <feedback_url>https://pretalx.com/security-bsides-las-vegas-2025/talk/KVJZHT/feedback/</feedback_url>
            </event>
            <event guid='01683abd-7f9e-5634-bc64-6aadab811161' id='68773' code='E39UKP'>
                <room>Florentine B</room>
                <title>Your Interview Game is Weak: Gamifying Technical Interviews through Role-Playing</title>
                <subtitle></subtitle>
                <type>Talk-45m</type>
                <date>2025-08-05T14:00:00-07:00</date>
                <start>14:00</start>
                <duration>00:45</duration>
                <abstract>The conventional approach to conducting technical engineering interviews is outdated and fundamentally flawed. These practices, which rely heavily on computer science challenges or rote memorization, often contribute to a high rate of false positives and false negatives. Furthermore, these interviews frequently fail to assess the skills necessary for the actual role. As a result, organizations tend to hire candidates who excel at navigating the interview process but may not be the best fit for the position or the organizational culture. Conversely, highly qualified candidates who would otherwise be well-suited for the role are frequently overlooked. Such experiences can leave candidates with a negative perception of the organization, regardless of their final interview outcome. A more effective approach is needed.

Join Matt Torbin to discuss the data surrounding technical interviewing and learn about an interactive interviewing experience that has been tested, leaving candidates and team members with a positive experience. It is designed to assess candidates&apos; skills in direct relation to the work they will perform within the hiring organization. This refined interview process focuses on the critical competencies required for the role and aims to be engaging and approachable, ensuring that candidates, regardless of outcome, perceive the experience positively.</abstract>
                <slug>security-bsides-las-vegas-2025-68773-your-interview-game-is-weak-gamifying-technical-interviews-through-role-playing</slug>
                <track>Hire Ground</track>
                
                <persons>
                    <person id='69314'>Matt Torbin</person>
                </persons>
                <language>en</language>
                <description>As the ways of working have changed to include hybrid and remote arrangements on a more regular basis, the interview process has not kept pace. No longer are candidates sitting in a conference room being asked to do technical challenges in person. Instead, they are interviewing virtually, where assessing IQ and EQ (emotional intelligence) can be even more different. Yet in this distributed environment, EQ skills such as meeting engagement and communication are crucial to success, and the expectations of these abilities have increased. According to the 2025 CareerPlug Candidate Experience Report, &#8220;26% of candidates declined an offer due to a poor experience.&#8221; Additionally the report found that &#8220;91% of candidates said a positive candidate experience influenced their decision to accept an offer.&#8221;  No longer is the outdated stereotype of a software engineer who hides behind a computer a viable option. Instead, people must now possess both technical skills and the ability to communicate clearly with other teams, presenting their areas of discipline coherently and regularly.

By creating a fictitious organization and characters specifically crafted to interact with the interviewee, cross-team dynamics and organizational challenges can be effectively incorporated, enriching the experience for all involved. The central component of this is the Non-Playing Interviewers or NPIs. Each NPI is specifically crafted to come with a backstory, notifications, and alignments. In other words, the NPI will react based on responses from the interviewee and will be more or less inclined to take one approach or another based on how other NPIs are reacting.

The interview itself consists of challenges, all of which represent actual tasks expected of the role. These challenges are intentionally designed to allow for dynamic gameplay, depending on the approach the interviewee takes. For example, while an interviewee with heavy AWS experience might respond in one way, an interviewee with a greater focus on software development might respond in a completely different way, and the challenges are fluid enough to provide each interviewee a rich environment in which to navigate.</description>
                <recording>
                    <license></license>
                    <optout>false</optout>
                </recording>
                <links></links>
                <attachments></attachments>

                <url>https://pretalx.com/security-bsides-las-vegas-2025/talk/E39UKP/</url>
                <feedback_url>https://pretalx.com/security-bsides-las-vegas-2025/talk/E39UKP/feedback/</feedback_url>
            </event>
            <event guid='be8ae9ab-c15b-51a7-97f8-f56019ef99bd' id='70097' code='8DZ7DR'>
                <room>Florentine B</room>
                <title>Root To CISO or not?</title>
                <subtitle></subtitle>
                <type>Talk-45m</type>
                <date>2025-08-05T15:00:00-07:00</date>
                <start>15:00</start>
                <duration>00:45</duration>
                <abstract>Join us for &#8220;Root to CISO or Not&#8221;&#8212;because not everyone dreams of being a CISO (some of us like sleep). In this lively panel, two CISOs and a cybersecurity recruiter will share war stories, career detours, and the surprising paths that lead through (or around) the corner office. Whether you&#8217;re eyeing the top job or just trying to avoid burnout, you&#8217;ll leave with practical advice&#8212;and maybe a few laughs&#8212;on how to navigate your cybersecurity career.</abstract>
                <slug>security-bsides-las-vegas-2025-70097-root-to-ciso-or-not</slug>
                <track>Hire Ground</track>
                
                <persons>
                    <person id='73163'>Ray Espinoza</person><person id='70494'>Kris Rides</person><person id='73121'>Jake Bernardes</person>
                </persons>
                <language>en</language>
                <description>&#8220;Root to CISO or Not&#8221;

Not everyone dreams of becoming a CISO&#8212;some of us are just trying to avoid pager fatigue&#8230; and federal indictments. Join us for a fun and insightful panel featuring two experienced CISOs and a cybersecurity recruiter as they explore the many career paths in cybersecurity, from hands-on technical roles to leadership positions.

This session will highlight how professionals can grow within the field, pivot between specialties, and decide whether the CISO track is the right fit&#8212;or if life might be better without the liability insurance. You&#8217;ll hear real-world career lessons, practical guidance, and a few laughs about the highs, lows, and unexpected twists of navigating a cybersecurity career.

Whether you&#8217;re aiming for the big chair or just trying to figure out your next move, this panel will offer clarity, encouragement, and the kind of candid advice you won&#8217;t get from a job description.</description>
                <recording>
                    <license></license>
                    <optout>false</optout>
                </recording>
                <links></links>
                <attachments></attachments>

                <url>https://pretalx.com/security-bsides-las-vegas-2025/talk/8DZ7DR/</url>
                <feedback_url>https://pretalx.com/security-bsides-las-vegas-2025/talk/8DZ7DR/feedback/</feedback_url>
            </event>
            <event guid='9715ed12-98c4-56b6-87dd-2004710f5114' id='70772' code='UYXVAU'>
                <room>Florentine B</room>
                <title>The World Famous Hire Ground Panel, Tuesday Edition</title>
                <subtitle></subtitle>
                <type>Talk-45m</type>
                <date>2025-08-05T16:00:00-07:00</date>
                <start>16:00</start>
                <duration>00:25</duration>
                <abstract>The World Famous Hire Ground Panel, Tuesday Edition</abstract>
                <slug>security-bsides-las-vegas-2025-70772-the-world-famous-hire-ground-panel-tuesday-edition</slug>
                <track>Hire Ground</track>
                
                <persons>
                    <person id='70968'>Kirsten Sireci Renner</person><person id='70494'>Kris Rides</person><person id='69323'>Heather Morris</person><person id='75414'>Noelle Hori</person>
                </persons>
                <language>en</language>
                <description>The World Famous Hire Ground Panel, Tuesday Edition</description>
                <recording>
                    <license></license>
                    <optout>false</optout>
                </recording>
                <links></links>
                <attachments></attachments>

                <url>https://pretalx.com/security-bsides-las-vegas-2025/talk/UYXVAU/</url>
                <feedback_url>https://pretalx.com/security-bsides-las-vegas-2025/talk/UYXVAU/feedback/</feedback_url>
            </event>
            <event guid='f8d1f688-894c-50ee-b81b-928bc2914be3' id='73246' code='HNE73Q'>
                <room>Florentine B</room>
                <title>Hire Ground Resume Reviews, Tuesday Evening</title>
                <subtitle></subtitle>
                <type>Event1HR</type>
                <date>2025-08-05T16:00:00-07:00</date>
                <start>16:00</start>
                <duration>00:50</duration>
                <abstract>Free resume reviews in Hire Ground.</abstract>
                <slug>security-bsides-las-vegas-2025-73246-hire-ground-resume-reviews-tuesday-evening</slug>
                <track>Hire Ground</track>
                
                <persons>
                    
                </persons>
                <language>en</language>
                <description>Free resume reviews in Hire Ground.</description>
                <recording>
                    <license></license>
                    <optout>false</optout>
                </recording>
                <links></links>
                <attachments></attachments>

                <url>https://pretalx.com/security-bsides-las-vegas-2025/talk/HNE73Q/</url>
                <feedback_url>https://pretalx.com/security-bsides-las-vegas-2025/talk/HNE73Q/feedback/</feedback_url>
            </event>
            <event guid='cfd1dac0-f9aa-52c0-9e5c-78dafcc4d544' id='70715' code='JZQS7X'>
                <room>Florentine B</room>
                <title>Hire Ground Mixer, Tuesday</title>
                <subtitle></subtitle>
                <type>Event2HR</type>
                <date>2025-08-05T17:00:00-07:00</date>
                <start>17:00</start>
                <duration>01:50</duration>
                <abstract>Hire Ground Mixer, Tuesday</abstract>
                <slug>security-bsides-las-vegas-2025-70715-hire-ground-mixer-tuesday</slug>
                <track>Hire Ground</track>
                
                <persons>
                    
                </persons>
                <language>en</language>
                <description>Hire Ground Mixer, Tuesday</description>
                <recording>
                    <license></license>
                    <optout>false</optout>
                </recording>
                <links></links>
                <attachments></attachments>

                <url>https://pretalx.com/security-bsides-las-vegas-2025/talk/JZQS7X/</url>
                <feedback_url>https://pretalx.com/security-bsides-las-vegas-2025/talk/JZQS7X/feedback/</feedback_url>
            </event>
            
        </room>
        <room name='Florentine C+D' guid='5ea518ba-0e31-520d-a27c-d324426284e8'>
            <event guid='e1cd60b3-16a1-5e9a-8726-8000761b1757' id='78176' code='3HTVUE'>
                <room>Florentine C+D</room>
                <title>Silent Auction Opens, Tuesday</title>
                <subtitle></subtitle>
                <type>Event1HR</type>
                <date>2025-08-05T08:30:00-07:00</date>
                <start>08:30</start>
                <duration>00:00</duration>
                <abstract>Silent Auction Opens</abstract>
                <slug>security-bsides-las-vegas-2025-78176-silent-auction-opens-tuesday</slug>
                <track>Middle Ground</track>
                
                <persons>
                    
                </persons>
                <language>en</language>
                <description>Silent Auction Opens</description>
                <recording>
                    <license></license>
                    <optout>false</optout>
                </recording>
                <links></links>
                <attachments></attachments>

                <url>https://pretalx.com/security-bsides-las-vegas-2025/talk/3HTVUE/</url>
                <feedback_url>https://pretalx.com/security-bsides-las-vegas-2025/talk/3HTVUE/feedback/</feedback_url>
            </event>
            <event guid='d199cd2a-9945-57b0-b787-91003010fea1' id='70720' code='G3YLV8'>
                <room>Florentine C+D</room>
                <title>Middle Ground Opens, Tuesday</title>
                <subtitle></subtitle>
                <type>Event1HR</type>
                <date>2025-08-05T08:30:00-07:00</date>
                <start>08:30</start>
                <duration>00:00</duration>
                <abstract>Middle Ground Opens, Tuesday</abstract>
                <slug>security-bsides-las-vegas-2025-70720-middle-ground-opens-tuesday</slug>
                <track>Middle Ground</track>
                
                <persons>
                    
                </persons>
                <language>en</language>
                <description>Middle Ground Opens, Tuesday</description>
                <recording>
                    <license></license>
                    <optout>false</optout>
                </recording>
                <links></links>
                <attachments></attachments>

                <url>https://pretalx.com/security-bsides-las-vegas-2025/talk/G3YLV8/</url>
                <feedback_url>https://pretalx.com/security-bsides-las-vegas-2025/talk/G3YLV8/feedback/</feedback_url>
            </event>
            <event guid='a92c4c33-1fb1-5ed1-bd05-f2c155b3bd92' id='70723' code='8C8L37'>
                <room>Florentine C+D</room>
                <title>PvJ CTF Play Begins, Tuesday</title>
                <subtitle></subtitle>
                <type>Event1HR</type>
                <date>2025-08-05T09:00:00-07:00</date>
                <start>09:00</start>
                <duration>00:00</duration>
                <abstract>PvJ CTF Play Begins, Tuesday</abstract>
                <slug>security-bsides-las-vegas-2025-70723-pvj-ctf-play-begins-tuesday</slug>
                <track>Events</track>
                
                <persons>
                    
                </persons>
                <language>en</language>
                <description>PvJ CTF Play Begins, Tuesday</description>
                <recording>
                    <license></license>
                    <optout>false</optout>
                </recording>
                <links></links>
                <attachments></attachments>

                <url>https://pretalx.com/security-bsides-las-vegas-2025/talk/8C8L37/</url>
                <feedback_url>https://pretalx.com/security-bsides-las-vegas-2025/talk/8C8L37/feedback/</feedback_url>
            </event>
            <event guid='807be569-5c46-569c-97c2-0dcf64e875f9' id='70727' code='FYECDX'>
                <room>Florentine C+D</room>
                <title>Morning Talks, Tuesday</title>
                <subtitle></subtitle>
                <type>Talk-45m</type>
                <date>2025-08-05T10:00:00-07:00</date>
                <start>10:00</start>
                <duration>01:30</duration>
                <abstract>Morning Talks, Tuesday</abstract>
                <slug>security-bsides-las-vegas-2025-70727-morning-talks-tuesday</slug>
                <track>Middle Ground</track>
                
                <persons>
                    
                </persons>
                <language>en</language>
                <description>Morning Talks, Tuesday</description>
                <recording>
                    <license></license>
                    <optout>false</optout>
                </recording>
                <links></links>
                <attachments></attachments>

                <url>https://pretalx.com/security-bsides-las-vegas-2025/talk/FYECDX/</url>
                <feedback_url>https://pretalx.com/security-bsides-las-vegas-2025/talk/FYECDX/feedback/</feedback_url>
            </event>
            <event guid='ed02d896-1dcc-5ce1-8653-b3ec28d00495' id='70735' code='GXWDKT'>
                <room>Florentine C+D</room>
                <title>Lunch Break, Tuesday</title>
                <subtitle></subtitle>
                <type>Event1HR</type>
                <date>2025-08-05T12:30:00-07:00</date>
                <start>12:30</start>
                <duration>01:30</duration>
                <abstract>Lunch, Tuesday</abstract>
                <slug>security-bsides-las-vegas-2025-70735-lunch-break-tuesday</slug>
                <track>Events</track>
                
                <persons>
                    
                </persons>
                <language>en</language>
                <description>Lunch, Tuesday</description>
                <recording>
                    <license></license>
                    <optout>false</optout>
                </recording>
                <links></links>
                <attachments></attachments>

                <url>https://pretalx.com/security-bsides-las-vegas-2025/talk/GXWDKT/</url>
                <feedback_url>https://pretalx.com/security-bsides-las-vegas-2025/talk/GXWDKT/feedback/</feedback_url>
            </event>
            <event guid='7ba72818-4e98-5772-a716-52fa6a3a7bf9' id='70730' code='UC7LUT'>
                <room>Florentine C+D</room>
                <title>Afternoon Talks, Tuesday</title>
                <subtitle></subtitle>
                <type>Talk-45m</type>
                <date>2025-08-05T14:00:00-07:00</date>
                <start>14:00</start>
                <duration>02:00</duration>
                <abstract>Afternoon Talks, Tuesday</abstract>
                <slug>security-bsides-las-vegas-2025-70730-afternoon-talks-tuesday</slug>
                <track>Middle Ground</track>
                
                <persons>
                    
                </persons>
                <language>en</language>
                <description>Afternoon Talks, Tuesday</description>
                <recording>
                    <license></license>
                    <optout>false</optout>
                </recording>
                <links></links>
                <attachments></attachments>

                <url>https://pretalx.com/security-bsides-las-vegas-2025/talk/UC7LUT/</url>
                <feedback_url>https://pretalx.com/security-bsides-las-vegas-2025/talk/UC7LUT/feedback/</feedback_url>
            </event>
            <event guid='80bc8653-9a01-5067-9085-e36ef551fde6' id='70724' code='93LS3Z'>
                <room>Florentine C+D</room>
                <title>PvJ CTF Play Ends, Tuesday</title>
                <subtitle></subtitle>
                <type>Event1HR</type>
                <date>2025-08-05T16:00:00-07:00</date>
                <start>16:00</start>
                <duration>00:00</duration>
                <abstract>PvJ CTF Play Ends, Tuesday</abstract>
                <slug>security-bsides-las-vegas-2025-70724-pvj-ctf-play-ends-tuesday</slug>
                <track>Events</track>
                
                <persons>
                    
                </persons>
                <language>en</language>
                <description>PvJ CTF Play Ends, Tuesday</description>
                <recording>
                    <license></license>
                    <optout>false</optout>
                </recording>
                <links></links>
                <attachments></attachments>

                <url>https://pretalx.com/security-bsides-las-vegas-2025/talk/93LS3Z/</url>
                <feedback_url>https://pretalx.com/security-bsides-las-vegas-2025/talk/93LS3Z/feedback/</feedback_url>
            </event>
            <event guid='eea3c011-5971-549f-8e97-0e4e49484970' id='70739' code='TLBCVD'>
                <room>Florentine C+D</room>
                <title>Happy Hour, Tuesday, Sponsored by Stroz Friedberg</title>
                <subtitle></subtitle>
                <type>Event1HR</type>
                <date>2025-08-05T16:00:00-07:00</date>
                <start>16:00</start>
                <duration>01:00</duration>
                <abstract>Happy Hour, Tuesday, Sponsored by Aon</abstract>
                <slug>security-bsides-las-vegas-2025-70739-happy-hour-tuesday-sponsored-by-stroz-friedberg</slug>
                <track>Events</track>
                
                <persons>
                    
                </persons>
                <language>en</language>
                <description>Happy Hour, Tuesday, Sponsored by Aon</description>
                <recording>
                    <license></license>
                    <optout>false</optout>
                </recording>
                <links></links>
                <attachments></attachments>

                <url>https://pretalx.com/security-bsides-las-vegas-2025/talk/TLBCVD/</url>
                <feedback_url>https://pretalx.com/security-bsides-las-vegas-2025/talk/TLBCVD/feedback/</feedback_url>
            </event>
            <event guid='2f760b3b-f958-55cf-9185-fc393b7116ea' id='78177' code='LAGWF8'>
                <room>Florentine C+D</room>
                <title>Silent Auction Closes, Tuesday</title>
                <subtitle></subtitle>
                <type>Event1HR</type>
                <date>2025-08-05T16:00:00-07:00</date>
                <start>16:00</start>
                <duration>00:00</duration>
                <abstract>Silent Auction Closes</abstract>
                <slug>security-bsides-las-vegas-2025-78177-silent-auction-closes-tuesday</slug>
                <track>Middle Ground</track>
                
                <persons>
                    
                </persons>
                <language>en</language>
                <description>Silent Auction Closes</description>
                <recording>
                    <license></license>
                    <optout>false</optout>
                </recording>
                <links></links>
                <attachments></attachments>

                <url>https://pretalx.com/security-bsides-las-vegas-2025/talk/LAGWF8/</url>
                <feedback_url>https://pretalx.com/security-bsides-las-vegas-2025/talk/LAGWF8/feedback/</feedback_url>
            </event>
            <event guid='d5b7b59f-5b4f-5917-8766-af6ebc427ff4' id='70740' code='7DPHDW'>
                <room>Florentine C+D</room>
                <title>PvJ CTF Hotwash, Tuesday</title>
                <subtitle></subtitle>
                <type>Event1HR</type>
                <date>2025-08-05T17:00:00-07:00</date>
                <start>17:00</start>
                <duration>00:30</duration>
                <abstract>PvJ CTF Hotwash, Tuesday</abstract>
                <slug>security-bsides-las-vegas-2025-70740-pvj-ctf-hotwash-tuesday</slug>
                <track>Events</track>
                
                <persons>
                    
                </persons>
                <language>en</language>
                <description>PvJ CTF Hotwash, Tuesday</description>
                <recording>
                    <license></license>
                    <optout>false</optout>
                </recording>
                <links></links>
                <attachments></attachments>

                <url>https://pretalx.com/security-bsides-las-vegas-2025/talk/7DPHDW/</url>
                <feedback_url>https://pretalx.com/security-bsides-las-vegas-2025/talk/7DPHDW/feedback/</feedback_url>
            </event>
            <event guid='2b7c858a-b118-527f-86d5-6328cc86bdc4' id='70732' code='VPWFH3'>
                <room>Florentine C+D</room>
                <title>Evening Talks, Tuesday</title>
                <subtitle></subtitle>
                <type>Talk-45m</type>
                <date>2025-08-05T17:00:00-07:00</date>
                <start>17:00</start>
                <duration>02:00</duration>
                <abstract>Evening Talks, Tuesday</abstract>
                <slug>security-bsides-las-vegas-2025-70732-evening-talks-tuesday</slug>
                <track>Middle Ground</track>
                
                <persons>
                    
                </persons>
                <language>en</language>
                <description>Evening Talks, Tuesday</description>
                <recording>
                    <license></license>
                    <optout>false</optout>
                </recording>
                <links></links>
                <attachments></attachments>

                <url>https://pretalx.com/security-bsides-las-vegas-2025/talk/VPWFH3/</url>
                <feedback_url>https://pretalx.com/security-bsides-las-vegas-2025/talk/VPWFH3/feedback/</feedback_url>
            </event>
            <event guid='4c1e26b5-13d4-5ea1-b8f6-c2f729cb8459' id='70721' code='VC8TXB'>
                <room>Florentine C+D</room>
                <title>Middle Ground Closes, Tuesday</title>
                <subtitle></subtitle>
                <type>Event1HR</type>
                <date>2025-08-05T19:00:00-07:00</date>
                <start>19:00</start>
                <duration>00:00</duration>
                <abstract>Middle Ground Closes, Tuesday</abstract>
                <slug>security-bsides-las-vegas-2025-70721-middle-ground-closes-tuesday</slug>
                <track>Middle Ground</track>
                
                <persons>
                    
                </persons>
                <language>en</language>
                <description>Middle Ground Closes, Tuesday</description>
                <recording>
                    <license></license>
                    <optout>false</optout>
                </recording>
                <links></links>
                <attachments></attachments>

                <url>https://pretalx.com/security-bsides-las-vegas-2025/talk/VC8TXB/</url>
                <feedback_url>https://pretalx.com/security-bsides-las-vegas-2025/talk/VC8TXB/feedback/</feedback_url>
            </event>
            
        </room>
        <room name='Florentine E' guid='309efd48-00f5-5128-af16-4fed685d0d8d'>
            <event guid='95f50216-b186-526b-b3bc-e6c3b0a13416' id='70305' code='9HEEBE'>
                <room>Florentine E</room>
                <title>Thinking Outside the SOC: Structured Analytics for the Overloaded Cyber Analyst</title>
                <subtitle></subtitle>
                <type>Talk-45m</type>
                <date>2025-08-05T10:00:00-07:00</date>
                <start>10:00</start>
                <duration>00:45</duration>
                <abstract>Cyber Threat Intelligence (CTI) analysts face overwhelming information, complex attribution problems, and adversaries practicing active deception. While technical indicators provide essential data, they often fall short in delivering comprehensive threat understanding. This beginner-level presentation introduces Structured Analytic Techniques (SATs) &#8211; methodologies developed in traditional intelligence &#8211; as powerful enhancers for CTI workflows. We&apos;ll explore how techniques like Analysis of Competing Hypotheses, Key Assumptions Check, Red Team Analysis, and more mitigate cognitive biases in cybersecurity. The session demonstrates practical integration of SATs with established frameworks including MITRE ATT&amp;CK, the Diamond Model, and Intelligence Cycle. Attendees will learn implementation strategies, key metrics for analytical improvement, and gain actionable templates for immediate application. This methodological bridge between traditional intelligence practices and cybersecurity represents the next evolution in defense against sophisticated threats.</abstract>
                <slug>security-bsides-las-vegas-2025-70305-thinking-outside-the-soc-structured-analytics-for-the-overloaded-cyber-analyst</slug>
                <track>Ground Floor</track>
                
                <persons>
                    <person id='70665'>Alina Thai</person><person id='71297'>Haily Beem</person>
                </persons>
                <language>en</language>
                <description>As cybersecurity professionals who have applied intelligence methodologies to enhance our defensive capabilities, we&apos;ve found that structured analytic techniques significantly improve threat detection and response. While we both work in cybersecurity roles, we&apos;ve integrated traditional intelligence frameworks to overcome common analytical challenges faced by security teams. This talk distills our practical experience into actionable techniques that any analyst can apply immediately.

Our journey with these techniques began after encountering recurring cognitive biases affecting incident analysis and threat assessment. Modern security operations face overwhelming data volumes, complex attribution challenges, and adversaries practicing deliberate deception - creating a perfect storm for analytical failure. By combining established methodologies from the intelligence community with cybersecurity practices, we&apos;ve identified effective approaches that address these critical pain points without requiring extensive retraining or resource investment.

The core of our presentation revolves around several powerful structured techniques that we&apos;ve found invaluable in security operations. These approaches help analysts systematically evaluate attribution evidence, test assumptions about threat actor capabilities, and establish strategic warning systems that go beyond technical indicators. In our experience, applying these methods leads to significant reductions in false positives and improvements in attribution accuracy when teams implement them correctly.

We&apos;ll demonstrate how specific SATs address everyday cybersecurity challenges, including attribution analysis, assumption testing, and anticipating threat actor movements. Attendees will receive practical examples and approaches they can adapt to their own environments, along with case studies demonstrating tangible improvements in detection accuracy and analytical rigor. The presentation includes detailed walkthroughs of real-world scenarios where these structured methods enhance threat detection and response, providing concrete examples that security teams can adapt to their unique requirements.</description>
                <recording>
                    <license></license>
                    <optout>false</optout>
                </recording>
                <links></links>
                <attachments></attachments>

                <url>https://pretalx.com/security-bsides-las-vegas-2025/talk/9HEEBE/</url>
                <feedback_url>https://pretalx.com/security-bsides-las-vegas-2025/talk/9HEEBE/feedback/</feedback_url>
            </event>
            <event guid='60e7607f-1102-50c7-a893-4b211a8bd94c' id='70274' code='3ERMMC'>
                <room>Florentine E</room>
                <title>Securing Frontends at Scale: Paving our Way to the Post-XSS World</title>
                <subtitle></subtitle>
                <type>Talk-20m</type>
                <date>2025-08-05T11:00:00-07:00</date>
                <start>11:00</start>
                <duration>00:20</duration>
                <abstract>Cross-site scripting (XSS) still continues to be the dominant class of bugs exploited on the web today. Over the past decade, Google&apos;s security and product teams have invested heavily in developing scalable defenses, including code hardening measures and adopting web platform features that prevent or mitigate XSS across our ecosystem. In this talk, we will provide developers with a blueprint for enabling robust XSS protections in their code.

We will share our stories of how we rolled out our two biggest runtime protections against XSS (strict Content Security Policy and Trusted Types) at scale&#8211; as well as compile-time protections that complement them&#8211; across hundreds of products accessed by billions of users. We&apos;ll share technical lessons learned and summarize our best practices to keep your code secure as well.

In addition, we will explore a bit of what the future has in store for anti-XSS protections&#8211; including what we would like to see as platform-level defaults to truly eradicate XSS as an endemic problem in all webapps.</abstract>
                <slug>security-bsides-las-vegas-2025-70274-securing-frontends-at-scale-paving-our-way-to-the-post-xss-world</slug>
                <track>Ground Floor</track>
                
                <persons>
                    <person id='70641'>Aaron Shim</person>
                </persons>
                <language>en</language>
                <description>**We marked (20 minutes) as a preference in the form but we are flexible on the talk length of the &quot;Breaking Ground&quot; format!**

Over the last decade, we have been working on a solution at-scale for injection attacks against frontend codebases that could generalize across thousands of webapps-- and we&apos;ve spent quite a bit of time rolling out these mitigations to all these products! We want to share the great wealth of applied knowledge gathered from all this experience with all web developers and security professionals.

We have presented these philosophical ideas at other talks before, but the format of the &quot;Breaking Ground&quot; talks was especially fascinating to us! We spent a lot of time thinking about what the most useful of our internally-honed approaches and tooling were, and spent some time developing external/OSS versions of them to benefit the ecosystem-- and based on how some other talks covering some of these tools went, we thought a more interactive demo-based format where we could be closer to the audience would drive home the point of how easily applicable these mitigation approaches are in the developer lifecycle.

Some demos we are planning, especially focused on how it fits into web security:

* https://github.com/google/strict-csp
* https://www.npmjs.com/package/safevalues
* https://www.npmjs.com/package/tsec
* https://github.com/google/safety-web
* https://github.com/google/trusted-types-helper

And given the demo-heavy nature of this session, we will also show in action how some AI-automated approaches-- when used in conjunction with these tools-- can really supercharge the mitigations that you can run across your webapp codebase!</description>
                <recording>
                    <license></license>
                    <optout>false</optout>
                </recording>
                <links></links>
                <attachments></attachments>

                <url>https://pretalx.com/security-bsides-las-vegas-2025/talk/3ERMMC/</url>
                <feedback_url>https://pretalx.com/security-bsides-las-vegas-2025/talk/3ERMMC/feedback/</feedback_url>
            </event>
            <event guid='f8d4a7d3-c9b5-5e28-bc01-018b56968930' id='67161' code='N7BLLW'>
                <room>Florentine E</room>
                <title>XSS is dead - Browser Security Features that Eliminate Bug Classes</title>
                <subtitle></subtitle>
                <type>Talk-20m</type>
                <date>2025-08-05T14:00:00-07:00</date>
                <start>14:00</start>
                <duration>00:20</duration>
                <abstract>Traditional application security is broken. We&#8217;re stuck in a cycle of bug bounties, vulnerability reports, and endless patching - yet the same issues keep resurfacing. Despite years of &#8220;shifting left,&#8221; vulnerabilities still slip into production, forcing security teams into constant firefighting. What if we could eliminate entire bug classes instead of fixing them one by one? 

This talk explores how modern browser security features can automate and scale security, removing vulnerabilities without relying solely on developers remembering best practices. Powerful opt-in mechanisms like Content-Security-Policy v3, Trusted Types, and Sec-Fetch-Metadata can systematically prevent issues like XSS, CSRF, clickjacking, and cross-origin attacks. 

Using real-world case studies, we&#8217;ll show how leading organizations have leveraged these browser-native protections to eliminate vulnerabilities at scale. We&#8217;ll cover practical ways to integrate these features, automate security headers, enforce secure defaults, and measure adoption effectively.

If you&#8217;re a developer or security engineer ready to move beyond endless patching and start building secure-by-design applications, this session is for you. Learn how to automate, scale, and forget entire bug classes by harnessing the latest advances in browser security.</abstract>
                <slug>security-bsides-las-vegas-2025-67161-xss-is-dead-browser-security-features-that-eliminate-bug-classes</slug>
                <track>Ground Floor</track>
                
                <persons>
                    <person id='67791'>Javan Rasokat</person>
                </persons>
                <language>en</language>
                <description>I also submitted this talk as a workshop, as I have created a great set of practical challenges for it. But (if the workshop isn&apos;t accepted) I would also present this as a talk, as I can also pitch this new approach and idea as a talk. With the new OWASP Proactive Controls list now including C6 browser security, it&#8217;s the perfect time to focus on prevention instead of endless patching.

I first ran this as a workshop inside my own organization, and even experienced AppSec leads found it eye-opening. The idea was inspired by some work happening behind closed doors at Google; they basically influenced the standards that we are talking about. One of the things made public was the Security Signals research paper by Google. I took those ideas, built on them, and created a hands-on training with practical challenges using those new features to secure an app in depth; aside from the traditional securing, the challenges rely on the browser features.</description>
                <recording>
                    <license></license>
                    <optout>false</optout>
                </recording>
                <links></links>
                <attachments></attachments>

                <url>https://pretalx.com/security-bsides-las-vegas-2025/talk/N7BLLW/</url>
                <feedback_url>https://pretalx.com/security-bsides-las-vegas-2025/talk/N7BLLW/feedback/</feedback_url>
            </event>
            <event guid='69a540ce-9fca-5c47-bde7-f38f7f4c0486' id='67422' code='RBLK3C'>
                <room>Florentine E</room>
                <title>Infiltrating Like a Ninja: Unveiling Detection Gaps in Physical Security Across Japan and the U.S</title>
                <subtitle></subtitle>
                <type>Talk-20m</type>
                <date>2025-08-05T14:30:00-07:00</date>
                <start>14:30</start>
                <duration>00:20</duration>
                <abstract>Case studies like DarkVishnya, where eight Eastern European banks lost tens of millions due to physical intrusion and malicious devices, highlight the critical importance of addressing physical security. SecureWorks has included physical intrusion in red team exercises since 2011, with the Japanese team&apos;s intrusion success rate remaining at 100%. This emphasizes the urgency of improving physical security.
This session leverages extensive penetration testing experience to illustrate differences in physical security practices between Japan and the United States, presenting real-world cases from both nations. It offers practical insights for effectively countering physical threats. Analysis indicates that Japan&#8217;s relatively lenient security, influenced by low crime rates, leaves organizations vulnerable to intrusions through social engineering and inadvertent staff cooperation. Conversely, the U.S. enforces stricter measures due to higher risk awareness but remains susceptible to vulnerabilities driven by human factors. Both countries must tackle their exposure to social engineering. Attendees will understand how cultural contexts shape security postures and gain actionable strategies to strengthen defenses against these weaknesses.</abstract>
                <slug>security-bsides-las-vegas-2025-67422-infiltrating-like-a-ninja-unveiling-detection-gaps-in-physical-security-across-japan-and-the-u-s</slug>
                <track>Ground Floor</track>
                <logo>/media/security-bsides-las-vegas-2025/submissions/RBLK3C/gate__UlQtRc1.png</logo>
                <persons>
                    <person id='67805'>You Nakatsuru</person><person id='67907'>Fumiya Imai</person><person id='68007'>Viet Luu</person>
                </persons>
                <language>en</language>
                <description>- Introduction (Background &amp; Motivation)
Incidents such as the large-scale DarkVishnya compromise&#8212;where malicious devices were planted onsite&#8212;and the leaked i-soon documents referencing suspicious hardware underscore how physical breaches, combined with social engineering, present a very real threat to enterprises. However, compared to digital security, the sharing of knowledge regarding physical defenses remains limited.
This session offers comparative insights drawn from multiple physical penetration tests (pentests) conducted in both Japan and the United States, highlighting unique lessons from each region&#8217;s security practices.

- Presenter Background
Let me provide some background about our presenters.
One of them is the lead for physical security in the Japan team. Another is a professional who has handled numerous projects in the U.S. And finally, we have a member of the Counter Threat Unit team, who is well-known here in Japan.

- Overview of Physical Penetration Testing

- Definition and Purpose
By simulating real-world attacks&#8212;such as social engineering, RFID cloning, or other hardware-based compromises&#8212;physical pentests assess the risk of adversaries gaining physical access to internal networks and systems.

- Common Techniques
These methods include not only direct system-level attacks (e.g., RFID cloning, wireless hacking) but also &#8220;soft&#8221; tactics like tailgating and leveraging employees&#8217; goodwill. While such techniques require finesse, the presenters have achieved a 100% success rate in certain scenarios, underlining the pivotal role of human-factor vulnerabilities.

- Case Studies in Japan
- Cultural Background
Japan&#8217;s low crime rate fosters a pervasive atmosphere of trust, with employees seldom challenging unfamiliar individuals in office settings.
- Security Measures
Although many organizations employ ID badges, gates, and other formal systems, employee vigilance is generally lacking, allowing attackers to easily install rogue devices or malware once inside.
- Intrusion Example
Even offices equipped with security guards, flap-gate turnstiles, and front-desk check-ins can be bypassed through social engineering. We will demonstrate how posing as a &#8220;late employee without a badge&#8221; or someone &#8220;rushing to a meeting&#8221; effortlessly exploits well-intentioned staff eager to assist.

- Case Studies in the United States
- Cultural Background
In contrast to Japan, the U.S. experiences higher crime rates and stricter liability concerns, prompting more rigorous security measures such as patrol guards and extensive surveillance.
- Security Measures
Access privileges are firmly segmented, suspicious individuals are quickly challenged, and armed guard patrols are common. One speaker will recount how a colleague was immediately approached by security on the first day of a U.S. engagement, illustrating the prevalent &#8220;challenge&#8221; culture.
- Intrusion Example
Despite these robust defenses, carefully crafted social engineering frequently succeeds. Whether by engaging in conversation to clone RFID badges, tailgating into restricted areas, or calling a help desk for sensitive details like BitLocker keys, attackers can exploit the same human-factor weaknesses seen in Japan&#8212;thus compromising critical corporate assets.

- Comparative Analysis
- Key Differences
Japanese organizations may be undermined by cultural deference, whereas stricter enforcement characterizes the U.S. Even so, no system is impervious.
- Common Weakness
Human psychology remains the ultimate vulnerability. No matter how advanced the controls, a deceived or empathetic employee can inadvertently grant attackers entry.

- Conclusion
Physical security hinges not only on locks and guards but also on workplace culture and employee awareness. This presentation emphasizes the need for frequent physical pentests, practical training, and fostering what we term &#8220;friendly vigilance.&#8221; Drawing from real successes&#8212;and failures&#8212;across both Japan and the U.S., we will propose concrete countermeasures and strategic frameworks to help organizations stay ahead of evolving threats.</description>
                <recording>
                    <license></license>
                    <optout>false</optout>
                </recording>
                <links></links>
                <attachments></attachments>

                <url>https://pretalx.com/security-bsides-las-vegas-2025/talk/RBLK3C/</url>
                <feedback_url>https://pretalx.com/security-bsides-las-vegas-2025/talk/RBLK3C/feedback/</feedback_url>
            </event>
            <event guid='2b279c75-be74-5205-860f-5bbc3b0ddbdc' id='68595' code='YXZYXG'>
                <room>Florentine E</room>
                <title>Vibe Check: The dark side of vibe coding</title>
                <subtitle></subtitle>
                <type>Talk-45m</type>
                <date>2025-08-05T15:00:00-07:00</date>
                <start>15:00</start>
                <duration>00:45</duration>
                <abstract>Generative AI has been transforming and expediting enterprise workflows. However, the introduction of &#8220;vibe coding&#8221;, the practice of generating software utilizing AI instead of traditional software engineering practices, brings new vectors for cyber threats including data leakage, model manipulation, and social engineering attacks. This session will provide a pragmatic overview for industry professionals on how to securely adopt GenAI tools while minimizing exposure to risks. Our live demo will showcase how the seemingly functional code generated through simple prompts repeatedly fails basic security scrutiny when examined by professionals. Beyond the technical vulnerabilities, we will address organizational risks: hiring pipelines flooded with candidates lacking fundamental security understanding, and executives with unrealistic expectations about AI capabilities. As we abstract further from underlying technology, we risk creating a generation of developers disconnected from bare-metal computing principles, which could potentially weaken the collective security posture. While advocating for AI as a powerful augmentation tool, we provide a crucial reality check on responsible AI implementation that will maintain security integrity in an increasingly automated development landscape.</abstract>
                <slug>security-bsides-las-vegas-2025-68595-vibe-check-the-dark-side-of-vibe-coding</slug>
                <track>Ground Floor</track>
                
                <persons>
                    <person id='69150'>Chloe Potsklan</person><person id='79387'>Megan Kaczanowski</person>
                </persons>
                <language>en</language>
                <description>This talk came from months of Megan and I sharing concerns between the two of us on what we&apos;ve been hearing colleagues say, examples of vibe coding failures on X/Reddit, and our overall concerns for the future of the industry. What will cybersecurity look like if all the professionals are inhibited by a lack of understanding of foundational technical and security topics while having executives who think that AI is the answer for everything? We&apos;ll have two live demos plus room for discussions because we have lots of thoughts about the current state of vibe coding and what a more secure vibe coding future could look like that doesn&apos;t detract from foundational understanding of the underlying technology of everything.
Also, the demos will be live, but we&#8217;ll pre-record them before coming in in case anything goes wrong.</description>
                <recording>
                    <license></license>
                    <optout>false</optout>
                </recording>
                <links></links>
                <attachments></attachments>

                <url>https://pretalx.com/security-bsides-las-vegas-2025/talk/YXZYXG/</url>
                <feedback_url>https://pretalx.com/security-bsides-las-vegas-2025/talk/YXZYXG/feedback/</feedback_url>
            </event>
            <event guid='33ee6586-0282-5116-bab7-0804df78dacf' id='68739' code='QYKC7A'>
                <room>Florentine E</room>
                <title>We Fight for the User&apos;s... Session</title>
                <subtitle></subtitle>
                <type>Talk-45m</type>
                <date>2025-08-05T17:00:00-07:00</date>
                <start>17:00</start>
                <duration>00:45</duration>
                <abstract>Ever since cookies were invented 30 years ago there has been a battle to protect them from theft and abuse. Browser designers add defensive features and attackers come up with novel ways to circumvent those defenses, steal session cookies, and become a clone of their victims. This talk will speed-run that arms race, highlighting why many of the old-school defenses remain valuable.  And the race is not over.  We&apos;ll also step through the mechanics of Google&apos;s proposed Device Bound Session Credentials which would be game changing... if anyone else chooses to support them.</abstract>
                <slug>security-bsides-las-vegas-2025-68739-we-fight-for-the-user-s-session</slug>
                <track>Ground Floor</track>
                
                <persons>
                    <person id='69270'>Mark Hoopes</person>
                </persons>
                <language>en</language>
                <description>Protecting the session token may seem mundane, but personal experience has shown that developers&apos; boredom with implementing the same old defenses ends up leading to noteworthy vulnerabilities far too often.  Given the BSides audience, my goal is less about convincing the audience of the importance than about arming them with succinct statements in support of the controls that they can take back to their organizations and win some battles.

The new technique to be covered, Device Bound Session Credentials, has a huge advantage over traditional session tokens in that they can&apos;t be &quot;stolen&quot; or at least not taken off the device (it&apos;s in the name).  Of course, as with any technology, being a good one doesn&apos;t mean that it&apos;s going to be adopted.  By explaining the proposed standard in detail, I hope to generate conversation around it and contribute my small part to either its adoption or its rejection if a better standard can be found.

A version of this talk was given at SaintCon 2024 (https://www.youtube.com/watch?v=Qo6KQ7SH6wo), but I plan on amping up the technical side, particularly around how the DBSC protocol actually works.</description>
                <recording>
                    <license></license>
                    <optout>false</optout>
                </recording>
                <links></links>
                <attachments></attachments>

                <url>https://pretalx.com/security-bsides-las-vegas-2025/talk/QYKC7A/</url>
                <feedback_url>https://pretalx.com/security-bsides-las-vegas-2025/talk/QYKC7A/feedback/</feedback_url>
            </event>
            <event guid='a5ebf929-5ced-5018-b805-9bc91247125c' id='70298' code='99QGN8'>
                <room>Florentine E</room>
                <title>A Cheat Code for Security Programs</title>
                <subtitle></subtitle>
                <type>Talk-45m</type>
                <date>2025-08-05T18:00:00-07:00</date>
                <start>18:00</start>
                <duration>00:45</duration>
                <abstract>In this talk, Ochaun Marshall leads you through a cheat code for product security that you can use no matter the size or maturity of your business. You will leave with a clearer understanding of the differences between Application Security, platform security, and product security; some new ways of thinking about &quot;shift left&quot;; and some tangible steps you can bring back to your team or org. Ochaun is a security engineer at Google Cloud.</abstract>
                <slug>security-bsides-las-vegas-2025-70298-a-cheat-code-for-security-programs</slug>
                <track>Ground Floor</track>
                
                <persons>
                    <person id='70659'>Ochaun Marshall</person>
                </persons>
                <language>en</language>
                <description>This is the presentation I wish I could have given to myself when I was a starting AppSec professional. Product Security is a larger domain and discipline in the universe of InfoSec. It spans everything from an http request to silicon hardware.  It enumerates every multidimensional aspect of the product, through all phases of that product&apos;s lifespan.</description>
                <recording>
                    <license></license>
                    <optout>false</optout>
                </recording>
                <links></links>
                <attachments></attachments>

                <url>https://pretalx.com/security-bsides-las-vegas-2025/talk/99QGN8/</url>
                <feedback_url>https://pretalx.com/security-bsides-las-vegas-2025/talk/99QGN8/feedback/</feedback_url>
            </event>
            
        </room>
        <room name='Florentine F' guid='905b0795-fddf-586b-bf97-6e58739e4329'>
            <event guid='163c77df-8cb0-5bbc-912a-411b5da770fc' id='70244' code='SZWXFF'>
                <room>Florentine F</room>
                <title>The Unbearable Weight of Commercial Licensing. Combining Closed Systems with Open Source Defense</title>
                <subtitle></subtitle>
                <type>Talk-45m</type>
                <date>2025-08-05T10:00:00-07:00</date>
                <start>10:00</start>
                <duration>00:45</duration>
                <abstract>The cybersecurity market is projected to experience strong growth. This is driven by the plethora of devices connected to and integrated into enterprise networks, combined with the increase in zero day vulnerabilities being identified and exploited. The attack surface has broadened, while becoming more complex.

Many of the enterprise security tools used to defend our networks have failed us. Painful examples range from 0day attacks in on-prem Exchange and SharePoint servers, to the SolarWinds supply chain attacks. These enterprise tools resulted in the successful compromise of businesses around the world. 

In order to defend, both proprietary and open source tools have been at the core of many successful security projects and business initiatives. Open source tools have many benefits, among them, the freedom to try and tweak, while not being locked into 1-3 year licensing terms. 

This talk will cover how an open source project, in particular, MISP (the malware information sharing platform) can be integrated into threat investigation workflows to help augment enterprise tools with the goal of increasing overall security while making a threat analyst&#8217;s life a little easier.</abstract>
                <slug>security-bsides-las-vegas-2025-70244-the-unbearable-weight-of-commercial-licensing-combining-closed-systems-with-open-source-defense</slug>
                <track>Common Ground</track>
                
                <persons>
                    <person id='70620'>Keya Arestad</person>
                </persons>
                <language>en</language>
                <description>This talk came out of wanting to get back to Linux and open source communities after working with Microsoft Defender, Intune, Entra, and the rest of the Microsoft O365 world for years. (So frustrating!) I wanted to better deal with my frustration with closed source &#8220;solutions&#8221; at work to gain more power over alerts, as well as make the investigation and triage process more efficient. I had forgotten the joy of working with the terminal after getting clobbered with Wacatac alerts. (Searching for Wacatac leads to Microsoft marketing documentation that tells you that Microsoft Defender can defend against it.)

Some jobs don&#8217;t offer the ability to choose what security tools are being used, so one must assess and see if the situation can be made better. That&#8217;s the background behind this talk.</description>
                <recording>
                    <license></license>
                    <optout>false</optout>
                </recording>
                <links>
                    <link href="https://misp-project.org/misp-training/cheatsheet.pdf">MISP Concepts Cheat Sheet</link>
                </links>
                <attachments></attachments>

                <url>https://pretalx.com/security-bsides-las-vegas-2025/talk/SZWXFF/</url>
                <feedback_url>https://pretalx.com/security-bsides-las-vegas-2025/talk/SZWXFF/feedback/</feedback_url>
            </event>
            <event guid='e3ad0c52-3e8b-5d55-8443-f697ec065658' id='68680' code='ZPH8MR'>
                <room>Florentine F</room>
                <title>Rewriting the Playbook: Smarter Vulnerability Management with EPSSv3, CVSSv4, SSVC &amp; VEX Frameworks</title>
                <subtitle></subtitle>
                <type>Talk-20m</type>
                <date>2025-08-05T11:00:00-07:00</date>
                <start>11:00</start>
                <duration>00:20</duration>
                <abstract>Many financial institutions still rely on outdated CVSS-based prioritization models that create alert fatigue and leave critical, exploitable vulnerabilities buried in noise. This talk offers a practical, phased strategy for modernizing vulnerability management by combining four evolving frameworks: EPSS v4, CVSS v4, SSVC, and VEX.

The session walks through how each framework contributes&#8212;EPSS adds exploit likelihood, CVSSv4 refines severity scoring, SSVC brings context-aware decision logic, and VEX helps validate exploitability in specific environments. Together, they create a unified approach to triaging vulnerabilities across infrastructure and applications.

Attendees will gain practical guidance for integrating these models into their existing workflows, along with examples of how they&#8217;ve been used to reduce patch workload, streamline cross-team coordination, and stand up to audit scrutiny. This talk is aimed at security professionals working in regulated sectors&#8212;particularly those balancing technical risk, compliance, and remediation velocity.</abstract>
                <slug>security-bsides-las-vegas-2025-68680-rewriting-the-playbook-smarter-vulnerability-management-with-epssv3-cvssv4-ssvc-vex-frameworks</slug>
                <track>Common Ground</track>
                
                <persons>
                    <person id='69230'>Avinash Nutalapati</person>
                </persons>
                <language>en</language>
                <description>This session is for anyone tired of fixing &#8220;critical&#8221; vulnerabilities that don&#8217;t actually matter while missing the ones that do. Through the lens of financial-sector security, the talk explores how modern frameworks like EPSS, CVSSv4, SSVC, and VEX can be layered together to build a smarter vulnerability management process.

Expect real-world examples, sample triage logic, and rollout ideas that won&#8217;t break your existing workflows. Whether you&apos;re in AppSec, infrastructure, or risk management, you&#8217;ll walk away with a better way to prioritize what matters most&#8212;and communicate those decisions clearly across teams.</description>
                <recording>
                    <license></license>
                    <optout>false</optout>
                </recording>
                <links>
                    <link href="https://www.cisa.gov/sites/default/files/2023-01/VEX_Use_Cases_Aprill2022.pdf">VEX</link>
                
                    <link href="https://www.cisa.gov/stakeholder-specific-vulnerability-categorization-ssvc">SSVC</link>
                
                    <link href="https://www.first.org/cvss/v4-0/">CVSS V4</link>
                
                    <link href="https://www.first.org/epss/user-guide">EPSS V4</link>
                </links>
                <attachments></attachments>

                <url>https://pretalx.com/security-bsides-las-vegas-2025/talk/ZPH8MR/</url>
                <feedback_url>https://pretalx.com/security-bsides-las-vegas-2025/talk/ZPH8MR/feedback/</feedback_url>
            </event>
            <event guid='b104985f-db7b-5c21-8d2e-a165d4721990' id='70315' code='NV9MUC'>
                <room>Florentine F</room>
                <title>Thwarting Key Extraction and Supply Chain attacks by Detonating GPUs</title>
                <subtitle></subtitle>
                <type>Talk-20m</type>
                <date>2025-08-05T14:00:00-07:00</date>
                <start>14:00</start>
                <duration>00:20</duration>
                <abstract>As TEEs in high-performance computing hardware become increasingly powerful and valuable targets for espionage and sabotage, protecting the intellectual property, cryptographic keys, and sensitive data they contain is of paramount importance. This talk argues physical destruction provides stronger guarantees than other methods, such as zeroization, but unlike custom-engineered destructive solutions such as PyroMEMS nanothermite, our approach leverages existing industrial components with proven reliability. This significantly reduces the complexity and cost of the implementation. We demonstrate that a common detonator, when appropriately positioned within a modified GPU heatsink, can provide effective physical destruction of the computing hardware. The proposed solution offers a balance of effectiveness, cost, reliability, and implementation simplicity that makes it suitable for immediate deployment in secure computing environments.</abstract>
                <slug>security-bsides-las-vegas-2025-70315-thwarting-key-extraction-and-supply-chain-attacks-by-detonating-gpus</slug>
                <track>Common Ground</track>
                
                <persons>
                    <person id='70677'>Mehmet Sencan</person>
                </persons>
                <language>en</language>
                <description>## Introduction

Securing high-value computing hardware against physical tampering has become increasingly critical as the economic and strategic value of these systems continues to rise. Modern AI accelerators and specialized computing hardware often contain sensitive intellectual property, proprietary algorithms, and valuable data that require protection against unauthorized access and reverse engineering. Although software-based security measures such as encryption and authentication provide important layers of defense, they may be insufficient against sophisticated adversaries with physical access to the hardware.

The protection of computing hardware against physical attacks has traditionally focused on tamper-evident enclosures, secure boot mechanisms, and cryptographic techniques. However, these approaches have limitations when adversaries have unlimited time to analyze and physically manipulate the hardware. As noted in recent research, if an adversary has sufficient time to image or modify a chip, they can get the design of the chip for replication or further attacks, and pull secrets off the chip as they are stored or while the chip is running.

This challenge is particularly relevant in the context of flexible Hardware Enabled Guarantees (flexHEG), or Hardware Enabled Mechanisms (HEM), which aim to implement hardware-based safety measures for advanced AI systems. FlexHEGs require mechanisms that can reliably enforce policies on high-capability AI systems even when these systems might have incentives to circumvent such controls. Physical security measures that can reliably destroy sensitive hardware components in response to tampering attempts form a critical part of this safety ecosystem.

Various approaches to hardware self-destruction have been proposed in the literature, including pyrotechnical microelectromechanical systems (PyroMEMS), nanothermite layers, and other specialized solutions. While these approaches show promise, they often require complex manufacturing processes, specialized materials, and significant research and development investment. These factors can limit their practical deployment in real-world security scenarios where cost-effectiveness and reliability are paramount.

In this paper, we propose and evaluate a pragmatic alternative: the use of commercially available detonators, specifically detonators used in the petroleum industry, for rapid and reliable GPU self-destruction. The key advantages of this approach include:

* **Availability**: Commercial detonators are readily accessible as standardized industrial components.
* **Cost-effectiveness**: At approximately $9 per unit, they have a significantly lower cost than custom-engineered solutions.
* **Reliability**: These components have been extensively tested and proven to be reliable in harsh environments such as deep oil and gas wells.
* **Implementation simplicity**: The approach requires minimal modification to the existing hardware.
* **Effectiveness**: As our experiments demonstrate, they provide sufficient destructive force to irreversibly damage sensitive hardware components.

We experimentally validate our approach by integrating standard #6 and #8 detonators within either backside support of a GPU or a modified GPU heatsink and testing its effectiveness in destroying the underlying hardware. Our results demonstrate that this approach provides an effective means of preventing unauthorized access to sensitive hardware components upon detection of tampering.

This work contributes to the broader field of hardware security by providing a practical, immediately deployable solution for physical security in high-value computing environments, particularly those involving AI accelerators and other specialized computing hardware that may require protection against sophisticated physical attacks.

This work may also provide protection against supply chain attacks by allowing high-value chips to be packaged at the point of manufacture with an active tamper sensor and this response mechanism to destroy the chip in any tamper or key extraction attempt.

## Methodology

Our research methodology focused on developing and testing a practical approach to GPU self-destruction using commercially available and accessible products. The primary objective was to identify the smallest effective mechanism that could reliably destroy a GPU while minimizing collateral damage to surrounding components and anyone handling the GPU.

### Commercial Detonators

We experimented with #6 and #8 blasting caps (detonators) on the basis of their commercial availability and reliability.

This detonator approach was selected over custom-engineered solutions such as PyroMEMS or specialized nanothermite implementations for several reasons:

1. **Commercial availability**: The detonator is a standardized industrial component that can be procured without requiring custom manufacturing.
2. **Cost-effectiveness**: It presents a significantly lower cost than custom-engineered solutions.
3. **Reliability**: Detonators have been extensively tested and proven reliable in harsh environments, including high-temperature conditions typical of server environments.
4. **Electrical characteristics**: The detonator can be reliably activated with standard electrical currents while providing good tolerance against accidental activation from stray currents.
5. **Physical characteristics**: The compact size allows for integration within standard GPU heatsinks with minimal modification.

# Experimental Setup and Results

## Experimental Setup

Our experimental setup consisted of the following components:

1. **Test GPU**: NVIDIA P100, a representative high-performance computing accelerator similar to those used in AI training and inference systems.
2. **Modified heatsink**: The standard GPU heatsink was modified to accommodate the detonator by drilling a precisely sized hole at a strategic location above critical GPU components.
3. **Detonator mounting**: The detonator was securely mounted at various orientations seen in Table 1: below the backside support bracket in plane with the bracket; below the backside support bracket perpendicular to the GPU die, directing the blast towards the GPU; or within the modified heatsink, positioned to direct the destructive force toward the GPU die and memory components.
4. **Initiation**: #6 detonators were initiated with safety fuse; #8 detonators were initiated with a standard electrical ignition circuit.

For safety and regulatory compliance, all experiments were conducted in appropriate facilities with necessary federal, state and local permits and under the supervision of licensed and trained personnel of ACCX Research, Fullerton, CA.

## Results

Our experimental results demonstrate that commercial detonators can effectively destroy GPU hardware in a controlled manner, rendering sensitive components irretrievable when tampering is detected.

### Detonator Effectiveness

Either detonator was found to be capable of reliably destroying critical GPU components. When properly positioned within the modified heatsink, the detonator generated sufficient force to physically fracture the GPU die, rendering the processor inoperable, and in most cases to pulverize the die, making any analysis difficult.

## Table 1: GPU destruction tests using various detonators and setups

| Test # | Detonator/Explosive | Setup Description | Outcome |
|--------|---------------------|-------------------|---------|
| 1 | #6 Blasting Cap | No heatsink; blasting cap placed under GPU | chip dislodged |
| 2 | #6 Blasting Cap | With heatsink; blasting cap under GPU | chip intact |
| 3 | #6 Blasting Cap (vertical) | Cap placed vertically, GPU on heatsink, setup buried in sand | chip pulverized; heatsink dented |
| 4 | 2 grams of C2 Detasheet | plastic explosives + 6&quot; 25-grain detonating cord to initiate | direct application; GPU destroyed |
| 5 | 5 inches of 18-grain detcord (~100mg) | Applied to chip area | chip dislodged and shattered |
| 6 | #8 Detonator | Applied directly to GPU | Unclear/ineffective |
| 7 | #8 Detonator | Placed vertically on top of GPU heatsink | No destruction; ineffective |
| 8 | #8 Detonator | Placed in a hole drilled through heatsink layers and onto copper plate | GPU pulverized |

## Discussion

The use of commercial detonators for GPU protection offers several practical advantages over alternative approaches. They have a proven track record spanning decades and robust manufacturing quality control. This significantly reduces the implementation complexity and time-to-deployment for organizations seeking to enhance their hardware security posture.

The approach is also scalable to different sizes and types of computing hardware. While our experiments focused on GPUs, the same principles could be applied to other high-value computing components such as CPUs, FPGA accelerators, or custom ASIC designs. The key considerations would be selecting an appropriately sized detonator and optimizing its placement to ensure effective destruction of critical components.

The approach is also suitable for use in secure memory or SSD applications, as well as data destruction devices triggered with walk-away or power-on-without-key.

### Regulatory and Safety Considerations

The use of detonators for hardware protection raises important regulatory and safety considerations that must be addressed in any practical implementation. Organizations implementing this approach would need to ensure compliance with relevant regulations, which may include:

* Obtaining appropriate permits for storing and handling detonators
* Implementing proper safety protocols for installation and maintenance
* Testing the completed assemblies for compliance with shipping regulations and obtaining the necessary permits and classifications
* Training personnel in safe handling procedures
* Development of appropriate containment to maximize safety, even during deliberate tampering attempts
* Establishing protocols for disposal of protected hardware

Future work would include building and certifying containment mechanisms for use and transport without a license or special handling. Certified products could resemble a self-contained, tamper-responsive heatsink/backplate/case that encloses the protected chip(s) and is manufactured and certified as a unit that can be safely handled and pass transportation tests.

The design maturity at which this technology is safe to handle and install in typical computer environments would be naturally sufficient to pass such assessments.

These regulatory considerations may vary significantly by jurisdiction, and organizations would need to assess the specific requirements applicable to their operating environments.

## Conclusion

In this paper, we have presented a practical approach to hardware security for high-value computing components using commercial detonators for rapid and reliable physical destruction. Our experimental results demonstrate that a detonator, when properly integrated into a modified GPU heatsink, provides effective protection against unauthorized access to sensitive hardware components.

The primary advantages of our approach include:

* **Practicality**: Using commercially available components rather than custom-engineered solutions
* **Cost-effectiveness**: Significantly lower cost than specialized PyroMEMS or nanothermite approaches
* **Reliability**: Proven performance in harsh environments
* **Implementation simplicity**: Minimal modification to existing hardware
* **Effectiveness**: Demonstrated ability to irreversibly destroy sensitive components

Our work contributes to the broader field of hardware security by providing a readily deployable solution for organizations seeking to protect high-value computing assets against sophisticated physical attacks. It is particularly relevant in the context of emerging AI safety and governance frameworks such as FlexHEG, where reliable hardware-based safety mechanisms are essential.

Although software-based protection mechanisms such as zeroization play an important role in a layered security approach, physical destruction provides a last line of defense against sophisticated supply chain manipulation or laser key extraction. The approach we have demonstrated offers a balance of effectiveness, cost, reliability, and implementation simplicity that makes it suitable for immediate deployment in secure computing environments.

Future work should focus on refining the integration of physical destruction mechanisms with advanced tamper detection systems, exploring regulatory-friendly pathways and alternatives, and extending the approach to a broader range of computing hardware. As AI systems continue to advance in capability and strategic importance, ensuring their physical security will remain a critical challenge, and practical approaches like the one presented in this paper will form an important part of comprehensive security strategies.

## Acknowledgment

The author would like to acknowledge the financial support of the Survival and Flourishing Fund, Good Forever Foundation, and to thank the broader flexHEG community for valuable discussion and feedback.

John Norman of ACCX Research (Fullerton, CA) consulted and handled all of the explosive work, and Evan Miyazono of Atlas Computing provided invaluable project support.</description>
                <recording>
                    <license></license>
                    <optout>false</optout>
                </recording>
                <links></links>
                <attachments></attachments>

                <url>https://pretalx.com/security-bsides-las-vegas-2025/talk/NV9MUC/</url>
                <feedback_url>https://pretalx.com/security-bsides-las-vegas-2025/talk/NV9MUC/feedback/</feedback_url>
            </event>
            <event guid='da75be29-d62c-548b-bd44-bfe2c0794ac1' id='68489' code='FWHWNV'>
                <room>Florentine F</room>
                <title>The Art of Concealment: CVE&apos;s Challenge with Transparency</title>
                <subtitle></subtitle>
                <type>Talk-20m</type>
                <date>2025-08-05T14:30:00-07:00</date>
                <start>14:30</start>
                <duration>00:20</duration>
                <abstract>In the cybersecurity world, the Common Vulnerabilities and Exposures (CVE) system serves as a cornerstone for understanding and mitigating security threats. However, the process of contributing to and utilizing CVE data is often hindered by issues related to transparency. This talk explores how the CVE community struggles with openness, examining why participants&#8212;such as vulnerability researchers, vendors, and users&#8212;may sometimes fall short of full disclosure.</abstract>
                <slug>security-bsides-las-vegas-2025-68489-the-art-of-concealment-cve-s-challenge-with-transparency</slug>
                <track>Common Ground</track>
                
                <persons>
                    <person id='69078'>Jerry Gamblin</person>
                </persons>
                <language>en</language>
                <description>In the cybersecurity world, the Common Vulnerabilities and Exposures (CVE) system serves as a cornerstone for understanding and mitigating security threats. However, the process of contributing to and utilizing CVE data is often hindered by issues related to transparency. This talk explores how the CVE community struggles with openness, examining why participants&#8212;such as vulnerability researchers, vendors, and users&#8212;may sometimes fall short of full disclosure.</description>
                <recording>
                    <license></license>
                    <optout>false</optout>
                </recording>
                <links></links>
                <attachments></attachments>

                <url>https://pretalx.com/security-bsides-las-vegas-2025/talk/FWHWNV/</url>
                <feedback_url>https://pretalx.com/security-bsides-las-vegas-2025/talk/FWHWNV/feedback/</feedback_url>
            </event>
            <event guid='799447d2-6828-57ad-b6a5-aa2e7013c443' id='66372' code='FXMV3G'>
                <room>Florentine F</room>
                <title>So... You want to build your own hacking device...</title>
                <subtitle></subtitle>
                <type>Talk-45m</type>
                <date>2025-08-05T15:00:00-07:00</date>
                <start>15:00</start>
                <duration>00:45</duration>
                <abstract>Ready to dive into the exhilarating world of hacking gadgets? Whether you&apos;re looking to impress your fellow nerds, make your FBI agent a little nervous, or just tinker with some cool tech, this talk has got you covered. From making a small little box turn into a Wi-Fi spy to mastering the mystical art of circuit boards, we&#8217;ll explore everything you need to build your very own hacking gizmo.</abstract>
                <slug>security-bsides-las-vegas-2025-66372-so-you-want-to-build-your-own-hacking-device</slug>
                <track>Common Ground</track>
                
                <persons>
                    <person id='67826'>Alex Thines</person>
                </persons>
                <language>en</language>
                <description>In this presentation, I will delve into the burgeoning world of small hacking devices, such as the Flipper Zero and WiFi Nugget, providing a comparative analysis of popular microcontroller boards like the Raspberry Pi Pico, ESP series, and Arduino. This discussion will explore their functionalities, use cases, specifications, and cost considerations, highlighting the broader implications for security practices. We will also examine programming environments including MicroPython, CircuitPython, Arduino IDE, and C, assessing their advantages and limitations for different types of projects.

Further, the session will guide attendees on selecting the right components for their projects, such as WiFi shields, displays, and various sensors, and provide practical advice on assembling these components into functional security tools. The talk aims to empower attendees to enhance their security setups or develop new solutions, providing a roadmap from initial concept to prototype development and eventual production, thereby demystifying the technical complexities and equipping them with the knowledge to effectively utilize these tools in their cyber security endeavors.</description>
                <recording>
                    <license></license>
                    <optout>false</optout>
                </recording>
                <links></links>
                <attachments></attachments>

                <url>https://pretalx.com/security-bsides-las-vegas-2025/talk/FXMV3G/</url>
                <feedback_url>https://pretalx.com/security-bsides-las-vegas-2025/talk/FXMV3G/feedback/</feedback_url>
            </event>
            <event guid='f7a88710-0730-51ac-b87e-c865908c0482' id='69653' code='HVRLVM'>
                <room>Florentine F</room>
                <title>Dungeons &amp; Dragons: The security tool you didn&#8217;t know you needed</title>
                <subtitle></subtitle>
                <type>Talk-45m</type>
                <date>2025-08-05T17:00:00-07:00</date>
                <start>17:00</start>
                <duration>00:45</duration>
                <abstract>Tired of security training that puts your team to sleep? What if we told you the most powerful training tool in cybersecurity has been sitting in your game room all along? Welcome to the world of game-based learning, where the proven power of play transforms how professionals master complex skills.

Research shows that humans learn best when working together, yet traditional training methods keep pushing isolated, theoretical learning. Game-based learning flips this approach on its head, creating environments where people forget about office politics and actually engage with the material. Through structured play and collaborative storytelling, participants don&apos;t just memorize concepts&#8212;they live them, breaking down professional barriers and building genuine understanding through experience.

We&apos;ll show you the compelling evidence behind why using roleplaying games works, and demonstrate how to transform resistant learners into engaged participants. Using compelling examples, you&apos;ll discover how tabletop role-playing mechanics can turn your most challenging training scenarios&#8212;from incident response to zero trust architecture&#8212;into adventures your team actually looks forward to.

Join us to learn why adding roleplaying games to your professional development isn&apos;t just about making training fun&#8212;it&apos;s about making it work.</abstract>
                <slug>security-bsides-las-vegas-2025-69653-dungeons-dragons-the-security-tool-you-didn-t-know-you-needed</slug>
                <track>Common Ground</track>
                
                <persons>
                    <person id='70155'>Klaus Agnoletti</person><person id='70634'>Glen Sorensen</person>
                </persons>
                <language>en</language>
                <description># Game-Based Learning for Effective Incident Response Training: Beyond Traditional Tabletops

This talk explores a revolutionary approach to incident response training that leverages role-playing game mechanics to create engaging, effective learning experiences. Traditional tabletop exercises, while common, often fail to prepare teams for real incidents due to their static nature and participants&apos; reluctance to be fully transparent about organizational vulnerabilities.

The foundation of this approach rests on a simple premise: humans learn better when they&apos;re having fun. This isn&apos;t just intuitive wisdom &#8211; it&apos;s backed by scientific research. A meta-study of board, tabletop, and analog game-based learning approaches confirms that engagement and enjoyment significantly enhance knowledge retention and application. When we examine why traditional training methods fall short, we find they often create artificial environments where participants worry about protecting their professional reputation rather than honestly assessing security gaps.

Real incidents rarely unfold according to plan. They happen at inconvenient times (like Friday afternoons), depend on people who might be unavailable, and involve unexpected complications. Our role-playing framework simulates these realities through game mechanics that introduce unpredictability while fostering collaborative problem-solving.

The structure mirrors popular role-playing games like Dungeons &amp; Dragons &#8211; a comparison supported by research showing that when such games are played in &quot;inviting, encouraging, compassionate, and intellectually engaged environments,&quot; they create powerful learning opportunities. Each session is guided by an Incident Master who serves as both storyteller and authority on scenario progression.

Participants embody stereotypical characters with defined personality traits and modifiers that affect their interactions. For instance, a Microsoft system administrator might have a bias toward Windows solutions and a negative modifier to likability, while a help desk supporter might have enhanced communication skills. These character archetypes add both humor and realism to the scenarios, encouraging participants to step outside their usual perspectives.

The gameplay follows a three-round structure, typically beginning at the worst possible moment &#8211; late Friday afternoon &#8211; and progressing through different phases of the incident. Each participant has two actions per round, and outcomes are determined through dice rolls that simulate real-world unpredictability. This mechanic forces teams to develop contingency plans when their initial approaches fail, just as they would in actual incidents.

What sets this approach apart from traditional exercises is the psychological safety it creates. By framing the activity as a game rather than a test or evaluation, participants feel free to experiment with approaches, admit knowledge gaps, and honestly discuss organizational vulnerabilities without fear of professional consequences. This honesty is crucial for effective incident response preparation.

The framework&apos;s applications extend well beyond security incidents. Organizations can use it to teach abstract security concepts like Identity and Access Management or Zero Trust principles through concrete scenarios. Sales and marketing teams can gain technical understanding by experiencing incidents firsthand. Product teams can demonstrate functionality in realistic contexts. The approach scales from individual to team-based exercises and can be customized to address specific learning objectives.

The open-source nature of this framework makes it accessible to organizations of all sizes. All characters, scenarios, and guidance materials are available on GitHub as markdown files, allowing security teams to implement and customize the approach without significant investment.

From a compliance perspective, this approach offers substantial advantages over traditional methods. Many regulatory frameworks require organizations to conduct regular incident response training. Rather than treating this as a checkbox exercise, the role-playing approach transforms compliance activities into engaging, memorable experiences that produce measurable learning outcomes.

The speaker&apos;s experience implementing this methodology has revealed several key insights. First, the Incident Master role requires both broad security knowledge and the ability to think dynamically as scenarios unfold in unexpected directions. While previous experience as a Dungeon Master in role-playing games is helpful, it&apos;s not essential. Second, scenarios should remain open-ended to simulate the unpredictability of actual incidents. Finally, the Incident Master must carefully calibrate difficulty to maintain the optimal learning zone &#8211; challenging enough to require creative thinking but not so difficult that participants become frustrated.

This approach recognizes that human minds are not meant to function in isolation. They&apos;re &quot;plug-and-play devices&quot; designed to operate in networks, and games provide a structured environment for leveraging collective intelligence. By embracing this reality rather than fighting against it, organizations can transform incident response training from a dreaded obligation into an anticipated opportunity for team building and skill development.

In summary, this game-based learning approach represents a paradigm shift in security training methodology. It addresses the fundamental limitations of traditional exercises by creating psychologically safe environments where honest assessment, creative problem-solving, and team collaboration flourish. By making incident response training engaging and enjoyable, organizations not only satisfy compliance requirements but also build genuinely resilient security cultures prepared to face real-world challenges.</description>
                <recording>
                    <license></license>
                    <optout>false</optout>
                </recording>
                <links></links>
                <attachments></attachments>

                <url>https://pretalx.com/security-bsides-las-vegas-2025/talk/HVRLVM/</url>
                <feedback_url>https://pretalx.com/security-bsides-las-vegas-2025/talk/HVRLVM/feedback/</feedback_url>
            </event>
            <event guid='806f9a0e-2dac-51f7-99c9-f9b385222a04' id='68770' code='JJUSHH'>
                <room>Florentine F</room>
                <title>Keeping Our History Alive: The Hacker&#8217;s Guide to Sticker Preservation</title>
                <subtitle></subtitle>
                <type>Talk-20m</type>
                <date>2025-08-05T18:00:00-07:00</date>
                <start>18:00</start>
                <duration>00:20</duration>
                <abstract>Laptop stickers are more than colorful pieces of flair. They represent our interests, hopes, goals, and communities. They help us find our tribe in a sea of unknown faces in black shirts. But there is a major danger to the stickers that define ourselves: upgrading our laptops.

Hundreds of poor hackers punish themselves with old and barely usable systems just to retain their rare mementos. After talking with many of these poor souls I&apos;ve experimented with various methods to remove, retain, and reuse cherished stickers. 

This is a conversation on the role of stickers in our communities and a chance to learn the right and wrong ways to keep our history alive.</abstract>
                <slug>security-bsides-las-vegas-2025-68770-keeping-our-history-alive-the-hacker-s-guide-to-sticker-preservation</slug>
                <track>Common Ground</track>
                
                <persons>
                    <person id='69311'>Brian Baskin</person>
                </persons>
                <language>en</language>
                <description>Hi board! This talk came from a conversation at RE//verse con in February where people admitted using old laptops because they didn&apos;t want to lose their laptop stickers. Online guides were for sticker removal but not retention. I promised to find some solutions and make it public.

The two sides to this talk are the culture of stickers and the actual how-to of reapplication. They&apos;ll likely be 50/50 on time for 20 mins. And lots of pictures throughout.

There are many ways to approach the culture side. I want to hit on:
* general interest side (offsec, dfir, networking, etc. &quot;There&apos;s no place like 127.0.0.1&quot;)
* specific stances (IDA Pro &quot;No undo, no surrender&quot;)
* political statements (&quot;Make Malware Great Again!&quot;)
* the Scene (BSides logos, DEFCON, LUGs, other cons)
* just fun (&quot;Five Eyes: Backdoors and Spies&quot;)


For tech side I&apos;ve already started buying chemicals and equipment:
* Heat guns
* questionable ways - WD-40, Goo Gone, Acetone
* Still underway - Heptane, VOC compliant Heptane alternatives, Un-Du, drawing gum
* Techniques - How to separate between adhesive and laptop and not between vinyl and adhesive. Dangers of razor blades. Safety third
* Readhesion - How to not lose the glue but if you do how to appropriately add more 


I plan on continuing the research between now and the con. I&apos;ve done enough work to know the good and bad ways, but now want to explore variations on them.  I&apos;m trying to find someone to sacrifice a laptop to let me test the limits of burning into the screen.</description>
                <recording>
                    <license></license>
                    <optout>false</optout>
                </recording>
                <links></links>
                <attachments></attachments>

                <url>https://pretalx.com/security-bsides-las-vegas-2025/talk/JJUSHH/</url>
                <feedback_url>https://pretalx.com/security-bsides-las-vegas-2025/talk/JJUSHH/feedback/</feedback_url>
            </event>
            <event guid='a43217c6-7ad0-5f25-83d9-28edefad848e' id='70213' code='Z3YUJW'>
                <room>Florentine F</room>
                <title>The Not So Boring Threat Model of CSP-Managed NHI&#8217;s</title>
                <subtitle></subtitle>
                <type>Talk-20m</type>
                <date>2025-08-05T18:30:00-07:00</date>
                <start>18:30</start>
                <duration>00:20</duration>
                <abstract>This presentation delivers a deep (but definitely not boring) dive into the risks of CSP-managed NHI&apos;s across the big three clouds. By asking &#8220;What can go wrong?&#8221;, we&apos;ll examine how these machine identities can be exploited and the differences in technique and impact.

How do we keep things fun? Exploits unique to each cloud provider&#8217;s managed NHI are used as the framework to highlight the shortcomings of each design and inform our threat model. You&#8217;ll leave with an understanding of each cloud provider&apos;s NHI implementation and what you can do to mitigate risks posed by the ones automatically introduced by cloud services.</abstract>
                <slug>security-bsides-las-vegas-2025-70213-the-not-so-boring-threat-model-of-csp-managed-nhi-s</slug>
                <track>Common Ground</track>
                <logo>/media/security-bsides-las-vegas-2025/submissions/Z3YUJW/Scree_RAwzPyA.png</logo>
                <persons>
                    <person id='70592'>Kat Traxler</person>
                </persons>
                <language>en</language>
                <description>This presentation provides a focused examination of a critical risk area across all three major cloud providers: their implementations of CSP-managed Machine Identities. Specifically, we will delve into AWS Service-Linked Roles, Google-managed Service Agents, and Microsoft First-Party Applications.

Drawing upon my extensive experience in Cloud, Cloud Security, and, at its most niche, Cloud Security Identity, this talk will be structured around specific, known vulnerabilities and potential exploitation vectors inherent in each cloud&apos;s implementation of these CSP-managed identities. This will move beyond theoretical risks to highlight concrete issues.</description>
                <recording>
                    <license></license>
                    <optout>false</optout>
                </recording>
                <links></links>
                <attachments></attachments>

                <url>https://pretalx.com/security-bsides-las-vegas-2025/talk/Z3YUJW/</url>
                <feedback_url>https://pretalx.com/security-bsides-las-vegas-2025/talk/Z3YUJW/feedback/</feedback_url>
            </event>
            
        </room>
        <room name='Firenze' guid='d44b35ba-9ea2-560a-8365-11306165adb1'>
            <event guid='534ed356-f577-5029-8972-e5a9a3f4a582' id='67802' code='ADBAVR'>
                <room>Firenze</room>
                <title>Harnessing AI and Post-Quantum Cryptography for Cybersecurity in the Quantum Era</title>
                <subtitle></subtitle>
                <type>Proving Ground Talk-25m</type>
                <date>2025-08-05T10:00:00-07:00</date>
                <start>10:00</start>
                <duration>00:25</duration>
                <abstract>As quantum computing advances, traditional cryptographic systems are increasingly vulnerable. Post-quantum cryptography provides a crucial solution to protect sensitive data across industries such as finance, healthcare, and government. This session will examine the impact of quantum computing on encryption, with a focus on &quot;Harvest Now, Decrypt Later&quot; attacks, where attackers exfiltrate encrypted data now with plans to decrypt it later using quantum technology.

The discussion will also highlight how artificial intelligence can enhance anomaly detection, enabling early identification of quantum-powered attacks. We will compare various artificial intelligence models, such as Isolation Forest and Autoencoders, to assess their effectiveness in detecting emerging threats. Furthermore, we&#8217;ll explore quantum-resistant encryption methods and cutting-edge technologies, including quantum key distribution, secure multiparty computation, and fully homomorphic encryption.

This session will demonstrate how artificial intelligence and post-quantum cryptographic techniques can fortify cybersecurity against future quantum threats. Attendees will leave with actionable insights on how to prepare for a quantum-secure future.</abstract>
                <slug>security-bsides-las-vegas-2025-67802-harnessing-ai-and-post-quantum-cryptography-for-cybersecurity-in-the-quantum-era</slug>
                <track>Proving Ground</track>
                
                <persons>
                    <person id='65615'>Natalia Semenova</person><person id='68451'>Anushka Khare</person>
                </persons>
                <language>en</language>
                <description>Over the past two months, I have focused on researching how Artificial Intelligence (AI) can address the challenges posed by advances in quantum cryptography. As quantum computing evolves, encryption methods and identity tokens face increasing risks, with adversaries potentially breaking encryption much faster. AI provides an efficient solution by enabling quicker detection of attacks and allowing cryptographic systems to adapt in real-time. My research has explored several AI techniques for detecting quantum-related attacks, including Isolation Forest, K-Nearest Neighbors from Scikit-learn, H2O&apos;s Isolation Forest and Deep Learning models, as well as PyOD and Autoencoder-based Anomaly Detection from TensorFlow. These methods have been evaluated for their effectiveness in identifying data exfiltration and credential theft, which are often early indicators of a &quot;Harvest Now, Decrypt Later&quot; attack.

A &quot;Harvest Now, Decrypt Later&quot; attack involves attackers silently exfiltrating encrypted data now with the intent to decrypt it later when quantum computers can break current cryptographic systems. This attack is characterized by subtle, persistent data exfiltration, often during off-peak hours, and the targeting of highly sensitive data, such as passwords or private keys, without immediate decryption. The absence of immediate fraudulent activity or ransom demands, coupled with the use of weak cryptographic algorithms (e.g., RSA, ECC), can indicate a &quot;Harvest Now, Decrypt Later&quot; attack. To defend against such threats, it is critical to monitor unusual access patterns, transition to quantum-resistant cryptographic systems, and implement advanced strategies like Quantum Key Distribution, Secure Multiparty Computation, and Fully Homomorphic Encryption.

In my session, I will delve into methods for enhancing protection against post-quantum attacks, discussing the implementation of quantum-resistant encryption mechanisms such as Machine Learning-based Key Encapsulation, Machine Learning-based Digital Signature Algorithm, and Symmetric-Lattice-based Hybrid Digital Signature Algorithm. These technologies offer robust solutions to safeguard data from emerging quantum cryptographic risks.

Tools: 
https://scikit-learn.org/stable/modules/neighbors.html
https://docs.h2o.ai/h2o/latest-stable/h2o-docs/data-science/if.html

References 
https://github.com/QNLab-USTC/Key-Management-and-Service-Framework-for-QKD-Networks
https://github.com/h2oai/h2o-tutorials/blob/master/tutorials/isolation-forest/isolation-forest.ipynb

Papers: 
https://cds.cern.ch/record/2723971/files/2005.01598.pdf
https://medium.com/@weidagang/demystifying-anomaly-detection-with-autoencoder-neural-networks-1e235840d879
https://postquantum.com/post-quantum/pqc-quantum-ai-qai/
https://postquantum.com/quantum-ai/quantum-ai-qai/</description>
                <recording>
                    <license></license>
                    <optout>false</optout>
                </recording>
                <links></links>
                <attachments></attachments>

                <url>https://pretalx.com/security-bsides-las-vegas-2025/talk/ADBAVR/</url>
                <feedback_url>https://pretalx.com/security-bsides-las-vegas-2025/talk/ADBAVR/feedback/</feedback_url>
            </event>
            <event guid='bf7a3647-9db5-5af0-bed7-503f6f70e50a' id='67682' code='CUL8P9'>
                <room>Firenze</room>
                <title>Desktop Applications: Yes, We Still Exist in the Era of AI!!!</title>
                <subtitle></subtitle>
                <type>Proving Ground Talk-25m</type>
                <date>2025-08-05T10:30:00-07:00</date>
                <start>10:30</start>
                <duration>00:25</duration>
                <abstract>Everyone&#8217;s talking about securing cloud-native AI&#8212;but what about desktop applications, the unsung workhorses powering critical workflows in design, engineering, finance, and content creation? Often seen as &#8220;legacy,&#8221; today&#8217;s desktop apps are evolving&#8212;embedding local LLMs, enabling predictive UIs, intelligent automation, and offline inference.

This talk reframes the AI security conversation by spotlighting threats that emerge when AI meets the desktop. We&#8217;ll explore how these integrations open up new attack surfaces&#8212;prompt injection in embedded models, adversarial inputs, abuse of local inference, and vulnerable plugin ecosystems. These risks don&#8217;t replace traditional issues&#8212;they amplify them. Longstanding flaws like memory corruption, unsafe file parsing, and protocol-level bugs remain highly relevant.

We&#8217;ll demo two real-world attacks: prompt injection on a local model, and file-format fuzzing exposing a legacy crash. Then we&#8217;ll look at AI-aware threat modeling for desktop apps, including edge cases like tampered models and insecure automation. Finally, we&#8217;ll share practical strategies to integrate validation, fuzzing, and modeling into your secure SDLC.

If you thought desktop security was yesterday&#8217;s problem&#8212;think again. With AI in the mix, it&#8217;s more relevant, more complex, and more important than ever.</abstract>
                <slug>security-bsides-las-vegas-2025-67682-desktop-applications-yes-we-still-exist-in-the-era-of-ai</slug>
                <track>Proving Ground</track>
                
                <persons>
                    <person id='68346'>Uday Bhaskar Seelamantula</person><person id='69235'>Elizabeth R Rasnick</person>
                </persons>
                <language>en</language>
                <description>In today&#8217;s rush toward AI-native development, desktop applications are often dismissed as legacy systems. However, they remain foundational to industries like design, finance, healthcare, and engineering. These applications are evolving too&#8212;embedding local LLMs, enabling predictive UIs, and offering offline AI inference. But in doing so, they create a new category of hybrid software: traditional desktop logic combined with AI decision-making. This evolution introduces a unique and largely under-explored threat landscape.

This talk reframes the AI security conversation around the desktop domain. It starts by cataloging AI use cases already embedded in modern desktop applications&#8212;intelligent assistants, context-aware automation, AI-enhanced plugins, and model-influenced file parsing. With this foundation, we&#8217;ll explore the novel risks they bring, including:
* Prompt injection in offline or locally-embedded LLMs.
* Inference-based abuse, where untrusted inputs manipulate model behavior.
* Unsafe output handling, where AI-generated content drives downstream actions.
* AI plugin ecosystems prone to over-permissioning or unvalidated extensions.
* Model tampering, especially in scenarios without strong integrity checks.

But these new threats don&#8217;t replace the old&#8212;they amplify them. Traditional issues such as memory corruption, unsafe file parsing, and protocol vulnerabilities remain present, and in some cases, are re-exposed by AI-powered workflows (e.g., previewing or auto-parsing files without validation).

To demonstrate this hybrid risk model, the session includes two practical demos:
1. A prompt injection attack targeting an embedded local LLM in a desktop app, leading to unintended file disclosure or unauthorized automation.
2. A file-format fuzzing demo against a legacy parser now wrapped in AI functionality, resulting in a crash or memory corruption&#8212;highlighting the dangers of blindly coupling AI with legacy input handling.

We&#8217;ll then transition into modern threat modeling for these AI-desktop hybrids. We&apos;ll break down:
* How to model trust boundaries when inference engines are embedded locally.
* Risks introduced by model updates or user-controlled configuration.
* Edge cases like AI-driven plugin behavior and adversarial content generation.

From a defense perspective, we&#8217;ll provide fuzzing strategies that remain effective&#8212;file format fuzzing, protocol fuzzing, and model I/O fuzzing&#8212;along with examples of tools like AFL++, libFuzzer, and custom harnesses for AI pipelines.
Finally, we&#8217;ll outline how to bring this into the Secure Development Lifecycle (SDLC):
* Introduce abuse-case testing for AI features.
* Incorporate threat modeling sessions into early feature design.
* Automate fuzzing pipelines into CI for both legacy and AI logic.
* Develop organizational awareness around the risks of hybrid systems.

This session is ideal for security engineers, red teamers, and AppSec practitioners who want a deeper understanding of how the AI transformation impacts a class of software that hasn&#8217;t gone anywhere&#8212;but is becoming more complex and critical than ever.
Expect actionable insights, demo-driven examples, and a modernized approach to defending desktop applications in the AI era.</description>
                <recording>
                    <license></license>
                    <optout>false</optout>
                </recording>
                <links></links>
                <attachments></attachments>

                <url>https://pretalx.com/security-bsides-las-vegas-2025/talk/CUL8P9/</url>
                <feedback_url>https://pretalx.com/security-bsides-las-vegas-2025/talk/CUL8P9/feedback/</feedback_url>
            </event>
            <event guid='adf09a9d-d8e5-5222-92d7-7e741f6f82a6' id='67443' code='DD8DUT'>
                <room>Firenze</room>
                <title>Security Theater, Now Playing: When Security Is a Sideshow Instead of a Strategy</title>
                <subtitle></subtitle>
                <type>Proving Ground Talk-25m</type>
                <date>2025-08-05T11:00:00-07:00</date>
                <start>11:00</start>
                <duration>00:25</duration>
                <abstract>Security teams love policies, frameworks, and well-intentioned controls&#8212;but when those efforts lack product or business context, they&#8217;re often just&#8230; theater. In this talk, I&#8217;ll share what happened when I joined a security program driven by compliance rather than clarity, and how that led to friction, rework, and wasted energy. Through real-world examples from a fast-moving startup, I&#8217;ll walk through how we started rebuilding trust with teams who didn&#8217;t want to work with us&#8212;by first learning how our product actually worked and what the business actually needed. You&#8217;ll leave with questions every security team should be asking their product counterparts, tactics for embedding security into the roadmap without slowing it down, and ideas for transforming from checkbox-driven blockers into true partners. Whether you&#8217;re leading a program or just trying to get un-ghosted by your engineers, this talk will help you make security relevant, respected, and real.</abstract>
                <slug>security-bsides-las-vegas-2025-67443-security-theater-now-playing-when-security-is-a-sideshow-instead-of-a-strategy</slug>
                <track>Proving Ground</track>
                
                <persons>
                    <person id='68443'>Vanessa Redman</person><person id='68081'>Mia Kralowetz</person>
                </persons>
                <language>en</language>
                <description>Security programs built on frameworks, checklists, and best practices can look great on paper&#8212;but without a deep understanding of the product and the business, they often fail to drive real outcomes. At best, they create friction. At worst, they create risk where there was none.

In this talk, I&#8217;ll share my journey inheriting a security program at a fast-paced fintech startup that was built entirely through the lens of compliance&#8212;without aligning to how the product worked or how the company actually made money. Security was seen as a service function, not a partner. Trust was low, leadership was in flux, and teams carried &#8220;security trauma&#8221; from past engagements from previous companies.

Through real examples and hard lessons, I&#8217;ll walk through how we started turning things around by asking better questions, building fluency in the business, and rethinking what effective security looks like. I&#8217;ll cover:

- How misunderstanding the product led us to focus on the wrong risks

- Key questions we started asking product, engineering, and leadership

- Tactical strategies for embedding security into the development lifecycle without slowing teams down

- How we shifted our posture from service provider to strategic enabler

- How AI and automation gave us back time and influence when headcount wasn&#8217;t an option

This talk blends storytelling, leadership lessons, and practical takeaways. It&apos;s designed for anyone trying to build or mature a security program in an environment with limited resources, unclear ownership, or complex dynamics. If you&#8217;re tired of playing defense in the dark&#8212;or struggling to get buy-in from teams that don&#8217;t trust you&#8212;this talk will give you a new lens and real strategies for making security work with the business, not just alongside it.</description>
                <recording>
                    <license></license>
                    <optout>false</optout>
                </recording>
                <links></links>
                <attachments></attachments>

                <url>https://pretalx.com/security-bsides-las-vegas-2025/talk/DD8DUT/</url>
                <feedback_url>https://pretalx.com/security-bsides-las-vegas-2025/talk/DD8DUT/feedback/</feedback_url>
            </event>
            <event guid='27f47fd6-1372-5b4a-9336-65b340674ba5' id='67689' code='9EAAT8'>
                <room>Firenze</room>
                <title>Shorts Begone: Modding YouTube on iOS (without jailbreaking)</title>
                <subtitle></subtitle>
                <type>Proving Ground Talk-25m</type>
                <date>2025-08-05T14:00:00-07:00</date>
                <start>14:00</start>
                <duration>00:25</duration>
                <abstract>iOS reverse engineering can seem daunting &#8211; where do you even begin? With jailbreaking iOS becoming increasingly difficult each year, you can no longer simply attach a debugger to your phone and analyse an app&#8217;s behaviour as you once could. However, new tools and frameworks have emerged that make it possible to modify apps without a jailbreak. This talk is designed as a practical guide from zero to hero, using the YouTube app as a case study &#8211; specifically, modding it to remove short-form content.

We&#8217;ll cover the history of iOS reverse engineering and tweak development, iOS app packaging, dynamic analysis, method swizzling, and in-app debugging. Plus, with the advent of Apple Silicon Macs, you don&#8217;t even need an iPhone to start reverse-engineering iOS apps.</abstract>
                <slug>security-bsides-las-vegas-2025-67689-shorts-begone-modding-youtube-on-ios-without-jailbreaking</slug>
                <track>Proving Ground</track>
                
                <persons>
                    <person id='69534'>MasterChen</person><person id='68353'>Navan</person>
                </persons>
                <language>en</language>
                <description>I was wasting far too much time mindlessly scrolling through YouTube Shorts&#8212;especially the black hole that is clips from Suits. After watching a few of Bryce Bostwick&#8217;s videos on YouTube, I was inspired to take matters into my own hands and figure out how I could rip out all short-form content entirely. After a few days of haxxing, I managed to do just that. This talk is a practical guide I wish I&#8217;d had when starting out&#8212;an introduction to practical iOS reverse engineering for beginners. What I found was that most online resources on iOS reverse engineering assume you have a jailbroken device you can simply connect to via GDB. That&#8217;s what makes this interesting to me&#8212;I added the constraint of doing everything on a non-jailbroken device. 

This talk will briefly explore the history of iOS reverse engineering and then move into practical techniques like:

* Dynamic Analysis with Frida: How to hook into iOS apps at runtime, inspect function calls, and modify behaviour on the fly
* Method Swizzling: Overriding Objective-C/Swift methods to change how apps function without modifying binaries
* FLEX &#8211; In-app debugging and exploration
* Theos and Tweak Development</description>
                <recording>
                    <license></license>
                    <optout>false</optout>
                </recording>
                <links></links>
                <attachments></attachments>

                <url>https://pretalx.com/security-bsides-las-vegas-2025/talk/9EAAT8/</url>
                <feedback_url>https://pretalx.com/security-bsides-las-vegas-2025/talk/9EAAT8/feedback/</feedback_url>
            </event>
            <event guid='4cbc1b56-9a05-581d-87e4-aeb4b0ba59f3' id='70314' code='RU39RL'>
                <room>Firenze</room>
                <title>Unawakened Wakeup: A Novel PHP Object Injection Technique to Bypass __wakeup()</title>
                <subtitle></subtitle>
                <type>Proving Ground Talk-25m</type>
                <date>2025-08-05T14:30:00-07:00</date>
                <start>14:30</start>
                <duration>00:25</duration>
                <abstract>Some PHP libraries mitigate PHP Object Injection by adding a `__wakeup()` that throws an exception in classes that could serve as Property-oriented Programming (POP) gadgets, eliminating them in one stroke. Traditional bypasses exploit interpreter bugs, yet patches quickly kill those attacks. This talk introduces a new bypass built on an **Arbitrary Object Instantiation (AOI) primitive**: we trigger dynamic class instantiation entirely outside the process of `unserialize()`, so the guarding `__wakeup()` never runs. The only prerequisite is a POP gadget that executes `new $className(...)`.  Because the technique relies solely on core language behavior, future patches are unlikely to break it. A live demo revives the retired Guzzle/RCE1 chain of PHPGGC and gains remote code execution on a default Neos Flow installation.

Takeaways &#8212; Pentesters: learn how to resurrect &#8220;dead&#8221; chains and locate AOI primitives; Developers: adopt practical defenses such as migrating to JSON or adding HMAC-protected serialization.</abstract>
                <slug>security-bsides-las-vegas-2025-70314-unawakened-wakeup-a-novel-php-object-injection-technique-to-bypass-wakeup</slug>
                <track>Proving Ground</track>
                
                <persons>
                    <person id='70653'>Mat Saulnier</person><person id='70506'>Hiroki Matsukuma</person>
                </persons>
                <language>en</language>
                <description>This bypass was conceived about 5 years ago when I tried to hack an Neos Flow application in our business. At the time, I was a novice in POI, but the change of mindset allowed me to build the bypass technique. I am currently out of the field due to a change in my life stage, but I am challenging the CFP to prove that everyone can create opportunities to present their research even if they are out of the field.

This content has been presented at m0leCon this year, a security conference organized by the CTF team &quot;pwnthem0le&quot; and &quot;Politecnico di Torino&quot;, the oldest polytechnic university in Italy. The presentation covered an introduction to PHP Object Injection, explained how POP gadgets are mitigated by overriding `__wakeup()`, and demonstrated how to bypass the mitigation to revive the Guzzle/RCE1 gadget.
It was the first technical presentation for me and some subjects and regrets have remained. So I would like to improve my in-English presentation skill at Proving Ground in Security BSides Las Vegas 2025.</description>
                <recording>
                    <license></license>
                    <optout>false</optout>
                </recording>
                <links></links>
                <attachments></attachments>

                <url>https://pretalx.com/security-bsides-las-vegas-2025/talk/RU39RL/</url>
                <feedback_url>https://pretalx.com/security-bsides-las-vegas-2025/talk/RU39RL/feedback/</feedback_url>
            </event>
            <event guid='72c34dc5-b6eb-5528-818a-04ae52c7341d' id='67803' code='SWPNGK'>
                <room>Firenze</room>
                <title>Boost Your Career: Get Practical InfoSec Experience in Your Community!</title>
                <subtitle></subtitle>
                <type>Proving Ground Talk-25m</type>
                <date>2025-08-05T15:00:00-07:00</date>
                <start>15:00</start>
                <duration>00:25</duration>
                <abstract>Enhance your career in privacy, security, and open source by actively engaging with your local community. Discover how working with low-income students and their parents not only sharpens your own skills but also cultivates a culture of awareness and responsibility. Get ready to roll up your sleeves and gain hands-on experience right in your hometown! This session will provide you with actionable strategies from my journey in guiding K-12 students and their families as they learn about security and privacy. Together, we can empower the next generation and strengthen our communities&#8212;one practical lesson at a time. Don&#8217;t sit on the sidelines; seize this opportunity to elevate your career while making a real impact! Join us and take the first step toward your future!</abstract>
                <slug>security-bsides-las-vegas-2025-67803-boost-your-career-get-practical-infosec-experience-in-your-community</slug>
                <track>Proving Ground</track>
                
                <persons>
                    <person id='67925'>Mea Clift</person><person id='68454'>Ashley Cihak</person>
                </persons>
                <language>en</language>
                <description>After feeling lost in roles that didn&#8217;t fulfill me, I took some time to reflect on how to create change in my life. With a longstanding interest in security and a concern for the lack of knowledge many people have about safe internet browsing, I decided to immerse myself in this field. Fortunately, I discovered a club dedicated to helping low-income students in the community gain internet access, enabling them to compete with their classmates in terms of information and knowledge. From my very first meeting, I knew I had found something that would truly fulfill me. I was later elected President of the club, where I not only assist students but also manage tasks such as loading open-source software on desktops and troubleshooting bugs in our systems. This role has allowed me to streamline our processes while honing my professional skills. During this talk I would like to share my passion for open source and giving back to others in true open source fashion. I am eager to share my experiences and inspire others to seek hands-on opportunities that enable them to develop skills while making a positive impact in their communities. Last year this topic was mentioned at I Am The Cavalry during a talk done by Ira Victor; throughout the rest of the conference we had many people come up and talk to us about how to get more involved. Not only would I have a mentor from Proving Ground, but I would also have the assistance of an infosec and DFIR expert who was a previous BSides speaker, to also help mentor me with this talk.</description>
                <recording>
                    <license></license>
                    <optout>false</optout>
                </recording>
                <links></links>
                <attachments></attachments>

                <url>https://pretalx.com/security-bsides-las-vegas-2025/talk/SWPNGK/</url>
                <feedback_url>https://pretalx.com/security-bsides-las-vegas-2025/talk/SWPNGK/feedback/</feedback_url>
            </event>
            <event guid='d8f3b2fd-c00a-52ea-999b-bb72ccd078d2' id='67936' code='HZTYYL'>
                <room>Firenze</room>
                <title>Let&apos;s Go Shopping: Third-Party Vendors and CyberRisk</title>
                <subtitle></subtitle>
                <type>Proving Ground Talk-25m</type>
                <date>2025-08-05T15:30:00-07:00</date>
                <start>15:30</start>
                <duration>00:25</duration>
                <abstract>As organizations increasingly adopt cloud technologies and artificial intelligence, the attack surface expands, heightening the risk of data breaches and security incidents. Third-party vendors play a significant role in this dynamic, often introducing additional vulnerabilities into the ecosystem.

This presentation aims to provide organizations, practitioners, and individual contributors with an accessible and familiar framework for evaluating and onboarding potential vendors. By implementing effective third-party risk management strategies, attendees will learn how to mitigate risks and protect their organization&apos;s critical data.</abstract>
                <slug>security-bsides-las-vegas-2025-67936-let-s-go-shopping-third-party-vendors-and-cyberrisk</slug>
                <track>Proving Ground</track>
                <logo>/media/security-bsides-las-vegas-2025/submissions/HZTYYL/Groce_nGl1CaN.png</logo>
                <persons>
                    <person id='65699'>Meghan Jacquot</person><person id='68557'>Rafael Ayala</person>
                </persons>
                <language>en</language>
                <description>We engage in third-party risk management (TPRM) on a weekly, if not daily, basis through various activities such as shopping for clothes, toys, and food. This talk will explore the analogy of a grocery store to better understand how we practice TPRM in our daily lives and how this can serve as a foundation for robust cyber hygiene.

Key terms and concepts that will be visited in this talk are the Criticality of a Vendor, the Inherent Risk of a Vendor, and what considerations may affect these two variables. 

The talk will go through the different aisles of a grocery store to see how we vet our shopping cart:
* Stationery
* Food
* Flowers
* Etc.

The conclusion of this talk will emphasize using our everyday shopping habits as a model for effective TPRM. This approach aims to empower attendees in their role in cybersecurity, highlighting the importance of individual contributions to the overall security framework.</description>
                <recording>
                    <license></license>
                    <optout>false</optout>
                </recording>
                <links></links>
                <attachments></attachments>

                <url>https://pretalx.com/security-bsides-las-vegas-2025/talk/HZTYYL/</url>
                <feedback_url>https://pretalx.com/security-bsides-las-vegas-2025/talk/HZTYYL/feedback/</feedback_url>
            </event>
            <event guid='5ed0326b-b4a1-5f2c-8208-986b02561473' id='67690' code='TRVZRS'>
                <room>Firenze</room>
                <title>Malicious Packages - they&apos;re gonna get ya!</title>
                <subtitle></subtitle>
                <type>Proving Ground Talk-25m</type>
                <date>2025-08-05T17:30:00-07:00</date>
                <start>17:30</start>
                <duration>00:25</duration>
                <abstract>Supply chain security has been all the rage recently - we keep hearing over and over again, about how numerous malicious packages have been found on this package repository or that. This talk gives an overview of malicious packages and the different ways that they can pose a danger: from simple mistakes like mistyping a package name all the way up to well known and loved packages being compromised. 


So how can we protect ourselves from these threats? There are various options such as checking package health, source code reviews/scans, or use of tooling such as SCA tools. SCA scans, while very useful for vulnerability scanning, cannot be relied upon to protect against malicious packages. This talk will discuss their blind spots and other options for adding further protection. It will further reinforce that security should always take a multi-layered approach.</abstract>
                <slug>security-bsides-las-vegas-2025-67690-malicious-packages-they-re-gonna-get-ya</slug>
                <track>Proving Ground</track>
                
                <persons>
                    <person id='68410'>Allan Friedman</person><person id='69269'>Megg Sage</person>
                </persons>
                <language>en</language>
                <description>Over the past few years as a developer and then a security engineer, I&apos;ve been tasked with upgrading packages due to vulnerabilities countless times, and more recently implemented tooling to detect these vulnerabilities. Throughout this work, one subset of vulnerable packages has really stood out to me - malicious packages. They come in many different shapes and sizes. Their risks appear when adding new packages, or when updating existing packages previously thought to be safe. This talk will discuss what malicious packages do, where they come from, the different types, and the risks associated with them. Examples will be provided for each of the various different types. The recent compromise of xz utils will be given as an example of just how far some attackers will go to compromise legitimate packages. If any other particularly noteworthy examples come up within the next few months, those may be discussed as well.

The talk will then discuss different solutions for protecting against these risks. There are many tactics when it comes to new dependencies - reviewing package health, verifying package names, code review / scanning, etc. As well, many companies implement Software Composition Analysis (SCA) tools to detect vulnerable packages. These, however, are insufficient to protect against malicious packages. These tools have an obvious weakness in that they can only catch known malicious packages. They also miss the danger that malicious packages can pose as soon as they&apos;re run on a developer&apos;s machine, which is often long before any SCA tool will scan them. Malicious packages can also pose a danger in CI/CD pipelines, particularly if they&apos;re in testing or build tools (&quot;dev dependencies&quot;), which may run before any SCA tools do (assuming the tool(s) used even scan dev dependencies). Additional protections such as EDR, private package repositories, and package integrity will also be discussed along with their associated weaknesses. In closing, the talk will highlight the need to have multiple layers of defense and remind us that malicious packages are not the only source of supply chain attacks to be vigilant about.</description>
                <recording>
                    <license></license>
                    <optout>false</optout>
                </recording>
                <links></links>
                <attachments></attachments>

                <url>https://pretalx.com/security-bsides-las-vegas-2025/talk/TRVZRS/</url>
                <feedback_url>https://pretalx.com/security-bsides-las-vegas-2025/talk/TRVZRS/feedback/</feedback_url>
            </event>
            <event guid='887d8f28-f129-5f11-add9-43626db1cfc2' id='69932' code='Z3RMSJ'>
                <room>Firenze</room>
                <title>Take all my money &#8211; penetrating ATMs</title>
                <subtitle></subtitle>
                <type>Proving Ground Talk-25m</type>
                <date>2025-08-05T18:00:00-07:00</date>
                <start>18:00</start>
                <duration>00:25</duration>
                <abstract>Who needs money to grow on trees when you can make it rain out of an ATM!  If this sounds like something that you would be interested in, this talk is for you!  
In this talk you will hear career war stories from an ATM pentester.  Other topics that will be covered include technical aspects of ATM hacking, common tools used, as well as troubles that can arise when trying to set up an ATM test.
Attendees will leave with a better understanding of the composition of an ATM, a basic methodology to approach ATM penetration testing with, and some crazy stories that will be shared with anyone that will listen.</abstract>
                <slug>security-bsides-las-vegas-2025-69932-take-all-my-money-penetrating-atms</slug>
                <track>Proving Ground</track>
                
                <persons>
                    <person id='65707'>Jonathan Fischer</person><person id='70358'>Fredrik Sandstr&#246;m</person>
                </persons>
                <language>en</language>
                <description>In this presentation we will discuss real-world examples of cybersecurity issues with ATMs. Ever wondered what it takes to make an ATM spew out cash? You&#8217;ll hear some war stories from Fredrik&#8217;s career penetration testing ATMs, which include the technical aspects of ATM hacking, like tools, but also troubles that can arise when trying to set up an ATM test.</description>
                <recording>
                    <license></license>
                    <optout>false</optout>
                </recording>
                <links></links>
                <attachments></attachments>

                <url>https://pretalx.com/security-bsides-las-vegas-2025/talk/Z3RMSJ/</url>
                <feedback_url>https://pretalx.com/security-bsides-las-vegas-2025/talk/Z3RMSJ/feedback/</feedback_url>
            </event>
            <event guid='8e4ef7ba-148f-5f40-ad1f-dbe2083adf89' id='68748' code='X7ERWF'>
                <room>Firenze</room>
                <title>Broke but Breached: Secret Scanning at Scale on a Student Budget</title>
                <subtitle></subtitle>
                <type>Proving Ground Talk-25m</type>
                <date>2025-08-05T18:30:00-07:00</date>
                <start>18:30</start>
                <duration>00:25</duration>
                <abstract>Secrets are being leaked at an alarming rate&#8212;hardcoded API keys, tokens, credentials&#8212;you name it, it&#8217;s out there. From SolarWinds to everyday developers, secret exposure has become one of the top root causes of major breaches. 

But _what if you could scan for these secrets&#8230; at scale? On a student budget?_

This talk is a deep dive into how I used Kubernetes, cloud credits, and some infrastructure hacking to scan VS Code extensions and other public sources for secrets&#8212;effectively and cheaply. Whether you&apos;re a cloud security enthusiast, a DevOps tinkerer, or just broke and curious, this talk will show how to harness distributed systems and automation to do big things with limited resources.</abstract>
                <slug>security-bsides-las-vegas-2025-68748-broke-but-breached-secret-scanning-at-scale-on-a-student-budget</slug>
                <track>Proving Ground</track>
                
                <persons>
                    <person id='67528'>Ming Chow</person><person id='69218'>Raviteja</person>
                </persons>
                <language>en</language>
                <description>Secrets are being pushed everywhere in the wild. Given that most major security breaches involve secrets being exposed&#8212;like the SolarWinds breach and many others&#8212;I became fascinated by how often secrets are being publicly leaked and how little effort it can take to find them if you know where to look.

I wanted to perform secret scanning at scale, but I&#8217;m a student with a limited budget. So I&#8217;m going to talk about how I maximized the compute power available to me using Kubernetes and leveraged it to scan for secrets at scale.

### Infrastructure Setup:

Given my constraints as a broke college student, I looked at what I had available: I recently completed my CKA and CKS certifications, and I had access to $100 in free Azure credits through a student account, plus similar free-tier resources across various cloud providers. My solution? Use Kubernetes to orchestrate compute resources across multiple accounts.

To set up the infrastructure, I used K3s to run a master node on my Azure account using those $100 credits very carefully. Then, I asked a few friends&#8212;also students&#8212;to use their own free credits to spin up virtual machines in their Azure accounts. I connected all of these together using Tailscale, putting them on the same virtual network. K3s was the best choice due to its lightweight footprint and simplicity.

Right now, I&#8217;m building out a Terraform configuration so I can just give my friends a link to my Terraform Cloud project. That way, they can deploy their own VM and have it automatically join my cluster. This assumes a level of trust between me and them. I&#8217;m actively working on a secure abstraction layer so they can deploy without being exposed to (or able to access) any secrets.


#### Scanning VS Code Extensions:
The next phase of the project is to scan VS Code extensions for secrets. It might seem like overkill, especially considering Microsoft&#8217;s API rate limits, but I have a workaround.

Here&#8217;s how it works:
- Every morning, a Kubernetes CronJob spins up and pulls a fresh list of VS Code extensions recently published to the marketplace.
- These extensions are then distributed to Docker containers running TruffleHog, which scan them for known patterns of exposed secrets.
- Redis is used for fast, in-memory storage of scan results.
- Every 3 minutes, Redis syncs with a persistent master database for durability and redundancy.
- All of this orchestration and data handling is written in Go.


##### API Rate Limiting and IP Rotation:
Microsoft is fairly generous with rate limits, but I wanted to plan for scale. 
I set up a paid VPN service and developed a solution where IP addresses are rotated using a FIFO queue in AWS SQS. IPs are rotated in and out of the queue based on usage, helping me work around API rate limits.

This idea is still being refined, but it&apos;s designed to allow future scaling with more nodes and broader scanning capabilities.

### Current Status:

To test the idea, I wrote a quick set of Python 3 scripts and downloaded around 10,000 VS Code extensions. I&#8217;ve already identified exposed credentials including:
OpenAI keys, Hugging Face tokens, AWS credentials, SSH private keys, and more.

Since this initial proof of concept was successful, I plan to slowly expand the setup, refine the automation, and run these scans at scale as explained above.

### Tools:
- Kubernetes (K3s)
- Tailscale (networking)
- Terraform Cloud (for easy node deployment)
- Docker
- TruffleHog &#8211; https://github.com/trufflesecurity/trufflehog
- Redis (fast key-value storage)
- GoLang (core orchestration logic)
- Python3 (initial PoC + scraping scripts)
- AWS SQS (FIFO) &#8211; used for VPN IP queueing
- Amazon DocumentDB (it&apos;s in the always-free tier)

---
### &#128204; A Note to the CFP Review Board

**Just a quick note** &#8212; *I&apos;m still working on the explained setup for my talk*, and the outline I&apos;m submitting right now reflects my current plan. *Some things might evolve* as I make progress and depending on how everything comes together. Also, *please reach out to me before the talk title is published on the website.* I&#8217;m planning to collaborate with a few folks and want to give them a heads-up before anything goes public.</description>
                <recording>
                    <license></license>
                    <optout>false</optout>
                </recording>
                <links></links>
                <attachments></attachments>

                <url>https://pretalx.com/security-bsides-las-vegas-2025/talk/X7ERWF/</url>
                <feedback_url>https://pretalx.com/security-bsides-las-vegas-2025/talk/X7ERWF/feedback/</feedback_url>
            </event>
            
        </room>
        <room name='Tuscany' guid='01e2c16b-4148-5a9e-8f94-475ed218f5d1'>
            <event guid='c8c9c6ce-6942-53dc-abe8-dbaec2fb439c' id='68487' code='7EYXUL'>
                <room>Tuscany</room>
                <title>Reversing F5 Service Password Encryption</title>
                <subtitle></subtitle>
                <type>Talk-20m</type>
                <date>2025-08-05T10:00:00-07:00</date>
                <start>10:00</start>
                <duration>00:20</duration>
                <abstract>F5 load balancers and other products store secrets in configuration files encrypted by a unit-specific master key. This talk describes how, with access to an F5 device via an exploit or legitimate access, the master key can be extracted and configuration passwords decrypted. This talk will also share a weaponized version of an F5 exploit with the added functionality. These techniques are not documented; however, the technique was determined through a careful reading of the documentation and manipulation of the data storage formats. Learn the secrets of the $M$ password storage format today.</abstract>
                <slug>security-bsides-las-vegas-2025-68487-reversing-f5-service-password-encryption</slug>
                <track>PasswordsCon</track>
                
                <persons>
                    <person id='69077'>Dustin Heywood</person>
                </persons>
                <language>en</language>
                <description>This technique was developed in 2022 by X-Force and withheld from broader distribution for several years to protect the broader community. Now that it&apos;s 2025, the weaponized version of the CVE-2022-1388 exploit will be released (we modified a zephyphish exploit). The gist of it is this:

1. retrieve f5 master key from unit with `f5mku -K` and that gives the master key

2. the password storage is effectively AES-128 in Electronic Codebook Mode, as demonstrated with this python snippet

        # get the master key from the F5
        master_key_str = get_master_key(target_url)
        # decode the master key
        master_key_data = base64.b64decode(master_key_str)
        # it's basically salted AES in ECB mode
        aes = AES.new(master_key_data, AES.MODE_ECB)
        # loop over the goods to decrypt
        for ciphertext in password_list:
            # grab everything past $M$xx$ which is the ciphertext
            cipher_data = base64.b64decode(ciphertext[6:])
            # we store in cleartext because we need to chop off the salt and decode it
            cleartext = aes.decrypt(cipher_data)
            # displaytext = decoded text with salt
            displaytext = cleartext.decode(&quot;utf-8&quot;)
            # xtext is what we finally show after the salt has been removed, the value of xx above
            xtext = displaytext.removeprefix(ciphertext[3:5])
            # show the final text
            print(&quot;Ciphertext: &quot; + str(ciphertext) + &quot; Cleartext: &quot; + xtext)

    return

This really could be 10 minutes but I&apos;m going to add some history to the talk</description>
                <recording>
                    <license></license>
                    <optout>false</optout>
                </recording>
                <links></links>
                <attachments></attachments>

                <url>https://pretalx.com/security-bsides-las-vegas-2025/talk/7EYXUL/</url>
                <feedback_url>https://pretalx.com/security-bsides-las-vegas-2025/talk/7EYXUL/feedback/</feedback_url>
            </event>
            <event guid='50a58e6d-3d83-5f96-bd4c-4f1574d69f2f' id='68691' code='JAZY78'>
                <room>Tuscany</room>
                <title>Phish-Back: How to turn the problem into a solution.</title>
                <subtitle></subtitle>
                <type>Talk-20m</type>
                <date>2025-08-05T10:30:00-07:00</date>
                <start>10:30</start>
                <duration>00:20</duration>
                <abstract>What if the solution to the major problem of identity theft was to play the same game as our opponents? Following a major crisis caused by spear phishing, we immersed ourselves in developing a defense strategy that we called &#8220;Phish-Back,&#8221; the only real technical way to recover stolen credentials that don&apos;t end up on marketplaces.

But exposing defensive phishing pages to the internet comes with many challenges. From managing dozens of fingerprinting technologies to eliminating the phenomenal noise of the internet, this talk will detail all the technical challenges we encountered and the surprising results we achieved.</abstract>
                <slug>security-bsides-las-vegas-2025-68691-phish-back-how-to-turn-the-problem-into-a-solution</slug>
                <track>PasswordsCon</track>
                <logo>/media/security-bsides-las-vegas-2025/submissions/JAZY78/phish_jxyuyAE.png</logo>
                <persons>
                    <person id='69234'>Gautier Bugeon</person>
                </persons>
                <language>en</language>
                <description>As explained in the abstract, I worked as a SOC Manager for international companies for nearly 10 years. A little over two years ago, I was confronted with the worst cyber crisis management of my career due to spear phishing. I then came up with this &#8220;phish-back&#8221; strategy to finally regain technical control over the issue of identity theft, which is currently mainly managed through employee awareness.

As there has been very little public research on this topic, the team I put together has experimented and learned how to create the best defensive phishing techniques. The goal of this approach is to create fake pages exposed to the internet that would tempt attackers to try out what they have stolen in order to gain access to the network. 

The goal of this talk is to present our work and explain to technical teams how they can implement such a strategy in their organization. There are many technical pitfalls to avoid and a huge amount of reverse engineering to anticipate in order to prevent adversaries from discovering that this is a fake gateway to the network.  The 20-minute talk will consist of approximately 15 minutes of technical presentations/demos and 5 minutes of context and results.

The part that excites me the most is presenting the results we have observed over the last two years. As a technical expert and pentester, I knew the strategy was great, but I had no idea that attackers would take the bait so readily. I am very happy to present these research results and give back to the community.

You may notice that I have built a company around this strategy after working on it for many months as a side project with my team. I am passionate about cyber security above all else, and the name of our company or the products we sell will never be mentioned once in the presentation. I have attended dozens of conferences in my life, and nothing would annoy me more than seeing someone come and sell something at this type of conference. This is first and foremost a technical conference, by an enthusiast and for enthusiasts.</description>
                <recording>
                    <license></license>
                    <optout>false</optout>
                </recording>
                <links></links>
                <attachments></attachments>

                <url>https://pretalx.com/security-bsides-las-vegas-2025/talk/JAZY78/</url>
                <feedback_url>https://pretalx.com/security-bsides-las-vegas-2025/talk/JAZY78/feedback/</feedback_url>
            </event>
            <event guid='0d147a0d-056e-5fa2-8131-49bc4d5209f1' id='69843' code='NK9P3P'>
                <room>Tuscany</room>
                <title>Lessons from Black Swan Events and Building Anti-Fragile Cybersecurity Systems</title>
                <subtitle></subtitle>
                <type>Talk-20m</type>
                <date>2025-08-05T11:00:00-07:00</date>
                <start>11:00</start>
                <duration>00:20</duration>
                <abstract>In this engaging session, Dave will explore how organizations can go beyond resilience to create anti-fragile systems&#8212;cybersecurity strategies that not only survive but thrive under unexpected disruptions like black swan events.
Drawing on real-world examples, including the infamous WannaCry ransomware attack, he&#8217;ll cover:
The concept of anti-fragility and its relevance to cybersecurity in 2025.

Why basic security hygiene&#8212;especially password management&#8212;remains critical.

Practical steps like implementing MFA, extended access management, using password managers, and fostering cybersecurity awareness to reduce breach risks.

Don&#8217;t miss this opportunity to gain practical guidance and valuable insights into preparing your organization for the ever-evolving threat landscape.</abstract>
                <slug>security-bsides-las-vegas-2025-69843-lessons-from-black-swan-events-and-building-anti-fragile-cybersecurity-systems</slug>
                <track>PasswordsCon</track>
                
                <persons>
                    <person id='70282'>Dave Lewis</person>
                </persons>
                <language>en</language>
                <description>Dumpster fires litter a virtual landscape defined by unpredictability and accelerating digital threats, and cybersecurity must evolve beyond traditional notions of resilience. In this compelling session, Dave Lewis explores how organizations can move past merely withstanding disruption to actively benefiting from it by building anti-fragile cybersecurity systems. Borrowing from the work of Nassim Nicholas Taleb, Dave will introduce the concept of anti-fragility&#8212;the idea that certain systems grow stronger when exposed to volatility, shocks, and stressors&#8212;and examine its practical relevance in today&#8217;s cybersecurity landscape.

Through vivid real-world examples, including a deep dive into the global impact and lessons learned from the WannaCry ransomware attack, Dave will illustrate how black swan events can expose critical systemic weaknesses&#8212;but also create opportunities to reimagine how we defend our digital environments. He will argue that while advanced security solutions play a role, it&#8217;s the foundational elements&#8212;such as password management, widespread adoption of multi-factor authentication, and a culture of cyber awareness&#8212;that often make the difference between a breach and a bullet dodged.

This session is designed to equip security professionals, technical leaders, and business stakeholders with actionable guidance to help their organizations not just survive the next unexpected crisis, but emerge stronger because of it. Attendees will leave with a clear understanding of anti-fragile principles and how to apply them to create cybersecurity programs that are not just reactive or robust, but dynamically adaptive in the face of chaos.</description>
                <recording>
                    <license></license>
                    <optout>false</optout>
                </recording>
                <links></links>
                <attachments></attachments>

                <url>https://pretalx.com/security-bsides-las-vegas-2025/talk/NK9P3P/</url>
                <feedback_url>https://pretalx.com/security-bsides-las-vegas-2025/talk/NK9P3P/feedback/</feedback_url>
            </event>
            <event guid='0b6e69b7-4593-5f78-860a-c4e680363585' id='69219' code='XTUW3N'>
                <room>Tuscany</room>
                <title>Taking down the power grid!</title>
                <subtitle></subtitle>
                <type>Talk-45m</type>
                <date>2025-08-05T14:00:00-07:00</date>
                <start>14:00</start>
                <duration>00:45</duration>
                <abstract>The talk is a step-by-step war story on how we as a Red Team were able to go from nothing to physical access to the EMP secure server room with the servers that control the power grid for a large part of the country.</abstract>
                <slug>security-bsides-las-vegas-2025-69219-taking-down-the-power-grid</slug>
                <track>PasswordsCon</track>
                
                <persons>
                    <person id='67453'>John-Andr&#233; Bj&#248;rkhaug</person>
                </persons>
                <language>en</language>
                <description>The talk is a step-by-step war story on how we as a Red Team were able to go from nothing to physical access to the EMP secure server room with the servers that control the power grid for a large part of the country. It contains topics such as infrastructure hacking, default passwords, PIN code &quot;eavesdropping&quot;, access card encryption key revelation, access card cloning, social engineering, etc. It is a scary story on how it was possible to get access to the EMP secure server room for a power company, and place a dummy bomb.</description>
                <recording>
                    <license></license>
                    <optout>false</optout>
                </recording>
                <links></links>
                <attachments></attachments>

                <url>https://pretalx.com/security-bsides-las-vegas-2025/talk/XTUW3N/</url>
                <feedback_url>https://pretalx.com/security-bsides-las-vegas-2025/talk/XTUW3N/feedback/</feedback_url>
            </event>
            <event guid='4d29e194-ebc6-57d8-a1a4-ac6b88e5e6ac' id='69865' code='KX3CRZ'>
                <room>Tuscany</room>
                <title>What to Tell Your Developers About NHI Secrets Security and Governance</title>
                <subtitle></subtitle>
                <type>Talk-45m</type>
                <date>2025-08-05T15:00:00-07:00</date>
                <start>15:00</start>
                <duration>00:45</duration>
                <abstract>Non-Human Identities (NHIs) like service accounts, bots, and automation now outnumber humans by at least 45 to 1, and are a top target for attackers. Their rapid growth has outpaced traditional security controls, and simply securing secrets is not enough; attackers exploit blind trust in tokens and credentials every day. With the release of the OWASP Top 10 Non-Human Identity Risks in 2025, we finally have clear guidance on where the biggest threats lie and how to prioritize remediation. 

But OWASP isn&apos;t alone, industry experts agree: NHI security is an urgent, organization-wide challenge that goes far beyond IT. Shadow IT and AI-powered automation are accelerating the problem, making strong identity governance and access management (IAM) essential. Developers need to understand the risks, leverage the latest best practices, and advocate for a holistic approach to NHI security. By raising awareness and driving governance across teams, we can start to control the chaos and protect our organizations as NHIs continue to proliferate.</abstract>
                <slug>security-bsides-las-vegas-2025-69865-what-to-tell-your-developers-about-nhi-secrets-security-and-governance</slug>
                <track>PasswordsCon</track>
                
                <persons>
                    <person id='70298'>Dwayne McDaniel</person>
                </persons>
                <language>en</language>
                <description>Non-Human Identities (NHIs) outnumbered humans 45 to 1 in 2022. Given that their access abuse is one of the most easily exploited attack paths, we really need to get a handle on NHI security right now. But how do we start? What do we even tell the developer? We can&apos;t tell them to just not keep building applications, and secrets security alone has not addressed all the concerns NHI security requires.

Once again, OWASP is here to shed some light on the situation right as this issue becomes a major, mainstream concern. In January of 2025, they released the Top 10 Non-Human Identity Risks, which highlights exactly how NHIs keep getting exploited and gives us a guide to raising awareness and prioritizing and remediating the situation inside our organizations.

But they are not the only ones who released a guide or even a top 10 list. This talk will guide us through the commonalities of all the published wisdom around NHI security, and we will end with a discussion that governance is a path forward but will need to go through IAM and, eventually, the whole organization.</description>
                <recording>
                    <license></license>
                    <optout>false</optout>
                </recording>
                <links></links>
                <attachments></attachments>

                <url>https://pretalx.com/security-bsides-las-vegas-2025/talk/KX3CRZ/</url>
                <feedback_url>https://pretalx.com/security-bsides-las-vegas-2025/talk/KX3CRZ/feedback/</feedback_url>
            </event>
            <event guid='ed77b195-d0b9-519c-8803-6a27cd532594' id='66787' code='7PHURF'>
                <room>Tuscany</room>
                <title>Cracking 936 Million Passwords</title>
                <subtitle></subtitle>
                <type>Talk-45m</type>
                <date>2025-08-05T17:00:00-07:00</date>
                <start>17:00</start>
                <duration>00:45</duration>
                <abstract>My experience cracking 936 million passwords.
It is challenging to crack passwords at scale.
I will discuss the hardware I used, tools used, wordlists, custom rules,
CPU vs GPU tradeoff, found password statistics and defenses against password
cracking. To date, I have found 92% of the passwords.</abstract>
                <slug>security-bsides-las-vegas-2025-66787-cracking-936-million-passwords</slug>
                <track>PasswordsCon</track>
                
                <persons>
                    <person id='67483'>Jeff Deifik</person>
                </persons>
                <language>en</language>
                <description>0 About Me

1 A brief history of password cracking

2 Dump from Have I Been Pwned
    Good news &#8211; they are NTLM format
    Bad news &#8211; 936,000,000
    This requires a Big Data approach and lots of RAM

3 Hardware and software used
    Strategy used to crack passwords
    Rainbow Tables
        Good for finding a few passwords, bad for finding millions of passwords
    John the Ripper
        Infrequent official releases, Many unofficial releases
        Poor Graphical Processor Unit (GPU) Windows support
        Easy to make custom rules
        Good mailing list support
    Hashcat
        6.2.6 latest release Sep 2022
        Great GPU acceleration
        Primitive rule syntax
        Dictionary attacks take a lot of memory
    Custom Tools I wrote
    Custom Rules
    The exponential cost of finding passwords
    You will never find all of the passwords

4 Found passwords
    Found password statistics
    Control characters in passwords

5 Defense against having your password cracked
    Don&apos;t use NTLM
    2 factor authentication
    Use cryptographically strong random passwords
    Use a password manager</description>
                <recording>
                    <license></license>
                    <optout>false</optout>
                </recording>
                <links>
                    <link href="https://jdeifik.com/Cracking_936_Million_Passwords.pdf">slides</link>
                </links>
                <attachments></attachments>

                <url>https://pretalx.com/security-bsides-las-vegas-2025/talk/7PHURF/</url>
                <feedback_url>https://pretalx.com/security-bsides-las-vegas-2025/talk/7PHURF/feedback/</feedback_url>
            </event>
            <event guid='ecaf14ef-e357-5961-af86-97d5b8132c7e' id='68760' code='QPBRHA'>
                <room>Tuscany</room>
                <title>Cracking Hidden Identities: Understanding the Threat Surface of Hidden Identities and Protecting them Against Password Exposure</title>
                <subtitle></subtitle>
                <type>Talk-45m</type>
                <date>2025-08-05T18:00:00-07:00</date>
                <start>18:00</start>
                <duration>00:45</duration>
                <abstract>If a user account falls down in a forest, and it isn&#8217;t managed by the organization&#8217;s identity security policy, is its password still secure?
While there is ample discussion and research on organizational security policies and password governance of corporate accounts, the emergence of the &#8216;SaaS economy&#8217; has led to a rise in non-corporate and non-SSO identities that are not covered by corporate IdPs.
These identities are often hidden from organizational security systems, and fall outside of the purview of organizational password policies and identity security posture. As a consequence, they are left exposed to attack and easy exploitation, even though they are often used for work activity and handle sensitive corporate information.
This talk will dive into the world of &#8216;hidden&#8217; identities of non-corporate and non-SSO identities and analyze the implications with regard to password security and exploitation. We&#8217;ll define these identities, quantify them, and dive into specific risks such as password strength, password re-use, and password sharing, and offer methods and best practices on how to secure them.</abstract>
                <slug>security-bsides-las-vegas-2025-68760-cracking-hidden-identities-understanding-the-threat-surface-of-hidden-identities-and-protecting-them-against-password-exposure</slug>
                <track>PasswordsCon</track>
                
                <persons>
                    <person id='69305'>Or Eshed</person>
                </persons>
                <language>en</language>
                <description>This talk is based on research conducted by LayerX Security on its customer base, analyzing the identity and password security practices of end users for both corporate and non-corporate accounts. 
Some of the parameters for which we have metrics include:
&#8226;	Password strength (for both corporate and non-corporate accounts)
&#8226;	Usage patterns (of corporate vs. non-corporate account activity on SaaS apps)
&#8226;	Details of password re-use and cross-account password sharing
&#8226;	Account sharing between users
&#8226;	Usage patterns of SSO on corporate accounts (and SaaS applications)
&#8226;	Analysis of user password exposure based on public data breach databases
&#8226;	And more
Some key highlights from the research:
&#8226;	Corporate Passwords are Just as Weak as Personal Passwords: Over 54% of corporate passwords are classified as medium strength or below, meaning modern password-cracking tools and hardware could easily break them. This is remarkably close to the percentage of risky non-corporate passwords, where 58% of personal passwords were medium-strength or below.
&#8226;	Enterprises Are Blind to Most Identity Usage: Over 40% of SaaS applications in organizational networks are accessed via personal credentials. Moreover, over two-thirds of corporate login events are done without SSO. Together, they account for over 80% of SaaS activity on corporate networks and endpoints. This means security and IT teams are blind to usage of these accounts, and have little-to-no visibility and control over their activities, security controls (such as password security policies) or where they are used.
&#8226;	Just 2% of Users Are Organizations&#8217; Biggest Security Risk: These are users who have a history of exposure that includes exposed passwords, do not use SSO-backed passwords, and have weak passwords that can be easily cracked. If cybersecurity is all about risk management, these users are the biggest risk you should worry about.
&#8226;	Browser Extensions are a Significant Threat to Users&#8217; Identity: 66.6% of extensions have &#8216;high&#8217; or &#8216;critical&#8217;-level permissions and 40% of users have such extensions installed. 13% of extensions have access to users&#8217; cookies, meaning they could potentially use those cookies and access tokens to steal corporate identities.
In this talk, we&#8217;ll cover the research in detail to provide a strong empirical foundation and then use it to identify key password risks in the new &#8216;SaaS&#8217; economy and offer actionable best practices and guidelines to address these gaps.</description>
                <recording>
                    <license></license>
                    <optout>false</optout>
                </recording>
                <links></links>
                <attachments></attachments>

                <url>https://pretalx.com/security-bsides-las-vegas-2025/talk/QPBRHA/</url>
                <feedback_url>https://pretalx.com/security-bsides-las-vegas-2025/talk/QPBRHA/feedback/</feedback_url>
            </event>
            <event guid='b680a164-d4ea-5f4b-98df-934854f0e8e1' id='70743' code='KZGVRJ'>
                <room>Tuscany</room>
                <title>Global BSides Organizers Un-Conference Meet-Up</title>
                <subtitle></subtitle>
                <type>Event2HR</type>
                <date>2025-08-05T19:00:00-07:00</date>
                <start>19:00</start>
                <duration>03:00</duration>
                <abstract>Global BSides Organizers Un-Conference Meet-up

This year, we&apos;re adding a little light structure so we can gauge topics and have more non-blocking conversations.  If you organize a regional BSides conference, come hang out with your colleagues, make some connections, and learn!</abstract>
                <slug>security-bsides-las-vegas-2025-70743-global-bsides-organizers-un-conference-meet-up</slug>
                <track>Events</track>
                
                <persons>
                    <person id='65071'>milqtst</person>
                </persons>
                <language>en</language>
                <description>Global BSides Organizers Un-Conference Meet-Up

This year, we&apos;re adding a little light structure so we can gauge topics and have more non-blocking conversations.  If you organize a regional BSides conference, come hang out with your colleagues, make some connections, and learn!</description>
                <recording>
                    <license></license>
                    <optout>false</optout>
                </recording>
                <links></links>
                <attachments></attachments>

                <url>https://pretalx.com/security-bsides-las-vegas-2025/talk/KZGVRJ/</url>
                <feedback_url>https://pretalx.com/security-bsides-las-vegas-2025/talk/KZGVRJ/feedback/</feedback_url>
            </event>
            
        </room>
        <room name='Siena' guid='a031f724-3250-5948-9a09-d14574416a31'>
            <event guid='27bcba91-351f-5f39-ba5d-971e4b546234' id='69661' code='AHT3D8'>
                <room>Siena</room>
                <title>Mental Models to Anticipate the Next Stages of the AI and Cybersecurity Revolution</title>
                <subtitle></subtitle>
                <type>Talk-45m</type>
                <date>2025-08-05T10:00:00-07:00</date>
                <start>10:00</start>
                <duration>00:45</duration>
                <abstract>It may be difficult to predict the future of AI and cybersecurity. However, there are several mental models that we can use to see the shadow of what&apos;s to come. They give us clear thinking through patterns that clearly point to new threats and opportunities. This talk uses a few of these models to help us understand the present and the potential futures in AI and cybersecurity to systematically plan for what&apos;s next.</abstract>
                <slug>security-bsides-las-vegas-2025-69661-mental-models-to-anticipate-the-next-stages-of-the-ai-and-cybersecurity-revolution</slug>
                <track>Ground Truth</track>
                
                <persons>
                    <person id='70164'>Sounil Yu</person>
                </persons>
                <language>en</language>
                <description>AI and cybersecurity threats are evolving at a rapid pace and unfortunately, many of us are often caught off guard, reacting tactically to the latest issues rather than thinking strategically about what might come next. This talk delves into the power of mental models as a proactive tool to better understand, anticipate, and mitigate both current and future AI and cybersecurity risks.

I will cover several different mental models, such as the Cynefin Model, People Process Technology trio, OSI model, DIKW Pyramid, NIST CSF, Kahneman&#8217;s System 1 and 2, OODA loop, Cyber Defense Matrix, DIE Triad, and more.

Moreover, I&#8217;ll show what I have newly discovered when I combined these mental models. These new discoveries point directly to currently emerging and previously unforeseen risks, but they also reveal patterns for how to address these risks.

This is not just a theoretical discussion. These mental models support clear thinking for decision making and produce insights that can be translated into tactical actions. For example, the Cynefin model, when combined with the People Process Technology trio, reveals the hard limits of automation and indicates when we should rely upon technology vs services to tackle new challenges, such as GenAI. In another example, combining the DIKW Pyramid with the Cyber Defense Matrix and the OSI model shows fundamental flaws in data-centric approaches when dealing with the leakage of sensitive content through LLMs. I&apos;ll use the OODA loop to show how it can be applied to Agentic AI and what type of controls we will need to secure them.

Without the insights that these models reveal, we will approach the future blind. Even worse, we might approach the future with a false sense of assurance that our current controls will continue to work.</description>
                <recording>
                    <license></license>
                    <optout>false</optout>
                </recording>
                <links></links>
                <attachments></attachments>

                <url>https://pretalx.com/security-bsides-las-vegas-2025/talk/AHT3D8/</url>
                <feedback_url>https://pretalx.com/security-bsides-las-vegas-2025/talk/AHT3D8/feedback/</feedback_url>
            </event>
            <event guid='8b3e4787-1a0f-597a-9546-d4fd084c5613' id='68566' code='XH9W7Q'>
                <room>Siena</room>
                <title>Advancing Network Threat Detection Through Standardized Feature Extraction and Dynamic Ensemble Learning</title>
                <subtitle></subtitle>
                <type>Talk-20m</type>
                <date>2025-08-05T11:00:00-07:00</date>
                <start>11:00</start>
                <duration>00:20</duration>
                <abstract>This talk introduces a research-driven approach to improving network intrusion detection by combining standardized feature extraction techniques with dynamic ensemble machine learning. Traditional signature-based detection struggles to identify new or evolving attacks, and prior ML-based research often suffers from poor generalization due to narrow datasets and single-model reliance. This work addresses these shortcomings by proposing a standardized feature extraction framework focusing on metadata and flow-level statistics, training multiple diverse machine learning models, and developing a novel ensemble classifier to optimize detection based on class-specific model strengths. Experimental validation shows the ensemble maintains high detection accuracy (97.92%) across various traffic types while minimizing false positives, offering a promising foundation for building more adaptable and resilient network defenses.</abstract>
                <slug>security-bsides-las-vegas-2025-68566-advancing-network-threat-detection-through-standardized-feature-extraction-and-dynamic-ensemble-learning</slug>
                <track>Ground Truth</track>
                <logo>/media/security-bsides-las-vegas-2025/submissions/XH9W7Q/Advan_gYt2k8v.png</logo>
                <persons>
                    <person id='69130'>Jason Ford</person>
                </persons>
                <language>en</language>
                <description>This research is from my undergraduate senior thesis for my degree in Applied Computer Science - Cybersecurity from the University of South Carolina to be conferred in May 2025. Through my prior work in Infosec and an extensive literature review, I found deficiencies in both traditional NIDS solutions and ML-driven detection experiments that rely too heavily on limited datasets and monolithic classifiers. Over the past 18 months, I developed a feature extraction framework standardizing packet and flow statistics to enhance model generalization across multiple environments, including CTU-13, TON_IoT, USTC-TFC2016, and custom-collected benign traffic. Eight machine learning models were selected to represent varied classification strategies: Random Forest, Isolation Forest, Gaussian Mixture Models, Quadratic Discriminant Analysis, AdaBoost, XGBoost, CNN, and RNN.

I then designed the Ford-CSWV ensemble algorithm, which applies dynamic class-specific weighting to model outputs during classification, improving robustness across traffic variations. Experimental results demonstrate that while the ensemble yields only minor gains in overall accuracy compared to top individual models, it significantly improves stability and adaptability, which are critical for real-world implementations.

The talk will include a detailed walkthrough of the difference between NIDS and NDR, feature selection rationale, model training approaches, the mechanics of the Ford-CSWV ensemble classifier, and the classification results of my experiment. Slides include dataset comparisons, classifier diagrams, and ensemble methodology visuals. I will not be conducting a live demo, but the session will be highly visual and practical, and designed for security practitioners, researchers, and students interested in applied ML for cybersecurity.</description>
                <recording>
                    <license></license>
                    <optout>false</optout>
                </recording>
                <links></links>
                <attachments></attachments>

                <url>https://pretalx.com/security-bsides-las-vegas-2025/talk/XH9W7Q/</url>
                <feedback_url>https://pretalx.com/security-bsides-las-vegas-2025/talk/XH9W7Q/feedback/</feedback_url>
            </event>
            <event guid='ae2d75f0-ac34-5abc-820c-9db75f085949' id='67674' code='8KYQ3Q'>
                <room>Siena</room>
                <title>Increasing Complexity and Frequency of Cyber Events: Trends, Costs, and Risk Mitigation Strategies</title>
                <subtitle></subtitle>
                <type>Talk-45m</type>
                <date>2025-08-05T14:00:00-07:00</date>
                <start>14:00</start>
                <duration>00:45</duration>
                <abstract>Widespread cyber events are happening more frequently. Third-party risk continues to be top of mind. As cyber events grow more complex and privacy regulations remain dynamic, this session covers how some of the cost factors have changed and ways to navigate the changing risk environment.</abstract>
                <slug>security-bsides-las-vegas-2025-67674-increasing-complexity-and-frequency-of-cyber-events-trends-costs-and-risk-mitigation-strategies</slug>
                <track>Ground Truth</track>
                
                <persons>
                    <person id='68340'>Wendy Hou-Neely</person>
                </persons>
                <language>en</language>
                <description>The cyber claims and risk environment are evolving. The year 2024 was a record-breaking year for cyber events. The threat of ransomware events continues, and cyber events are growing in complexity. Cyber risk associated with third parties is increasing in complexity and frequency. Understanding digital supply chain risk is essential to cyber risk management. This session will show attendees some of the cost factors and ways to navigate the changing risk environment.

Marsh McLennan collects cybersecurity incidents, cybersecurity controls, and claims data from thousands of organizations in its client portfolio. There are different organization-dependent factors that contribute to the severity of cyber events. These include record counts and types in possession, industry, revenue, and cyber security controls.</description>
                <recording>
                    <license></license>
                    <optout>false</optout>
                </recording>
                <links></links>
                <attachments></attachments>

                <url>https://pretalx.com/security-bsides-las-vegas-2025/talk/8KYQ3Q/</url>
                <feedback_url>https://pretalx.com/security-bsides-las-vegas-2025/talk/8KYQ3Q/feedback/</feedback_url>
            </event>
            <event guid='5c2b703d-8d6e-5ead-96f2-84f1d46fb797' id='69839' code='TKNLJQ'>
                <room>Siena</room>
                <title>RAG Against the Machine: Using Retrieval-Augmented Generation and MCP to Fortify Cybersecurity Defenses</title>
                <subtitle></subtitle>
                <type>Talk-45m</type>
                <date>2025-08-05T15:00:00-07:00</date>
                <start>15:00</start>
                <duration>00:45</duration>
                <abstract>As threat actors evolve faster than our security tools, defenders need a new playbook&#8212;one that blends explainable AI with real-world cyber context. Enter CADDIE: a Retrieval-Augmented Generation (RAG) engine driven by the Model Context Protocol (MCP) to supercharge SOCs, auditors, and compliance teams. This talk will unpack how we use RAG + MCP to inject real-time policy, threat intel, and log data into large language models, enabling automation for tasks like gap analysis, alert triage, and regulatory mapping. Whether you&apos;re a blue teamer, GRC lead, or AI practitioner, you&apos;ll walk away understanding how to wield GenAI as a precise, compliant tool&#8212;not a hallucinating risk vector.</abstract>
                <slug>security-bsides-las-vegas-2025-69839-rag-against-the-machine-using-retrieval-augmented-generation-and-mcp-to-fortify-cybersecurity-defenses</slug>
                <track>Ground Truth</track>
                <logo>/media/security-bsides-las-vegas-2025/submissions/TKNLJQ/rage__wjmGGli.png</logo>
                <persons>
                    <person id='70279'>Brennan Lodge</person>
                </persons>
                <language>en</language>
                <description>In this session, I will present the architecture, use cases, and lessons learned from deploying CADDIE, a self-hostable Retrieval-Augmented Generation platform tailored to cybersecurity. With growing adoption of LLMs, enterprises are facing a gap: how to contextualize outputs with real, trusted data across threat detection, policy writing, and compliance monitoring. This is where the Model Context Protocol (MCP) shines&#8212;allowing structured ingestion of logs, threat intelligence, policy documents, and MITRE mappings into an LLM interface.

Attendees will see:

- How MCP structures retrieval pipelines and token-efficient prompts
- RAG in action for GRC (e.g., SOC 2, ISO 27001, DORA) and threat detection workflows
- Case studies from proof-of-concepts with financial institutions, think tanks, and public-sector orgs
- Why context-aware GenAI reduces hallucinations and increases interpretability in cyber operations
- Red team and blue team applications of MCP: from compliance automation to contextualized alert triage

This talk draws on prior research and presentations, including Black Hat 2024 (&#8220;Leveraging RAG for Proactive Cybersecurity Posture&#8221;) and my AI Summit talk on RAG-powered policy agents. Attendees will leave with an understanding of how to incorporate RAG in their cyber environments and how structured context via MCP is a key defense layer when working with LLMs in production.</description>
                <recording>
                    <license></license>
                    <optout>false</optout>
                </recording>
                <links></links>
                <attachments></attachments>

                <url>https://pretalx.com/security-bsides-las-vegas-2025/talk/TKNLJQ/</url>
                <feedback_url>https://pretalx.com/security-bsides-las-vegas-2025/talk/TKNLJQ/feedback/</feedback_url>
            </event>
            <event guid='f30c09cc-ad94-5979-b332-25adb23a846e' id='67777' code='GTYAKW'>
                <room>Siena</room>
                <title>Predicting the Lifespans of Internet Services: Falling down the ML Rabbit Hole, and What We Learned From The Thud</title>
                <subtitle></subtitle>
                <type>Talk-45m</type>
                <date>2025-08-05T17:00:00-07:00</date>
                <start>17:00</start>
                <duration>00:45</duration>
                <abstract>Last year, we learned a key truth: not everything on the Internet is forever, and there is far more variability in host lifespan across different ports, protocols, and networks than we initially thought. Today, we&#8217;re going to focus on how we moved beyond the descriptive analyses to ask the next natural question: Given all this variability, how can we actually predict the lifespan of a host? 

In this talk, I invite participants to dive down the ML rabbit hole with me. I&#8217;ll walk through how our research questions evolved, where our early methods/initial attempts failed, and what we learned from those failures to finally arrive at a practical solution. While ML has improved many aspects of our lives, applying it to solve problems in niche, high-noise areas like security and the Internet-wide measurement space is not always straightforward. With the right tweaks and persistence, we found a path forward, and I hope that audience members walk away with a better understanding of some of these ML pitfalls, as well as a way to think about how to apply ML to their own similarly gnarly problems, using our case study as an example.</abstract>
                <slug>security-bsides-las-vegas-2025-67777-predicting-the-lifespans-of-internet-services-falling-down-the-ml-rabbit-hole-and-what-we-learned-from-the-thud</slug>
                <track>Ground Truth</track>
                
                <persons>
                    <person id='68433'>Ariana Mirian</person>
                </persons>
                <language>en</language>
                <description>One key aspect of Internet-Wide scanning research is &#8220;When should I scan this entity again?&#8221;. In this talk, I talk about how descriptive analyses (presented last year!) are insufficient in finding trends at an Internet-scale, and instead a better way to tackle this question is via a more methodological approach with ML techniques. In this talk, I go over the promises of ML, and what we faced in reality at each step of the way. While we were inevitably successful in applying ML techniques to our use case, it does illuminate that sometimes you can&#8217;t just throw an ML model at the problem naively, especially when you have so many contextual aspects to account for, and the need to re-work your outputs and expectations to match a more realistic model. Specifically, my talk will cover the following: 

1) How did we get here?
- Last year we were like WOAH, lots of differences, but then trying to apply it in practice meant shifting the question to &#8220;can we predict the lifespan of a service&#8221;, such that we can predict when to scan it again?
2) What were the promises of ML?
- ML models would help with prediction, and also bring up interesting facets such as feature importance (should we be scanning based on port, or port and some other variable?).
- We tried some straightforward methods based on our inputs and outputs and immediately ran into some crazy and gnarly problems 
3) Taking a step back &#8211; what do we need, and what do we have?
- We have a highly multidimensional categorical dataset that we really cannot change.
- We really want to know when we should rescan something, or even a gradient of &#8220;scan these more, scan these other ones less&#8221;
4) Reframing the question and recognizing the aspects we couldn&#8217;t change led us down a new path
- Can we predict ephemerality? Which allows us to bucket hosts that we need to rescan more frequently vs hosts that we don&#8217;t need to rescan more frequently
- Yes!! We can. 
5) Now that we found a model that worked for us, we discuss evaluation and metrics
- Typically you focus on things like precision, recall, and f1 scores, and we see some variance in those that is not unexpected given the output data (walk through this example)
- In practical settings, we might want to reframe our metrics to be 
- We also show which features are most important to the prediction, which is slightly different than our hypothesis going into the problem, but not wholly unexpected</description>
                <recording>
                    <license></license>
                    <optout>false</optout>
                </recording>
                <links></links>
                <attachments></attachments>

                <url>https://pretalx.com/security-bsides-las-vegas-2025/talk/GTYAKW/</url>
                <feedback_url>https://pretalx.com/security-bsides-las-vegas-2025/talk/GTYAKW/feedback/</feedback_url>
            </event>
            <event guid='c03d6985-467a-5ae2-a50a-516bf76cda3e' id='70093' code='ZRBVME'>
                <room>Siena</room>
                <title>Indexing the Chaos: Extract PII from Ransomware Leaks</title>
                <subtitle></subtitle>
                <type>Talk-45m</type>
                <date>2025-08-05T18:00:00-07:00</date>
                <start>18:00</start>
                <duration>00:45</duration>
                <abstract>Modern ransomware attacks no longer just encrypt files&#8212;they exfiltrate and leak terabytes of internal corporate documents. These leaks contain unstructured chaos: scanned passports, HR forms, insurance records, and other sensitive data. Yet most breach-checking tools ignore them completely.

This talk presents Have I Been Ransomed? (HIBR), a toolchain and public search engine designed to extract meaningful PII from this mess using OCR and Large Language Models (LLMs). We&#8217;ll explore how we crawl these leaks, how we safely extract identifiers without exposing PII, and how LLMs allow us to detect personal data buried deep inside PDFs and image scans. We&apos;ll also address the ethical landmines, legal constraints (e.g., GDPR), and our design decisions to avoid becoming a privacy nightmare.

Attendees will walk away with a practical understanding of how to process complex ransomware dump data and build awareness tools responsibly&#8212;while seeing live examples of HIBR in action.</abstract>
                <slug>security-bsides-las-vegas-2025-70093-indexing-the-chaos-extract-pii-from-ransomware-leaks</slug>
                <track>Ground Truth</track>
                
                <persons>
                    <person id='70492'>Juanma</person>
                </persons>
                <language>en</language>
                <description>The tool was developed as a response to a growing blind spot in breach awareness: unstructured data dumped by ransomware gangs. Traditional tools focus on structured email/password leaks. In contrast, ransomware leaks are a dumpster fire of scanned ID cards, tax records, and resumes, usually dropped on .onion sites or mirror dumps. No one wants to parse that&#8212;so I did.

This talk breaks down how I built:

- A crawler (breach.house) that collects dump data (Ransomware Leaks, Normal Breaches, Stealer Logs, Leads)
- A backend pipeline that:
    - Ingests mixed-format files (PDF, DOC, images, databases, etc.)
    - Uses OCR to extract text from image-based leaks
    - Feeds results into a fine-tuned LLM that recognizes contextual PII
- A frontend search engine (haveibeenransom.com) that shows only metadata, not PII, and flags where data might have been exposed.

This talk will explain how I implemented protections to comply with privacy law (GDPR, Article 6) and prevent misuse. No PII is shown. Users can only search identifiers (email, passport number) and see where it may have appeared&#8212;without downloading any leak.

This tool is open-source (in part) and still under active development. It&#8217;s a blend of OSINT, NLP, ethical grey zones, and threat intelligence, all rolled into one live system.</description>
                <recording>
                    <license></license>
                    <optout>false</optout>
                </recording>
                <links></links>
                <attachments></attachments>

                <url>https://pretalx.com/security-bsides-las-vegas-2025/talk/ZRBVME/</url>
                <feedback_url>https://pretalx.com/security-bsides-las-vegas-2025/talk/ZRBVME/feedback/</feedback_url>
            </event>
            
        </room>
        <room name='Copa' guid='b60ebef1-bdb0-52f5-ac4d-8e343e1d68f5'>
            <event guid='b0625e6a-90ac-5da6-9109-c0c70fa13b15' id='67790' code='KQWJAH'>
                <room>Copa</room>
                <title>Power Play: AI Dominance Depends on Energy Resilience</title>
                <subtitle></subtitle>
                <type>Talk-45m</type>
                <date>2025-08-05T10:00:00-07:00</date>
                <start>10:00</start>
                <duration>01:00</duration>
                <abstract>This talk explores how energy infrastructure forms the backbone of resilient and robust AI ecosystems and how challenges like transformer shortages and foreign dependencies threaten AI ecosystems and national security. We&apos;ll examine how disruptions in the energy sector can cascade across AI development, national security, and global competitiveness. By focusing on the often-overlooked role of power infrastructure, including the critical shortage of domestically sourced electrical equipment such as transformers, we&apos;ll reveal how energy resilience is the true key to AI dominance beyond algorithms and computing power.</abstract>
                <slug>security-bsides-las-vegas-2025-67790-power-play-ai-dominance-depends-on-energy-resilience</slug>
                <track>I Am The Cavalry</track>
                
                <persons>
                    <person id='68758'>Emma M Stewart</person><person id='68445'>Munish Walther-Puri</person>
                </persons>
                <language>en</language>
                <description>The United States faces a multifaceted challenge in maintaining its technological edge, particularly in AI. While much attention is given to semiconductor production and algorithm development, the foundation of AI supremacy lies in a stable, resilient, flexible, and abundant energy infrastructure. Private capital flows into chips and frontier models; government agencies and labs can only chase and shape the attention of resources. Disruptions in one sector can profoundly impact another: recent challenges, such as the extreme shortage of voltage step-down transformers and heavy reliance on non-domestic equipment, significantly hinder the growth and expansion of AI data centers.

Moreover, U.S. utilities and energy projects remain heavily reliant on non-domestic equipment - for large and distribution power transformers, battery energy storage systems, and communications equipment - introducing potential cybersecurity risks that could destabilize power grids and erode energy resilience. China&apos;s control over critical mineral processing further compounds U.S. supply chain fragility, threatening to disrupt key industries essential for AI infrastructure. This interconnectedness demonstrates that dominance in AI is not just about computational performance but about securing and optimizing the power that fuels it.</description>
                <recording>
                    <license></license>
                    <optout>false</optout>
                </recording>
                <links></links>
                <attachments></attachments>

                <url>https://pretalx.com/security-bsides-las-vegas-2025/talk/KQWJAH/</url>
                <feedback_url>https://pretalx.com/security-bsides-las-vegas-2025/talk/KQWJAH/feedback/</feedback_url>
            </event>
            <event guid='bb52eb89-3147-5010-a6a6-9a61cd2ff65e' id='66371' code='JKHHMR'>
                <room>Copa</room>
                <title>Ransomware As Canary For Societal Disruption</title>
                <subtitle></subtitle>
                <type>Talk-20m</type>
                <date>2025-08-05T11:00:00-07:00</date>
                <start>11:00</start>
                <duration>00:30</duration>
                <abstract>Ransomware is one of the more prevalent and expensive cyber incidents, and more pervasive and arguably more disruptive than outright disruptive cyber attacks. In this discussion, we will review the impact of ransomware on critical social services and functions, and detail how unchecked such operations may lead to unacceptable disruption in vital services and operations. Based on this understanding, we will then expand the conversation in two directions: how addressing the ransomware issue through defensive countermeasures and preventative investment can also curtail more &quot;advanced&quot; actor operations; and how dealing with pervasive cyber threats may justify enhanced countermeasures to deny, deter, or degrade adversary capabilities. From this discussion, we will arrive at a nuanced, complex view of the ransomware ecosystem and its outsized role in actual, observable critical infrastructure disruption.</abstract>
                <slug>security-bsides-las-vegas-2025-66371-ransomware-as-canary-for-societal-disruption</slug>
                <track>I Am The Cavalry</track>
                
                <persons>
                    <person id='67293'>Joe Slowik</person>
                </persons>
                <language>en</language>
                <description>Ransomware, like other e-crime actions, is typically viewed as a nuisance and a law enforcement matter from a policy and strategic perspective. However, the economic impact of ransomware (along with other crimes such as business email compromise) is vast, while the disruptive impact - to schools, hospitals, the industrial base, and civil functions - is immense. Compared to actual cyber &quot;attacks&quot; outside of events in Ukraine, ransomware has arguably had a much greater impact on societal function than any &quot;APT&quot; intrusion or incident across the developed world.

To set the stage, we will first review the persistent and long-standing e-crime epidemic and particularly disruptive events such as ransomware that induce loss of availability and functionality. While ransomware carries a significant economic cost in payouts and lost output, there is also a non-trivial social cost in lost functionality related to the operations of schools, hospitals, local governments, and similar entities. When reviewed in detail, especially in the cases of rural hospitals and similar disadvantaged entities, ransomware may serve as a killing function for vital services for marginalized populations.

With this context in mind, we can then review the nature of ransomware operations: often aligning or overlapping with the same tactics, techniques, and procedures employed in supposedly more concerning state-sponsored intrusion operations. Based on this threat actor convergence in behavior, we see an interesting opportunity: that defending against and closing opportunities to criminal actors will improve community defense against a variety of threat actors. For example, the rapid weaponization and exploitation of vulnerabilities in edge devices represents a primary initial access mechanism for both state-sponsored and criminal entities. Developing and implementing planning to more rapidly address these items while advocating for improved development and engineering practices at vendors may thus reduce the impact and likelihood of an incident from multiple threats.

However, defensive measures cannot just be passive in nature. The critical nature of disruptive ransomware to vital societal functions also demands active measures to reduce the scope of adversary activity. This &quot;impose cost&quot; approach is increasingly popular in the current administration, but carries operational and ethical costs depending on how far it is pushed. Yet simply standing by and letting adversaries operate with relative impunity places a significant burden on often poorly-resourced organizations to respond to and mitigate against such threats. Therefore, we will discuss a &quot;reasonably effective and ethically supported&quot; approach to counter-ransomware operations focused on targeting adversary infrastructure, operations, and communication networks for disruption utilizing law enforcement and other authorities.

From this discussion, we will arrive at a conclusion where the ransomware (and broader e-crime) threat is simply no longer sustainable under current mechanisms. By providing for response functions both passive and active in nature, we can &quot;drain the swamp&quot; of ransomware operations to provide greater resilience to critical societal functions across the western world. Furthermore, doing so may not just dramatically alter matters with respect to criminal entities, but have the positive externality of making life significantly harder for state-sponsored hacking teams to breach critical infrastructure entities for more focused and targeted disruption.</description>
                <recording>
                    <license></license>
                    <optout>false</optout>
                </recording>
                <links></links>
                <attachments></attachments>

                <url>https://pretalx.com/security-bsides-las-vegas-2025/talk/JKHHMR/</url>
                <feedback_url>https://pretalx.com/security-bsides-las-vegas-2025/talk/JKHHMR/feedback/</feedback_url>
            </event>
            <event guid='5de758f8-4997-583c-afc8-ab0969c65a10' id='72400' code='LNMTZM'>
                <room>Copa</room>
                <title>Emergency &amp; Urgent Care Remains in Critical Condition</title>
                <subtitle></subtitle>
                <type>Event2HR</type>
                <date>2025-08-05T14:00:00-07:00</date>
                <start>14:00</start>
                <duration>02:00</duration>
                <abstract>Hospitals and trauma centers have been increasingly targeted by sophisticated cyber threats that jeopardize patient safety, disrupt critical care, and compromise sensitive health data. In 2025, the healthcare sector remains one of the most attacked industries, with ransomware, phishing, and supply chain disruptions posing daily risks to clinical operations. These threats are especially acute in trauma centers, where even brief system outages can result in life-threatening delays.

This panel will explore the evolving cybersecurity landscape facing healthcare providers, with a focus on high-impact vulnerabilities such as legacy medical devices, unsegmented networks, and third-party software dependencies. Panelists will discuss recent incidents and their cascading effects on emergency care delivery, as well as the broader implications for public health and national security.

The discussion will also highlight emerging policy challenges, including the impact of new federal funding and regulatory frameworks. In addition, the panel will explore operational mitigations such as zero-trust architectures, incident response planning, and workforce training.

Attendees will gain a deeper understanding of the systemic risks facing healthcare infrastructure and leave with actionable insights into how policy, technology, and cross-sector collaboration can strengthen resilience in the face of growing cyber threats.</abstract>
                <slug>security-bsides-las-vegas-2025-72400-emergency-urgent-care-remains-in-critical-condition</slug>
                <track>I Am The Cavalry</track>
                
                <persons>
                    <person id='72828'>Beau Woods</person><person id='72421'>Christian Dameff</person><person id='80126'>Dina Carlisle</person>
                </persons>
                <language>en</language>
                <description>Hospitals and trauma centers are increasingly targeted by sophisticated cyber threats that jeopardize patient safety, disrupt critical care, and compromise sensitive health data. In 2025, the healthcare sector remains one of the most attacked industries, with ransomware, phishing, and supply chain disruptions posing daily risks to clinical operations. These threats are especially acute in trauma centers, where even brief system outages can result in life-threatening delays.

This panel will explore the evolving cybersecurity landscape facing healthcare providers, with a focus on high-impact vulnerabilities such as legacy medical devices, unsegmented networks, and third-party software dependencies. Panelists will discuss recent incidents and their cascading effects on emergency care delivery, as well as the broader implications for public health and national security.

The discussion will also highlight emerging policy challenges, including the impact of new federal funding and regulatory frameworks. In addition, the panel will explore operational mitigations such as zero-trust architectures, incident response planning, and workforce training.

Dr. Dameff will provide an informational briefing on an ARPA-H project that he is working on.

In this session, Beau Woods shares his unexpected journey into the world of medical device security&#8212;a path that began with curiosity and evolved into a mission to protect lives. As a prominent voice in the &quot;Hackers for Health&quot; movement, Woods will recount how he first encountered vulnerabilities in life-critical systems and the profound ethical questions that followed. Unlike traditional cybersecurity domains, hacking medical equipment involves systems that are directly connected to human bodies&#8212;pacemakers, infusion pumps, ventilators, and more&#8212;where even minor disruptions can have life-or-death consequences.

Attendees will gain a deeper understanding of the systemic risks facing healthcare infrastructure and leave with actionable insights into how policy, technology, and cross-sector collaboration can strengthen resilience in the face of growing cyber threats.</description>
                <recording>
                    <license></license>
                    <optout>false</optout>
                </recording>
                <links></links>
                <attachments></attachments>

                <url>https://pretalx.com/security-bsides-las-vegas-2025/talk/LNMTZM/</url>
                <feedback_url>https://pretalx.com/security-bsides-las-vegas-2025/talk/LNMTZM/feedback/</feedback_url>
            </event>
            <event guid='946b57dc-46eb-515a-8649-dd3b6dcaa83c' id='72783' code='TLPNPG'>
                <room>Copa</room>
                <title>Hackers Kinda Like to Eat</title>
                <subtitle></subtitle>
                <type>Talk-45m</type>
                <date>2025-08-05T17:00:00-07:00</date>
                <start>17:00</start>
                <duration>01:00</duration>
                <abstract>The U.S. food industry&#8212;an essential pillar of national security and economic stability&#8212;is increasingly vulnerable to cyber threats and systemic concentration risks. From farm to fork, the sector relies heavily on digital infrastructure for logistics, processing, refrigeration, and supply chain coordination. Yet, many food producers and distributors operate with limited cybersecurity maturity, making them prime targets for ransomware, data breaches, and operational disruption.</abstract>
                <slug>security-bsides-las-vegas-2025-72783-hackers-kinda-like-to-eat</slug>
                <track>I Am The Cavalry</track>
                
                <persons>
                    <person id='80113'>Curtis Hanson</person><person id='72829'>Whitney Bowman-Zatzkin</person><person id='72830'>Andrew Rose</person>
                </persons>
                <language>en</language>
                <description>This session will explore the dual challenges facing the food sector: the growing frequency and sophistication of cyberattacks, and the economic concentration that amplifies their impact. With a small number of corporations controlling large portions of meat processing, grain distribution, and food logistics, a single cyber incident can ripple across the entire national food supply. The 2021 ransomware attack on JBS Foods, the world&#8217;s largest meat processor, is a stark example of how digital vulnerabilities can threaten food availability, pricing, and public trust.

Panelists will examine the policy landscape, including the role of the Food and Agriculture Sector Coordinating Council, recent CISA advisories, and the implications of proposed cybersecurity mandates for critical infrastructure. The discussion will also address economic incentives and disincentives for cybersecurity investment in a low-margin industry, and the need for public-private collaboration to build resilience.

Attendees will gain a deeper understanding of the systemic risks facing the food industry, the policy levers available to mitigate them, and the urgent need to treat food security as a national cybersecurity priority.</description>
                <recording>
                    <license></license>
                    <optout>false</optout>
                </recording>
                <links></links>
                <attachments></attachments>

                <url>https://pretalx.com/security-bsides-las-vegas-2025/talk/TLPNPG/</url>
                <feedback_url>https://pretalx.com/security-bsides-las-vegas-2025/talk/TLPNPG/feedback/</feedback_url>
            </event>
            <event guid='6278ea74-63f8-5a68-93d8-4bff7566a1a7' id='72784' code='NB8XNJ'>
                <room>Copa</room>
                <title>End of Life (EOL) Equipment should not mean End of Life (Your Life)</title>
                <subtitle></subtitle>
                <type>Talk-45m</type>
                <date>2025-08-05T18:20:00-07:00</date>
                <start>18:20</start>
                <duration>01:00</duration>
                <abstract>As digital infrastructure ages, a growing number of critical systems across sectors&#8212;from healthcare and manufacturing to energy and transportation&#8212;continue to rely on end-of-life (EOL) equipment that no longer receives security updates or vendor support. These legacy systems often harbor &#8220;forever-day&#8221; vulnerabilities: known flaws for which no patches exist and none are forthcoming. The persistence of these unfixable weaknesses poses a significant and growing threat to national security, public safety, and economic stability.</abstract>
                <slug>security-bsides-las-vegas-2025-72784-end-of-life-eol-equipment-should-not-mean-end-of-life-your-life</slug>
                <track>I Am The Cavalry</track>
                
                <persons>
                    <person id='72835'>Silas Cutler</person><person id='72832'>Paul Roberts</person><person id='72834'>Stacey Higginbotham</person>
                </persons>
                <language>en</language>
                <description>This panel will examine the multifaceted challenges of managing EOL technology in high-risk environments. Topics will include the operational and financial barriers to replacing legacy systems, the risks of continued reliance on unsupported software and hardware, and the ethical dilemmas faced by defenders who must secure the unsecurable. Panelists will also explore real-world incidents where forever-day vulnerabilities were exploited, and the cascading consequences that followed.

The discussion will highlight emerging policy proposals aimed at mitigating these risks, including mandatory lifecycle planning, incentives for modernization, liability frameworks for unsupported systems, and the potential role of government-backed vulnerability research and mitigation programs. Attendees will gain insight into how public and private stakeholders can collaborate to reduce systemic exposure, prioritize critical upgrades, and build a more resilient digital ecosystem.</description>
                <recording>
                    <license></license>
                    <optout>false</optout>
                </recording>
                <links></links>
                <attachments></attachments>

                <url>https://pretalx.com/security-bsides-las-vegas-2025/talk/NB8XNJ/</url>
                <feedback_url>https://pretalx.com/security-bsides-las-vegas-2025/talk/NB8XNJ/feedback/</feedback_url>
            </event>
            <event guid='2dccd3af-9fb1-5802-ade0-1b58c4af66ff' id='70749' code='CBW9Y8'>
                <room>Copa</room>
                <title>BSides Pub Quiz</title>
                <subtitle></subtitle>
                <type>Event2HR</type>
                <date>2025-08-05T21:00:00-07:00</date>
                <start>21:00</start>
                <duration>03:00</duration>
                <abstract>BSides Pub Quiz</abstract>
                <slug>security-bsides-las-vegas-2025-70749-bsides-pub-quiz</slug>
                <track>Events</track>
                
                <persons>
                    
                </persons>
                <language>en</language>
                <description>BSides Pub Quiz</description>
                <recording>
                    <license></license>
                    <optout>false</optout>
                </recording>
                <links></links>
                <attachments></attachments>

                <url>https://pretalx.com/security-bsides-las-vegas-2025/talk/CBW9Y8/</url>
                <feedback_url>https://pretalx.com/security-bsides-las-vegas-2025/talk/CBW9Y8/feedback/</feedback_url>
            </event>
            
        </room>
        <room name='Pool' guid='99a9c222-ed75-57c8-8543-b4b9b6389e21'>
            <event guid='b898bcf9-6d78-541e-bba0-573feaccc342' id='79257' code='DZ7B39'>
                <room>Pool</room>
                <title>Proving Ground Mentors Meet-Up</title>
                <subtitle></subtitle>
                <type>Event1HR</type>
                <date>2025-08-05T19:00:00-07:00</date>
                <start>19:00</start>
                <duration>3:01:00</duration>
                <abstract>A meet-up for Proving Ground Mentors, past or present.  Hang out and chill poolside with your fellow BSides heroes.</abstract>
                <slug>security-bsides-las-vegas-2025-79257-proving-ground-mentors-meet-up</slug>
                <track>Events</track>
                
                <persons>
                    
                </persons>
                <language>en</language>
                <description>A meet-up for Proving Ground Mentors, past or present.  Hang out and chill poolside with your fellow BSides heroes.</description>
                <recording>
                    <license></license>
                    <optout>false</optout>
                </recording>
                <links></links>
                <attachments></attachments>

                <url>https://pretalx.com/security-bsides-las-vegas-2025/talk/DZ7B39/</url>
                <feedback_url>https://pretalx.com/security-bsides-las-vegas-2025/talk/DZ7B39/feedback/</feedback_url>
            </event>
            <event guid='6e8c5a93-adbf-5d83-91ac-e8bf3aa07988' id='70741' code='HHVRQ9'>
                <room>Pool</room>
                <title>Data Science Meet-Up</title>
                <subtitle></subtitle>
                <type>Event1HR</type>
                <date>2025-08-05T19:00:00-07:00</date>
                <start>19:00</start>
                <duration>01:00</duration>
                <abstract>Data Science Meet-Up</abstract>
                <slug>security-bsides-las-vegas-2025-70741-data-science-meet-up</slug>
                <track>Events</track>
                
                <persons>
                    
                </persons>
                <language>en</language>
                <description>Data Science Meet-Up</description>
                <recording>
                    <license></license>
                    <optout>false</optout>
                </recording>
                <links></links>
                <attachments></attachments>

                <url>https://pretalx.com/security-bsides-las-vegas-2025/talk/HHVRQ9/</url>
                <feedback_url>https://pretalx.com/security-bsides-las-vegas-2025/talk/HHVRQ9/feedback/</feedback_url>
            </event>
            <event guid='b21ce504-194e-5bc9-a510-55627fd3d2dc' id='70747' code='GUPQKX'>
                <room>Pool</room>
                <title>Speaker Reception</title>
                <subtitle></subtitle>
                <type>Event2HR</type>
                <date>2025-08-05T20:00:00-07:00</date>
                <start>20:00</start>
                <duration>02:00</duration>
                <abstract>2025 BSides LV Speaker Reception.  Come meet and hang out with the Program Committee and your fellow presenters at a private poolside function.</abstract>
                <slug>security-bsides-las-vegas-2025-70747-speaker-reception</slug>
                <track>Events</track>
                
                <persons>
                    
                </persons>
                <language>en</language>
                <description>2025 BSides LV Speaker Reception.  Come meet and hang out with the Program Committee and your fellow presenters at a private poolside function.</description>
                <recording>
                    <license></license>
                    <optout>false</optout>
                </recording>
                <links></links>
                <attachments></attachments>

                <url>https://pretalx.com/security-bsides-las-vegas-2025/talk/GUPQKX/</url>
                <feedback_url>https://pretalx.com/security-bsides-las-vegas-2025/talk/GUPQKX/feedback/</feedback_url>
            </event>
            <event guid='8354b0ef-e6a6-553b-baf0-cd0a02b8933d' id='70751' code='MYMJAW'>
                <room>Pool</room>
                <title>BSides Karaoke</title>
                <subtitle></subtitle>
                <type>Event4HR</type>
                <date>2025-08-05T22:00:00-07:00</date>
                <start>22:00</start>
                <duration>04:00</duration>
                <abstract>Security BSides Karaoke, poolside!</abstract>
                <slug>security-bsides-las-vegas-2025-70751-bsides-karaoke</slug>
                <track>Events</track>
                
                <persons>
                    
                </persons>
                <language>en</language>
                <description>Security BSides Karaoke, poolside!</description>
                <recording>
                    <license></license>
                    <optout>false</optout>
                </recording>
                <links></links>
                <attachments></attachments>

                <url>https://pretalx.com/security-bsides-las-vegas-2025/talk/MYMJAW/</url>
                <feedback_url>https://pretalx.com/security-bsides-las-vegas-2025/talk/MYMJAW/feedback/</feedback_url>
            </event>
            
        </room>
        <room name='G-103' guid='8b79c69d-5d50-5ccc-a858-772338559727'>
            <event guid='19ebdc31-7801-5bbb-93fc-7b8804a6011a' id='70744' code='MEABSP'>
                <room>G-103</room>
                <title>Recovery Hackers, Tuesday</title>
                <subtitle></subtitle>
                <type>Event2HR</type>
                <date>2025-08-05T19:30:00-07:00</date>
                <start>19:30</start>
                <duration>02:00</duration>
                <abstract>Not a formal 12-step meeting. Rather, a supportive gathering for folks taking Summer Camp one day at a time. Monday, Tuesday and Wednesday, 19:30-21:30 in G103. Look for the sign on a patio on the pool side of building G and enter through the patio door.</abstract>
                <slug>security-bsides-las-vegas-2025-70744-recovery-hackers-tuesday</slug>
                <track>Events</track>
                
                <persons>
                    
                </persons>
                <language>en</language>
                <description>Not a formal 12-step meeting. Rather, a supportive gathering for folks taking Summer Camp one day at a time. Monday, Tuesday and Wednesday, 19:30-21:30 in G103. Look for the sign on a patio on the pool side of building G and enter through the patio door.</description>
                <recording>
                    <license></license>
                    <optout>false</optout>
                </recording>
                <links></links>
                <attachments></attachments>

                <url>https://pretalx.com/security-bsides-las-vegas-2025/talk/MEABSP/</url>
                <feedback_url>https://pretalx.com/security-bsides-las-vegas-2025/talk/MEABSP/feedback/</feedback_url>
            </event>
            
        </room>
        <room name='Hallway' guid='b2dd07e8-ad13-5064-8c42-a5a5ad6ee9d5'>
            <event guid='b80ed386-86dc-5512-b87e-25570722a6e0' id='70717' code='EUXUJ3'>
                <room>Hallway</room>
                <title>Info Booth Opens, Tuesday</title>
                <subtitle></subtitle>
                <type>Event1HR</type>
                <date>2025-08-05T07:00:00-07:00</date>
                <start>07:00</start>
                <duration>00:00</duration>
                <abstract>Info Booth Opens, Tuesday</abstract>
                <slug>security-bsides-las-vegas-2025-70717-info-booth-opens-tuesday</slug>
                <track>Middle Ground</track>
                
                <persons>
                    
                </persons>
                <language>en</language>
                <description>Info Booth Opens, Tuesday</description>
                <recording>
                    <license></license>
                    <optout>false</optout>
                </recording>
                <links></links>
                <attachments></attachments>

                <url>https://pretalx.com/security-bsides-las-vegas-2025/talk/EUXUJ3/</url>
                <feedback_url>https://pretalx.com/security-bsides-las-vegas-2025/talk/EUXUJ3/feedback/</feedback_url>
            </event>
            <event guid='49b5b835-ef13-5e0d-8204-b0283178ac59' id='70719' code='KALKCA'>
                <room>Hallway</room>
                <title>Registration Opens, Tuesday</title>
                <subtitle></subtitle>
                <type>Event1HR</type>
                <date>2025-08-05T08:00:00-07:00</date>
                <start>08:00</start>
                <duration>00:00</duration>
                <abstract>Registration Opens, Tuesday</abstract>
                <slug>security-bsides-las-vegas-2025-70719-registration-opens-tuesday</slug>
                <track>Middle Ground</track>
                
                <persons>
                    
                </persons>
                <language>en</language>
                <description>Registration Opens, Tuesday</description>
                <recording>
                    <license></license>
                    <optout>false</optout>
                </recording>
                <links></links>
                <attachments></attachments>

                <url>https://pretalx.com/security-bsides-las-vegas-2025/talk/KALKCA/</url>
                <feedback_url>https://pretalx.com/security-bsides-las-vegas-2025/talk/KALKCA/feedback/</feedback_url>
            </event>
            <event guid='0a46b24d-792b-57ff-bb13-f45581b3ac30' id='70725' code='H9N7UE'>
                <room>Hallway</room>
                <title>Skytalks Token Drop 3</title>
                <subtitle></subtitle>
                <type>Event1HR</type>
                <date>2025-08-05T09:00:00-07:00</date>
                <start>09:00</start>
                <duration>00:30</duration>
                <abstract>Skytalks Token Drop 3
Skytalks token distribution for Tuesday MORNING sessions (10:00-11:30)
Queue in Tuscany Hallway between Middle Ground and Speaker Room.
Tokens are limited in number, and distribution ends when they are gone.</abstract>
                <slug>security-bsides-las-vegas-2025-70725-skytalks-token-drop-3</slug>
                <track>Middle Ground</track>
                
                <persons>
                    
                </persons>
                <language>en</language>
                <description>Skytalks Token Drop 3
Skytalks token distribution for Tuesday MORNING sessions (10:00-11:30)
Queue in Tuscany Hallway between Middle Ground and Speaker Room.
Tokens are limited in number, and distribution ends when they are gone.</description>
                <recording>
                    <license></license>
                    <optout>false</optout>
                </recording>
                <links></links>
                <attachments></attachments>

                <url>https://pretalx.com/security-bsides-las-vegas-2025/talk/H9N7UE/</url>
                <feedback_url>https://pretalx.com/security-bsides-las-vegas-2025/talk/H9N7UE/feedback/</feedback_url>
            </event>
            <event guid='33645a39-639d-5770-9d6c-6376765a7125' id='70736' code='3E78YM'>
                <room>Hallway</room>
                <title>Skytalks Token Drop 4</title>
                <subtitle></subtitle>
                <type>Event1HR</type>
                <date>2025-08-05T12:30:00-07:00</date>
                <start>12:30</start>
                <duration>01:00</duration>
                <abstract>Skytalks Token Drop 4
Skytalks token distribution for Tuesday AFTERNOON sessions (2:00-4:00 PM)
Queue in Tuscany Hallway between Middle Ground and Speaker Room.
Tokens are limited in number, and distribution ends when they are gone.</abstract>
                <slug>security-bsides-las-vegas-2025-70736-skytalks-token-drop-4</slug>
                <track>Middle Ground</track>
                
                <persons>
                    
                </persons>
                <language>en</language>
                <description>Skytalks Token Drop 4
Skytalks token distribution for Tuesday AFTERNOON sessions (2:00-4:00 PM)
Queue in Tuscany Hallway between Middle Ground and Speaker Room.
Tokens are limited in number, and distribution ends when they are gone.</description>
                <recording>
                    <license></license>
                    <optout>false</optout>
                </recording>
                <links></links>
                <attachments></attachments>

                <url>https://pretalx.com/security-bsides-las-vegas-2025/talk/3E78YM/</url>
                <feedback_url>https://pretalx.com/security-bsides-las-vegas-2025/talk/3E78YM/feedback/</feedback_url>
            </event>
            <event guid='107d9d89-b326-5e4e-9b31-6da4c080bc35' id='70722' code='7A79C9'>
                <room>Hallway</room>
                <title>Registration Closes, Tuesday</title>
                <subtitle></subtitle>
                <type>Event1HR</type>
                <date>2025-08-05T16:00:00-07:00</date>
                <start>16:00</start>
                <duration>00:00</duration>
                <abstract>Registration Closes, Tuesday</abstract>
                <slug>security-bsides-las-vegas-2025-70722-registration-closes-tuesday</slug>
                <track>Middle Ground</track>
                
                <persons>
                    
                </persons>
                <language>en</language>
                <description>Registration Closes, Tuesday</description>
                <recording>
                    <license></license>
                    <optout>false</optout>
                </recording>
                <links></links>
                <attachments></attachments>

                <url>https://pretalx.com/security-bsides-las-vegas-2025/talk/7A79C9/</url>
                <feedback_url>https://pretalx.com/security-bsides-las-vegas-2025/talk/7A79C9/feedback/</feedback_url>
            </event>
            <event guid='8ff13a1a-36c2-5fa4-bbed-8aa4f3289f25' id='70718' code='SVTTCL'>
                <room>Hallway</room>
                <title>Info Booth Closes, Tuesday</title>
                <subtitle></subtitle>
                <type>Event1HR</type>
                <date>2025-08-05T16:00:00-07:00</date>
                <start>16:00</start>
                <duration>00:00</duration>
                <abstract>Info Booth Closes, Tuesday</abstract>
                <slug>security-bsides-las-vegas-2025-70718-info-booth-closes-tuesday</slug>
                <track>Middle Ground</track>
                
                <persons>
                    
                </persons>
                <language>en</language>
                <description>Info Booth Closes, Tuesday</description>
                <recording>
                    <license></license>
                    <optout>false</optout>
                </recording>
                <links></links>
                <attachments></attachments>

                <url>https://pretalx.com/security-bsides-las-vegas-2025/talk/SVTTCL/</url>
                <feedback_url>https://pretalx.com/security-bsides-las-vegas-2025/talk/SVTTCL/feedback/</feedback_url>
            </event>
            
        </room>
        <room name='Ballroom' guid='3fc3a8c2-ea82-53fb-9e4d-618201674c7d'>
            <event guid='c703a30d-ad50-588e-931f-22ea32bcbfc9' id='73342' code='87YVWJ'>
                <room>Ballroom</room>
                <title>Multi-Cloud (AWS, Azure &amp; GCP) Security [25 Edition], Day Two, AM</title>
                <subtitle></subtitle>
                <type>Training-16h</type>
                <date>2025-08-05T10:30:00-07:00</date>
                <start>10:30</start>
                <duration>04:00</duration>
                <abstract>CyberWarFare Labs workshop on &quot;Multi-Cloud Security&quot; aims to provide practical insights into the offensive / defensive techniques used by the Red &amp; Blue Teams in an Enterprise Cloud Infrastructure. Learn from the creators of the renowned CWL RedCloud OS, a cloud adversary simulation VM, how to perform enterprise offensive / defensive operations.

- As a Red Team / Penetration Tester:
  Trainees will understand advanced real-world cyber attacks against major cloud vendors like AWS, MS Azure, and GCP.
  Simulate Tactics, Techniques, and Procedures (TTPs) widely used by APT groups in a practical lab environment.

- As a Blue Team / Defender:
  Trainees will learn to identify and defend against various emerging threats in a multi-cloud infra.
  Understand complex attack vectors &amp; sophisticated compromise scenarios from a defensive mindset.</abstract>
                <slug>security-bsides-las-vegas-2025-73342-multi-cloud-aws-azure-gcp-security-25-edition-day-two-am</slug>
                <track>Training Ground</track>
                
                <persons>
                    <person id='69296'>Yash Bharadwaj</person><person id='72404'>Manish Gupta</person>
                </persons>
                <language>en</language>
                <description>To make the workshop hands-on in the real sense, all the trainees will be provided with Lab Access to the Multi-Cloud Environment. The Lab Architecture is designed to cover, from both aspects, all the attacks that are demonstrated during the sessions.

### DAY 1 (8 Hrs)
- Part-1 : Introduction about Multi Cloud Environment

  - Module-1 : Azure Cloud Environment
    - Azure Identity : Entra ID &amp; RBAC
    - O365 / Microsoft 365
    - Azure Cloud Services (VM, Storage, IaaS, PaaS, SaaS)

  - Module-2 : AWS Cloud Environment
    - Identity &amp; Access Management
    - AWS Cloud Services (IaaS, PaaS, SaaS)
    - AWS Identity Center

  - Module-3 : GCP Cloud Environment
    - GCP Identity &amp; Access Management
    - GCP Cloud Services (IaaS, PaaS, SaaS)
    - Google Suite / Workspace + Cloud Identity

- Part-2 : Enumeration &amp; Initial Access on Cloud Infrastructure

  - Module-1 : Unauthenticated Enumeration
    - Enumerating Information from DNS Records
    - Enumerating Information from Cloud Vendors
    - Leaked secrets from GitHub
    - Enumerating storage &amp; other information from OSINT

  - Module-2 : Initial Access
    - Exploiting Cloud Services
    - Leaked Credentials
    - Compromising CI/CD pipeline
    - Compromising storage accounts

  - Module-3 : Authenticated Enumeration : IAM, Compute &amp; Storage
    - AWS Services
    - Entra ID &amp; Azure Services
    - Cloud Identity, Google Workspace, GCP Services

### DAY 2 (8 Hrs)
- Part-3 : Exploiting Multi-Cloud Services

  - Module-1 : Exploiting Multi-Cloud Services
    - AWS : cross account, within account
    - Azure : service principal, cross tenant, Entra ID
    - GCP : Access organization, Cloud Identity

  - Module-2 : Privilege Escalation
    - Elevating Privileges on AWS
    - Elevating Privileges on Azure
    - Elevating Privileges on GCP

- Part-4 : Lateral Movement

  - Module-1 : Within Multi-Cloud
    - AWS, GCP, Azure to each other

- Part-5 : Case Study (Multi-Cloud Red Team Simulation)
  - Red Teaming in Simulated Multi-Cloud Lab (Initial Access to Data Exfiltration)

###### NOTE : Attendees do not require cloud accounts; they will get access to the seamless environment &amp; have access to it for 15 days, with a dedicated Discord channel.

- Why should people attend your course?
  - Practically Understand Enterprise Grade Red Team Operation Methodology in Multi-Cloud Environment
  - Perform Red Team Attack Cycle in Simulated Enterprise Environment
  - Stealth Lateral Movement Techniques in Multi-Cloud, Cloud to on-premise &amp; vice-versa
  - Core Services Mapping / Enumeration / Exploitation
  - Create custom tools to perform manual enumeration

- Student Requirements :

  - Fair Knowledge of Networking and Web Technology
  - Familiarity with CLI
  - An Open mind (*No prior Cloud knowledge is required).

- Who Should Take This Course ?
  - Targeted Audience may include the following group of people:
  - Penetration Testers / Red Teams
  - Cloud Security Professionals
  - Cloud Architects
  - SOC analysts
  - Threat Hunting Team
  - Last but not least, anyone who is interested in strengthening their offensive and detection capabilities in Cloud

- How many years of practical experience would the ideal student have to get most out of this workshop?
  - Minimum 1-3 years in Penetration Testing Domain.

- What Students Should Bring?

  - System with at least 16GB RAM having VMware Workstation Pro installed
  - CWL RedCloud VM With Internet Connectivity

- What Students Will Be Provided With?

  - Soft Copy of the Course Content.
  - Great Knowledge about the Offensive Cloud Techniques used by adversaries.
  - Defense Tactics &amp; Techniques against the discussed offensive techniques.</description>
                <recording>
                    <license></license>
                    <optout>false</optout>
                </recording>
                <links></links>
                <attachments></attachments>

                <url>https://pretalx.com/security-bsides-las-vegas-2025/talk/87YVWJ/</url>
                <feedback_url>https://pretalx.com/security-bsides-las-vegas-2025/talk/87YVWJ/feedback/</feedback_url>
            </event>
            <event guid='26c90f8d-c1a5-5003-b356-e03a2b63b2f3' id='73343' code='WBBRNJ'>
                <room>Ballroom</room>
                <title>Multi-Cloud (AWS, Azure &amp; GCP) Security [25 Edition], Day Two, PM</title>
                <subtitle></subtitle>
                <type>Training-16h</type>
                <date>2025-08-05T15:00:00-07:00</date>
                <start>15:00</start>
                <duration>04:00</duration>
                <abstract>CyberWarFare Labs workshop on &quot;Multi-Cloud Security&quot; aims to provide practical insights into the offensive / defensive techniques used by the Red &amp; Blue Teams in an Enterprise Cloud Infrastructure. Learn from the creators of the renowned CWL RedCloud OS, a cloud adversary simulation VM, how to perform enterprise offensive / defensive operations.

- As a Red Team / Penetration Tester:
  Trainees will understand advanced real-world cyber attacks against major cloud vendors like AWS, MS Azure, and GCP.
  Simulate Tactics, Techniques, and Procedures (TTPs) widely used by APT groups in a practical lab environment.

- As a Blue Team / Defender:
Trainees will learn to identify and defend against various emerging threats in a multi-cloud infra.
Understand complex attack vectors &amp; sophisticated compromise scenarios from a defensive mindset</abstract>
                <slug>security-bsides-las-vegas-2025-73343-multi-cloud-aws-azure-gcp-security-25-edition-day-two-pm</slug>
                <track>Training Ground</track>
                
                <persons>
                    <person id='69296'>Yash Bharadwaj</person><person id='72404'>Manish Gupta</person>
                </persons>
                <language>en</language>
                <description>To make the workshop hands-on in the real sense all the trainees will be provided with Lab Access to the Multi-Cloud Environment. Lab Architecture is designed to cover all the attacks from both aspects that are demonstrated during the sessions.

### DAY 1 (8 Hrs)
- Part-1 : Introduction about Multi Cloud Environment

  - Module-1 : Azure Cloud Environment
    - Azure Identity : Entra ID &amp; RBAC
    - O365 / Microsoft 365
    - Azure Cloud Services (VM, Storage, IaaS, PaaS, SaaS)

  - Module-2 : AWS Cloud Environment
    - Identity &amp; Access Management
    - AWS Cloud Services (IaaS, PaaS, SaaS)
    - AWS Identity Center

  - Module-3 : GCP Cloud Environment
    - GCP Identity &amp; Access Management
    - GCP Cloud Services (IaaS, PaaS, SaaS)
    - Google Suite / Workspace + Cloud Identity

- Part-2 : Enumeration &amp; Initial Access on Cloud Infrastructure

  - Module-1 : Unauthenticated Enumeration
    - Enumerating Information from DNS Records
    - Enumerating Information from Cloud Vendors
    - Leaked secrets from GitHub
    - Enumerating storage &amp; other information from OSINT

  - Module-2 : Initial Access
    - Exploiting Cloud Services
    - Leaked Credentials
    - Compromising CI/CD pipeline
    - Compromising storage accounts

  - Module-3 : Authenticated Enumeration : IAM, Compute &amp; Storage
    - AWS Services
    - Entra ID &amp; Azure Services
    - Cloud Identity, Google Workspace, GCP Services

### DAY 2 (8 Hrs)
- Part-3 : Exploiting Multi-Cloud Services

  - Module-1 : Exploiting Multi-Cloud Services
    - AWS : cross account, within account
    - Azure : service principal, cross tenant, Entra ID
    - GCP : Access organization, Cloud Identity

  - Module-2 : Privilege Escalation
    - Elevating Privileges on AWS
    - Elevating Privileges on Azure
    - Elevating Privileges on GCP

- Part-4 : Lateral Movement

  - Module-1 : Within Multi-Cloud
    - AWS, GCP, Azure to each other

- Part-5 : Case Study (Multi-Cloud Red Team Simulation)
  - Red Teaming in Simulated Multi-Cloud Lab (Initial Access to Data Exfiltration)

###### NOTE : Attendees do not require cloud accounts; they will get access to the seamless environment &amp; have access to the environment for 15 days with a dedicated Discord channel.

- Why should people attend your course?
  - Practically Understand Enterprise Grade Red Team Operation Methodology in Multi-Cloud Environment
  - Perform Red Team Attack Cycle in Simulated Enterprise Environment
  - Stealth Lateral Movement Techniques in Multi-Cloud, Cloud to on-premise &amp; vice-versa
  - Core Services Mapping / Enumeration / Exploitation
  - Create custom tools to perform manual enumeration

- Student Requirements :

  - Fair Knowledge of Networking and Web Technology
  - Familiarity with CLI
  - An Open mind (*No prior Cloud knowledge is required).

- Who Should Take This Course ?
  - Targeted Audience may include the following group of people:
  - Penetration Testers / Red Teams
  - Cloud Security Professionals
  - Cloud Architects
  - SOC analysts
  - Threat Hunting Team
  - Last but not least, anyone who is interested in strengthening their offensive and detection capabilities in Cloud

- How many years of practical experience would the ideal student have to get most out of this workshop?
  - Minimum 1-3 years in Penetration Testing Domain.

- What Students Should Bring?

  - System with at least 16GB RAM having VMware Workstation Pro installed
  - CWL RedCloud VM With Internet Connectivity

- What Students Will Be Provided With?

  - Soft Copy of the Course Content.
  - Great Knowledge about the Offensive Cloud Techniques used by adversaries.
  - Defense Tactics &amp; Techniques against the discussed offensive techniques.</description>
                <recording>
                    <license></license>
                    <optout>false</optout>
                </recording>
                <links></links>
                <attachments></attachments>

                <url>https://pretalx.com/security-bsides-las-vegas-2025/talk/WBBRNJ/</url>
                <feedback_url>https://pretalx.com/security-bsides-las-vegas-2025/talk/WBBRNJ/feedback/</feedback_url>
            </event>
            
        </room>
        <room name='Pearl' guid='969e1f93-098a-5e50-9794-3330dec375c7'>
            <event guid='5a938d78-ea39-5aa7-86cb-e842ac3275ee' id='72731' code='EAYEJC'>
                <room>Pearl</room>
                <title>Engineering Cyber Resilience for the Water Sector</title>
                <subtitle></subtitle>
                <type>Training-4h</type>
                <date>2025-08-05T10:30:00-07:00</date>
                <start>10:30</start>
                <duration>04:00</duration>
                <abstract>What Engineers Need to Know About Cyber and Why (and are not getting this in school).
This workshop uses a case study of a hypothetical engineering project to support discussion and application of the principles for Cyber-Informed Engineering  (CIE) throughout the workshop. The scenario draws from a selection of real-world case studies, is fictional, and is crafted to support the application of CIE principles. Workshop participants get a workbook to structure their journey, capture insights and lessons learned, and provide a useful takeaway item that can further conversations after the event. 
This is a hands-on workshop filled with exercises to develop understanding of the principles of Cyber Informed Engineering. This training event is designed for anyone who is interested in learning a methodology of designing out cyber-risk before a system is placed into operation.</abstract>
                <slug>security-bsides-las-vegas-2025-72731-engineering-cyber-resilience-for-the-water-sector</slug>
                <track>Training Ground</track>
                <logo>/media/security-bsides-las-vegas-2025/submissions/EAYEJC/CIE_L_c6mIGgt.png</logo>
                <persons>
                    <person id='68449'>Art Conklin</person><person id='72420'>Virginia &#8220;Ginger&#8221; Wright</person><person id='72614'>Andrew Ohrt</person>
                </persons>
                <language>en</language>
                <description>This training session emerges from the Idaho National Laboratory Cyber Informed Engineering project, a Department of Energy supported effort to improve system resilience and risk reduction through design efforts to include cyber risks alongside other engineering considered hazards. Previous versions of this course have been conducted using different specific engineering problems to local industry groups. This class is a product from those experiences. The diversity of the BSidesLV attendee base will make this class much more engaging than an industry specific audience.

Cyber-Informed Engineering (CIE) offers an opportunity to &#8220;engineer out&#8221; some cyber risk across the entire system lifecycle, starting from the earliest possible phases of conceptual design and requirements development and system design&#8212;the most optimal times to introduce mitigations against cyber risk. CIE is an emerging method to integrate cybersecurity risk considerations into the conception, design, development, and operation of any physical system that has digital connectivity, monitoring, or control. CIE uses design decisions and engineering controls to mitigate or even eliminate avenues for cyber-enabled attacks or reduce the consequences when an attack occurs. In the same way that engineers design systems for safety, engineers informed by CIE use similar methods to prevent or lessen the impact of a cyber-attack. CIE also allows the engineers to advise the approaches used by specialized Information Technology (IT) and Operational Technology (OT) cybersecurity experts to align cybersecurity mitigations to the most critical consequences identified by the engineers. 

What are the 12 principles of CIE?
1. Consequence-Focused Design 
2. Engineered Controls 
3. Secure Information Architecture 
4. Design Simplification 
5. Layered Defenses 
6. Active Defense 
7. Interdependency Evaluation 
8. Digital Asset Awareness 
9. Cyber-Secure Supply Chain Controls 
10. Planned Resilience 
11. Engineering Information Control 
12. Organizational Culture 

The purpose of the training is to help people understand how to use these principles during engineering design to design out many sources of cyber risk. The hands-on workshop engages participants in a journey that helps improve their skills in designing out issues that would later potentially affect cyber risk.

The session begins with a presentation of the principles for Cyber Informed Engineering and leads thoughts with an initiating question to prompt thoughts and actions for each principle. The scenario used to facilitate discussion is then presented, providing a template upon which the principles can then be addressed. The exercise then moves through the 12 principles where each is given an overview by one of the facilitators. What follows next is small group exercise tasks designed to facilitate the operationalization of each principle. The facilitators help the groups advance their discussion and learning. The training exercise concludes with a lessons-learned discussion.

References:
U.S. Department of Energy Office of Cybersecurity, Energy Security, and Emergency Response (CESER). Cyber Informed Engineering Implementation Guide. Version 1.0, August 7, 2023. https://www.osti.gov/biblio/1995796.
Technical Report: Cyber-Informed Engineering Workbook: CIE Hands-On Training. May 29, 2024. https://www.osti.gov/biblio/2371031.</description>
                <recording>
                    <license></license>
                    <optout>false</optout>
                </recording>
                <links></links>
                <attachments></attachments>

                <url>https://pretalx.com/security-bsides-las-vegas-2025/talk/EAYEJC/</url>
                <feedback_url>https://pretalx.com/security-bsides-las-vegas-2025/talk/EAYEJC/feedback/</feedback_url>
            </event>
            <event guid='394e772e-1572-5d87-8225-7f6759896c68' id='69214' code='DVKZMR'>
                <room>Pearl</room>
                <title>Wi-Fi-So-Serious</title>
                <subtitle></subtitle>
                <type>Training-4h</type>
                <date>2025-08-05T15:00:00-07:00</date>
                <start>15:00</start>
                <duration>04:00</duration>
                <abstract>In Wi-Fi-So-Serious, we will explore setting up and troubleshooting our 802.11 assessment rig. Then we will look at passive reconnaissance and cracking different Wi-Fi security protocols. Using the Kali Linux VM, we will set up our 802.11 cards in monitor mode and see how to configure them to collect PCAPs. We will troubleshoot drivers and cover the common Linux commands needed for troubleshooting the cards. We will work with command line tools such as iw, iwconfig, hostapd, wpa_cli, wpa_supplicant and others. Next, we will move on to passive collection and common Wireshark display filters. We will finish the lecture portion of the class with cracking common 802.11 security protocols using tools such as Aircrack-ng, Wifite, Airgeddon, Reaver, and Wacker. Finally, we will finish out the workshop with a Capture The Flag (CTF) so all participants can apply what we have learned during the workshop. The participants will also learn how to set up a lab that they can take home with them.</abstract>
                <slug>security-bsides-las-vegas-2025-69214-wi-fi-so-serious</slug>
                <track>Training Ground</track>
                <logo>/media/security-bsides-las-vegas-2025/submissions/DVKZMR/sweet_4s7y3de.png</logo>
                <persons>
                    <person id='69768'>James Hawk</person>
                </persons>
                <language>en</language>
                <description>Wi-Fi-So-Serious is a beginner-friendly course teaching the basics of 802.11, common Wi-Fi troubleshooting, command-line tools, network reconnaissance, and attacks against common Wi-Fi security protocols. It wraps up with a hands-on CTF to apply the learned skills.

Practical Troubleshooting Skills:
Participants will learn:
Common Wi-Fi Issues: Identifying and understanding typical connectivity problems, such as signal interference, authentication failures, and dropped connections.
Troubleshooting Methodologies: Developing a systematic approach to diagnose Wi-Fi issues, including checking physical connections and analyzing network configurations.
Basic Troubleshooting Tools: Getting introduced to software or built-in operating system tools that can help analyze Wi-Fi environments and identify problems.

Network Reconnaissance:
Understanding the surrounding wireless environment is a key step in both network management and security testing. The course will cover methods for:
Passive Scanning: Detecting and gathering information about Wi-Fi networks without actively interacting with them. This includes identifying SSIDs, BSSIDs, supported data rates, and security protocols.
Active Scanning: Probing networks to gather more detailed information, potentially revealing hidden networks or vulnerabilities.
PCAP Analysis: Using Wireshark to extract information from PCAP files. 

Attacking Common 802.11 Security Protocols and cracking:
Open/OWE: Coffee Shop attacks and recon
WPS/Wi-Fi Direct: An overview and look at useful tools for attacking WPS and Wi-Fi Direct.
WEP: Understanding the historical weaknesses of WEP and how it can be easily cracked using readily available tools.
WPA/WPA2: Exploring the vulnerabilities in WPA and WPA2, including handshake capture and password cracking techniques (e.g., dictionary attacks, brute-force attacks).
WPA3: An overview of the improvements in WPA3 and its resistance to some of the older attack methods. Participants will learn how to attack WPA3 by leveraging transition mode.
EAP: A high level overview, recon, and basics of EAP network attacks 

Hands-On CTF:
The course culminates in a CTF, which is an invaluable way for participants to solidify their learning in a practical and engaging manner. The CTF will involve a series of challenges where participants need to use what they have learned during the class.

What to Bring: 

Students should bring a laptop with at least 8GB of RAM and with VMware or VirtualBox already installed. Students should have the provided VM loaded as well.
Students should also bring a Wi-Fi card that is capable of monitor mode and packet injection. Recommended card: AWUS036ACM</description>
                <recording>
                    <license></license>
                    <optout>false</optout>
                </recording>
                <links></links>
                <attachments>
                    <attachment href="https://pretalx.com/media/security-bsides-las-vegas-2025/submissions/DVKZMR/resources/_3yg4tPW.pdf">Getting Started</attachment>
                </attachments>

                <url>https://pretalx.com/security-bsides-las-vegas-2025/talk/DVKZMR/</url>
                <feedback_url>https://pretalx.com/security-bsides-las-vegas-2025/talk/DVKZMR/feedback/</feedback_url>
            </event>
            
        </room>
        <room name='Opal' guid='a47b2bc6-662a-553a-b9ca-40942581814b'>
            <event guid='16bf1b9d-c63f-5a48-8077-da2ce4743afc' id='69901' code='XMWTBT'>
                <room>Opal</room>
                <title>LLM Mayhem: Hands-On Red Teaming for LLM Applications</title>
                <subtitle></subtitle>
                <type>Training-4h</type>
                <date>2025-08-05T10:30:00-07:00</date>
                <start>10:30</start>
                <duration>04:00</duration>
                <abstract>Join us in this workshop to engage in hands-on attacks to identify weaknesses in generative AI. If you&#8217;re interested in learning about getting started in red teaming generative AI systems, this is the workshop for you.</abstract>
                <slug>security-bsides-las-vegas-2025-69901-llm-mayhem-hands-on-red-teaming-for-llm-applications</slug>
                <track>Training Ground</track>
                
                <persons>
                    <person id='70332'>Travis Smith</person><person id='72681'>Kasimir Schulz</person>
                </persons>
                <language>en</language>
                <description>In this workshop we have set up hypothetical chatbots with varying levels of difficulty to walk attendees through various attack techniques. We&apos;ll model the attack after typical red team engagements we have been on in order to test the resiliency of an LLM-powered application. The goals of this session are: (1) Provide a foundation on red teaming chatbots, (2) understand how and why the attacks work, and (3) provide guidance on how attendees can set up their own infrastructure to test and hone their skills after the conference has concluded.</description>
                <recording>
                    <license></license>
                    <optout>false</optout>
                </recording>
                <links></links>
                <attachments></attachments>

                <url>https://pretalx.com/security-bsides-las-vegas-2025/talk/XMWTBT/</url>
                <feedback_url>https://pretalx.com/security-bsides-las-vegas-2025/talk/XMWTBT/feedback/</feedback_url>
            </event>
            <event guid='b01859d2-0846-5293-ba99-d316c5f82e60' id='69919' code='88YDQ7'>
                <room>Opal</room>
                <title>Hands on DuckyScript: Introduction to HID Attacks with O.MG Devices</title>
                <subtitle></subtitle>
                <type>Training-4h</type>
                <date>2025-08-05T15:00:00-07:00</date>
                <start>15:00</start>
                <duration>04:00</duration>
                <abstract>Don&apos;t plug in devices you don&apos;t trust - It&apos;s an often repeated mantra everywhere from the workplace to the movies. But, have you ever wondered how it works in real life, and what the risks truly are?

This training covers the basics of Hak5&apos;s DuckyScript-Language (Version 3) and how to utilize O.MG Devices to develop HID based attacks.

Learn the basics of Hak5&apos;s DuckyScript, how to script human input, how to GeoFence, Remote Control, and much more. This workshop covers exploiting the &quot;human factor&quot; of security and will go over Physical Red Team Assessments, Attacks, and normalizing strategies to improve reliability and performance of your scripts.</abstract>
                <slug>security-bsides-las-vegas-2025-69919-hands-on-duckyscript-introduction-to-hid-attacks-with-o-mg-devices</slug>
                <track>Training Ground</track>
                
                <persons>
                    <person id='70344'>Wasabi</person><person id='72359'>Kalani Helekunihi</person>
                </persons>
                <language>en</language>
                <description>This beginner-friendly training will be approximately 4 hours and introduces attendees to the world of physical red teaming using O.MG Devices. This training is meant for those with minimal prior experience and covers the fundamentals of HID (Human Interface Device) attacks, ethical hacking, and how attackers exploit physical access to systems using tools that emulate keyboards and mice. Participants will learn how to use the O.MG Plug. Attendees will be encouraged to bring their own devices; however, O.MG Plugs will be available for purchase to ensure uniformity of the training. While the class focuses on O.MG devices, the techniques and scripting knowledge are transferable to other DuckyScript-compatible devices like those offered by Hak5.
The trainers have a variety of experiences, including experience with blue teaming, red teaming (physical attacks), and accessibility. Each trainer will bring these unique personal experiences to the attendees and introduce use cases, common tools, deployment strategies, and the truth behind popular portrayals of hacking. The course then delves into the technical workings of USB HID protocols and how DuckyScript leverages them to automate keystrokes, launch payloads, and even initiate wireless or geo-fenced commands.
Students will get hands-on experience flashing, configuring, and scripting O.MG Devices. The course also covers payload design&#8212;emphasizing reliability, stealth, and accessibility&#8212;and explores advanced features such as remote control, C2 (Command and Control) integration, and security best practices.
No prior scripting experience is required, though basic familiarity with networking and operating systems will be helpful. Students must bring their own laptop. By the end of the course, students will have a strong foundational understanding of HID-based attacks, be able to create and deploy basic payloads, and appreciate the role of human factors in security breaches.

Wednesday if possible due to flight itinerary of one of our workshop presenters</description>
                <recording>
                    <license></license>
                    <optout>false</optout>
                </recording>
                <links></links>
                <attachments></attachments>

                <url>https://pretalx.com/security-bsides-las-vegas-2025/talk/88YDQ7/</url>
                <feedback_url>https://pretalx.com/security-bsides-las-vegas-2025/talk/88YDQ7/feedback/</feedback_url>
            </event>
            
        </room>
        <room name='Emerald' guid='8669d67e-5774-5a1b-94c0-b9dfec13e87d'>
            <event guid='d1567c21-9fde-54da-bb5c-eec45647a4ff' id='70260' code='TG9SK9'>
                <room>Emerald</room>
                <title>From Zero Trust to Trusted Advisor: Selling Security to Stakeholders</title>
                <subtitle></subtitle>
                <type>Training-4h</type>
                <date>2025-08-05T10:30:00-07:00</date>
                <start>10:30</start>
                <duration>04:00</duration>
                <abstract>You&#8217;ve identified the vulnerability, tested the exploit, and written the report. But they just don&#8217;t see the urgency. Now what? This 4-hour, hands-on workshop bridges the gap between technical mastery and executive influence. We&#8217;ll move beyond simply reporting risks to crafting compelling narratives, quantifying value, and building the relationships necessary to drive meaningful security improvements.

We&#8217;ll delve into the psychology of decision-making, explore adversarial communication tactics (including those used against YOU), and arm you with practical strategies to become a trusted advisor who can effectively advocate for security and get things done.</abstract>
                <slug>security-bsides-las-vegas-2025-70260-from-zero-trust-to-trusted-advisor-selling-security-to-stakeholders</slug>
                <track>Training Ground</track>
                <logo>/media/security-bsides-las-vegas-2025/submissions/TG9SK9/cd5f6_WVScSik.png</logo>
                <persons>
                    <person id='70634'>Glen Sorensen</person><person id='73771'>Daniela Parker</person>
                </persons>
                <language>en</language>
                <description>Target Audience:
Security professionals of all levels (penetration testers, security engineers, analysts, red teamers, etc.) who want to improve their communication and persuasion skills to influence stakeholders and drive security initiatives.

Workshop Objectives:
Participants will be able to:
&#8226; Identify and analyze key stakeholders, influencers, and decision makers within their organizations.
&#8226; Translate technical findings or concepts, such as security by design, into business-centric language.
&#8226; Tailor your message to your stakeholders and influence them to make better decisions (social engineering for good!).
&#8226; Articulate the ROI of security investments.
&#8226; Effectively counter common objections and adversarial tactics.
&#8226; Develop a practical method for ongoing stakeholder engagement.
&#8226; Practice communicating complex security issues to non-technical audiences.
&#8226; Build trust and credibility with diverse stakeholders.
&#8226; Overcome their own fears and perceived limitations when dealing with key business decision makers.</description>
                <recording>
                    <license></license>
                    <optout>false</optout>
                </recording>
                <links></links>
                <attachments></attachments>

                <url>https://pretalx.com/security-bsides-las-vegas-2025/talk/TG9SK9/</url>
                <feedback_url>https://pretalx.com/security-bsides-las-vegas-2025/talk/TG9SK9/feedback/</feedback_url>
            </event>
            <event guid='d08d6bc3-5d41-5b38-a27e-05d572801580' id='67796' code='8AZNL7'>
                <room>Emerald</room>
                <title>Active Directory Attacks and Defense 101</title>
                <subtitle></subtitle>
                <type>Training-4h</type>
                <date>2025-08-05T15:00:00-07:00</date>
                <start>15:00</start>
                <duration>04:00</duration>
                <abstract>This hands-on class provides students with practical experience attacking and defending Active Directory (AD) environments. Designed for system administrators, IT professionals, and security practitioners, the course covers foundational AD infrastructure, common misconfigurations, and real-world attack techniques. Students will gain insight into threats like NTLM Relay, Kerberoasting, Machine Account Quota abuse, and Unconstrained Delegation.
     Each student will access a dedicated lab environment in Azure featuring three virtual machines: a Windows 10 client, a Windows Server 2019 domain controller, and an Ubuntu VM configured with relevant attack tools (including Docker containers for NTLM relay). Participants will perform each attack step-by-step, then implement defensive measures such as restricting delegation, reducing MachineAccountQuota, disabling unnecessary services, and enabling LDAP signing.
     The class also covers defensive logging practices, including increasing LDAP diagnostic levels and configuring Windows Event Forwarding (WEF) from the domain controller to a log aggregator. Students will leave with a solid understanding of how to identify, exploit, and mitigate common AD weaknesses.
     This class balances theory and hands-on labs, giving students actionable skills to improve the security posture of their AD environments.</abstract>
                <slug>security-bsides-las-vegas-2025-67796-active-directory-attacks-and-defense-101</slug>
                <track>Training Ground</track>
                
                <persons>
                    <person id='68446'>Darryl G. Baker</person>
                </persons>
                <language>en</language>
                <description>Active Directory remains a critical and often vulnerable component in enterprise environments. Misconfigurations, legacy protocols, and overly permissive defaults frequently expose organizations to high-impact attacks. This 4-hour technical workshop equips attendees with both offensive and defensive AD skills, focusing on real-world threats and mitigation strategies.
     The session begins with a quick primer on AD architecture&#8212;covering domain controllers, LDAP, Kerberos, NTLM, and common user/computer misconfigurations. Students will learn how attackers enumerate domains and locate exploitable targets using built-in Windows tools and open-source utilities.
     Students will then perform impactful attacks in their own isolated Azure lab environments including:
- NTLM Relay using an Ubuntu Docker machine to capture and relay credentials to AD services.
- Kerberoasting, where students request service tickets for SPNs and crack them offline.
- Machine Account Quota abuse, exploiting the default ability for authenticated users to create computer accounts.
- Unconstrained Delegation, showing how attackers impersonate users when delegation is misconfigured.
      After each attack, students will implement defenses including:
- Configure SMB and LDAP signing to prevent relay attacks.
- Restrict MachineAccountQuota and delegate computer creation privileges.
- Convert Unconstrained Delegation to Constrained/Resource-Based Delegation.
- Use Blue Team tools such as BloodHound CE and PingCastle to investigate a possible breach.
     Logging and detection are core to any defense. Students will learn how to increase LDAP diagnostic logging levels on the DC, identify key logs associated with each attack, and configure Windows Event Forwarding (WEF) to send critical events to a centralized Ubuntu-based log collector. The lab demonstrates how increasing visibility makes even stealthy attacks detectable.
     All scenarios will be demonstrated live and reinforced through guided student lab exercises. Lab guides include screenshots and command snippets for easy reference. Students will walk away with a reusable lab environment and deeper insight into AD threats, defense-in-depth strategies, and hardening techniques suitable for real-world environments.
     This course is ideal for Windows administrators, red teamers, blue teamers, and anyone responsible for defending Microsoft environments.</description>
                <recording>
                    <license></license>
                    <optout>false</optout>
                </recording>
                <links></links>
                <attachments></attachments>

                <url>https://pretalx.com/security-bsides-las-vegas-2025/talk/8AZNL7/</url>
                <feedback_url>https://pretalx.com/security-bsides-las-vegas-2025/talk/8AZNL7/feedback/</feedback_url>
            </event>
            
        </room>
        <room name='Diamond' guid='cf0d10ad-7c56-59fc-a3a7-c5655844c571'>
            <event guid='1d137dcc-79c3-5eeb-8ad5-cee81f7b4311' id='68763' code='9GQUFW'>
                <room>Diamond</room>
                <title>AI Governance in Action: Fundamentals &amp; Tabletop Workshop</title>
                <subtitle></subtitle>
                <type>Training-4h</type>
                <date>2025-08-05T10:30:00-07:00</date>
                <start>10:30</start>
                <duration>04:00</duration>
                <abstract>As AI systems become integral to enterprise operations, effective governance is essential to mitigate associated risks. This hands-on workshop offers a comprehensive introduction to AI governance, focusing on AI system lifecycle oversight, alignment with frameworks like the NIST AI RMF, and compliance with regulations such as the EU AI Act. Participants will engage in a guided tabletop exercise simulating a real-world AI incident, fostering collaborative response strategies and practical risk mitigation planning. Attendees will leave equipped with actionable insights and tools to implement responsible AI governance within their organizations.</abstract>
                <slug>security-bsides-las-vegas-2025-68763-ai-governance-in-action-fundamentals-tabletop-workshop</slug>
                <track>Training Ground</track>
                <logo>/media/security-bsides-las-vegas-2025/submissions/9GQUFW/AI_Sy_V7iWUCt.png</logo>
                <persons>
                    <person id='69308'>Josh Harguess</person><person id='69310'>Chris Ward</person>
                </persons>
                <language>en</language>
                <description>This workshop is designed for security professionals, risk managers, and compliance officers seeking to understand and apply AI governance principles. The session begins with an overview of AI governance fundamentals, including risk assessment, policy development, and regulatory compliance. The latter half involves a tabletop exercise where participants navigate a simulated AI incident, encouraging the application of learned concepts in a controlled environment. The workshop emphasizes interactive learning, providing participants with templates, checklists, and a practical playbook for managing AI risks.</description>
                <recording>
                    <license></license>
                    <optout>false</optout>
                </recording>
                <links></links>
                <attachments></attachments>

                <url>https://pretalx.com/security-bsides-las-vegas-2025/talk/9GQUFW/</url>
                <feedback_url>https://pretalx.com/security-bsides-las-vegas-2025/talk/9GQUFW/feedback/</feedback_url>
            </event>
            <event guid='e1e488d8-d7a4-59ec-8e3d-4d3ecb99ee39' id='67125' code='KRY9EL'>
                <room>Diamond</room>
                <title>Eliminating Bug Classes at Scale: Leveraging Browser Features for Proactive Defense</title>
                <subtitle></subtitle>
                <type>Training-4h</type>
                <date>2025-08-05T15:00:00-07:00</date>
                <start>15:00</start>
                <duration>04:00</duration>
                <abstract>Traditional patching has failed to scale - it&#8217;s time for a new approach. This hands-on workshop teaches you to eliminate entire bug classes with modern browser security features instead of endlessly reacting to reports. Instead of firefighting the same issues, you&#8217;ll learn how to use Content-Security-Policy v3, Trusted Types, and Sec-Fetch-Metadata to go beyond traditional recommendations and prevent vulnerabilities at scale.

You&#8217;ll work with a training app that&#8217;s already secured, but we&#8217;ll go further. By applying advanced browser defenses, monitoring their effectiveness, and enforcing them at scale, you&#8217;ll experience firsthand how modern web standards protect both new and legacy systems.

This isn&#8217;t just about fixing issues - it&#8217;s about scaling security across an organization. We&#8217;ll explore measuring adoption across hundreds of services, automating enforcement, and applying defense-in-depth beyond single vulnerabilities.

Through interactive group challenges, you&#8217;ll tackle XSS vulnerabilities (among others), but not in the way you are used to. Whether you&#8217;re a developer, security engineer, or architect, you&#8217;ll leave with practical tools and a proactive security mindset - moving from patching to prevention.</abstract>
                <slug>security-bsides-las-vegas-2025-67125-eliminating-bug-classes-at-scale-leveraging-browser-features-for-proactive-defense</slug>
                <track>Training Ground</track>
                
                <persons>
                    <person id='67791'>Javan Rasokat</person>
                </persons>
                <language>en</language>
                <description>Fixing the same vulnerabilities over and over doesn&#8217;t scale. This workshop takes a different approach - eliminating entire bug classes (where we can) using the latest browser security features (some are very new). With the new OWASP Proactive Controls list now including C6 browser security, it&#8217;s the perfect time to focus on prevention instead of endless patching.

I first ran this workshop inside my own organization, and even experienced AppSec leads found it eye-opening. The idea was inspired by some work happening behind closed doors at big tech companies, e.g. Google. One of the things made public was the Security Signals research paper by Google. I took those ideas, built on them, and created this hands-on training. 

- Attendees will exploit vulnerabilities in a training app, then apply defenses like CSP v3, Trusted Types, and Sec-Fetch-Metadata to see their impact in real-time.
- Teams will compete to break and defend a web application using modern security headers and policies.
- We&#8217;ll analyze security breaches that could have been prevented with these mechanisms, making the session practical and engaging.
- Attendees will learn how to measure and enforce adoption across an organization using their own automation, rather than relying on one-off fixes.

- Many security workshops focus on finding and fixing individual bugs. This workshop shifts the perspective toward eliminating entire bug classes using modern browser security features.
- Unlike classic hands-on labs, this workshop helps attendees think at scale - how to enforce security measures across entire organizations, making it relevant to large enterprises as well as individual developers.
- Covers new web security standards that didn&#8217;t exist a few years ago, offering attendees fresh, actionable knowledge beyond OWASP basics.
- Unlike many offensive security workshops, this is a security-builder-focused session, empowering developers and security teams to integrate security-by-design.</description>
                <recording>
                    <license></license>
                    <optout>false</optout>
                </recording>
                <links></links>
                <attachments></attachments>

                <url>https://pretalx.com/security-bsides-las-vegas-2025/talk/KRY9EL/</url>
                <feedback_url>https://pretalx.com/security-bsides-las-vegas-2025/talk/KRY9EL/feedback/</feedback_url>
            </event>
            
        </room>
        <room name='Boardroom' guid='e976063b-fbd4-52e2-804f-382d841e7f39'>
            <event guid='4ff2e459-1a26-547b-b419-a8354aade388' id='67736' code='PEKNAB'>
                <room>Boardroom</room>
                <title>Gremlin Hunting with SIGMA rules</title>
                <subtitle></subtitle>
                <type>Training-4h</type>
                <date>2025-08-05T10:30:00-07:00</date>
                <start>10:30</start>
                <duration>04:00</duration>
                <abstract>SIGMA rules are an agnostic, text-based, open signature format written in YAML for creating threat detections, developed and open-sourced in 2017 by Florian Roth and Thomas Patzke. The project was conceived to address the challenges facing analysts when sharing and translating rule logic across the various SIEM and EDR tools.
I will share with you how I implemented the gift of SIGMAs in our hunting workflow to assist with sniffing out gremlins hiding in the network. I will walk through the SIGMA creation process, sharing tips on how to tackle some of the challenges you might run into in real life when working with SIGMA. Hopefully my story can prove helpful for you, whether you are looking for ways to mature and streamline your hunting programs or just getting started playing around with Sigma.</abstract>
                <slug>security-bsides-las-vegas-2025-67736-gremlin-hunting-with-sigma-rules</slug>
                <track>Training Ground</track>
                <logo>/media/security-bsides-las-vegas-2025/submissions/PEKNAB/greml_vocPWTM.jpg</logo>
                <persons>
                    <person id='68389'>Rain Baker</person><person id='69333'>Nicholas Carroll</person>
                </persons>
                <language>en</language>
                <description>Training will start with a walkthrough of what a SIGMA rule is, how they work, and how to construct them. I will show various community resources available on how to get started implementing SIGMA in your environment. I will then cover in detail the workflow for our guided hunt framework, &quot;Gremlin Hunters&quot;.
1) How the hunts are developed using the SIGMA rule format, using OSINT and internal research.
2) How rules are inputted into our MISP instance, where we use pySIGMA to process and translate the rules.
3) How the rules are then sent over to our ticketing system, where they are distributed to the hunting team on a weekly basis.
4) How the hunt team uses the translations, tailors them to the environment, then submits findings (and a prod-ready rule if applicable).</description>
                <recording>
                    <license></license>
                    <optout>false</optout>
                </recording>
                <links></links>
                <attachments></attachments>

                <url>https://pretalx.com/security-bsides-las-vegas-2025/talk/PEKNAB/</url>
                <feedback_url>https://pretalx.com/security-bsides-las-vegas-2025/talk/PEKNAB/feedback/</feedback_url>
            </event>
            <event guid='e87270c9-5b8d-5982-a9b6-72658540c54c' id='68805' code='RB9NV3'>
                <room>Boardroom</room>
                <title>Threat and adversary emulation operational exercises</title>
                <subtitle></subtitle>
                <type>Training-4h</type>
                <date>2025-08-05T15:00:00-07:00</date>
                <start>15:00</start>
                <duration>04:00</duration>
                <abstract>This hands-on workshop provides participants with a foundation in practical threat and adversary emulation. Designed for security professionals looking to enhance their offensive and defensive capabilities, the training takes place in a controlled, enterprise-grade lab environment equipped with real-world defensive technologies, including Anti-Virus, Web Proxies, EDR, SIEM integration, and other detection mechanisms.
Participants will engage in guided step-by-step exercises to safely emulate real-world threat actors and assess the effectiveness of common security controls. The workshop covers key areas such as gathering actionable cyber threat intelligence, planning and executing adversary emulation engagements, and using a variety of emulation tools and frameworks. Attendees will also learn how to map techniques to the MITRE ATT&amp;CK framework, conduct threat hunting activities, and design custom adversary emulation plans tailored to organizational needs.
By the end of the workshop, attendees will be equipped with the practical skills needed to operationalize threat emulation efforts and strengthen their organization&#8217;s cyber defense posture.</abstract>
                <slug>security-bsides-las-vegas-2025-68805-threat-and-adversary-emulation-operational-exercises</slug>
                <track>Training Ground</track>
                
                <persons>
                    <person id='69341'>Abhijith &quot;Abx&quot; B R</person>
                </persons>
                <language>en</language>
                <description>This hands-on workshop is designed to equip participants with a solid foundation in practical threat and adversary emulation. Through guided exercises in a controlled, enterprise-grade lab environment, attendees will learn how to safely emulate real-world threat actors. All lab systems will include active defenses such as Anti-Virus, Web Proxies, EDR, SIEM integration and other detection mechanisms.
Key topics covered include:
&#8226;	Gathering actionable cyber threat intelligence
&#8226;	Planning and executing adversary emulation engagements
&#8226;	Utilizing attack emulation tools and frameworks
&#8226;	Leveraging MITRE ATT&amp;CK for mapping and execution
&#8226;	Threat hunting techniques
&#8226;	Building custom adversary emulation plans
&#8226;	An introduction to dynamic adversary simulation
Each module includes step-by-step walkthroughs of attack vectors, guiding participants through realistic attack paths across enterprise environments. The goal is to help attendees evaluate the effectiveness of security controls and better understand how to test and improve cyber defenses through adversary emulation.</description>
                <recording>
                    <license></license>
                    <optout>false</optout>
                </recording>
                <links></links>
                <attachments></attachments>

                <url>https://pretalx.com/security-bsides-las-vegas-2025/talk/RB9NV3/</url>
                <feedback_url>https://pretalx.com/security-bsides-las-vegas-2025/talk/RB9NV3/feedback/</feedback_url>
            </event>
            
        </room>
        <room name='Misora' guid='beaac478-2ebd-5233-9eab-3d34e8deee93'>
            <event guid='4355a92c-afb7-5c0a-a946-934b65940e1f' id='69115' code='7MBYEA'>
                <room>Misora</room>
                <title>HR Hates My Mugs: Evading AI Censorship (Token 07)</title>
                <subtitle></subtitle>
                <type>Talk-20m</type>
                <date>2025-08-05T10:00:00-07:00</date>
                <start>10:00</start>
                <duration>00:25</duration>
                <abstract>How can we undermine AI censorship for freedom, activism, truth, and of course&#8230;for trolling? We rely on AI more and more to generate and moderate our content, but how do we operate in a world conditioned to accept unwarranted censorship for the sake of convenience? How do we control the systems that control ours? Do not obey in advance! Learn what hackers and artists have in common for evading graphical content moderation and writing bots that fight mod bots. Automate to manipulate AI before it is weaponized to manipulate you. Why is this all possible? Because AI can&#8217;t tell how many &#8220;legs&#8221; a person has, and that includes the third leg. Warning: NSFW content.</abstract>
                <slug>security-bsides-las-vegas-2025-69115-hr-hates-my-mugs-evading-ai-censorship-token-07</slug>
                <track>Skytalks</track>
                
                <persons>
                    <person id='70449'>TerryBibbles</person>
                </persons>
                <language>en</language>
                <description>n/a</description>
                <recording>
                    <license></license>
                    <optout>false</optout>
                </recording>
                <links></links>
                <attachments></attachments>

                <url>https://pretalx.com/security-bsides-las-vegas-2025/talk/7MBYEA/</url>
                <feedback_url>https://pretalx.com/security-bsides-las-vegas-2025/talk/7MBYEA/feedback/</feedback_url>
            </event>
            <event guid='b16d97e1-fca3-5909-b319-a920bcb25d3d' id='69123' code='TRNJJY'>
                <room>Misora</room>
                <title>Sex Work Is Tech Work: What Technologists Should Know From the Sex Industry (Token 07)</title>
                <subtitle></subtitle>
                <type>Talk-45m</type>
                <date>2025-08-05T10:30:00-07:00</date>
                <start>10:30</start>
                <duration>00:45</duration>
                <abstract>Not only is sex work real work, it&#8217;s work that overlaps heavily with the work technologists do in non-sex career paths. As a marginalized professional community, sex workers are often the first hit by new forms of risk or abuse, and have had to remain innovative through a culture of continuous education and community care. As we go through a time when many groups in the US are finding themselves increasingly marginalized and sometimes newly-criminalized, looking at the ways the same skills manifest in sex work and tech work communities can help us recontextualize our skills and seek new approaches from other industries that have more experience with these challenges.</abstract>
                <slug>security-bsides-las-vegas-2025-69123-sex-work-is-tech-work-what-technologists-should-know-from-the-sex-industry-token-07</slug>
                <track>Skytalks</track>
                
                <persons>
                    <person id='72822'>Gwyndolyn</person>
                </persons>
                <language>en</language>
                <description>n/a</description>
                <recording>
                    <license></license>
                    <optout>false</optout>
                </recording>
                <links></links>
                <attachments></attachments>

                <url>https://pretalx.com/security-bsides-las-vegas-2025/talk/TRNJJY/</url>
                <feedback_url>https://pretalx.com/security-bsides-las-vegas-2025/talk/TRNJJY/feedback/</feedback_url>
            </event>
            <event guid='01298203-a262-53c4-b4ef-a8faceae938c' id='69911' code='PBWQHT'>
                <room>Misora</room>
                <title>Mapping the Gaps: How Disconnects in Critical Infrastructure Leave Cities Vulnerable (Token 08)</title>
                <subtitle></subtitle>
                <type>Talk-20m</type>
                <date>2025-08-05T14:00:00-07:00</date>
                <start>14:00</start>
                <duration>00:20</duration>
                <abstract>When a cybersecurity director for a major American city realized the city lacked a clear mapping of the 16 critical infrastructure sectors, they set out to create one. What began as a straightforward exercise revealed enormous blind spots, gaps, and disconnects between federal definitions and state/local realities of cybersecurity. This talk explores how the process of mapping critical infrastructure exposed vulnerabilities in areas like energy, transportation, and emergency services&#8212;and highlighted the systemic misalignment between federal priorities and local preparedness. The disconnect isn&#8217;t just about definitions; it&#8217;s about resources, communication, and the ability to respond effectively to cyber threats.
Through this journey, attendees will see how critical infrastructure mapping can uncover hidden risks, challenge assumptions, and reveal the consequences of fragmented cybersecurity strategies. The talk will also examine how these gaps leave cities under-resourced and unprepared for increasingly sophisticated threats to vital systems. By sharing lessons learned and actionable insights, this session aims to inspire better coordination between federal and local stakeholders to strengthen critical infrastructure resilience.</abstract>
                <slug>security-bsides-las-vegas-2025-69911-mapping-the-gaps-how-disconnects-in-critical-infrastructure-leave-cities-vulnerable-token-08</slug>
                <track>Skytalks</track>
                
                <persons>
                    <person id='72826'>QuietRoar</person>
                </persons>
                <language>en</language>
                <description>n/a</description>
                <recording>
                    <license></license>
                    <optout>false</optout>
                </recording>
                <links></links>
                <attachments></attachments>

                <url>https://pretalx.com/security-bsides-las-vegas-2025/talk/PBWQHT/</url>
                <feedback_url>https://pretalx.com/security-bsides-las-vegas-2025/talk/PBWQHT/feedback/</feedback_url>
            </event>
            <event guid='93050ae3-d8dc-523f-8377-cdc3acc53945' id='69117' code='9JKECQ'>
                <room>Misora</room>
                <title>Organizing Cyber: Why We Need More IT &amp; Cybersecurity Unions (Token 08)</title>
                <subtitle></subtitle>
                <type>Talk-20m</type>
                <date>2025-08-05T14:25:00-07:00</date>
                <start>14:25</start>
                <duration>00:20</duration>
                <abstract>The cybersecurity industry thrives on innovation but exploits its workforce - regardless of seniority of an employee. As corporations strip away protections and consolidate power, cybersecurity and IT professionals must fight back - through unions. This talk explores the urgent need for cybersecurity workers to organize, the challenges we face in unionizing, and how we can build a coalition to push for fair wages, job security, and ethical workplace conditions. Whether by supporting existing unions or launching new movements, it&#8217;s time to act. The fight isn&#8217;t just for blue-collar workers - white-collar cyber professionals need collective power too. Now is the time.</abstract>
                <slug>security-bsides-las-vegas-2025-69117-organizing-cyber-why-we-need-more-it-cybersecurity-unions-token-08</slug>
                <track>Skytalks</track>
                
                <persons>
                    <person id='74121'>CyberGuy</person>
                </persons>
                <language>en</language>
                <description>n/a</description>
                <recording>
                    <license></license>
                    <optout>false</optout>
                </recording>
                <links></links>
                <attachments></attachments>

                <url>https://pretalx.com/security-bsides-las-vegas-2025/talk/9JKECQ/</url>
                <feedback_url>https://pretalx.com/security-bsides-las-vegas-2025/talk/9JKECQ/feedback/</feedback_url>
            </event>
            <event guid='0f63acfc-caf1-52d0-bfb1-503fd7f99861' id='69905' code='7RPBUM'>
                <room>Misora</room>
                <title>Ask EFF (Token 09)</title>
                <subtitle></subtitle>
                <type>Talk-45m</type>
                <date>2025-08-05T15:00:00-07:00</date>
                <start>15:00</start>
                <duration>00:45</duration>
                <abstract>Electronic Frontier Foundation (EFF) is thrilled to return to BSides Las Vegas and delve into policy issues that matter most to the security community. At this interactive session, our panelists will share updates on critical digital rights issues and EFF&apos;s ongoing efforts to safeguard privacy, combat surveillance, and advocate for freedom of expression. From discussions on hardware hacking to navigating legal and policy landscapes, we invite attendees to engage in dynamic conversations with our experts. This session isn&apos;t about passive lectures; it&apos;s about fostering meaningful exchanges on today&apos;s most pressing policy issues and addressing your most burning questions. We will be joined by EFF&#8217;s Staff Attorney Hannah Zhao; Grassroots Advocacy Organizer Chris Vines; Staff Attorney Lisa Femia, and Director of Engineering Alexis Hancock.</abstract>
                <slug>security-bsides-las-vegas-2025-69905-ask-eff-token-09</slug>
                <track>Skytalks</track>
                
                <persons>
                    <person id='70335'>Chris Vines</person><person id='74268'>Hannah Zhao</person><person id='74269'>Lisa Femia</person><person id='74270'>Alexis Hancock</person>
                </persons>
                <language>en</language>
                <description>Panelists from the EFF Staff will give brief updates on key topics in their expertise before turning it over to BSides attendees to ask their burning questions about policy, advocacy and making the future of tech brighter.  It&apos;s a dynamic session fostering engaging discussions on digital rights featuring an EFF staff attorney, activist, and public interest technologist. 

Moderator Hannah Zhao (she/her) is a Senior Staff Attorney on EFF&#8217;s Coders Rights Project. Her work with CRP protects hackers, researchers, and tinkerers on the digital frontier through legal defense, amicus briefs, and education. She also works to push back on emerging surveillance technologies like face recognition, electronic monitoring, and government drones. Hannah has a background in computer science, criminal justice, and international human rights law before her time at EFF. 

Chris Vines (he/him) is EFF&apos;s Grassroots Advocacy Organizer, working with members of the Electronic Frontier Alliance (EFA). With over a decade of experience in organizing and having been a part of over 50 successful electoral &amp; non-profit campaigns, Chris has been instrumental in building progressive bases in several states and is passionate about mobilizing people and getting them the tools needed to bring about progressive change.  

Lisa Femia (she/her) is a Staff Attorney on EFF&apos;s civil liberties team. Her work focuses on surveillance, privacy, free speech, and the impact of technology on civil rights and civil liberties. Lisa came to EFF from Hogan Lovells US LLP, where she maintained a robust pro bono practice centered on democracy reform, criminal justice, and civil rights. 

Alexis Hancock (she/her) is EFF&#8217;s Director of Engineering on our Public Interest Technologist team. She researches an intersection of issues on digital rights, encryption, and consumer technology. She is also well known for managing the Certbot project, advocating for open technology standards and for unveiling insecurities in consumer devices.</description>
                <recording>
                    <license></license>
                    <optout>false</optout>
                </recording>
                <links></links>
                <attachments></attachments>

                <url>https://pretalx.com/security-bsides-las-vegas-2025/talk/7RPBUM/</url>
                <feedback_url>https://pretalx.com/security-bsides-las-vegas-2025/talk/7RPBUM/feedback/</feedback_url>
            </event>
            <event guid='52fbec9a-84fc-50f7-a19b-5ed56229eaff' id='69122' code='93CHRX'>
                <room>Misora</room>
                <title>From Drone Strike to File Recovery, outsmarting a nation state (Token 10)</title>
                <subtitle></subtitle>
                <type>Talk-45m</type>
                <date>2025-08-05T16:00:00-07:00</date>
                <start>16:00</start>
                <duration>00:45</duration>
                <abstract>This is our stage, set in early 2023, a nation state is prepping a campaign against several organizations - using similar TTPs.
Join us on an exhilarating journey through a massive incident response (IR) in an incredibly intricate setting. Picture this: A drone strike motivates a nation state to attack an organization and launch an InfoOps campaign. With over 30 distinct Business Units, each with its own unique IT structure. Every endpoint directly exposed to the vast expanse of the internet, boasting a class B IP range. And to top it off, varying levels of security hygiene.
But wait, there&apos;s more! The attackers unleashed a devastating ransomware attack, which, surprise, turned out to be successful. Countless terabytes of data held hostage, with no possibility of a key.
Fear not, for we have discovered a remarkable method to exploit this ransomware and reclaim the majority of the encrypted data. Prepare to witness the magic of resourcefulness, innovation, and the art of cracking cryptography. Brace yourself for a talk that will leave you in awe!</abstract>
                <slug>security-bsides-las-vegas-2025-69122-from-drone-strike-to-file-recovery-outsmarting-a-nation-state-token-10</slug>
                <track>Skytalks</track>
                
                <persons>
                    <person id='68483'>Guy Barnhart-Magen</person><person id='72841'>Brenton Morris</person>
                </persons>
                <language>en</language>
                <description>n/a</description>
                <recording>
                    <license></license>
                    <optout>false</optout>
                </recording>
                <links></links>
                <attachments></attachments>

                <url>https://pretalx.com/security-bsides-las-vegas-2025/talk/93CHRX/</url>
                <feedback_url>https://pretalx.com/security-bsides-las-vegas-2025/talk/93CHRX/feedback/</feedback_url>
            </event>
            <event guid='484deb64-1f9e-5480-8fae-3995535a675e' id='70238' code='XZ9RXT'>
                <room>Misora</room>
                <title>Stopping the Nuclear Apocalypse with Threat Intel (Token 11)</title>
                <subtitle></subtitle>
                <type>Talk-20m</type>
                <date>2025-08-05T17:00:00-07:00</date>
                <start>17:00</start>
                <duration>00:20</duration>
                <abstract>Sometimes in our industry you get to put on your supersuit. In March of 2022 my team and I uncovered an attack on a customer that was specifically targeted at backdooring/incapacitating nuclear reactor control systems.

This is our story.</abstract>
                <slug>security-bsides-las-vegas-2025-70238-stopping-the-nuclear-apocalypse-with-threat-intel-token-11</slug>
                <track>Skytalks</track>
                
                <persons>
                    <person id='70617'>Paul Miller</person>
                </persons>
                <language>en</language>
                <description>Please see above abstract.

This is a short talk talking about what we saw that day, and how we used threat intel on top of our X&amp;Os playbooks to understand that what we were looking at was a way bigger attempt than it appeared.</description>
                <recording>
                    <license></license>
                    <optout>false</optout>
                </recording>
                <links></links>
                <attachments></attachments>

                <url>https://pretalx.com/security-bsides-las-vegas-2025/talk/XZ9RXT/</url>
                <feedback_url>https://pretalx.com/security-bsides-las-vegas-2025/talk/XZ9RXT/feedback/</feedback_url>
            </event>
            <event guid='c48ad562-0e83-5470-998a-b92adebd3529' id='69118' code='TAMDET'>
                <room>Misora</room>
                <title>Crossing the Border Again with a Burner Phone (Token 11)</title>
                <subtitle></subtitle>
                <type>Talk-20m</type>
                <date>2025-08-05T17:25:00-07:00</date>
                <start>17:25</start>
                <duration>00:20</duration>
                <abstract>A Lawyer Explains Legal &amp; Security Issues at the Border: if you&#8217;re returning to the US and are stopped at customs and immigration, what are your rights (or lack of rights)? This talk was first given in 2017 in the wake of the Muslim Ban, and has been brought out, dusted off, and updated for 2025. This is not a talk about hiding volumes on your phone with whiz-bang crypto software. This is a pragmatic discussion of the border search exception to the 4th Amendment and what could actually happen if CBP or ICE seize your laptop and phone.</abstract>
                <slug>security-bsides-las-vegas-2025-69118-crossing-the-border-again-with-a-burner-phone-token-11</slug>
                <track>Skytalks</track>
                
                <persons>
                    <person id='68440'>Wendy Knox Everette</person>
                </persons>
                <language>en</language>
                <description>n/a</description>
                <recording>
                    <license></license>
                    <optout>false</optout>
                </recording>
                <links></links>
                <attachments></attachments>

                <url>https://pretalx.com/security-bsides-las-vegas-2025/talk/TAMDET/</url>
                <feedback_url>https://pretalx.com/security-bsides-las-vegas-2025/talk/TAMDET/feedback/</feedback_url>
            </event>
            <event guid='7c8cdf48-d805-5139-a663-6277de858e3d' id='69915' code='AWCU7W'>
                <room>Misora</room>
                <title>A glitch in the matrix: HUMINT OSINT and Digital Forensics to identify &amp; remove hostile foreign corporate espionage actors (Token 12)</title>
                <subtitle></subtitle>
                <type>Talk-45m</type>
                <date>2025-08-05T18:00:00-07:00</date>
                <start>18:00</start>
                <duration>00:45</duration>
                <abstract>In early 2025, former Intelligence Officers in the commercial sector identified and removed foreign actors from physical and virtual access to a major portion of US Infrastructure. Using a commercial blend of HUMINT, OSINT, Digital Forensics and AI, the risk posed was mitigated through long hours developing new defensive techniques with AI and old-school OSS tradecraft. This talk will equip the attendees to better protect their network, their employer, and their clients.</abstract>
                <slug>security-bsides-las-vegas-2025-69915-a-glitch-in-the-matrix-humint-osint-and-digital-forensics-to-identify-remove-hostile-foreign-corporate-espionage-actors-token-12</slug>
                <track>Skytalks</track>
                
                <persons>
                    <person id='71143'>John O. Thorne</person>
                </persons>
                <language>en</language>
                <description>n/a</description>
                <recording>
                    <license></license>
                    <optout>false</optout>
                </recording>
                <links></links>
                <attachments></attachments>

                <url>https://pretalx.com/security-bsides-las-vegas-2025/talk/AWCU7W/</url>
                <feedback_url>https://pretalx.com/security-bsides-las-vegas-2025/talk/AWCU7W/feedback/</feedback_url>
            </event>
            
        </room>
        <room name='Foyer, Platinum Hotel Conference Center' guid='9ee58053-f07d-5593-9b7b-ca70047a36c3'>
            <event guid='06eb902a-704a-5d1f-a106-6af9cb1ba32a' id='70733' code='HM7REA'>
                <room>Foyer, Platinum Hotel Conference Center</room>
                <title>Morning Trainings, Tuesday</title>
                <subtitle></subtitle>
                <type>Training-4h</type>
                <date>2025-08-05T10:30:00-07:00</date>
                <start>10:30</start>
                <duration>04:00</duration>
                <abstract>Morning Trainings, Tuesday</abstract>
                <slug>security-bsides-las-vegas-2025-70733-morning-trainings-tuesday</slug>
                <track>Middle Ground</track>
                
                <persons>
                    
                </persons>
                <language>en</language>
                <description>Morning Trainings, Tuesday</description>
                <recording>
                    <license></license>
                    <optout>false</optout>
                </recording>
                <links></links>
                <attachments></attachments>

                <url>https://pretalx.com/security-bsides-las-vegas-2025/talk/HM7REA/</url>
                <feedback_url>https://pretalx.com/security-bsides-las-vegas-2025/talk/HM7REA/feedback/</feedback_url>
            </event>
            <event guid='4f88659b-0986-57dc-b4a6-7a6874d5b285' id='70737' code='TKFECF'>
                <room>Foyer, Platinum Hotel Conference Center</room>
                <title>Trainer Box Lunches Delivered, Tuesday</title>
                <subtitle></subtitle>
                <type>Event1HR</type>
                <date>2025-08-05T14:30:00-07:00</date>
                <start>14:30</start>
                <duration>00:00</duration>
                <abstract>Trainer Box Lunches Delivered, Tuesday</abstract>
                <slug>security-bsides-las-vegas-2025-70737-trainer-box-lunches-delivered-tuesday</slug>
                <track>Middle Ground</track>
                
                <persons>
                    
                </persons>
                <language>en</language>
                <description>Trainer Box Lunches Delivered, Tuesday</description>
                <recording>
                    <license></license>
                    <optout>false</optout>
                </recording>
                <links></links>
                <attachments></attachments>

                <url>https://pretalx.com/security-bsides-las-vegas-2025/talk/TKFECF/</url>
                <feedback_url>https://pretalx.com/security-bsides-las-vegas-2025/talk/TKFECF/feedback/</feedback_url>
            </event>
            <event guid='4034e940-0d4f-5a9a-8daa-6b974e8aa91e' id='70738' code='ULDGKP'>
                <room>Foyer, Platinum Hotel Conference Center</room>
                <title>Afternoon Trainings, Tuesday</title>
                <subtitle></subtitle>
                <type>Training-4h</type>
                <date>2025-08-05T15:00:00-07:00</date>
                <start>15:00</start>
                <duration>04:00</duration>
                <abstract>Afternoon Trainings, Tuesday</abstract>
                <slug>security-bsides-las-vegas-2025-70738-afternoon-trainings-tuesday</slug>
                <track>Middle Ground</track>
                
                <persons>
                    
                </persons>
                <language>en</language>
                <description>Afternoon Trainings, Tuesday</description>
                <recording>
                    <license></license>
                    <optout>false</optout>
                </recording>
                <links></links>
                <attachments></attachments>

                <url>https://pretalx.com/security-bsides-las-vegas-2025/talk/ULDGKP/</url>
                <feedback_url>https://pretalx.com/security-bsides-las-vegas-2025/talk/ULDGKP/feedback/</feedback_url>
            </event>
            
        </room>
        
    </day>
    <day index='3' date='2025-08-06' start='2025-08-06T04:00:00-07:00' end='2025-08-07T03:59:00-07:00'>
        <room name='Florentine A' guid='17c3879d-b68a-5a2f-af38-dd22c4b1b021'>
            <event guid='3b7f56f0-d807-517c-b87b-b534e4915a3f' id='67775' code='ZRR3WQ'>
                <room>Florentine A</room>
                <title>Breaking the Guest List: Hacking Invitation Systems for Fun and Profit</title>
                <subtitle></subtitle>
                <type>Talk-45m</type>
                <date>2025-08-06T10:00:00-07:00</date>
                <start>10:00</start>
                <duration>00:45</duration>
                <abstract>Invitation systems in social media platforms often appear simple, but they can hide critical business logic vulnerabilities. In this talk, I&#8217;ll reveal how I exploited these flaws in platforms like Facebook and Snapchat to gain unauthorized access, maintain connections indefinitely, and even block users from their own accounts. These real-world examples demonstrate how overlooked invitation mechanics can expose significant security risks, leading to privacy breaches and persistent access issues. Attendees will gain insight into how these vulnerabilities can be exploited and what measures can be taken to defend against them.</abstract>
                <slug>security-bsides-las-vegas-2025-67775-breaking-the-guest-list-hacking-invitation-systems-for-fun-and-profit</slug>
                <track>Breaking Ground</track>
                
                <persons>
                    <person id='67754'>Ali Kabeel</person>
                </persons>
                <language>en</language>
                <description>Invitation systems are an essential part of many social platforms, designed to help users connect and engage. However, these systems can also harbor subtle business logic flaws that, when exploited, allow attackers to manipulate their functionality in unexpected ways. This talk uncovers how vulnerabilities in social media invitation mechanisms can lead to severe security risks.

Through detailed examples from Facebook and Snapchat, I&apos;ll share how I:

- Discovered a way to create permanent invites in Facebook Groups, granting indefinite access to outsiders.
- Exploited flaws in Facebook&apos;s friend management system to stay friends with anyone indefinitely, bypassing their attempts to remove me.
- Broke Snapchat&#8217;s invitation system to block legitimate users from accessing their own accounts.

This session will explore the technical and logical breakdowns behind these exploits, showing how these vulnerabilities could be leveraged by attackers for persistent access, privacy violations, and account disruption. Attendees will learn how to identify, prevent, and fix business logic vulnerabilities in their own systems, strengthening the overall security of user interaction workflows.</description>
                <recording>
                    <license></license>
                    <optout>false</optout>
                </recording>
                <links></links>
                <attachments></attachments>

                <url>https://pretalx.com/security-bsides-las-vegas-2025/talk/ZRR3WQ/</url>
                <feedback_url>https://pretalx.com/security-bsides-las-vegas-2025/talk/ZRR3WQ/feedback/</feedback_url>
            </event>
            <event guid='3099864d-79e4-5d58-8f7f-4a227368488c' id='70306' code='YGNSNC'>
                <room>Florentine A</room>
                <title>The Age of Zygote Injection</title>
                <subtitle></subtitle>
                <type>Talk-45m</type>
                <date>2025-08-06T11:00:00-07:00</date>
                <start>11:00</start>
                <duration>00:45</duration>
                <abstract>Zygote is the first process to be started on Android, serving as a template/interface for launching new processes. As such, it has sufficient privileges to interact with any application, unlike the application-to-application perspective, which is extremely limited due to Android&#8217;s SELinux policies. Here, therefore, we find the state of the art for breaking the Android sandboxing system!

Tools like Riru and Zygisk use root privileges to alter Android&apos;s properties and subvert the system&apos;s behavior in order to inject code into Zygote, thereby reaching any loaded application and enabling hooking techniques for both native code and Dalvik (DEX) code.

In this talk, we will understand how these injections are carried out during the loader process, Zygote hooking, and hooking of both native and Dalvik (DEX) application code. Interesting, right? Come unlock the true potential of Android!</abstract>
                <slug>security-bsides-las-vegas-2025-70306-the-age-of-zygote-injection</slug>
                <track>Breaking Ground</track>
                <logo>/media/security-bsides-las-vegas-2025/submissions/YGNSNC/Thumb_jXy9FQL.png</logo>
                <persons>
                    <person id='70666'>Tricta</person>
                </persons>
                <language>en</language>
                <description>This project, called Yaga, was developed with the goal of learning how Zygote injection attacks and frameworks like Riru and Zygisk work, and how they can be applied in an offensive context. Over the past two years, I&#8217;ve become fascinated by understanding how the Android system works and how its behavior differs from other operating systems.

The Zygote process is the first one launched on Android, acting as a template or interface for spawning other processes. Due to its elevated privileges, it can interact with any application, unlike the highly restricted communication between apps enforced by Android&#8217;s SELinux policies. This makes Zygote an interesting target for bypassing Android&#8217;s sandboxing mechanisms.

Today, many people use root binaries like Magisk to customize their devices without understanding what the modules do. Some modules might even use Zygisk to steal sensitive user information or hook critical application functions to subvert them!

In this talk, I will explain and demonstrate how these injections are carried out during the loader process, Zygote hooking, and hooking of both native and Dalvik (DEX) application code.

In a few years or months, I hope to use this project as a tool or a way to educate others on how to conduct these attacks and emphasize the importance of studying this technique deeply.

Reference Projects:
Riru - https://github.com/RikkaApps/Riru
Zygisk - https://github.com/topjohnwu/Magisk
ARTDroid - https://github.com/vaioco/ARTDroid

The Yaga project will be released at the beginning of June! I will put a PoC here to give an idea of what is coming; in the video I show the installation of the Magisk module and a log message showing the injection was performed successfully, coming from the Zygote process and making it print process names:
https://drive.google.com/file/d/1U3WYDDI5KS2B-uGUdYTdpgKkHIhKJnkK/view?usp=sharing

The project will be released on my GitHub:
https://github.com/Tricta</description>
                <recording>
                    <license></license>
                    <optout>false</optout>
                </recording>
                <links></links>
                <attachments></attachments>

                <url>https://pretalx.com/security-bsides-las-vegas-2025/talk/YGNSNC/</url>
                <feedback_url>https://pretalx.com/security-bsides-las-vegas-2025/talk/YGNSNC/feedback/</feedback_url>
            </event>
            <event guid='c29855a3-85d8-58b6-a7b0-c078c8039940' id='70763' code='ZSU7J8'>
                <room>Florentine A</room>
                <title>The Two Types of Fool - Generations in Cybersecurity</title>
                <subtitle></subtitle>
                <type>Talk-45m</type>
                <date>2025-08-06T12:00:00-07:00</date>
                <start>12:00</start>
                <duration>00:45</duration>
                <abstract>In cybersecurity, wisdom doesn&apos;t always come from experience alone&#8212;it often starts with recognizing what we don&apos;t know. This talk examines the contradictions and challenges we all encounter in security work, highlighting the growing need for effective knowledge sharing between different technology and actual generations of practitioners.

As a 25-year veteran of cybersecurity and someone who has been facilitating collaboration at the coalface full-time for the last 13 years, Casey will go through the thesis, some observations of why this is increasingly critical, some stories of where it has worked and failed, and provide some practical ideas for how understanding the two types of fool can make you a wiser, smarter, and more effective defender.</abstract>
                <slug>security-bsides-las-vegas-2025-70763-the-two-types-of-fool-generations-in-cybersecurity</slug>
                <track>Keynotes</track>
                
                <persons>
                    <person id='79398'>Casey John Ellis</person>
                </persons>
                <language>en</language>
                <description>Keynote, Wednesday</description>
                <recording>
                    <license></license>
                    <optout>false</optout>
                </recording>
                <links></links>
                <attachments></attachments>

                <url>https://pretalx.com/security-bsides-las-vegas-2025/talk/ZSU7J8/</url>
                <feedback_url>https://pretalx.com/security-bsides-las-vegas-2025/talk/ZSU7J8/feedback/</feedback_url>
            </event>
            <event guid='e6141e0a-bae3-50bc-a6c7-3ff14b5b8cae' id='70764' code='HWGE3E'>
                <room>Florentine A</room>
                <title>Closing Ceremony</title>
                <subtitle></subtitle>
                <type>Event1HR</type>
                <date>2025-08-06T13:00:00-07:00</date>
                <start>13:00</start>
                <duration>01:00</duration>
                <abstract>Closing Ceremony</abstract>
                <slug>security-bsides-las-vegas-2025-70764-closing-ceremony</slug>
                <track>Keynotes</track>
                
                <persons>
                    <person id='65071'>milqtst</person>
                </persons>
                <language>en</language>
                <description>Closing Ceremony</description>
                <recording>
                    <license></license>
                    <optout>false</optout>
                </recording>
                <links></links>
                <attachments></attachments>

                <url>https://pretalx.com/security-bsides-las-vegas-2025/talk/HWGE3E/</url>
                <feedback_url>https://pretalx.com/security-bsides-las-vegas-2025/talk/HWGE3E/feedback/</feedback_url>
            </event>
            
        </room>
        <room name='Florentine B' guid='f4e24dcc-c641-525d-94af-c24ffea19bf6'>
            <event guid='a4affc1a-49d1-536b-9a09-964fdb79b291' id='73247' code='7YTJNV'>
                <room>Florentine B</room>
                <title>Hire Ground Resume Reviews, Wednesday Morning</title>
                <subtitle></subtitle>
                <type>Event2HR</type>
                <date>2025-08-06T10:00:00-07:00</date>
                <start>10:00</start>
                <duration>01:55</duration>
                <abstract>Free resume reviews in Hire Ground.</abstract>
                <slug>security-bsides-las-vegas-2025-73247-hire-ground-resume-reviews-wednesday-morning</slug>
                <track>Hire Ground</track>
                
                <persons>
                    
                </persons>
                <language>en</language>
                <description>Free resume reviews in Hire Ground.</description>
                <recording>
                    <license></license>
                    <optout>false</optout>
                </recording>
                <links></links>
                <attachments></attachments>

                <url>https://pretalx.com/security-bsides-las-vegas-2025/talk/7YTJNV/</url>
                <feedback_url>https://pretalx.com/security-bsides-las-vegas-2025/talk/7YTJNV/feedback/</feedback_url>
            </event>
            
        </room>
        <room name='Florentine C+D' guid='5ea518ba-0e31-520d-a27c-d324426284e8'>
            <event guid='902cdad0-ad9a-5274-b268-5592c44854ab' id='78179' code='RUSV93'>
                <room>Florentine C+D</room>
                <title>Silent Auction Opens, Wednesday</title>
                <subtitle></subtitle>
                <type>Event1HR</type>
                <date>2025-08-06T08:30:00-07:00</date>
                <start>08:30</start>
                <duration>00:00</duration>
                <abstract>Silent Auction Opens</abstract>
                <slug>security-bsides-las-vegas-2025-78179-silent-auction-opens-wednesday</slug>
                <track>Middle Ground</track>
                
                <persons>
                    
                </persons>
                <language>en</language>
                <description>Silent Auction Opens</description>
                <recording>
                    <license></license>
                    <optout>false</optout>
                </recording>
                <links></links>
                <attachments></attachments>

                <url>https://pretalx.com/security-bsides-las-vegas-2025/talk/RUSV93/</url>
                <feedback_url>https://pretalx.com/security-bsides-las-vegas-2025/talk/RUSV93/feedback/</feedback_url>
            </event>
            <event guid='75e39fef-1164-5c78-bd33-c34aa71a9462' id='70760' code='B7AYTL'>
                <room>Florentine C+D</room>
                <title>Middle Ground Opens, Wednesday</title>
                <subtitle></subtitle>
                <type>Event1HR</type>
                <date>2025-08-06T08:30:00-07:00</date>
                <start>08:30</start>
                <duration>00:00</duration>
                <abstract>Middle Ground Opens, Wednesday</abstract>
                <slug>security-bsides-las-vegas-2025-70760-middle-ground-opens-wednesday</slug>
                <track>Middle Ground</track>
                
                <persons>
                    
                </persons>
                <language>en</language>
                <description>Middle Ground Opens, Wednesday</description>
                <recording>
                    <license></license>
                    <optout>false</optout>
                </recording>
                <links></links>
                <attachments></attachments>

                <url>https://pretalx.com/security-bsides-las-vegas-2025/talk/B7AYTL/</url>
                <feedback_url>https://pretalx.com/security-bsides-las-vegas-2025/talk/B7AYTL/feedback/</feedback_url>
            </event>
            <event guid='0eb59a5b-0af6-5465-b4bc-a5bbf0bd7767' id='70762' code='LLYXAP'>
                <room>Florentine C+D</room>
                <title>Morning Talks, Wednesday</title>
                <subtitle></subtitle>
                <type>Talk-45m</type>
                <date>2025-08-06T10:00:00-07:00</date>
                <start>10:00</start>
                <duration>02:00</duration>
                <abstract>Morning Talks, Wednesday</abstract>
                <slug>security-bsides-las-vegas-2025-70762-morning-talks-wednesday</slug>
                <track>Middle Ground</track>
                
                <persons>
                    
                </persons>
                <language>en</language>
                <description>Morning Talks, Wednesday</description>
                <recording>
                    <license></license>
                    <optout>false</optout>
                </recording>
                <links></links>
                <attachments></attachments>

                <url>https://pretalx.com/security-bsides-las-vegas-2025/talk/LLYXAP/</url>
                <feedback_url>https://pretalx.com/security-bsides-las-vegas-2025/talk/LLYXAP/feedback/</feedback_url>
            </event>
            <event guid='24c1a25a-0aef-5ad9-b01e-d0d56369433a' id='70683' code='XYBGFV'>
                <room>Florentine C+D</room>
                <title>Silent Auction Closes, Wednesday</title>
                <subtitle></subtitle>
                <type>Event1HR</type>
                <date>2025-08-06T11:00:00-07:00</date>
                <start>11:00</start>
                <duration>00:00</duration>
                <abstract>Silent Auction Closes</abstract>
                <slug>security-bsides-las-vegas-2025-70683-silent-auction-closes-wednesday</slug>
                <track>Middle Ground</track>
                
                <persons>
                    
                </persons>
                <language>en</language>
                <description>Silent Auction Closes</description>
                <recording>
                    <license></license>
                    <optout>false</optout>
                </recording>
                <links></links>
                <attachments></attachments>

                <url>https://pretalx.com/security-bsides-las-vegas-2025/talk/XYBGFV/</url>
                <feedback_url>https://pretalx.com/security-bsides-las-vegas-2025/talk/XYBGFV/feedback/</feedback_url>
            </event>
            <event guid='7d730595-ac6d-5517-bfa1-d34745000245' id='70761' code='NWHBU3'>
                <room>Florentine C+D</room>
                <title>Middle Ground Closes, Wednesday</title>
                <subtitle></subtitle>
                <type>Event1HR</type>
                <date>2025-08-06T14:00:00-07:00</date>
                <start>14:00</start>
                <duration>00:00</duration>
                <abstract>Middle Ground Closes, Wednesday</abstract>
                <slug>security-bsides-las-vegas-2025-70761-middle-ground-closes-wednesday</slug>
                <track>Middle Ground</track>
                
                <persons>
                    
                </persons>
                <language>en</language>
                <description>Middle Ground Closes, Wednesday</description>
                <recording>
                    <license></license>
                    <optout>false</optout>
                </recording>
                <links></links>
                <attachments></attachments>

                <url>https://pretalx.com/security-bsides-las-vegas-2025/talk/NWHBU3/</url>
                <feedback_url>https://pretalx.com/security-bsides-las-vegas-2025/talk/NWHBU3/feedback/</feedback_url>
            </event>
            
        </room>
        <room name='Florentine E' guid='309efd48-00f5-5128-af16-4fed685d0d8d'>
            <event guid='aee3afb3-e294-59d3-8da8-eae17ed7e701' id='70002' code='S3QCRP'>
                <room>Florentine E</room>
                <title>Hardening Containers with Seccomp: Hands-On Profiles, Pitfalls, and Real Exploits</title>
                <subtitle></subtitle>
                <type>Talk-45m</type>
                <date>2025-08-06T10:00:00-07:00</date>
                <start>10:00</start>
                <duration>00:45</duration>
                <abstract>Syscall filtering with seccomp is one of the most effective defenses for containerized workloads, but despite its power, it&apos;s underused, misunderstood, or plain painful to deploy at scale.
This talk goes beyond theory: we&apos;ll get hands-on with practical seccomp profile generation, live demos of defending real vulnerable apps, and show how syscall filtering can contain actual exploits &#8212; using an Apache Druid vulnerability as a live case study.
You&apos;ll leave knowing not just why seccomp matters but also how to build, tune, and deploy real-world profiles with open-source tools like Kubescape and how to avoid the common traps that derail seccomp adoption in production.</abstract>
                <slug>security-bsides-las-vegas-2025-70002-hardening-containers-with-seccomp-hands-on-profiles-pitfalls-and-real-exploits</slug>
                <track>Ground Floor</track>
                
                <persons>
                    <person id='70400'>Ben Hirschberg</person>
                </persons>
                <language>en</language>
                <description>Containers have transformed how we build and deploy applications, but the attack surface at runtime remains dangerously exposed in many environments. Seccomp, Linux&#8217;s built-in syscall filtering mechanism, offers a powerful way to reduce that surface, but it&#8217;s often seen as too painful or risky to apply in production. This talk takes a practical, hands-on approach to solving that.
We&apos;ll start by grounding the audience in what seccomp is, why it&apos;s critical for modern container security, and where profiles and the ecosystem fall short. From there, we&apos;ll dive into live demonstrations: showing how to monitor actual container behavior, generate tailored seccomp profiles using open-source tools like Kubescape, and deploy these profiles effectively within Kubernetes environments.
We&apos;ll walk through a real-world vulnerable application (Apache Druid) and demonstrate a remote code execution exploit inside a container. Then, using a generated seccomp profile, we&apos;ll block the attacker&#8217;s execution path live, without changing the application code.
Along the way, we&#8217;ll tackle real operational pitfalls: handling noisy apps, evolving profiles with your software lifecycle, and keeping the dev team moving without constant breakages.
Attendees will leave with precise, repeatable techniques for using syscall filtering to harden their workloads against real-world attacks and a realistic sense of the strengths and limitations of seccomp as a defense-in-depth strategy.</description>
                <recording>
                    <license></license>
                    <optout>false</optout>
                </recording>
                <links></links>
                <attachments></attachments>

                <url>https://pretalx.com/security-bsides-las-vegas-2025/talk/S3QCRP/</url>
                <feedback_url>https://pretalx.com/security-bsides-las-vegas-2025/talk/S3QCRP/feedback/</feedback_url>
            </event>
            <event guid='75dbcc02-5118-5ad2-8feb-138ef41dd402' id='67805' code='78QXVQ'>
                <room>Florentine E</room>
                <title>Russian Nesting Dolls: when Turla got into the ISI who was into an Indian Embassy, and how we found them</title>
                <subtitle></subtitle>
                <type>Talk-45m</type>
                <date>2025-08-06T11:00:00-07:00</date>
                <start>11:00</start>
                <duration>00:45</duration>
                <abstract>The Black Lotus Labs team at Lumen Technologies documented a 3-year campaign by one of the more elusive threat actors in the world, Secret Blizzard (aka Turla). Here they discovered and broke into Pakistani ISI C2s that were part of an espionage campaign against Indian, Syrian and Afghan governments. Turla is infamous for repurposing the infrastructure of other threat actors, while exfiltrating data and deploying their own tool sets. This was the 4th documented case of Turla hacking another actor&apos;s C2 nodes, but it is the first case of their moving past the C2 servers and into operators&apos; workstations.
We&apos;ll talk about the Sidecopy threat actor, their tradecraft, and how they appeared on our radar. We&apos;ll show one of the rare cases where we observed Sidecopy deploy Hak5 equipment in real world operations and how we tied this back to known infrastructure. 
A rogue C2 node allowed us to map out Turla&apos;s efforts. We&apos;ll talk about networks where Turla had access to C2s, but chose not to deploy their agents. Lastly we&apos;ll talk about how their activities have shifted due to public disclosure and where they have been operating for the last several months.</abstract>
                <slug>security-bsides-las-vegas-2025-67805-russian-nesting-dolls-when-turla-got-into-the-isi-who-was-into-an-indian-embassy-and-how-we-found-them</slug>
                <track>Ground Floor</track>
                <logo>/media/security-bsides-las-vegas-2025/submissions/78QXVQ/Scree_0a4IBqA.png</logo>
                <persons>
                    <person id='68456'>Danny Adamitis</person>
                </persons>
                <language>en</language>
                <description>This talk came from research that took place over the course of a year, but the overall scope of activity had been going on for roughly 3 years. We originally got on the trail of a ReverseRAT sample and developed analytics that allowed us to enumerate the C2s being used by Sidecopy. Soon we found some interesting aspects that led us down the rabbit hole. The first of which was the Hak5 device that communicated with those Pakistani C2s from inside an Indian Embassy in Europe. This was our first sign of something very interesting, as we don&apos;t see that every day. We&apos;ll talk about how that was identified and of course we can speculate on how a physical device got in there, but as interesting as it is, that&apos;s a story we can only guess at. In this case, they were clearly going after some of their more strategic objectives, breaking into the Indian government and those of their neighbors in Afghanistan, while keeping tabs on the government in Syria during the conflict there. 
Where things got even more interesting is how pivoting off those original ISI C2s led us to Turla.
Given the international climate over the last few years, Turla was of special interest to us. Turla is infamous for using old-school spycraft to camouflage their activities by working through others&apos; infrastructure and appearing to be anything other than what they are. While we can expect them to stay true to their core techniques in the future, our reporting has changed some of their activities and we&apos;ll include that in the talk. 
The talk will chart the connections of the ISI into their targets, as well as those of Turla into the ISI and downstream in each direction. We&apos;ll be using slides to show the scope of activity, and to describe the tradecraft and tools used by both parties. We&apos;ll also go over some of the indicators that defenders can use to help identify tendencies that reveal these threat actors. 
And of course, we&apos;ll have some memes along the way. Probably some dogs in there for good measure.</description>
                <recording>
                    <license></license>
                    <optout>false</optout>
                </recording>
                <links></links>
                <attachments></attachments>

                <url>https://pretalx.com/security-bsides-las-vegas-2025/talk/78QXVQ/</url>
                <feedback_url>https://pretalx.com/security-bsides-las-vegas-2025/talk/78QXVQ/feedback/</feedback_url>
            </event>
            
        </room>
        <room name='Florentine F' guid='905b0795-fddf-586b-bf97-6e58739e4329'>
            <event guid='5a529c2c-d885-59c2-b4ec-65098962ac5d' id='68705' code='ZNXL8D'>
                <room>Florentine F</room>
                <title>UNION SELECT * FROM hackers: Why We Should Be Building InfoSec Worker Power Through the Labor Movement</title>
                <subtitle></subtitle>
                <type>Talk-45m</type>
                <date>2025-08-06T10:00:00-07:00</date>
                <start>10:00</start>
                <duration>00:45</duration>
                <abstract>As a community, we can no longer count on power, be it the government or our employers, to engage with us out of goodwill. As workers, we cannot assume that &quot;the cybersecurity workforce shortage&quot; will protect us either. While our jobs, working conditions, and friends are threatened, the institutions we would turn to have also been eroded. However, this community knows how to build things for each other, and it&apos;s past time we turn that solidarity into broader power by channeling it through one of the few robust institutions left: unions and the labor movement.
 
This talk will use my experience as a member of the InfoSec community and as my department&apos;s union rep to make an argument for all of us, at least those of us who currently sell or want to sell our skills for a paycheck, to focus on building power as workers. It will build on existing arguments for tech worker unions by adding context specific to the InfoSec community, my practical experience in a union and the labor movement, and the current moment. All views are my own and not necessarily my employer&apos;s or any labor organization&#8217;s.</abstract>
                <slug>security-bsides-las-vegas-2025-68705-union-select-from-hackers-why-we-should-be-building-infosec-worker-power-through-the-labor-movement</slug>
                <track>Common Ground</track>
                
                <persons>
                    <person id='68870'>Logan Arkema</person>
                </persons>
                <language>en</language>
                <description>In recent years, there has been high-level talk within the InfoSec community about the role for organized labor in the community but with no active stakeholders &quot;from labor&quot; or practical InfoSec worker organizing experience present (see Cory Doctorow&apos;s DEF CON 32 talk, the White House&apos;s Cybersecurity Workforce Strategy, etc.). Similarly, in the tech worker space, I&apos;ve noticed very little attention given explicitly to InfoSec workers and the unique considerations that apply to our community and industry.

I am mildly frustrated by this discrepancy, particularly since I&apos;ve been involved with the labor movement long before I ever wrote my first &quot;Hello World&quot; program. It&#8217;s also a discrepancy ripe with opportunity, as many of the skills and values that define the InfoSec community are directly applicable to labor organizing. This talk is my attempt to start remediating the situation by making the pitch for unions and broader labor movement organizing to the InfoSec community as a member of both this community and the labor movement.

Initially, I waited to pitch this talk to Hacker Summer Camp until I could find a coalition of other unionized InfoSec professionals, or until I had buy-in from other parts of the labor movement that may be able to process any increased interest generated by this talk. However, the recent deterioration of the community&apos;s soft power policy influence and heightened attacks on the labor movement convinced me of the urgency of giving this talk this year.

This talk builds on arguments on the need for and utility of tech sector unions made by Cory Doctorow, Ethan Marcotte, the Tech Workers Coalition, various tech unions, grassroots organizers, and others. I tailor those general arguments towards the InfoSec community and industry to stress the relevance of organized labor as one of the best tools this community has to build power and influence people as we lose the voluntary deference, particularly as individuals, we received from our bosses and the government in the past.

This talk goes beyond a few words on how &quot;you should unionize your workplace!&quot; and provides an in-depth discussion on why building collective power as workers is more important now than ever, shows how it has worked in ways other forms of organizing cannot, and provides practical insight from the perspective of someone who actively represents developers, incident responders, analysts, auditors, cloud engineers, etc. when I&apos;m not in a terminal or VSCode.</description>
                <recording>
                    <license></license>
                    <optout>false</optout>
                </recording>
                <links></links>
                <attachments></attachments>

                <url>https://pretalx.com/security-bsides-las-vegas-2025/talk/ZNXL8D/</url>
                <feedback_url>https://pretalx.com/security-bsides-las-vegas-2025/talk/ZNXL8D/feedback/</feedback_url>
            </event>
            <event guid='3a2f4045-facb-59f2-aa74-40cb81aaed0a' id='68804' code='9WYQKB'>
                <room>Florentine F</room>
                <title>Breaking the Illusion: Bypassing Endpoint Security Controls with Simple Tactics</title>
                <subtitle></subtitle>
                <type>Talk-45m</type>
                <date>2025-08-06T11:00:00-07:00</date>
                <start>11:00</start>
                <duration>00:45</duration>
                <abstract>This talk unveils previously undisclosed vulnerabilities in Microsoft Defender and Zscaler, currently under review by Microsoft and US-CERT. It explores how adversaries can bypass EDR protections without malware or exploits&#8212;leveraging native OS tools, misconfigurations, and weak self-protection mechanisms. Through real-world examples and live demos, the session will challenge assumptions about EDR resilience and reveal how simple, repeatable techniques can disable or remove endpoint security controls.</abstract>
                <slug>security-bsides-las-vegas-2025-68804-breaking-the-illusion-bypassing-endpoint-security-controls-with-simple-tactics</slug>
                <track>Common Ground</track>
                
                <persons>
                    <person id='69340'>Blake Hudson</person><person id='69412'>Caleb Sargent</person>
                </persons>
                <language>en</language>
                <description>At BSidesLV, we will unveil previously undisclosed vulnerabilities affecting Microsoft Defender and Zscaler&#8212;flaws currently being triaged by Microsoft and coordinated with US-CERT. These vulnerabilities expose critical weaknesses in how endpoint and network security solutions enforce protection and prevent tampering.

But beyond new vulnerabilities, this talk will demonstrate how EDR solutions can be bypassed using built-in OS functionality, overlooked misconfigurations, and flawed integrity protections&#8212;no exploits, no malware, just simple, repeatable techniques that adversaries are already using.

Organizations often assume that EDR is resilient&#8212;that once deployed, it provides a reliable defense against attackers. But what happens when an adversary removes, disables, or renders it ineffective using nothing more than tools already available on the system?

We will walk through real-world examples of how:

- Scripts found in the wild silently bypass endpoint security uninstallation logic.
- EDR solutions fail to enforce self-protection, allowing simple tampering techniques.
- Native Windows tools like wmic, sc, and PowerShell can be abused to disable or remove security software.
- Newly discovered vulnerabilities in Defender and Zscaler can be exploited to weaken security controls.

This talk will include exclusive first-time disclosures of new security weaknesses alongside live demonstrations of real-world security bypasses that work today.</description>
                <recording>
                    <license></license>
                    <optout>false</optout>
                </recording>
                <links></links>
                <attachments></attachments>

                <url>https://pretalx.com/security-bsides-las-vegas-2025/talk/9WYQKB/</url>
                <feedback_url>https://pretalx.com/security-bsides-las-vegas-2025/talk/9WYQKB/feedback/</feedback_url>
            </event>
            
        </room>
        <room name='Tuscany' guid='01e2c16b-4148-5a9e-8f94-475ed218f5d1'>
            <event guid='93111a9e-2dd5-541c-9ccf-00f42c504a3c' id='70289' code='ZUWAF8'>
                <room>Tuscany</room>
                <title>Password ~Audit~ Cracking in AD: The Fun Part of Compliance</title>
                <subtitle></subtitle>
                <type>Talk-45m</type>
                <date>2025-08-06T10:00:00-07:00</date>
                <start>10:00</start>
                <duration>00:45</duration>
                <abstract>This is the story of three organizations: EvilCats (a criminal group), YOLO Corp (a new company that doesn&apos;t have any security staff) and CoolSec (a company that goes above security compliance). We will see how two corporations fare against EvilCats during various attack scenarios that all involve passwords.</abstract>
                <slug>security-bsides-las-vegas-2025-70289-password-audit-cracking-in-ad-the-fun-part-of-compliance</slug>
                <track>PasswordsCon</track>
                <logo>/media/security-bsides-las-vegas-2025/submissions/ZUWAF8/PassC_cr7je1x.jpg</logo>
                <persons>
                    <person id='70653'>Mat Saulnier</person>
                </persons>
                <language>en</language>
                <description>To begin, we will present the latest NIST recommendation for passwords and the risks and benefits of implementing them. We will also present our 3 corporations (with AI generated icon style images) (~5 mins)

We will then jump in the heart of the subject. 

**Attack 1**: Password Spray 
We will present stats about breaches that start with Brute Force/PassSpray attacks
We&apos;ll see how YOLO Corp falls from an exposed RDP service to a ransomware scenario vs. CoolSec, who was able to both detect the attack and resist the PassSpray attacks because they audit their passwords and eliminate the common ones (~ 5 mins)

**Attack 2**: EvilCats gets a copy of NTDS.dit from an unprotected backup from YOLO Corp &amp; CoolSec
They attempt cracking the passwords. Typically that&apos;ll get over 50% of the passwords within a few days and some will fall in seconds (anything that is 7 characters long)
We will then see that dumping NTDS.dit from your DC to perform Password Audit isn&apos;t the most elegant way to go about it. Fortunately Michael Grafnetter&apos;s DSInternals has got us covered. This Open Source PowerShell project will pull the information for the DC (just like the DCSync attack) and will perform some basic analysis of the hashes found. We will go over the main modules of this project and how to configure a user that can fetch the hashes. 
And finally how to detect this type of activity if another user (or if that account ever gets compromised!!) ever performs a similar action (~15 mins)

From there it&apos;s also easy (built-in command) to convert the user &amp; hash to a format John the Ripper or Hashcat can ingest for additional cracking. We will go over some effective password cracking rules and methodology for Hashcat and reference Travis Palmer&apos;s Defcon 28 Red Team Village talk &quot;Passwd Cracking Beyond 15 Chars, Under $500&quot; 
Using either Password Filter or Azure AD &quot;ban list&quot; we can prevent users from choosing derivatives of these weak passwords in the future (~10 mins)

In conclusion we&apos;ll cover how once you have DSInternals &amp; Hashcat in place, it&apos;s easy to create a wrapper script to automate the whole process:
- Extract the hashes
- Run a few checks on hashes (without cracking)
  - Any previously cracked hash present
  - Any hash associated with multiple accounts
  - Etc. 
- Launch a Password cracker against the account
- Force change password on accounts with &quot;known passwords&quot; 
- Send a communication to the account&apos;s owner. 
(~5 mins)

After attending this talk the attendees should leave the room with knowledge about the latest NIST recommendation for passwords and a plan to enforce them while making sure their users are not using weak passwords and putting the whole enterprise at risk.</description>
                <recording>
                    <license></license>
                    <optout>false</optout>
                </recording>
                <links></links>
                <attachments></attachments>

                <url>https://pretalx.com/security-bsides-las-vegas-2025/talk/ZUWAF8/</url>
                <feedback_url>https://pretalx.com/security-bsides-las-vegas-2025/talk/ZUWAF8/feedback/</feedback_url>
            </event>
            <event guid='107c84b9-7cbb-5542-8cb5-bc639056f209' id='71900' code='BWUGRH'>
                <room>Tuscany</room>
                <title>Password Expiry is Dead: Real-World Metrics on What Rotation Actually Achieves</title>
                <subtitle></subtitle>
                <type>Talk-20m</type>
                <date>2025-08-06T11:00:00-07:00</date>
                <start>11:00</start>
                <duration>00:20</duration>
                <abstract>For decades, organizations have enforced password rotation policies under the assumption that regular resets increase security. But do they really?

In this talk, we challenge the value of traditional password expiry policies using real-world data, cracked password timelines, and behavior analysis. By analyzing enterprise credential datasets before and after forced rotations, we reveal that most users simply mutate old passwords &#8212; creating predictable, pattern-based credentials that are easier to crack, not harder.

We&#8217;ll discuss how password expiration policies:

- Decrease entropy over time
- Encourage poor user behaviors
- Fail to meaningfully reduce compromise risk

Instead, we&apos;ll introduce alternatives such as time-to-crack scoring, event-driven rotations, and credential risk thresholds that align better with actual attacker models. If your org is still enforcing 90-day resets, this session will give you the ammunition &#8212; and the data &#8212; to rethink that approach entirely.</abstract>
                <slug>security-bsides-las-vegas-2025-71900-password-expiry-is-dead-real-world-metrics-on-what-rotation-actually-achieves</slug>
                <track>PasswordsCon</track>
                
                <persons>
                    <person id='71074'>Dimitri Fousekis</person>
                </persons>
                <language>en</language>
                <description>Our talk debunks the myth that routine password expiration improves security. Many audit outcomes and recommendations push for password expiration as a way to prevent attacks. Using historical and real cracked password data, we show how forced rotations lead to predictable patterns and weaker passwords &#8212; not stronger ones. We also propose smarter, risk-based alternatives to legacy policies.</description>
                <recording>
                    <license></license>
                    <optout>false</optout>
                </recording>
                <links></links>
                <attachments></attachments>

                <url>https://pretalx.com/security-bsides-las-vegas-2025/talk/BWUGRH/</url>
                <feedback_url>https://pretalx.com/security-bsides-las-vegas-2025/talk/BWUGRH/feedback/</feedback_url>
            </event>
            
        </room>
        <room name='Siena' guid='a031f724-3250-5948-9a09-d14574416a31'>
            <event guid='a76b5296-b202-55d3-b7a9-5c2b510af047' id='69536' code='RGNJER'>
                <room>Siena</room>
                <title>Root Cause and Attack Flows: Interpretable ML for Alert &amp; Log Correlation</title>
                <subtitle></subtitle>
                <type>Talk-45m</type>
                <date>2025-08-06T10:00:00-07:00</date>
                <start>10:00</start>
                <duration>00:45</duration>
                <abstract>In cybersecurity, analysts routinely drown in noisy, fragmented alerts&#8212;making it difficult to uncover coordinated, multi-stage attacks. This talk introduces an innovative approach to contextualizing alerts and extracting hidden attack chains using fully explainable, open-source machine learning&#8212;no black boxes or complex large-language models involved. Attendees will explore how clustering algorithms, temporal knowledge graphs, and Markovian sequencing methods can systematically map security alerts, logs, and telemetry to MITRE ATT&amp;CK Techniques, clearly revealing attacker tactics and objectives. The session will include practical demonstrations using the speaker&#8217;s open-source tool, Attack Flow Detector, available on GitHub. Participants do not need deep data science expertise; basic familiarity with MITRE ATT&amp;CK and standard SOC processes will help maximize learning outcomes. After attending, participants will understand how to implement transparent ML-based correlation workflows, reduce false positives, accelerate response times, and detect stealthy, multi-step attack flows.</abstract>
                <slug>security-bsides-las-vegas-2025-69536-root-cause-and-attack-flows-interpretable-ml-for-alert-log-correlation</slug>
                <track>Ground Truth</track>
                
                <persons>
                    <person id='70066'>Ezz Tahoun</person>
                </persons>
                <language>en</language>
                <description>This talk introduces an open-source approach to alert correlation and attack flow reconstruction using interpretable machine learning&#8212;not LLMs or black-box AI. Designed for SOC analysts and defenders, the presentation walks through how to map logs and alerts to MITRE ATT&amp;CK techniques, cluster them into meaningful stages, and chain those stages into full attack narratives. The goal is to expose coordinated attacks that hide within fragmented telemetry, false positives, and lone incidents.

Attendees will learn how to apply context-driven techniques&#8212;like density-based clustering, temporal graph modeling, and simple NLP classifiers&#8212;to turn noisy data into actionable insight. We&#8217;ll demonstrate how the Attack Flow Detector tool performs this work in real-world-style environments, outputting root cause analysis and ticket-ready reports. The talk emphasizes transparency, explainability, and practicality&#8212;giving hackers and blue teamers a framework to trace attacker movement through data they already have, without needing search-heavy SIEMs or opaque AI platforms.</description>
                <recording>
                    <license></license>
                    <optout>false</optout>
                </recording>
                <links></links>
                <attachments></attachments>

                <url>https://pretalx.com/security-bsides-las-vegas-2025/talk/RGNJER/</url>
                <feedback_url>https://pretalx.com/security-bsides-las-vegas-2025/talk/RGNJER/feedback/</feedback_url>
            </event>
            <event guid='1f48755c-3daf-5d92-ad90-5781f2382ef8' id='70180' code='9CCKBA'>
                <room>Siena</room>
                <title>A Winning Competition</title>
                <subtitle></subtitle>
                <type>Talk-20m</type>
                <date>2025-08-06T11:00:00-07:00</date>
                <start>11:00</start>
                <duration>00:20</duration>
                <abstract>This talk explores the design and creation of two cybersecurity competitions: WRCCDC (Western Regional Collegiate Cyber Defense Competition) and CIRCUS (Collegiate Incident Response Competition for Undergraduate Students). This brief talk will go over challenges and the best ways to gain interest and grow competitions. In addition, we will discuss how to build interest in different cybersecurity-based fields using competitions. Drawing on proven examples, we&#8217;ll offer actionable guidance for competition organizers, coaches, and academic programs aiming to bridge the cybersecurity skills gap.</abstract>
                <slug>security-bsides-las-vegas-2025-70180-a-winning-competition</slug>
                <track>Ground Truth</track>
                
                <persons>
                    <person id='70344'>Wasabi</person>
                </persons>
                <language>en</language>
                <description>As new security challenges arise, hands-on competitions are vital for training the next generation of defenders and responders. Collegiate cyber competitions like WRCCDC and CIRCUS serve dual roles: they test students&#8217; technical skills under pressure and expose them to real-world operational and legal contexts. WRCCDC places teams in the role of network administrators defending &#8220;commercial&#8221; infrastructure against persistent red-team attacks, while CIRCUS challenges participants to perform deep forensic analysis and defend findings before legal professionals. This talk will go over operational insights and technical challenges in running different structured competitions. You will gain insights into competition architecture, work involved in creating realistic scenarios, custom software development work, scoring mechanisms, red-team integration, and team development strategies that foster collaboration and technical proficiency. We&#8217;ll also delve into role assignment (e.g., network, system, application, forensics, reporting) and training regimens, culminating in a blueprint for both organizers and competitors.</description>
                <recording>
                    <license></license>
                    <optout>false</optout>
                </recording>
                <links></links>
                <attachments></attachments>

                <url>https://pretalx.com/security-bsides-las-vegas-2025/talk/9CCKBA/</url>
                <feedback_url>https://pretalx.com/security-bsides-las-vegas-2025/talk/9CCKBA/feedback/</feedback_url>
            </event>
            <event guid='5dd09c10-f747-59b2-a273-742d1a2764a0' id='67801' code='AWLR99'>
                <room>Siena</room>
                <title>Manufacturing Breakthroughs: How Conflict Leads to Innovation</title>
                <subtitle></subtitle>
                <type>Talk-20m</type>
                <date>2025-08-06T11:30:00-07:00</date>
                <start>11:30</start>
                <duration>00:20</duration>
                <abstract>What if cybersecurity&#8217;s biggest challenges&#8212;supply chain vulnerabilities, dark web economies, critical infrastructure risks&#8212;already have solutions? The problem isn&#8217;t finding new answers; it&#8217;s identifying existing ones systematically. This talk introduces TRIZ (Theory of Inventive Problem Solving), an engineering-based methodology that resolves contradictions and forecasts innovation patterns to tackle complex problems effectively. Think of the contradiction matrix as a &#8220;decision tree for conflicts,&#8221; helping you navigate dilemmas like &quot;secure but open&quot; or &quot;privacy vs functionality.&quot; Patterns of evolution act as &#8220;forecasting the weather in technology,&#8221; enabling professionals to anticipate emerging risks and opportunities.

Attendees will learn how TRIZ can be applied to secure software supply chains, analyze underground economies on the dark web, design resilient critical infrastructure during natural disasters, and protect sensitive data while balancing privacy concerns. Through vivid case studies&#8212;including anti-phishing strategies and internal data leakage prevention&#8212;participants will gain actionable insights into integrating TRIZ into their analytical processes. By adopting this mindset, cybersecurity professionals can anticipate emerging threats, minimize surprises, and lead teams toward innovative solutions.</abstract>
                <slug>security-bsides-las-vegas-2025-67801-manufacturing-breakthroughs-how-conflict-leads-to-innovation</slug>
                <track>Ground Truth</track>
                
                <persons>
                    <person id='68445'>Munish Walther-Puri</person>
                </persons>
                <language>en</language>
                <description>Cybersecurity is a field filled with contradictions: how do we balance security with openness, privacy with functionality, or resilience with complexity? TRIZ (Theory of Inventive Problem Solving) offers a roadmap for navigating these dilemmas systematically. Originally developed in engineering, TRIZ is a structured methodology that helps identify existing solutions to seemingly unsolvable problems by resolving contradictions and leveraging patterns of innovation.

Think of TRIZ as a GPS for problem-solving. The contradiction matrix acts as a &#8220;decision tree for conflicts,&#8221; guiding professionals to resolutions without compromise. Patterns of evolution serve as &#8220;forecasting the weather in technology,&#8221; enabling organizations to anticipate future risks and opportunities based on predictable progressions.

This talk focuses on applying TRIZ principles to three critical domains in cybersecurity: supply chain security, dark web economies, and critical infrastructure resilience. Using vivid case studies&#8212;such as anti-phishing strategies that leverage contradiction resolution techniques or data leakage prevention through segmentation&#8212;attendees will see how TRIZ can transform their approach to problem-solving.

By the end of this session, participants will understand how to integrate TRIZ into their analytical processes, empowering them to anticipate threats, minimize surprises, and design resilient systems that adapt dynamically to emerging challenges.</description>
                <recording>
                    <license></license>
                    <optout>false</optout>
                </recording>
                <links></links>
                <attachments></attachments>

                <url>https://pretalx.com/security-bsides-las-vegas-2025/talk/AWLR99/</url>
                <feedback_url>https://pretalx.com/security-bsides-las-vegas-2025/talk/AWLR99/feedback/</feedback_url>
            </event>
            
        </room>
        <room name='Copa' guid='b60ebef1-bdb0-52f5-ac4d-8e343e1d68f5'>
            <event guid='40003ec1-b939-5f68-9b01-c704207fb005' id='67799' code='GAYADE'>
                <room>Copa</room>
                <title>NA</title>
                <subtitle></subtitle>
                <type>Talk-20m</type>
                <date>2025-08-06T10:00:00-07:00</date>
                <start>10:00</start>
                <duration>00:30</duration>
                <abstract>NA</abstract>
                <slug>security-bsides-las-vegas-2025-67799-na</slug>
                <track>I Am The Cavalry</track>
                
                <persons>
                    <person id='68450'>NA</person>
                </persons>
                <language>en</language>
                <description>NA</description>
                <recording>
                    <license></license>
                    <optout>false</optout>
                </recording>
                <links></links>
                <attachments></attachments>

                <url>https://pretalx.com/security-bsides-las-vegas-2025/talk/GAYADE/</url>
                <feedback_url>https://pretalx.com/security-bsides-las-vegas-2025/talk/GAYADE/feedback/</feedback_url>
            </event>
            <event guid='988d6f4d-23c1-580f-9f71-5c6920124dce' id='72396' code='MQCNWH'>
                <room>Copa</room>
                <title>Neighborhood &amp; Household Resilience- A Month Without External Assistance.</title>
                <subtitle></subtitle>
                <type>Talk-20m</type>
                <date>2025-08-06T10:30:00-07:00</date>
                <start>10:30</start>
                <duration>00:30</duration>
                <abstract>In an era marked by increasing natural disasters, geopolitical instability, and infrastructure vulnerabilities, personal emergency preparedness has become a critical component of resilience. 

This panel will discuss approaches to maintaining a one-month supply of food, water, and medicine per household member to ensure self-sufficiency during extreme emergencies. Such events&#8212;ranging from hurricanes and earthquakes to cyberattacks and pandemics&#8212;can disrupt supply chains, utilities, and emergency services, leaving communities isolated and vulnerable. 

A well-stocked reserve of non-perishable food, potable water, and essential supplies not only enhances individual and family safety but also reduces the burden on emergency responders and public resources. This proactive approach fosters a culture of readiness, empowering citizens to withstand crises with greater confidence and stability.</abstract>
                <slug>security-bsides-las-vegas-2025-72396-neighborhood-household-resilience-a-month-without-external-assistance</slug>
                <track>I Am The Cavalry</track>
                
                <persons>
                    <person id='72417'>David Batz</person>
                </persons>
                <language>en</language>
                <description>This panel will discuss approaches to maintaining a one-month supply of food, water, and medicine per household member to ensure self-sufficiency during extreme emergencies. Such events&#8212;ranging from hurricanes and earthquakes to cyberattacks and pandemics&#8212;can disrupt supply chains, utilities, and emergency services, leaving communities isolated and vulnerable. David will be joined by some guests to talk about the art of the possible as it relates to maintaining resilience within the home and community.</description>
                <recording>
                    <license></license>
                    <optout>false</optout>
                </recording>
                <links></links>
                <attachments></attachments>

                <url>https://pretalx.com/security-bsides-las-vegas-2025/talk/MQCNWH/</url>
                <feedback_url>https://pretalx.com/security-bsides-las-vegas-2025/talk/MQCNWH/feedback/</feedback_url>
            </event>
            <event guid='96ab2089-ed78-5c09-b4a2-7de1c7a93e9e' id='72402' code='WFYFWE'>
                <room>Copa</room>
                <title>Time is Running Out - Tying it All Together - What Will You Do in the Near Term?</title>
                <subtitle></subtitle>
                <type>Event1HR</type>
                <date>2025-08-06T11:00:00-07:00</date>
                <start>11:00</start>
                <duration>01:00</duration>
                <abstract>This portion of the event is focused on no-kidding short-term measures to take to reduce risk. We have discussed water, urgent and emergency care, energy, public safety, household resilience and more. 

What actions can you take this month to protect your community, your family, yourself? What about next month? What about October? Ongoing, incremental steps can materially reduce risk.</abstract>
                <slug>security-bsides-las-vegas-2025-72402-time-is-running-out-tying-it-all-together-what-will-you-do-in-the-near-term</slug>
                <track>I Am The Cavalry</track>
                
                <persons>
                    <person id='72413'>Josh Corman</person>
                </persons>
                <language>en</language>
                <description>This portion of the event is focused on no-kidding short-term measures to take to reduce risk. We have discussed water, urgent and emergency care, energy, public safety, and household resilience. 

What actions can you take this month to protect your community, your family, yourself? What about next month? What about October? Ongoing, incremental steps can materially reduce risk.</description>
                <recording>
                    <license></license>
                    <optout>false</optout>
                </recording>
                <links></links>
                <attachments></attachments>

                <url>https://pretalx.com/security-bsides-las-vegas-2025/talk/WFYFWE/</url>
                <feedback_url>https://pretalx.com/security-bsides-las-vegas-2025/talk/WFYFWE/feedback/</feedback_url>
            </event>
            
        </room>
        <room name='Pool' guid='99a9c222-ed75-57c8-8543-b4b9b6389e21'>
            <event guid='426ce136-62fa-5d0f-b1d0-4df1eec3256f' id='70766' code='PFRLVK'>
                <room>Pool</room>
                <title>BSides Pool Party</title>
                <subtitle></subtitle>
                <type>Event6HR</type>
                <date>2025-08-06T21:00:00-07:00</date>
                <start>21:00</start>
                <duration>06:00</duration>
                <abstract>BSides Pool Party</abstract>
                <slug>security-bsides-las-vegas-2025-70766-bsides-pool-party</slug>
                <track>Events</track>
                
                <persons>
                    
                </persons>
                <language>en</language>
                <description>BSides Pool Party</description>
                <recording>
                    <license></license>
                    <optout>false</optout>
                </recording>
                <links></links>
                <attachments></attachments>

                <url>https://pretalx.com/security-bsides-las-vegas-2025/talk/PFRLVK/</url>
                <feedback_url>https://pretalx.com/security-bsides-las-vegas-2025/talk/PFRLVK/feedback/</feedback_url>
            </event>
            
        </room>
        <room name='G-103' guid='8b79c69d-5d50-5ccc-a858-772338559727'>
            <event guid='26099800-d266-5e85-b9c6-3cfa588a6cea' id='70765' code='D83EH8'>
                <room>G-103</room>
                <title>Recovery Hackers, Wednesday</title>
                <subtitle></subtitle>
                <type>Event2HR</type>
                <date>2025-08-06T19:30:00-07:00</date>
                <start>19:30</start>
                <duration>02:00</duration>
                <abstract>Not a formal 12-step meeting. Rather, a supportive gathering for folks taking Summer Camp one day at a time. Monday, Tuesday and Wednesday, 19:30-21:30 in G103. Look for the sign on a patio on the pool side of building G and enter through the patio door.</abstract>
                <slug>security-bsides-las-vegas-2025-70765-recovery-hackers-wednesday</slug>
                <track>Events</track>
                
                <persons>
                    
                </persons>
                <language>en</language>
                <description>Not a formal 12-step meeting. Rather, a supportive gathering for folks taking Summer Camp one day at a time. Monday, Tuesday and Wednesday, 19:30-21:30 in G103. Look for the sign on a patio on the pool side of building G and enter through the patio door.</description>
                <recording>
                    <license></license>
                    <optout>false</optout>
                </recording>
                <links></links>
                <attachments></attachments>

                <url>https://pretalx.com/security-bsides-las-vegas-2025/talk/D83EH8/</url>
                <feedback_url>https://pretalx.com/security-bsides-las-vegas-2025/talk/D83EH8/feedback/</feedback_url>
            </event>
            
        </room>
        <room name='Hallway' guid='b2dd07e8-ad13-5064-8c42-a5a5ad6ee9d5'>
            <event guid='dca720ad-f405-59a6-a6c3-8a23cdd28af2' id='70754' code='NZA8EH'>
                <room>Hallway</room>
                <title>Info Booth Opens, Wednesday</title>
                <subtitle></subtitle>
                <type>Event1HR</type>
                <date>2025-08-06T07:00:00-07:00</date>
                <start>07:00</start>
                <duration>00:00</duration>
                <abstract>Info Booth Opens, Wednesday</abstract>
                <slug>security-bsides-las-vegas-2025-70754-info-booth-opens-wednesday</slug>
                <track>Middle Ground</track>
                
                <persons>
                    
                </persons>
                <language>en</language>
                <description>Info Booth Opens, Wednesday</description>
                <recording>
                    <license></license>
                    <optout>false</optout>
                </recording>
                <links></links>
                <attachments></attachments>

                <url>https://pretalx.com/security-bsides-las-vegas-2025/talk/NZA8EH/</url>
                <feedback_url>https://pretalx.com/security-bsides-las-vegas-2025/talk/NZA8EH/feedback/</feedback_url>
            </event>
            <event guid='fc5d6e77-3060-58b3-9e7b-57dd3667ac1f' id='70757' code='UJBZWE'>
                <room>Hallway</room>
                <title>Registration Opens, Wednesday</title>
                <subtitle></subtitle>
                <type>Event1HR</type>
                <date>2025-08-06T08:00:00-07:00</date>
                <start>08:00</start>
                <duration>00:00</duration>
                <abstract>Registration Opens, Wednesday</abstract>
                <slug>security-bsides-las-vegas-2025-70757-registration-opens-wednesday</slug>
                <track>Middle Ground</track>
                
                <persons>
                    
                </persons>
                <language>en</language>
                <description>Registration Opens, Wednesday</description>
                <recording>
                    <license></license>
                    <optout>false</optout>
                </recording>
                <links></links>
                <attachments></attachments>

                <url>https://pretalx.com/security-bsides-las-vegas-2025/talk/UJBZWE/</url>
                <feedback_url>https://pretalx.com/security-bsides-las-vegas-2025/talk/UJBZWE/feedback/</feedback_url>
            </event>
            <event guid='7cd1fb4a-ab81-56fe-bd55-394dc6dfb87b' id='70775' code='CMTLQN'>
                <room>Hallway</room>
                <title>Skytalks Token Drop 5</title>
                <subtitle></subtitle>
                <type>Event1HR</type>
                <date>2025-08-06T09:00:00-07:00</date>
                <start>09:00</start>
                <duration>01:00</duration>
                <abstract>Skytalks Token Drop 5
Skytalks token distribution for Wednesday MORNING sessions (10:00-12:00)
Queue in Tuscany Hallway between Middle Ground and Speaker Room.
Tokens are limited in number, and distribution ends when they are gone.</abstract>
                <slug>security-bsides-las-vegas-2025-70775-skytalks-token-drop-5</slug>
                <track>Middle Ground</track>
                
                <persons>
                    
                </persons>
                <language>en</language>
                <description>Skytalks Token Drop 5
Skytalks token distribution for Wednesday MORNING sessions (10:00-12:00)
Queue in Tuscany Hallway between Middle Ground and Speaker Room.
Tokens are limited in number, and distribution ends when they are gone.</description>
                <recording>
                    <license></license>
                    <optout>false</optout>
                </recording>
                <links></links>
                <attachments></attachments>

                <url>https://pretalx.com/security-bsides-las-vegas-2025/talk/CMTLQN/</url>
                <feedback_url>https://pretalx.com/security-bsides-las-vegas-2025/talk/CMTLQN/feedback/</feedback_url>
            </event>
            <event guid='5477b1c5-3f30-5b90-985b-3fde3aab6010' id='70758' code='DLKXPU'>
                <room>Hallway</room>
                <title>Registration Closes, Wednesday</title>
                <subtitle></subtitle>
                <type>Event1HR</type>
                <date>2025-08-06T11:00:00-07:00</date>
                <start>11:00</start>
                <duration>00:00</duration>
                <abstract>Registration Closes, Wednesday</abstract>
                <slug>security-bsides-las-vegas-2025-70758-registration-closes-wednesday</slug>
                <track>Middle Ground</track>
                
                <persons>
                    
                </persons>
                <language>en</language>
                <description>Registration Closes, Wednesday</description>
                <recording>
                    <license></license>
                    <optout>false</optout>
                </recording>
                <links></links>
                <attachments></attachments>

                <url>https://pretalx.com/security-bsides-las-vegas-2025/talk/DLKXPU/</url>
                <feedback_url>https://pretalx.com/security-bsides-las-vegas-2025/talk/DLKXPU/feedback/</feedback_url>
            </event>
            <event guid='505d0d7b-4920-5b26-8fe1-7b6d2717b1a5' id='70755' code='BPC3MD'>
                <room>Hallway</room>
                <title>Info Booth Closes, Wednesday</title>
                <subtitle></subtitle>
                <type>Event1HR</type>
                <date>2025-08-06T16:00:00-07:00</date>
                <start>16:00</start>
                <duration>00:00</duration>
                <abstract>Info Booth Closes, Wednesday</abstract>
                <slug>security-bsides-las-vegas-2025-70755-info-booth-closes-wednesday</slug>
                <track>Middle Ground</track>
                
                <persons>
                    
                </persons>
                <language>en</language>
                <description>Info Booth Closes, Wednesday</description>
                <recording>
                    <license></license>
                    <optout>false</optout>
                </recording>
                <links></links>
                <attachments></attachments>

                <url>https://pretalx.com/security-bsides-las-vegas-2025/talk/BPC3MD/</url>
                <feedback_url>https://pretalx.com/security-bsides-las-vegas-2025/talk/BPC3MD/feedback/</feedback_url>
            </event>
            
        </room>
        <room name='Misora' guid='beaac478-2ebd-5233-9eab-3d34e8deee93'>
            <event guid='f73b6c30-ed55-58ed-9ce6-c114c60cf980' id='69116' code='MEGNEQ'>
                <room>Misora</room>
                <title>Advanced BioTerrorism Methods for the Discerning Practitioner (Token 13)</title>
                <subtitle></subtitle>
                <type>Event2HR</type>
                <date>2025-08-06T10:00:00-07:00</date>
                <start>10:00</start>
                <duration>01:45</duration>
                <abstract>Do you have an idea for how you might make the world better with a genetically modified organism, but you hit roadblocks in your project because of regulation, licenses, or biosafety certifications? Well, the Four Thieves Vinegar Collective feels your pain. We have had the same issues, and we would like to show you all the methods we&apos;ve used to circumvent those roadblocks so that you too can work to cure a disease, create a vaccine, or save a species from extinction.

We are going to show you these methods by detailing two projects, both of which have been in the pipeline for over seven years. One you might have already heard about, the other is a secret that you&apos;ll have to show up to see. Stage time allowing, we will also detail how to &quot;Nonconsensually Open-Source&quot; existing biotech products with a third concrete example. Let&apos;s reclaim the OG meaning of the word BioHacking, and actually manipulate organisms and ecosystems at the molecular level, and leave the world a little better than we found it. Come party.</abstract>
                <slug>security-bsides-las-vegas-2025-69116-advanced-bioterrorism-methods-for-the-discerning-practitioner-token-13</slug>
                <track>Skytalks</track>
                
                <persons>
                    <person id='70937'>Dr. Mixael S. Laufer</person>
                </persons>
                <language>en</language>
                <description>n/a</description>
                <recording>
                    <license></license>
                    <optout>false</optout>
                </recording>
                <links></links>
                <attachments></attachments>

                <url>https://pretalx.com/security-bsides-las-vegas-2025/talk/MEGNEQ/</url>
                <feedback_url>https://pretalx.com/security-bsides-las-vegas-2025/talk/MEGNEQ/feedback/</feedback_url>
            </event>
            
        </room>
        
    </day>
    
</schedule>
