OSINT for Social Engineering: A Phishy Little Liars Workshop
Based on the talk delivered at BSidesSF 2020 and The Layer 8 Conference 2020, this ‘OSINT for Social Engineering’ workshop steps through each phase of pretext development. From the initial acquisition of the target to the implementation and testing of the pretexts developed from information gathered during OSINT, this workshop will show attendees how to find the data they need to inspire great pretexts and what makes or breaks a pretext.
This 3-hour workshop breaks each section of the talk out into a more granular view and steps attendees through the process from start to finish, including two labs in which attendees are assigned their own target and build out their own pretext using what they have learned.
Alethe Denis is a social engineer who specializes in open-source intelligence (OSINT) and phishing, specifically vishing (voice elicitation). The winner of a black badge at DEFCON 27 in the Social Engineering Capture the Flag contest, she is the VP of Dragonfly Security and a Founding Member of the DC209 DEFCON Group. She has presented at BSides San Francisco 2020 and the Layer 8 conference, and has joined panels at DerbyCon and the Human Firewall Event.
Social Engineering Workshop: Defending against human exploitation and removing attack verticals
Social engineering has today become the most prevalent method for initiating and enabling attacks. We read in the news about large-scale attacks in which investigators are unable to pinpoint the initial phase of the intrusion; these are often indications of a social engineering-initiated attack. By design, this type of attack moves in the shadows, delivered by criminals who are able to blend into multiple environments and often leave no trace, making it very difficult to identify the point of initial compromise. Similar to warfare operations, these threat actors strive to create an asymmetrical advantage based on a carefully planned strategy. But how relevant is social engineering today, and how much of a threat does it pose to companies and organizations?
This workshop aims to discuss these questions and provide insights into the methodology attackers employ to build a strategy and an asymmetrical advantage. We will look at the typical backbone and methodology of a social engineering attack strategy, as well as at what makes some targets more attractive than others. We will discuss the information that attackers commonly seek to gather and the common methods of harvesting it. Taking it a step further, we will also explore the profiling methodology attackers follow to identify and select the best targets. Finally, attendees will be provided with examples of best practices that aim to increase their organizational security and create a human perimeter.
The Ultimate Guide to Bug Bounty Hunting
Interested in the world of bug bounty hunting? Want to get started but feel utterly overwhelmed by it all? This workshop is designed for you! Instead of being told to ‘google it’, this workshop will guide you through the basics to give you the confidence to approach bug bounty. It starts with the fundamentals of bug hunting: how to use Burp, what kinds of bugs exist, and what you should look for, with a demo of each step, and finishes with some next steps if you decide to pursue bug hunting. This workshop is designed for beginners who are familiar with the idea of bug bounties but want some guidance in getting started. So grab your favourite note-taking method, Burp Community Edition, Firefox and a pen, and let’s get you hacking!
Katie is a PhD student studying Machine Learning and Cyber Security. Although she is better known for her work in the bug bounty community, having come through a mentorship program herself, she now helps others through her YouTube channel. Her channel is focused on beginners who want to find their first bug even if they have no technical background. Her videos cover a range of topics from technical to professional skills. Outside of all that she has been knitting for several years and claims that her success is all due to her handmade lucky socks!
She is on YouTube as InsiderPhD.
Phillip Wylie, CISSP, GWAPT, OSCP
Pwning Web Apps – An Intro to Web App Pentesting
Web applications have become the most popular and widely used application type due to their portability and compatibility, and these attributes have made them widely used by businesses of all sizes. Web application security, and the assessment of it, is often misunderstood, overlooked, or simply ignored. Web applications and websites accessible through the Internet can be a risk and, when not secure, can expose sensitive information and access to the underlying IT infrastructure. The skills taught in this workshop are valuable to those aspiring to become pentesters or security researchers and to participate in bug bounties. Attendees will be provided with a virtual machine-based lab learning environment for use during the workshop and afterwards, to continue learning web app pentesting. Participants will receive a list of resources to further their study of web app pentesting.
Phillip Wylie is the Senior Red Team Lead for a global consumer products company, Adjunct Instructor at Richland College, and founder of The Pwn School Project. Phillip has over 22 years of experience, with the last 8 years spent as a pentester. Phillip has a passion for mentoring and education. That passion motivated him to start teaching and to found The Pwn School Project, a monthly educational meetup focusing on cybersecurity and ethical hacking. Phillip teaches Ethical Hacking and Web Application Pentesting at Richland College in Dallas, TX. Phillip is a co-host of The Uncommon Journey podcast. Phillip holds the following certifications: CISSP, NSA-IAM, OSCP, GWAPT.
Overflowing Buffers 101
Participants will walk through the process of fuzzing for and developing an exploit for a buffer overflow on a Linux system. This workshop is oriented towards beginners with minimal exploit development experience. Participants should have a computer with Linux, Python, GDB, and msfvenom installed.