Fall 2024
Security at an Early-Stage Startup
Friday, November 8, 2024 at 4:30pm
Shriram 262
Early-stage startups have a unique opportunity to be secure by default. Startups should invest early in good security practices and hygiene, which are now more accessible and affordable than ever. It’s about selecting the right tools, making the right engineering decisions, and fostering a culture that prioritizes security from the start. Mokhtar discusses how this is implemented at his startup, Formal, and how other early-stage startups can do the same.
Speaker: Mokhtar Bacha
Hacking Your Pentesting Career
Friday, November 1, 2024 at 4:30pm
Shriram 262
Speaker: Phillip Wylie
Top Concerns with Vulnerability Data
Friday, October 25, 2024 at 4:30pm
Shriram 262
The cybersecurity landscape relies on managing vulnerabilities, with systems like the Common Vulnerabilities and Exposures (CVE) list and the Common Vulnerability Scoring System (CVSS) playing pivotal roles. However, these systems are increasingly struggling to handle the growing complexity and volume of vulnerabilities, as demonstrated in 2024 when the National Vulnerability Database (NVD) fell far behind on enriching newly published CVE records with CVSS scores and affected-product (CPE) data. This paper highlights critical shortcomings in vulnerability data management, such as outdated information, limited context, and inefficient scoring, and explores potential solutions to improve how vulnerabilities are tracked, scored, and prioritized to meet the demands of modern cybersecurity.
Speakers: Abhineeth Pasam and Ahaan Sinha
Supply Chain Attacks
Friday, October 18, 2024 at 4:30pm
Shriram 262
Starting with my personal experiences in hacking smart vehicles, financial institutions and government infrastructure, I tell some stories that are partly humorous, partly shocking. From there, I move on to the topic of critical infrastructure and the development toward a “cyber-physical” world, including the associated risks. Then I will shed light on the upcoming threats from a hacker’s perspective, briefly talking about cloud and API technologies, but especially the topic of the software supply chain (SDLC) and the effects of artificial intelligence. In conclusion, I discuss the current shortage of skilled workers and share a common outlook on the future.
Speaker: David Colombo
Message Authentication Codes Workshop
Friday, October 11, 2024 at 4:30pm
Shriram 262
Live coding demo using message authentication codes (MACs) to distinguish an image produced by a known camera, which tags its output with a shared secret key, from an arbitrary image found online.
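The check the workshop describes, as an added example written for this page (not the workshop's own code): the camera and the verifier share a secret key, the camera emits an HMAC-SHA256 tag over its camera ID and the image bytes, and the verifier accepts an image only if the tag recomputes. The key, camera ID and image bytes below are constructed stand-ins; the length-prefixed message layout is a design choice, not something the workshop specifies.

```python
"""HMAC-based image origin check: is this frame really from camera X?"""
import hashlib
import hmac
import struct


def _message(camera_id: bytes, image: bytes) -> bytes:
    # Length-prefix both fields so that (camera_id, image) pairs cannot be
    # re-split into a different pair that yields the same byte string.
    return (struct.pack(">I", len(camera_id)) + camera_id
            + struct.pack(">Q", len(image)) + image)


def tag_image(key: bytes, camera_id: bytes, image: bytes) -> bytes:
    """Camera side: compute the 32-byte HMAC-SHA256 tag shipped with the frame."""
    return hmac.new(key, _message(camera_id, image), hashlib.sha256).digest()


def is_from_camera(key: bytes, camera_id: bytes, image: bytes, tag: bytes) -> bool:
    """Verifier side: recompute the tag and compare in constant time.

    compare_digest returns False for a tag of the wrong length instead of
    raising, so a truncated or missing tag is simply rejected.
    """
    expected = tag_image(key, camera_id, image)
    return hmac.compare_digest(expected, tag)


def demo() -> dict:
    # Constructed inputs: a fixed 32-byte key, a camera ID and a fake PNG frame.
    key = bytes.fromhex("000102030405060708090a0b0c0d0e0f"
                        "101112131415161718191a1b1c1d1e1f")
    camera = b"cam-01"
    frame = b"\x89PNG\r\n\x1a\n" + bytes(range(256))
    tag = tag_image(key, camera, frame)

    tampered = frame[:-1] + b"\x00"            # one byte flipped after tagging
    random_online = b"\xff\xd8\xff\xe0" + b"cat" * 20  # untagged image from the web
    return {
        "genuine": is_from_camera(key, camera, frame, tag),
        "tampered": is_from_camera(key, camera, tampered, tag),
        "wrong_camera": is_from_camera(key, b"cam-02", frame, tag),
        "random_image": is_from_camera(key, camera, random_online, tag),
        "wrong_key": is_from_camera(b"\x00" * 32, camera, frame, tag),
        "truncated_tag": is_from_camera(key, camera, frame, tag[:16]),
    }


if __name__ == "__main__":
    for case, ok in demo().items():
        print(f"{case:14s} -> {'accepted' if ok else 'rejected'}")
```

Only the genuine frame is accepted; a tampered frame, a frame re-attributed to another camera, an untagged image from the web, a tag under a different key and a truncated tag are all rejected. The MAC proves knowledge of the key, not that the pixels depict reality: anyone who extracts the key from the camera can tag arbitrary images, which is why such keys belong in a secure element when this is done for real.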
Speaker: Jeremy Kim
Intro to Web Hacking Workshop
Friday, October 4, 2024 at 4:30pm
Shriram 262
Join us for an engaging Intro to Web Hacking session where we’ll dive into website vulnerabilities and learn how to exploit common issues through live demonstrations. We’ll be using a fun cat website to explore different hacking techniques!
Speaker: Donovan Jasper
Breaking Secure Web Gateways (SWG) for Fun and Profit
Friday, September 27, 2024 at 4:30pm
Shriram 262
Today, more than 85% of endpoint usage time is on the browser. Yet most organizations still rely on domain-based web filtering technologies such as SWGs/SASEs developed nearly two decades ago. Attackers have exploited this fact and developed increasingly complex attacks targeting users on the web. At DEFCON 32 this year, SquareX gave four talks disclosing multiple advanced client-side web attacks that completely bypass all major SWGs. Vivek will be conducting a workshop on two of these major attack classes:
Last Mile Reassembly Attacks - malicious payloads are delivered through channels the gateway does not inspect (WebRTC, gRPC, etc.), or disguised as code or images, as chunked or encrypted files, or via encoding tricks, and are only reassembled into a malicious file on the client side, after the gateway has already seen the traffic.
Malicious Browser Extensions - advanced attacks delivered through browser extensions, including content script injection and remote code execution, DOM manipulation to trigger executable downloads, cookie and session hijacking, webcam feed stealing and GitHub account hijacking.
Vivek will be presenting demos of how some of these attacks occur in real environments, how one would go about building these attacks and defenses against them.
Speakers: Vivek Ramachandran, Audrey Adeline, and Shourya Pratap Singh
Vivek Ramachandran is a security researcher, book author, speaker-trainer, and serial entrepreneur with over two decades of experience in offensive cybersecurity. He is currently the founder of SquareX, a Sequoia-backed browser security company. Prior to that, he founded and led Pentester Academy (acquired in 2021), where he trained the pentest and red teams of many Fortune 500 companies and government institutions such as the Pentagon and DoD. As a security researcher, Vivek discovered the Caffe Latte attack, broke WEP Cloaking, conceptualized enterprise Wi-Fi backdoors, and created Chellam (Wi-Fi firewall), WiMonitor Enterprise (802.11ac monitoring), Chigula (Wi-Fi traffic analysis via SQL), and Deceptacon (IoT honeypots), among others, and has been a speaker at BlackHat and Defcon since 2007. He is also currently part of the BlackHat Arsenal Review Board.
Audrey Adeline works closely with Vivek as part of the Founder’s Office and leads most key strategic initiatives for SquareX. Previously, she was part of the investment team at Sequoia that led SquareX’s seed round, where she specialized in cybersecurity and software investments.
Shourya Pratap Singh is a Principal Software Engineer at SquareX and is responsible for building SquareX’s security-focused extension and led multiple research pieces on browser extension based attacks. He has presented his innovative security research at Defcon, the Texas Cyber Summit and Blackhat Arsenal EU.