A virtual event where new techniques and threats can be disclosed

September 2, 2020

About Disclosure

Disclosure is an experimental security event that aims to bring together bleeding edge researchers and security professionals. Our goal is to create an environment where the latest research can be discussed. Somewhere where new techniques and threats can be disclosed to the information security community.

Topics

  • Anti-Reconnaissance
  • OAuth Best Practices
  • OAuth Vulnerabilities
  • The Future of Exploitation
  • Cryptography
  • OpsSec Engineering
  • Disinformation
  • Hardware Exploitation
  • Privilege Escalation

2020 Agenda

9:15 AM - 10:00 AM (PDT)

Opening Keynote

Kick things off with Okta's Chief Security Officer, David Bradbury, then hear from our surprise opening keynote presenter.

10:00 AM - 10:45 AM (PDT)

Hardware Security: The Final Frontier?

Marc Rogers, VP of Cybersecurity Strategy, Okta

Security

All eyes are focused on software: July saw over 1000 vulnerabilities drop in just two weeks. Despite this, there are only a few notable people looking at hardware security, and whole categories of critical devices get no scrutiny at all. I will demonstrate just how vulnerable this hardware is to attack and show some of the ramifications live.

How Ops Work Made Me Better at AppSec

Breanne Boland, Application Security Engineer, Salesforce

Developer

Ops engineers and security engineers share a reputation for being curmudgeonly, but there are more things they share than demeanor. While the differences between roles are considerable, there are things from previous roles that made me better equipped to do a new and very different job. How does an ops person learn to embrace JavaScript after years of defending Bash? What does being a Terraform guru bring to secure code reviews? And is it easier to see security sins in Python scripts after years of writing quick-and-dirty networking tools? You’ll learn what an ops engineer can bring to your appsec team and how a background in site reliability and infrastructure might give you a leg up in appsec work.

11:00 AM - 11:45 AM (PDT)

Disinformation: Threat Intelligence and Creating a Distributed Response

Sara-Jayne “SJ” Terp, Founder, Bodacea Light Industries LLC

Security

With companies providing disinformation as a service (DaaS) and the US election coming up in November, we need to prepare our disinformation defences now more than ever. This talk is about how we set up and ran a real-time disinformation threat intelligence team inside a larger information security response, the CTI-League. It includes tools, processes, data science support and how to keep the team sane whilst reading dangerous materials.

How to Think About OAuth Security

Aaron Parecki, Senior Security Architect, Okta

Developer

In this talk, Aaron Parecki, a contributor to the OAuth specifications, provides a summary of the recent updates to the OAuth 2.0 Security Best Current Practice spec, and sheds some light on the vulnerabilities and weaknesses that led to some of the changes. You'll learn how to look for potential flaws and what it takes to build a secure OAuth implementation.

12:00 PM - 12:30 PM (PDT)

Break

12:30 PM - 1:15 PM (PDT)

Hunting CVE-2020-5902

Nate Warfield, Managing vulnerabilities for the Microsoft Security Response Center

Security

On June 30th, 2020 F5 Networks disclosed an extremely high severity (CVSS 10.0) vulnerability in their Web GUI management interface, affecting nearly all of their products. While most of the world was enjoying a weekend – and a holiday weekend for those in the United States – defenders were working hard to detect and respond. By Monday, widescale attacks had started and continue to this day. In this talk I’ll cover the work I and others did to identify at-risk devices, notify at-risk organizations and craft a much needed defense strategy. I’ll explain this vulnerability, its similarity to other attacks against network devices seen in 2020, and share IOCs and techniques seen in real-world attacks. Finally, I’ll address the vendor response, the challenges it posed for defenders and how it could have been improved.

Open Source Anti-Reconnaissance

Vickie Li, Web Security Researcher

Developer

Gathering intelligence about a target is the first step an attacker takes to attack an application. One key piece of information an attacker looks for is development information. What technology is the application built with? What security issues does the development team struggle with? What does the input validation code look like? Are there any outdated dependencies that might pave the way to a successful attack? Attackers collect information about an application’s development process, technology, and dependencies to strategize how to best attack an application. Open-source reconnaissance is an increasingly popular method of reconnaissance. Compared to traditional web reconnaissance techniques like host enumeration and active fingerprinting, open-source intelligence is stealthy and almost impossible to detect. In this breakout session, we'll dive deep into how attackers conduct open-source reconnaissance and how to prevent open-source recon from compromising the security of your application.

1:30 PM - 2:15 PM (PDT)

I Choose You

Sherrod DeGrippo, Sr. Director of Threat Research and Detection, Proofpoint

Security

If you could be anyone, who would you be and what malware would you unleash upon your victims? We'll discuss what threat actors use to make decisions, understanding their thought process, their tools, what’s available, and which threats go to which targets. We’ll explore interesting campaigns including the social engineering and malware payload combinations intended to get the best results.

Introduction to Public Key Cryptography

Kelley Robinson, Account Security, Twilio

Developer

From TLS to authentication, “crypto” is used for a lot more than just currencies. In 2020 security should be part of every engineer’s toolkit and cryptography is a foundation we can master together. This talk will dive into modern cryptography, the math behind how it works, and its everyday use cases. You’ll leave understanding the difference between symmetric and asymmetric cryptography, why you would have a public and private key, and how those get used in a variety of applications. We’ll look at how to encrypt and decrypt data in code and discuss the reasons you should never roll your own crypto. This will not be a talk about bitcoin, but will dive into how cryptography helps secure anonymous transactions and keeps your identity and data safe.

2:30 PM - 3:00 PM (PDT)

Break

3:00 PM - 3:30 PM (PDT)

Theory to Practice: Applying Academic Program Analysis Advances in the Real World

Yan Shoshitaishvili, Assistant professor at Arizona State University

Security

The automated analysis of software to find and fix vulnerabilities has been a core interest in the Academic Cybersecurity community for decades. Techniques are proposed, evaluated, discussed, shown to be effective, and, almost always, immediately forgotten. Despite hundreds of such academic papers, security analysis is still a heavily manual process. One can’t help but wonder: why does the academically proven efficacy of automated tools rarely gain traction in the real world? I ran into this question head first as I tried to apply my own research techniques to the real world after my participation in the DARPA Cyber Grand Challenge, the first fully automated cybersecurity competition. In this talk, I will discuss the difficulties that arise in transitioning theoretical techniques to practice, talk about recent directions in the field aimed at assuaging these difficulties, and present a frank look at the current cutting edge in software analysis. Hopefully, knowing the hurdles that can be encountered will help with the future transition of academic advancements to the real world.

Lazy, Stupid and Unconcerned - Why You Are the Perfect Target

Rich Jones, Cofounder of Gun.io

Developer

In this fast-paced and wide-ranging talk, I'll show you some fun and practical attacks against application developers and system administrators that can allow for even greater access to treasured goodies than through flaws in applications themselves.

4:00 PM - 4:45 PM (PDT)

CrowdStrike Session

Security

Coming Soon

Dangers of the OAuth Implicit Flow

Micah Silverman, Senior Security H@X0R, Okta

Developer

In this talk, Micah reviews the historical context for the OAuth 2.0 authorization framework, what the various use cases and flows are, why the Implicit Flow exists, why it's a security risk and how it's been deprecated by the 2019 Security Best Current Practice specification. Micah will demonstrate the Implicit Flow Detector, a browser extension to alert users to websites still using this flow. Micah will also demonstrate its replacement: the Authorization Code + PKCE flow.

5:00 PM - 5:45 PM (PDT)

Closing Keynote with Samy Kamkar, The Future of Exploitation

Samy Kamkar, Cofounder of Openpath Security

The world is a beautiful place. We are all fortunate to experience or observe curious physical phenomena; the sound of birds singing or the ultrasonic chirping of cryptographic functions, the glowing scattered light of an early sunrise or the electromagnetic emanations of a secret key unwrapping, a cool breeze of morning air or a gust of canned air increasing data remanence of passwords in memory. The math and physics found around us in nature, harnessed by humans, transmitted through silicon, extracted from sand, all to be wonderfully exploited by low cost technologies that we will explore together.

6:00 PM (PDT)

Event Ends

2020 Featured Speakers

Samy Kamkar

Marc Rogers

Sara-Jayne “SJ” Terp

Micah Silverman

Vickie Li

Aaron Parecki

Yan Shoshitaishvili

Breanne Boland

Rich Jones

Kelley Robinson

Sherrod DeGrippo

Nate Warfield
