A virtual event where new techniques and threats can be disclosed
Catch up on the sessions from our agenda by watching on-demand.
Disclosure is an experimental security event that aims to bring together bleeding-edge researchers and security professionals. Our goal is to create an environment where the latest research can be discussed, and where new techniques and threats can be disclosed to the information security community.
- OAuth Best Practices
- OAuth Vulnerabilities
- The Future of Exploitation
- OpsSec Engineering
- Hardware Exploitation
- Privilege Escalation
9:15 AM - 10:00 AM (PDT)
Opening Keynote with the Grugq, Strategic Cyber Warfare: In Great Power Competition, Cybercraft > Kinetic War
Kick things off with Okta's Chief Security Officer, David Bradbury, then hear from the Grugq, our opening keynote presenter.
This talk describes strategic cyber warfare: great power conflicts viewed from a strategic level that includes cyber, and cyber operations viewed through a prism that includes great power contest. Under this lens, individual cyber operations are less interesting in themselves; what matters is how they advance strategic objectives. Cyber operations can now achieve results typically reserved for kinetic warfare.
Existing discussions of cyber war are severely hampered by focusing on cyber battles at the tactical or operational level, rather than the strategic level of war. Strategic cyber warfare, aka persistent engagement, is based on principles that have been around for a long time (e.g. Fabian strategy), but only recently formalised as doctrine in the West. None of this is new, but the cyber dimension collapses information spheres, geolocation, and gatekept communities. The main impact of this is flattening the resource requirement differences between a state, a corporation and a person.
Small groups of people can take actions that are as effective or more effective than states.
10:10 AM - 10:45 AM (PDT)
Hardware Security: The Final Frontier?
VP of Cybersecurity Strategy, Okta
All eyes are focused on software; July saw over 1,000 vulnerabilities drop in just two weeks. Despite this, there are only a few notable people looking at hardware security, and whole categories of critical devices get no scrutiny at all. I will demonstrate just how vulnerable this hardware is to attack and show some of the ramifications live.
How Ops Work Made Me Better at AppSec
Application Security Engineer, Salesforce
11:00 AM - 11:45 AM (PDT)
Disinformation: Threat Intelligence and Creating a Distributed Response
Founder, Bodacea Light Industries LLC
With companies providing disinformation as a service (DaaS) and the US election coming up in November, we need to prepare our disinformation defences now more than ever. This talk is about how we set up and ran a real-time disinformation threat intelligence team inside a larger information security response - The CTI-League. It includes tools, processes, data science support and how to keep the team sane whilst reading dangerous materials.
How to Think About OAuth Security
Aaron Parecki, Senior Security Architect, Okta
In this talk, Aaron Parecki, a contributor to the OAuth specifications, provides a summary of the recent updates to the OAuth 2.0 Security Best Current Practice spec, and sheds some light on the vulnerabilities and weaknesses that led to some of the changes. You'll learn how to look for potential flaws and what it takes to build a secure OAuth implementation.
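Two of the checks the OAuth 2.0 Security Best Current Practice calls for are easy to show in code: PKCE (so a captured authorization code is useless without the client's code_verifier) and exact matching of redirect_uri against the client's registration. The following is an added example written for this page, not code from the talk or from Okta; the client registration, URIs and sample strings in it are constructed for illustration.

```go
package main

import (
	"crypto/rand"
	"crypto/sha256"
	"crypto/subtle"
	"encoding/base64"
	"fmt"
)

// NewCodeVerifier makes a PKCE code_verifier: 32 random bytes, base64url
// encoded without padding, which gives 43 characters (RFC 7636 allows 43..128).
func NewCodeVerifier() (string, error) {
	b := make([]byte, 32)
	if _, err := rand.Read(b); err != nil {
		return "", err
	}
	return base64.RawURLEncoding.EncodeToString(b), nil
}

// CodeChallengeS256 is what the client puts in the authorization request:
// BASE64URL(SHA256(code_verifier)), sent with code_challenge_method=S256.
func CodeChallengeS256(verifier string) string {
	sum := sha256.Sum256([]byte(verifier))
	return base64.RawURLEncoding.EncodeToString(sum[:])
}

// VerifyPKCE is the authorization server's check at the token endpoint. The
// code_verifier sent with the authorization code must hash to the challenge
// stored when the code was issued; a party that only captured the code (for
// example through a leaked redirect) cannot produce the verifier.
func VerifyPKCE(storedChallenge, presentedVerifier string) bool {
	if len(presentedVerifier) < 43 || len(presentedVerifier) > 128 {
		return false
	}
	got := CodeChallengeS256(presentedVerifier)
	return subtle.ConstantTimeCompare([]byte(got), []byte(storedChallenge)) == 1
}

// RedirectURIAllowed compares the requested redirect_uri against the client's
// registered URIs by exact string match. Prefix, wildcard or "same host"
// matching is what lets an attacker steer the code to a path or subdomain
// they control.
func RedirectURIAllowed(registered []string, requested string) bool {
	for _, r := range registered {
		if r == requested {
			return true
		}
	}
	return false
}

func main() {
	// Constructed walk-through of one flow; no network involved.
	verifier, err := NewCodeVerifier()
	if err != nil {
		panic(err)
	}
	challenge := CodeChallengeS256(verifier)
	fmt.Println("authorize?code_challenge=" + challenge + "&code_challenge_method=S256")

	registered := []string{"https://app.example/callback"} // hypothetical client registration
	fmt.Println("exact redirect ok:     ", RedirectURIAllowed(registered, "https://app.example/callback"))
	fmt.Println("traversal redirect ok: ", RedirectURIAllowed(registered, "https://app.example/callback/../admin"))

	fmt.Println("real verifier ok:      ", VerifyPKCE(challenge, verifier))
	fmt.Println("guessed verifier ok:   ", VerifyPKCE(challenge, "not-the-verifier-but-long-enough-to-pass-the-length-check"))
}
```

The server must store the challenge alongside the issued code and refuse a token request that omits the verifier for a code that was issued with a challenge; accepting a verifier-less request would silently disable PKCE for exactly the attacker who stripped it.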
12:00 PM - 12:30 PM (PDT)
12:30 PM - 1:15 PM (PDT)
Managing vulnerabilities for the Microsoft Security Response Center
On June 30th, 2020 F5 Networks disclosed an extremely high severity (CVSS 10.0) vulnerability in their Web GUI management interface, affecting nearly all of their products. While most of the world was enjoying a weekend, and a holiday weekend for those in the United States, defenders were working hard to detect and respond. By Monday, widescale attacks had started and continue to this day. In this talk I'll cover the work I and others did to identify at-risk devices, notify at-risk organizations and craft a much needed defense strategy. I'll explain this vulnerability, its similarity to other attacks against network devices seen in 2020, and share IOCs and techniques seen in real-world attacks. Finally, I'll address the vendor response, the challenges it posed for defenders and how it could have been improved.
Open Source Anti-Reconnaissance
Web Security Researcher
Gathering intelligence about a target is the first step an attacker takes to attack an application. One key piece of information an attacker looks for is development information. What technology is the application built with? What security issues does the development team struggle with? What does the input validation code look like? Are there any outdated dependencies that might pave the way to a successful attack? Attackers collect information about an application’s development process, technology, and dependencies to strategize how to best attack an application. Open source reconnaissance is an increasingly popular method of reconnaissance. Compared to traditional web reconnaissance techniques like host enumeration and active fingerprinting, open-source intelligence is stealthy and almost impossible to detect. In this breakout session, we'll dive deep into how attackers conduct open-source reconnaissance and how to prevent open-source recon from compromising the security of your application.
1:30 PM - 2:15 PM (PDT)
I Choose You
Sr. Director of Threat Research and Detection, Proofpoint
If you could be anyone, who would you be and what malware would you unleash upon your victims? We'll discuss what threat actors use to make decisions: their thought process, their tools, what's available, and which threats go to which targets. We'll explore interesting campaigns, including the social engineering and malware payload combinations intended to get the best results.
Introduction to Public Key Cryptography
Account Security, Twilio
From TLS to authentication, “crypto” is used for a lot more than just currencies. In 2020 security should be part of every engineer’s toolkit and cryptography is a foundation we can master together. This talk will dive into modern cryptography, the math behind how it works, and its everyday use cases. You’ll leave understanding the difference between symmetric and asymmetric cryptography, why you would have a public and private key, and how those get used in a variety of applications. We’ll look at how to encrypt and decrypt data in code and discuss the reasons you should never roll your own crypto. This will not be a talk about bitcoin, but will dive into how cryptography helps secure anonymous transactions and keeps your identity and data safe.
2:30 PM - 3:00 PM (PDT)
3:00 PM - 3:45 PM (PDT)
Theory to Practice: Applying Academic Program Analysis Advances in the Real World
Assistant professor at Arizona State University
The automated analysis of software to find and fix vulnerabilities has been a core interest in the Academic Cybersecurity community for decades. Techniques are proposed, evaluated, discussed, shown to be effective, and, almost always, immediately forgotten. Despite hundreds of such academic papers, security analysis is still a heavily manual process. One can’t help but wonder: why does the academically proven efficacy of automated tools rarely gain traction in the real world? I ran into this question head first as I tried to apply my own research techniques to the real world after my participation in the DARPA Cyber Grand Challenge, the first fully automated cybersecurity competition. In this talk, I will discuss the difficulties that arise in transitioning theoretical techniques to practice, talk about recent directions in the field aimed at assuaging these difficulties, and present a frank look at the current cutting edge in software analysis. Hopefully, knowing the hurdles that can be encountered will help with the future transition of academic advancements to the real world.
Lazy, Stupid and Unconcerned - Why You Are the Perfect Target
Cofounder of Gun.io
In this fast-paced and wide-ranging talk, I'll show you some fun and practical attacks against application developers and system administrators that can allow for even greater access to treasured goodies than through flaws in applications themselves.
4:00 PM - 4:45 PM (PDT)
Cyber Threat Intelligence Demystified
Today’s security professionals recognize that threat intelligence is a critical component in their cyber toolkit, enabling them to proactively respond and pre-empt advanced threats. Yet many of these same professionals are having a difficult time understanding the array of threat intelligence solutions and how to best utilize them within their organizations.
Join CrowdStrike's Director of the Strategic Threat Advisors Group, Jason Rivera, to learn more about these challenges and why threat intelligence is a critical part of an effective cybersecurity strategy. He will share how to get the most value out of threat intelligence by applying it effectively across your organization, from security operations to executive leadership.
Blasting Browser Security with Extensions
Senior Security H@X0R, Okta
Multi-platform browser extensions are easier to write than ever, can have great authority to examine and alter HTTP requests and responses, and are shockingly easy to get listed on the official respective browser stores.
In this talk, Micah gives an overview of how browser extensions work and the web-ext tool for creating extensions that work in both Google Chrome and Mozilla Firefox. He then shows how to debug and test extensions locally as well as how to package them up for distribution. The talk culminates with a real-time attempt to get an extension with an over-powered list of permissions listed on the Chrome Web Store and the Firefox Browser Add-ons Store.
5:00 PM - 5:45 PM (PDT)
Closing Keynote with Samy Kamkar, The Future of Exploitation
Samy Kamkar, Cofounder of Openpath Security
The world is a beautiful place. We are all fortunate to experience or observe curious physical phenomena; the sound of birds singing or the ultrasonic chirping of cryptographic functions, the glowing scattered light of an early sunrise or the electromagnetic emanations of a secret key unwrapping, a cool breeze of morning air or a gust of canned air increasing data remanence of passwords in memory. The math and physics found around us in nature, harnessed by humans, transmitted through silicon, extracted from sand, all to be wonderfully exploited by low cost technologies that we will explore together.
6:30 PM (PDT)