This month, members of NCC Group will be presenting their work at the following conferences:
- Sourya Biswas, “Psychology of the Phish: Leveraging the Seven Principles of Influence”, to be presented at ISACA Conference North America (Virtual – May 5 2021)
- Sourya Biswas, “Cybersecurity is War: Lessons from Historical Conflicts”, to be presented at Secure360 (Virtual – May 12 2021)
- Jeff Dileo (NCC Group), Addison Amiri (ex-NCC), “dRuby Security Internals”, to be presented at NorthSec (Virtual May 20-21 2021)
- Eric Evenchick, “Building CANtact Pro: An Open Source CAN Bus Tool”, to be presented at NorthSec (Virtual May 20-21 2021)
- Xavier Garceau-Aranda, “Training: Offensive Cloud Security”, to be presented at NorthSec (Virtual May 24-28 2021)
Please join us!
Psychology of the Phish
Sourya Biswas
ISACA NA – Virtual
May 5 2021
According to the X-Force Threat Intelligence Index 2020, produced by IBM X-Force Incident Response and Intelligence Services, phishing is still the number one attack vector in use today. Security professionals often overlook the “social” aspect of “social engineering”, focusing on tool deployment instead. The success of phishing is predicated on exploiting normal human behavior for nefarious purposes. This session looks at phishing through this psychological lens, specifically on how the Seven Principles of Influence as expounded by Robert Cialdini are leveraged by attackers.
Cybersecurity is War: Lessons from Historical Conflicts
Sourya Biswas
Secure360 – Virtual
May 12 2021
It’s during moments of adversity that humankind exhibits innovation of the highest order. Nowhere is this truer than during armed conflicts that pit humans against their most dangerous adversaries, other humans. And while the cybersecurity landscape is not a battleground with fallen bodies, there’s truly a war ongoing with hostile threat actors using a variety of evolving attack vectors to compromise information assets. This session looks back at historical conflicts and tries to draw lessons that translate to today’s cybersecurity landscape.
dRuby Security Internals
Jeff Dileo (NCC Group) & Addison Amiri (ex-NCC)
NorthSec – Virtual
May 24-28 2021
dRuby is a “distributed object system” built into Ruby that is generally known
to be insecure, but which has never been properly audited… until now. In this
talk, we will discuss how dRuby works, where its insecurities lie, and how it
is much more insecure than previously understood to be — which is a feat,
considering that dRuby already provides code execution as a service.
This talk will focus on a discussion of the dRuby API, its
internals, and its underlying wire protocol, covering the security issues
inherent in each along the way. As part of the this, we will also demonstrate
several novel exploitation techniques that can be used against both dRuby
servers and clients, the latter of which have not been known to be vulnerable
until now. Following this, we will discuss some of our work to harden dRuby
against each of the issues we identified. We will then close our talk by
covering our work to exploit the exploits used to compromise dRuby-based
services for some very ironic honeypotting.
Building CANtact Pro: An Open Source CAN Bus Tool
Eric Evenchick
NorthSec – Virtual
May 20-21 2021
Ever wanted to build your own hardware tool? In this talk, we’ll discuss the design and release process for the CANtact Pro device. From PCB design to driver development, there’s a lot of steps that go into bringing a hardware idea to market. This talk will give you a better understanding of this process and how you can launch your own hardware product. We’ll talk about open source tools for designing PCBs, writing cross-platform drivers using Rust, the economics of releasing a device, and the unavoidable logistical headaches of building hardware.
Training: Offensive Cloud Security
Xavier Garceau-Aranda
NorthSec – Virtual
May 24-28 2021
While security awareness and collective experience regarding the Cloud has been steadily improving, one common difficulty is applying theoretical knowledge to real-life scenarios. This training’s goal is to help attendees bridge this gap by understanding how conventional technologies integrate with Cloud solutions. The training is scenario-based and focuses on applied exercises.
Published