Security researchers will release groundbreaking vulnerabilities and cutting-edge RFID hacking methods

July 29, 2015



Prominent cybersecurity firm Bishop Fox is scheduled to present four talks at Black Hat USA, DEF CON, and BSides Las Vegas Aug. 5 – 9, 2015.

Security Associate Phil Purviance is presenting “Insider Tricks for Bug Bounty Success” at BSides Las Vegas on Wednesday, Aug. 5 at 3 PM PST.  

That will be followed by a showing at Black Hat USA. “Bypass Surgery Abusing Content Delivery Networks” by Security Associate Mike Brooks and Security Analyst Matthew Bryant is slated for Thursday, Aug. 6 at 9:45 AM PST.

At DEF CON, Security Associate Dan Petro and Senior Security Associate Oscar Salazar will present “Hacking Smart Safes: On the “Brink” of a Robbery” on Saturday, Aug. 8 at 12 PM PST.

Partner Francis Brown and Security Analyst Shubham Shah close things out at DEF CON with “RFIDiggity: Pentester Guide to Hacking HF/NFC and UHF RFID” on Sunday, Aug. 9 at 1 PM PST.

“It’s always an honor to showcase our thought leadership with the greater community, and especially at conferences of this esteem,” said Partner Vincent Liu. “Our team includes some of the most innovative minds in the industry, and what they have planned for this year is truly remarkable.”

“Bypass Surgery Abusing Content Delivery Networks”

At Black Hat USA, Bryant and Brooks will shed light on two significant vulnerabilities in a prominent Content Delivery Network (CDN). Large portions of the Internet’s data, including many popular websites, depend on these powerful distributed CDNs.

When the newly discovered vulnerabilities are combined, the same-origin policies of many popular websites can be successfully bypassed. This means the users of the sites that employ this CDN are at risk of account hijacking and data theft.

“This exploit represents a violation of trust that is a critical part of Internet use,” explained Bryant. “Our research is meant to bring this to people’s attention, and begin a conversation on similar issues.”

“Hacking Smart Safes: On the “Brink” of a Robbery”

Petro and Salazar’s presentation at DEF CON will explore issues within the Brink’s CompuSafe Galileo that have made it vulnerable to hacking. The popular Galileo model is a “smart safe,” meaning it’s a computerized version of its traditional counterpart. The most conspicuous of the issues with this alleged smart safe is an external USB port, which will play significantly into their presentation.

About their research, Salazar stated, “The safe’s USB port enables a malicious user to automate the steps to hack into the safe’s computer and, as a result, steal the safe’s cash. Beyond opening the safe door, an attacker could perform additional actions that would make it difficult to determine who was at fault.”

On stage, Petro and Salazar will have an actual model of the safe on hand for demonstration purposes.

“RFIDiggity: Pentester Guide to Hacking HF/NFC and UHF RFID”

Brown and Shah’s presentation will highlight novel hacking techniques focused on high-frequency and ultra high-frequency RFID. Brown has previously presented low-frequency RFID research at Black Hat USA 2013. His earlier presentation was named one of the “Top 10 Moments” in the conference’s storied history, and Brown is considered an expert in RFID hacking.

Their latest research will encompass the RFID technologies found in credit cards, public transit cards, mobile payment systems, NFC loyalty cards, new hotel room keys, smart home door locks, “green cards,” and more. By compromising these technologies, Brown and Shah intend to illustrate the inherent flaws in RFID as well as to provide fellow penetration testers with a new RFID hacking resource.

Additionally, Brown and Shah will be handing out “new and free RFID hacking tools using Arduino microcontrollers, Raspberry Pis, phone/tablet apps, and even 3D printing” to audience members.

“Insider Tricks for Bug Bounty Success”

Purviance has worked extensively on internal bug bounty teams, monitoring queues and communicating with researchers to quickly remediate issues. His valuable experience on both sides of the equation will be an integral part of his talk. He will share his tried-and-tested best practices — and observations from the frontlines — with the audience. It’s a talk that will benefit both new and experienced bug hunters.

This presentation will capitalize upon Purviance’s years of bug bounty knowledge, both as an insider and as a “bug hunter.” His achievements as a bug hunter include placement in both the Google and Facebook Halls of Fame, discovering high-risk bugs that earned him considerable payouts.

All Bishop Fox presenters will be in Vegas next week to discuss their findings. Please contact Brittani Howard at [email protected] to set up a time to meet with the team.

About Bishop Fox 

Bishop Fox is a leading information security consulting firm that protects businesses from today's increasing security threats. Headquartered in the Phoenix area since its start in 2005, the firm provides assessment and penetration testing and enterprise security services to the Fortune 1000, high-tech startups, and financial institutions worldwide. Bishop Fox's team of consultants draws from over 400 years of combined experience to provide comprehensive solutions for their clients' most challenging security problems.
