Ilja Van Sprundel, Sr Director of Operating Systems Security, will be presenting ‘Fuzzing SMB’ and IOActive will be sponsoring the LLM Purple Test at CanSecWest this year. Find the IOActive team at the conference.
Hardwear.io Security Trainings and Conference USA 2024
IOActive is a supporting sponsor for this year’s event in Santa Clara, CA.
Learn from leading hardware security researchers & professionals and discuss the latest & most innovative research on attacking and defending hardware. Connect with industry peers. Join the community for a bigger, bolder, and better hardwear.io.
More event details here.
/Rooted CON, Madrid | Ramiro Pareja Veredas
Ramiro Pareja Veredas, IOActive Principal Security Consultant, will be presenting ‘Attacking Vehicle Fleet Management Systems’ at /Rooted CON Madrid.
The goal of the research was to assess the current state of connected-vehicle security. Unlike previously published work, in which researchers chose to attack a popular modern car, the focus was on other automotive components and systems that security experts, and car designers, usually overlook and that could be abused to launch scalable and massive attacks. The devices analyzed include T-boxes, OBD2 dongles, 5G modems, MQTT servers and mobile apps, giving a view of the broader automotive security picture rather than a limited one based exclusively on the security of the car.
The /Rooted CON cybersecurity conference was born with the purpose of promoting the exchange of knowledge between members of the security community.
/Rooted CON is being held 7 March through 9 March; more details here.
CRIPTORED CYBERSECURITY CONFERENCE | Gabriel Gonzalez
Gabriel González, IOActive Director of Hardware Security, will be presenting: ‘Applying Fault Injection to the Firmware Update Process of a DJI Drone’ at CRIPTORED Cybersecurity Conference in Madrid.
Criptored brings together the most relevant national and international experts in cybersecurity, privacy, cryptography and civil liberties. Together with the RootedCon organization and a jury of experts, the best technical presentations, tools and courses with an applied approach will be selected to reach a wider audience.
World Game Protection Conference
The IOActive team will field a booth at the World Game Protection Conference 2024, and the research team of Joseph Tartaro, Enrique Nissim and Ethan Shackelford will present ‘Shuffle Up and Deal: Analyzing the Security of Automated Card Shufflers’ at the conference. The talk continues the exploration of the card shuffler security research the team presented at Black Hat 2023.
Conference details can be found here.
Security BSides London 2023 | Nick Dunn
Nick Dunn, IOActive Senior Security Consultant, will be presenting: ‘Slightly SOSL’ed – Locating and Testing SOSL Injection’ at Security BSides in London, 9 December.
Nick’s presentation will explore:
The Salesforce platform is subject to a platform-specific vulnerability in Apex code known as SOSL injection. While conceptually similar to SQL injection, testing for and exploiting it entails different payloads and approaches.
Because minimal documentation is available online, the talk will attempt to shed light on this Apex code and custom API issue, its consequences, and the working methods for detecting and confirming the existence of the vulnerability. It will probe in detail the different payloads useful for detection and exploitation and the consequences of a vulnerable site, and will close with a discussion of solutions to fix occurrences of the issue.
Chaos Communication Congress | Hamburg
After a three-year break, the Chaos Computer Club will host its 37th Chaos Communication Congress (37C3) from 27 December to 30 December 2023. We invite you to the CCH in Hamburg for Germany’s most traditional IT security and technical competence conference, the largest European gathering of the hacker scene.
The digital world is once again in a state of upheaval: even more mercenary hacks, even more state Trojans dragged before the Federal Constitutional Court, even more AI hyper-hyper along with wonky ideas like chatcontrol, and even more politicians who only make decisions according to lobby promises. The only thing that helps against this is to inform oneself, get positive impulses for a digital future worth living in and learn what is possible with universal computers.
This is what we offer at 37C3 and all interested people can participate. As always, the talks will be streamed live and then offered on media.ccc.de. We also plan to translate the lectures again into several languages.
2023 OCP Global Summit
The Open Compute Project (OCP) Summit is the premier event uniting the most forward-thinking minds in open IT Ecosystem development. The Summit presents a unique platform for our Community from around the globe to share their insights, foster partnerships and showcase cutting-edge advancements in open hardware and software.
At the 2023 Global Summit, industry leaders, researchers and pioneers from the open community will engage in dynamic dialogues, enlightening workshops, and interactive engineering sessions designed to expand our understanding of the progress that our Projects have made as well as the challenges and road ahead. Participants will explore emerging trends, tackle complex challenges and discover new opportunities to drive global innovation. Through this collaborative spirit, we aim to accelerate the development of efficient, scalable, and sustainable open compute solutions that power the future of technology.
Black Hat MEA 2023 | Arsenal – Call for Tools | Mohamed Samy
M. Samy, IOActive Security Consultant, will be presenting ‘Project C-Shell’ at the Black Hat MEA Arsenal, Call for Tools.
In his presentation, Mohamed introduces a unique Stager/Agent infrastructure that he has developed, integrating traditional methods with advanced AI and Blockchain technologies. This system operates across platforms and architectures, designed to circumvent antiviruses and Endpoint Detection and Response (EDR) systems. It achieves this through the dynamic and interactive execution of custom C# code, generated by GPT-4 based on user-provided prompts, using an execution engine called the “Kernel”.
The Stager/Agent’s remote control mechanism, facilitated by a Web3 (Blockchain SmartContract) Command & Control (C&C) backend, provides multiple layers of anonymity, immutability, and resilience. This approach leverages the inherent properties of Ethereum SmartContracts, making the system robust and resistant to censorship. Practical applications of this infrastructure span from remote control and management of servers and client operating systems for security control application and monitoring, to serving as a post-exploitation stager payload for red-teaming exercises, providing ethical hackers with remote code execution capabilities.
The Arsenal session aims to provide a comprehensive understanding of this tool and its applications and to demonstrate the transformative potential of integrating AI and Blockchain technologies in cybersecurity practices. Attendees will gain insights into the design and implementation of this infrastructure and explore the potential of Web3, Blockchain, and GPT-4 code generation in the cybersecurity domain.
BSides Tirana 2023
Nick Dunn, IOActive Senior Security Consultant, will be presenting: ‘Haven’t We Met Before? Using Recent Bug-Fixes to Find New Vulnerabilities’ at BSides Tirana 2023.
Nick’s presentation will explore large, robust codebases that have been subjected to regular scanning by commercial and/or open-source scanning tools, where it can be difficult to locate new bugs, particularly in a short time frame. The approach is particularly suitable for patterns that are spread across multiple lines and those that might be missed by standard scanners.
Held in the heart of Tirana, BSides Tirana 2023 is a dynamic two-day information security conference that promises to inspire and engage people with an interest in cyber security. Featuring a collaborative venue designed to facilitate the exchange of information and ideas, BSides Tirana serves as a vital connection between information security professionals and the thriving technology community in Tirana. Following the events of the cyber attacks in Albania, it becomes clear just how critical cyber security is for any organization, business, or government. It is important to ensure that everyone is prepared for today’s security challenges. BSides Tirana provides a valuable way for you and your organization to build connections with the information security community; connections that can lead to a better educated workforce, stronger security practices, and a safer world to do business.