ABOUT FIRETALKS

Firetalks is an evening event that tests the skills of those who stand on the stage. Six people are given 15 minutes to dive right into the core of their content and present their ideas.

Several judges will be on hand, American Idol-style, to listen to and critique the presentation on both style and content. This is done in both a serious and humorous manner in front of the audience. After the event the judges will vote on the best presentations–with the top three being awarded some cool prizes to be handed out at ShmooCon closing ceremonies.

Firetalks is a ShmooCon event and contestants and attendees must already have a ShmooCon Barcode to participate.

Questions can be sent to firetalks@shmoocon.org.

FIRETALKS 2023 SCHEDULE

Friday, January 20, 2023

Time   Firetalks
2000   Firetalks Opening
2010   We’re Going To Hell in a Handbasket (Together)
       Bryson Bort and Tarah Wheeler
2030   Building a Successful Internal Red Team
       mubix “Rob” Fuller
2050   A 15-minute Crash Course to Building Your Own IoT Hacking Lab at Home
       Amit Serper
2110   Incident Dress Rehearsal — Creating and Executing Your Own Table Top Exercise
       Brett Thorson
2130   A Celebration of (End of) Life
       Tabatha DiDomenico and Tarah Wheeler
2150   Catching Some Phisherman
       Nick Ascoli and Aidan Raney
2210   “No! No! I can’t go to bed! Someone is wrong about Infosec!”
       Jake Williams and Ray [Redacted]
2230   Firetalks Closing

FIRETALKS 2023 PARTICIPANTS

We’re Going To Hell in a Handbasket (Together)

Bryson Bort and Tarah Wheeler

Industry focuses on problems for The Haves but most SMBs don’t have the “interesting problems,” money, or resources. SMB is 99.9% of US business, but it’s also your water utility or local school plagued by ransomware yet mostly ignored by industry.

Here are some lessons from the trenches, where we still see abc123 and Password1!, and how we can all improve SMB security in the near-absence of products and support for the most important half of US businesses.

Bryson Bort (@brysonbort) is the Founder of SCYTHE, an attack emulation platform; GRIMM, a cybersecurity consultancy; and Co-Founder of ICS Village, 501(c)3 for industrial control system security awareness.

Tarah Wheeler (@tarah) is CEO of Red Queen Dynamics and Senior Fellow for Global Cyber Policy at the Council on Foreign Relations.


Building a Successful Internal Red Team

mubix “Rob” Fuller

Red Teaming has a large number of definitions in the cyber security community, but we rarely define the success condition for any of them. This talk defines what success looks like for an internal Red Team, whatever definition of “Red Team” you use. It will also define metrics for measuring a Red Team and its effectiveness within an organization. Finally, we will work through questions such as: When do you want to build a red team? When should you not build one?

mubix “Rob” Fuller (@mubix) does stuff for that place that does the thing.


A 15-minute Crash Course to Building your Own IoT Hacking Lab at Home

Amit Serper

It’s 2023 and IoT devices are EVERYWHERE, and their security still sucks. Having an IoT research lab at home can be really handy for finding vulnerabilities in IoT devices. However, understanding how firmware works and how to get the actual code that runs on these devices can be tricky! In this quick talk I will walk you through how to build such a lab at home, how to cheaply and fairly easily dump firmware directly off the EEPROM/flash memory on the device, what other equipment can be used to gain UART and JTAG access, which parts of the firmware usually hold vulnerabilities, and why conducting such research is so important. IoT hacking can be good for the beginner and advanced researcher alike, and the more IoT hacking is being done, the more secure the rest of us can be. In this quick talk, I’d like to bridge some of the gaps and make it easier to begin with IoT hacking and find vulnerabilities in no time!

Amit Serper (@0xamit) has nearly two decades of security research experience, doing anything from malware analysis to exploit research and development and product architecture. Amit works as the Director of Security Research for IoT security startup Sternum and in the past worked for Akamai, Guardicore, Cybereason, and the Israeli government.
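The step that follows a successful flash dump is triage: where do the bootloader, kernel and root filesystem sit in the image, which regions are compressed or encrypted, and where are the hardcoded credentials and keys? The script below is an added example written for this page, not the speaker's code or material from the talk. It assumes you already hold a raw dump as bytes (for instance read from SPI flash over a cheap programmer) and builds a small constructed dump inline so it runs offline; the signature list, offsets, file names and the embedded credentials are all illustrative.

```python
"""Triage a raw firmware dump: carve known headers, map entropy, flag secrets.

Added example, not from the original page. The sample dump built by
build_sample_dump() is constructed here; nothing in it comes from a real device.
"""
import gzip
import math
import re
import struct
from collections import Counter

# Magic values for containers commonly seen in IoT flash images (illustrative list).
SIGNATURES = {
    b"\x27\x05\x19\x56": "U-Boot uImage header",
    b"hsqs": "SquashFS (little-endian)",
    b"sqsh": "SquashFS (big-endian)",
    b"\x45\x3d\xcd\x28": "cramfs (little-endian)",
    b"UBI#": "UBI erase block",
    b"\x1f\x8b\x08": "gzip stream",
    b"\x7fELF": "ELF executable",
}

# Patterns that usually mean a finding in the extracted rootfs (illustrative).
SECRET_PATTERNS = [
    (re.compile(rb"^([A-Za-z0-9_-]+):(\$[1-6y]\$[^:\n]+):", re.M),
     "password hash in passwd/shadow line"),
    (re.compile(rb"-----BEGIN [A-Z ]*PRIVATE KEY-----"), "private key material"),
]


def find_signatures(blob):
    """Return sorted [(offset, description)] for every known magic in the dump."""
    hits = []
    for magic, desc in SIGNATURES.items():
        start = 0
        while (idx := blob.find(magic, start)) >= 0:
            hits.append((idx, desc))
            start = idx + 1
    return sorted(hits)


def parse_uimage(blob, off):
    """Decode the 64-byte big-endian U-Boot legacy image header at `off`."""
    fields = struct.unpack(">7I4B32s", blob[off:off + 64])
    magic, _hcrc, _ts, size, load, entry, _dcrc, _os, _arch, _typ, comp, name = fields
    if magic != 0x27051956:
        raise ValueError("no uImage magic at offset %#x" % off)
    return {"size": size, "load": load, "entry": entry, "comp": comp,
            "name": name.rstrip(b"\0").decode(errors="replace")}


def shannon_entropy(chunk):
    """Bits per byte of `chunk`: ~0 for erased flash, ~8 for compressed/encrypted."""
    if not chunk:
        return 0.0
    n = len(chunk)
    return -sum(c / n * math.log2(c / n) for c in Counter(chunk).values())


def classify_block(entropy):
    """Coarse label for a block's entropy (thresholds are rules of thumb)."""
    if entropy < 1.0:
        return "padding/erased"
    if entropy > 7.5:
        return "compressed or encrypted"
    return "code/data"


def entropy_map(blob, block=1024):
    """[(offset, entropy, label)] per block; a cheap way to spot crypted regions."""
    return [(off, e, classify_block(e))
            for off in range(0, len(blob), block)
            for e in (shannon_entropy(blob[off:off + block]),)]


def find_secrets(blob):
    """Sorted [(offset, description, snippet)] for credential-like material."""
    found = []
    for pat, desc in SECRET_PATTERNS:
        for m in pat.finditer(blob):
            found.append((m.start(), desc, m.group(0)[:40]))
    return sorted(found)


def build_sample_dump():
    """Constructed dump: erased flash, uImage+gzip kernel, SquashFS-like rootfs."""
    kernel = gzip.compress(b"vmlinux " * 400)                    # gzip magic at +64
    header = struct.pack(">7I4B32s", 0x27051956, 0, 0, len(kernel),
                         0x80008000, 0x80008000, 0, 5, 7, 2, 1,
                         b"Linux-5.4 constructed")
    blob = b"\xff" * 0x1000 + header + kernel
    blob += b"\xff" * (0x4000 - len(blob))                       # unused flash
    blob += (b"hsqs" + b"\0" * 60 + b"\n"
             b"root:$1$abcdefgh$0123456789abcdefghijkl:0:0:root:/root:/bin/sh\n"
             b"-----BEGIN RSA PRIVATE KEY-----\nMIIC...constructed...\n"
             b"-----END RSA PRIVATE KEY-----\n")
    return blob


if __name__ == "__main__":
    dump = build_sample_dump()
    for off, desc in find_signatures(dump):
        print("%#08x  %s" % (off, desc))
    print(parse_uimage(dump, 0x1000))
    for off, e, label in entropy_map(dump):
        print("%#08x  %.2f  %s" % (off, e, label))
    for off, desc, snippet in find_secrets(dump):
        print("%#08x  %s  %r" % (off, desc, snippet))
```

On a real dump the signature hits tell you where to split the image before unpacking each part, the entropy map shows which sections are worth attacking (an 8.0 region with no recognisable header is usually encrypted, and the key is then somewhere in the plaintext parts), and the secret scan is the quickest win once a root filesystem is extracted.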


Incident Dress Rehearsal — Creating and Executing Your Own Table Top Exercise

Brett Thorson

The Table Top Exercise is critical to determine if your organization is ready for whatever issue gets thrown at it. From COVID, to zero days, to silly users clicking on silly things, your organization has to be prepared and work together to be faster, smarter and better than the adversaries. But are you? The only way to know without actually having an incident is a Table Top Exercise.

But what goes into making and executing a TTX? How do you get the right materials, the right people in the room, and the right processes practiced?

In this talk Brett Thorson, Global Cybersecurity TTX leader for BCG, provides his experience creating and delivering TTXs to Fortune 100 companies, law firms, manufacturing giants, and executive boards.

If you plan to hire or do a TTX yourself, attend to learn the rules, guides, tips, tricks, and secrets for a TTX.

Brett Thorson (@handynerds) is an Associate Director and Global Cybersecurity TTX lead at Boston Consulting Group, ShmooCon Staff member, and BSidesDC board member. Brett has worked in the Intelligence Community, Fortune 100, and state and local governments. He likes to play with LEDs and is quite tall.


A Celebration of (End of) Life

Tabatha DiDomenico and Tarah Wheeler

Side projects can be a fantastic way to expand your skills, give back to the infosec community, and advance your career. However, they can also be a source of stress and pressure contributing to burnout. That’s why it’s so important to periodically take stock of your involvement in these projects and assess their potential for the future.

During this session, attendees will learn how to evaluate the health of an open source or public project and consider their own continued involvement as we retire two of our own side projects. We will also provide a flow and checklist to explore various options for the future of projects–including the sometimes difficult but necessary decision to say goodbye.

Tabatha DiDomenico (@tabdido) is an Open Source Developer Relations Engineer at G-Research and president of Security BSides Orlando.

Tarah Wheeler (@tarah) is CEO of Red Queen Dynamics and Senior Fellow for Global Cyber Policy at the Council on Foreign Relations.


Catching Some Phisherman

Nick Ascoli and Aidan Raney

Adversaries have increasingly been leveraging completely legitimate third-party web hosting products to circumvent traditional domain reputation analysis engines and successfully get their phishing pages in front of their victims. Using these third-party services also offers them a great opportunity to limit the exposure of their own infrastructure, a great OPSEC advantage. However, in one investigation, a few breadcrumbs left in the adversary’s code led us down a rabbit hole to uncovering a cybercrime group behind what is perhaps the largest Facebook credential harvesting campaign ever investigated (over 100 million potentially impacted at the time of this submission).

In this talk, we will follow the breadcrumb trail left by a threat actor and tour the backend of their malicious infrastructure live, demonstrating how we pieced together the shocking scale of their credential harvesting and malvertising operation. From comments in their code, to their various online identities, to accessing their infrastructure–we will walk through our investigation into a wanted Cyber Crime Group.

Nick Ascoli (@kcin418) is a cybersecurity researcher and the founder and CEO of Foretrace, an External Attack Surface Management (EASM) solution. Nick has been a guest on the Cyber Wire podcast and a speaker at GrrCON, DEF CON Skytalks, Black Hat Arsenal, SANS, and various BSides conferences on SIEM, Recon, and UEBA.

Aidan Raney is an OSINT analyst, full-stack developer, and freelance cyber investigator specializing in using OSINT to help solve digital crimes. Aidan provided his OSINT capabilities to those in need via his volunteer work at Tracelabs.


“No! No! I can’t go to bed! Someone is wrong about Infosec!”

Jake Williams and Ray [Redacted]

When it comes to cybersecurity, most so-called “expert” opinions are wrong. Watch @MalwareJake debate @RayRedacted about questions such as “is SMS MFA worse than no MFA at all?” along with similar infosec topics which confuse audiences of all industries and backgrounds. Tonight’s topics will include MFA, To Cert or not Cert, Passwords, Phishing “training” exercises, plus any off-topic and irrelevant rants from either party as long as that party is Jake.

DISCLAIMER: The opinions expressed herein are not necessarily the opinions of any employer, government or non government entity, or even the speakers themselves. Parental advisory: adult language, security cliches, bad puns, and general buffoonery.

Jake Williams (@MalwareJake) is an incident responder & former government hacker who was tricked into appearing tonight when Ray lied that the topic would be Hunter Biden’s laptop.

Ray [Redacted] (@RayRedacted) is a “researcher” probably better known for his sporadic & inconsistent work as associate producer of Jack Rhysider’s renowned “Darknet Diaries.”