My Reflection on Texas Cyber Summit 2023

This article covers what I learned from the talks I attended at the 2023 Texas Cyber Summit and my thoughts on them. It is split into the three days of the event.

10/6/2023, 7 min read

Gratitude

I am extremely grateful for the opportunity to attend Texas Cyber Summit 2023. It was run solely by volunteers who have regular jobs, which shows their extreme passion and thoughtfulness. I love their purpose for doing this, which is for us, the community, and for cybersecurity to be accessible to everyone. I'd like to thank the speakers, who did a great job, and the lovely people I met during the conference, one of whom was Will Smith. He, Nicole Gonzales, and I made a cool little trio throughout the conference; it was awesome! Feel free to skip around because I wrote a lot lol.

Day 1:

In Riley Eller's talk, I learned that large language models are, in effect, huge dictionaries that store a bunch of information: just one big magic dictionary. Toward the end of his talk, he mentioned why he started making puzzle challenges for people. He did so to build engagement with the community: without the puzzles, the people he invited to his community parties would not feel qualified to talk. People often stay silent because they do not feel qualified to speak up, and giving them a challenge to solve makes them feel like they have earned their place.

In the Splunk workshop, I learned how the Splunk platform operates and some fundamental search commands. It is a beast of a tool. I definitely plan on playing with Splunk more in the future and building a project around it.

The next talk I went to was about IoT and OT devices, given by Huxley Barbee. I learned that OT is way older than I thought, about 20-30 years of age! These devices are very insecure by design because they used to be air-gapped, but for the sake of convenience they are not anymore. Furthermore, they often don't use encryption, and many still run with default credentials. You can see this for yourself by searching Shodan for exposed OT devices. Also, because OT devices must uphold availability above all else, they often cannot afford the downtime to be patched or updated. In order to secure them, you first need to know every device on your network. To do that, companies are stuck between two options: either actively scan the devices and accept the risk of knocking one offline, or listen passively through a tap. Listening through a tap is extremely difficult because you have to mirror every switch across multiple sites, and it quickly becomes a mess. He mentioned that for all the money it takes to passively fingerprint devices in order to avoid an outage, it is not worth it. The solution he recommends is to inventory them slowly over time to mitigate outages.
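To make the "listen through a tap" option concrete, here is an added example (my own illustration, not code from Huxley Barbee's talk or any product) that builds a device inventory purely from flows observed on a span port, without ever sending a packet to the OT devices. The flow records are constructed and simplified; in practice you would feed it from something like Zeek conn.log or NetFlow. The cleartext-protocol port table is an assumption for this example and should be extended for your own environment.

```python
"""Passive OT/IoT inventory from tap-observed flow records (added example).

Builds a per-IP inventory (MAC, first/last seen, services) from flows and
flags devices that speak cleartext protocols, which is the "no encryption"
problem described in the talk. No active probing of the devices occurs.
"""
from dataclasses import dataclass, field

# Assumption for this example: cleartext protocols common on OT/IoT networks.
CLEARTEXT_PORTS = {
    21: "ftp",
    23: "telnet",
    80: "http",
    102: "s7comm",
    161: "snmp",
    502: "modbus/tcp",
    20000: "dnp3",
    44818: "ethernet/ip",
}

# Constructed sample flows, as a span port or TAP would yield them.
SAMPLE_FLOWS = [
    {"ts": 1696550400, "src_mac": "00:1b:1b:aa:bb:01", "src_ip": "10.20.0.15",
     "dst_ip": "10.20.0.40", "dst_port": 502},
    {"ts": 1696550460, "src_mac": "00:1b:1b:aa:bb:01", "src_ip": "10.20.0.15",
     "dst_ip": "10.20.0.41", "dst_port": 502},
    {"ts": 1696550520, "src_mac": "00:50:56:cc:dd:02", "src_ip": "10.20.0.200",
     "dst_ip": "10.20.0.40", "dst_port": 23},
    {"ts": 1696554000, "src_mac": "00:50:56:cc:dd:02", "src_ip": "10.20.0.200",
     "dst_ip": "10.20.0.50", "dst_port": 443},
]


@dataclass
class Device:
    ip: str
    mac: str
    first_seen: int
    last_seen: int
    protocols: set = field(default_factory=set)   # services seen on this host
    cleartext: set = field(default_factory=set)   # cleartext protocols it used


def build_inventory(flows):
    """Fold flow records into a dict of ip -> Device, never touching the devices."""
    devices = {}

    def touch(ip, mac, ts):
        d = devices.get(ip)
        if d is None:
            d = devices[ip] = Device(ip=ip, mac=mac or "unknown", first_seen=ts, last_seen=ts)
        d.first_seen = min(d.first_seen, ts)
        d.last_seen = max(d.last_seen, ts)
        if mac and d.mac == "unknown":   # learn the MAC once we see it as a source
            d.mac = mac
        return d

    for f in sorted(flows, key=lambda f: f["ts"]):
        src = touch(f["src_ip"], f.get("src_mac"), f["ts"])
        dst = touch(f["dst_ip"], f.get("dst_mac"), f["ts"])
        service = CLEARTEXT_PORTS.get(f["dst_port"])
        if service:
            dst.protocols.add(service)   # the destination offers the service
            dst.cleartext.add(service)
            src.cleartext.add(service)   # the client spoke it in the clear too
        else:
            dst.protocols.add(f"tcp/{f['dst_port']}")
    return devices


def cleartext_devices(devices):
    """IPs that used at least one cleartext protocol, sorted for reporting."""
    return sorted(ip for ip, d in devices.items() if d.cleartext)


if __name__ == "__main__":
    inv = build_inventory(SAMPLE_FLOWS)
    for ip in sorted(inv):
        d = inv[ip]
        print(f"{ip:<12} {d.mac:<18} services={sorted(d.protocols)} cleartext={sorted(d.cleartext)}")
    print("needs attention:", cleartext_devices(inv))
```

The inventory grows as flows are observed, which is exactly the "slowly over time" approach from the talk: nothing is scanned, so nothing can be knocked over, and the MAC column fills in only once a device is seen as a sender.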

Lastly, I ended day one on a high note by attending Conrad Franke's talk about reverse engineering hardware tools. This talk really demystified how boards like the Raspberry Pi Pico work. He taught me that it is possible to make my own circuit boards, and that with a multimeter and a schematic you can reverse engineer someone else's board by tracing which connections go where. He walked us through creating our own boards from start to finish: design the board in KiCad, export a Gerber file, and send it to a manufacturer to fabricate it. His story was inspiring: teaching himself how to reverse engineer expensive hardware to make it cheaper, all on his own, through trial and error, even blowing things up a couple of times.

Day 2:

The next day I attended Mishaal Khan's talk about AI-powered vishing attacks. This talk was extremely eye-opening about how effective social engineering attacks can be. I learned that phishing is the top attack vector and that the average cost of a data breach is around $4 million. The part that takes longest is the reconnaissance phase; it takes days or weeks to prepare a phishing attack. AI can speed up writing the phishing email, and it can sift through social media pages and articles. ChatGPT is good at picking up patterns in personalities. For vishing, you can impersonate anyone's voice as long as you have enough samples of it, for example from interviews or podcasts. When conducting the attack, you want as little interaction as possible, because the longer it goes on the more likely the target starts to question things and notice something is off; think of it as a one-way conversation. In a real-world scenario, you would typically ask for an MFA code while creating a sense of urgency. The key to avoiding security controls such as EDR and allowlisting is to abuse software already running in the target's environment so nothing new gets flagged. He also talked about how effective QR code attacks can be. If a QR code is posted inside the building, people don't really question it and assume it came from upper management. You create a look-alike company login page, add bait such as "get a free company shirt," and wait for users to enter their credentials. This method bypasses some security controls as well. To prevent these types of attacks, he recommends following a cybersecurity framework, using a zero-trust architecture, conducting risk management on third-party vendors, and running social engineering awareness programs. For the programs to be effective, keep them short (less than a minute) but frequent, because people lack patience. For example, if someone emails you a clever phishing attempt, share it with your people for awareness.

Next, I attended W. Garrett Myler's talk about inspecting a suspicious thumb drive. I had a foggy idea of how this was supposed to be done, but this reaffirmed how to properly do it step by step. First, I was introduced to FLARE VM, a Windows-based analysis VM preloaded with malware analysis and forensic tools. The things that stood out to me, and that I wanted to make sure I remembered, were: to find malicious files, hash them and look the hashes up on VirusTotal, and use Wireshark to see where the malware is trying to connect back to.
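The hashing step in code, as an added example of my own (not from the talk or from FLARE VM): walk a mounted drive, compute SHA-256 of every file, compare against a known-bad list, and flag file types worth a closer look. The "drive" and the known-bad list are constructed for this example (the bad hash is just the SHA-256 of the bytes `EVIL`, not a real malware hash); the VirusTotal lookup is built as a URL but not sent, so the example runs offline. Never upload a sample from an engagement to VirusTotal without checking policy first; looking up a hash is the safe default.

```python
"""Hash-based triage of a suspect removable drive (added example).

Walks a mounted (ideally read-only) drive, hashes every file, and reports
known-bad matches, autorun files, and executable-type files. The sample
drive and the known-bad list are constructed for demonstration.
"""
import hashlib
import tempfile
from pathlib import Path

# Constructed blocklist: SHA-256 of b"EVIL" stands in for a real IOC hash.
KNOWN_BAD = {hashlib.sha256(b"EVIL").hexdigest(): "example-dropper"}

# Extensions that should never be trusted off a found USB stick (assumption).
SUSPICIOUS_EXT = {".exe", ".scr", ".lnk", ".vbs", ".js", ".hta", ".dll", ".ps1", ".bat", ".cmd"}


def sha256_file(path, chunk=1 << 20):
    """Stream the file through SHA-256 so large files don't need to fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()


def triage(root, known_bad=KNOWN_BAD):
    """Return one finding per file: path, sha256, size, and the reasons it stands out."""
    root = Path(root)
    findings = []
    for p in sorted(root.rglob("*")):
        if p.is_symlink() or not p.is_file():
            continue
        digest = sha256_file(p)
        reasons = []
        if digest in known_bad:
            reasons.append(f"known-bad:{known_bad[digest]}")
        if p.name.lower() == "autorun.inf":
            reasons.append("autorun")
        if p.suffix.lower() in SUSPICIOUS_EXT:
            reasons.append("executable-type")
        findings.append({
            "path": str(p.relative_to(root)),
            "sha256": digest,
            "size": p.stat().st_size,
            "reasons": reasons,
        })
    return findings


def virustotal_url(sha256):
    """VirusTotal v3 file-report endpoint for a hash lookup (GET with an x-apikey header)."""
    return f"https://www.virustotal.com/api/v3/files/{sha256}"


def make_sample_drive(path):
    """Construct a fake drive tree for the demo: a document, an autorun file, a dropper."""
    path = Path(path)
    (path / "docs").mkdir(parents=True, exist_ok=True)
    (path / "docs" / "report.txt").write_bytes(b"quarterly numbers")
    (path / "autorun.inf").write_bytes(b"[autorun]\nopen=setup.exe\n")
    (path / "setup.exe").write_bytes(b"EVIL")
    return path


def demo():
    """Build the constructed sample drive in a temp dir and triage it."""
    with tempfile.TemporaryDirectory() as tmp:
        return triage(make_sample_drive(tmp))


if __name__ == "__main__":
    for f in demo():
        flag = " <-- " + ", ".join(f["reasons"]) if f["reasons"] else ""
        print(f"{f['sha256'][:16]}  {f['size']:>6}  {f['path']}{flag}")
        if f["reasons"]:
            print("   lookup:", virustotal_url(f["sha256"]))
```

Run it against a real drive with `triage("/mnt/usb")` after mounting the device read-only (or, better, against an image of it), and send only the hashes of flagged files to the VirusTotal URL the script prints.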

Then I attended a CISO panel, where I learned not to put AI on a pedestal; it is not intelligent. It should be used as a tool to speed up research. They stressed the importance of crediting the AI rather than passing its output off as your own. If you did use AI for the content of an article, then it had better be in perfect form, because it will be held to a higher standard. They also pointed out not to input private data into AI tools because it is used for training purposes, and they gave an example of an employee doing exactly that, which was crazy.

My next talk was about social engineering and physical pentesting by Marina Ciavatta. From this talk, I learned that there are severe physical security issues in organizations. Most of the time she was able to successfully pwn the organization through physical social engineering. I learned that the smoking area is a very effective place to blend in without looking suspicious, and you can clone a badge while asking someone for a lighter. She mentioned that an effective way of getting information is to leverage people's empathy and willingness to help. You exploit this by creating a problem that they try to solve, and once they solve it, you make them feel good about it. Essentially, they are solving a problem that you created, which makes them feel accomplished. It is important to note that urgency is key here. Also, since everyone always calls IT for everything, impersonating IT can get you inside super secure places. Once you are in, you just plug a malicious USB into all of their computers and say "Hmm, it didn't seem to work, I'll come back tomorrow." She told that story and it was hilarious. A way to prevent most of this is simply to tell someone if you see something weird. She also mentioned that you can still be nice to others while being cautious for security's sake. The stories she told during her talk were very insightful and entertaining. Telling these kinds of stories is a great way to educate people about how effective social engineering is.

Next, I attended Tim Medin's talk. It was so engaging and entertaining; he is such a great presenter. From it, I learned that people tend to trust emails that get past the email filters. Also, when detecting breaches, the SOC should try to find them quickly, because attackers often stay inside a network for a very long time, sometimes years. Password rotation doesn't kick the attacker out of the system. Constant password rotation actually makes security weaker, because people tend to just append something predictable like the year or month to the end of their password. Lastly, Kerberoasting, the technique he introduced years ago, still works and is effective today.
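Because Kerberoasting leaves a footprint in domain controller logs, here is an added example of my own (not from Tim Medin's talk) of the two detections a SOC typically runs over Windows Security event 4769 (a Kerberos service ticket was requested): a ticket requested with RC4 encryption (TicketEncryptionType 0x17, which is what an attacker asks for so the hash cracks faster) for a user-style service account, and one principal requesting tickets for many distinct SPNs in a short window (the SPN sweep tools like Rubeus or GetUserSPNs produce). The events are constructed; field names follow the event 4769 schema, and the window and threshold values are assumptions to tune for your domain.

```python
"""Kerberoasting detection over Windows Security event 4769 (added example).

Signal 1: RC4 (0x17) service ticket for a non-machine, non-krbtgt account.
Signal 2: one user requesting >= THRESHOLD distinct SPNs within WINDOW seconds.
Sample events are constructed; field names follow the 4769 event schema.
"""
from collections import defaultdict

RC4_HMAC = "0x17"          # etype 23; AES etypes are 0x11 (aes128) and 0x12 (aes256)
WINDOW = 60                # seconds (assumption: tune for your domain)
THRESHOLD = 5              # distinct SPNs within WINDOW (assumption)


def _ev(ts, user, service, etype, ip, status="0x0"):
    return {"ts": ts, "TargetUserName": user, "ServiceName": service,
            "TicketEncryptionType": etype, "IpAddress": ip, "Status": status}


# Constructed sample: alice sweeps five service accounts with RC4 in five seconds,
# bob and carol request normal AES tickets, dave makes one RC4 request.
SAMPLE_4769 = [
    _ev(1696600000, "alice@CORP.LOCAL", "svc_sql", "0x17", "10.0.5.23"),
    _ev(1696600001, "alice@CORP.LOCAL", "svc_backup", "0x17", "10.0.5.23"),
    _ev(1696600002, "alice@CORP.LOCAL", "svc_web", "0x17", "10.0.5.23"),
    _ev(1696600003, "alice@CORP.LOCAL", "svc_iis", "0x17", "10.0.5.23"),
    _ev(1696600004, "alice@CORP.LOCAL", "svc_mon", "0x17", "10.0.5.23"),
    _ev(1696600100, "bob@CORP.LOCAL", "FS01$", "0x12", "10.0.7.8"),      # machine account, AES
    _ev(1696600200, "carol@CORP.LOCAL", "krbtgt", "0x12", "10.0.7.9"),   # TGT renewal, AES
    _ev(1696600300, "dave@CORP.LOCAL", "svc_legacy", "0x17", "10.0.9.4"),  # single RC4 request
]


def rc4_service_tickets(events):
    """Signal 1: successful RC4 TGS requests for user-style service accounts."""
    return [
        e for e in events
        if e["TicketEncryptionType"] == RC4_HMAC
        and e["Status"] == "0x0"
        and not e["ServiceName"].endswith("$")      # machine accounts have random passwords
        and e["ServiceName"].lower() != "krbtgt"
    ]


def spn_sweeps(events, window=WINDOW, threshold=THRESHOLD):
    """Signal 2: sliding window per requesting user over distinct ServiceName values."""
    by_user = defaultdict(list)
    for e in sorted(events, key=lambda e: e["ts"]):
        by_user[e["TargetUserName"]].append(e)

    alerts = []
    for user, evs in by_user.items():
        start = 0
        for end in range(len(evs)):
            while evs[end]["ts"] - evs[start]["ts"] > window:
                start += 1
            spns = {e["ServiceName"] for e in evs[start:end + 1]}
            if len(spns) >= threshold:
                alerts.append({
                    "user": user,
                    "source": evs[end]["IpAddress"],
                    "spns": sorted(spns),
                    "window": (evs[start]["ts"], evs[end]["ts"]),
                })
                break   # one alert per user is enough for the analyst
    return alerts


def kerberoast_report(events):
    """Combine both signals: users with an SPN sweep that also used RC4 are high confidence."""
    rc4_users = {e["TargetUserName"] for e in rc4_service_tickets(events)}
    report = []
    for a in spn_sweeps(events):
        a["confidence"] = "high" if a["user"] in rc4_users else "medium"
        report.append(a)
    return report


if __name__ == "__main__":
    for e in rc4_service_tickets(SAMPLE_4769):
        print(f"RC4 ticket: {e['TargetUserName']} -> {e['ServiceName']} from {e['IpAddress']}")
    for a in kerberoast_report(SAMPLE_4769):
        print(f"[{a['confidence']}] SPN sweep by {a['user']} from {a['source']}: {a['spns']}")
```

The same logic in Splunk is an aggregation over EventCode 4769 by TargetUserName with a count of distinct ServiceName values per time bucket, filtered on TicketEncryptionType 0x17. Dave's single RC4 request shows why signal 1 alone is noisy: legacy applications still request RC4, so the sweep count is what turns it into an alert, and the real fix is long random passwords (or gMSA) on service accounts and AES-only on the accounts that remain.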

Day 3:

On the final day, I attended Gabe Schuyler's talk about cloud security. I learned that compromised credentials due to human error are very common. Misconfigured settings are everywhere in the cloud, since it is tricky and the effect of certain permissions is not always clear. He mentioned the lack of visibility when you have many things running; for example, he was being billed 30 cents per month and didn't know why. The top three things to stay secure in the cloud are to get visibility into what's running, patch your systems, and get more familiar with the cloud (there are many free resources).

The last talk I attended was on the same topic of the cloud, by Shani Peled. She is so young with so much experience already, which is very inspiring to me. I learned that many big companies are vulnerable in the cloud. She is almost always able to successfully pwn cloud systems. She mentioned several methods to do it, but I'm not too familiar with the cloud so I was a little behind during that part lol. She said that customers are not secure by default; the cloud provider does not cover everything. Customers have to secure their own resources by having two-factor authentication, a strong password policy, patched operating systems, and so on. Additionally, user mistakes make the cloud very vulnerable. For example, she told us about a time when she gained write access to a website because a user had left a digit out of a CIDR prefix in an allow list, which made the allowed range far broader than intended. Some mitigations she recommended are continuous assessment of your cloud environment, because it is very dynamic, and following the principle of least privilege.
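The allow-list mistake she described is easy to reproduce and easy to catch before it ships, so here is an added example of my own (not from Shani Peled's talk) that audits a list of CIDR entries. The entries are constructed from RFC 5737 documentation ranges; the key line is `203.0.113.0/2`, a `/24` with the `4` dropped, which `ipaddress` silently widens to `192.0.0.0/2`, a quarter of the IPv4 space. The audit flags that two ways: the host bits are set (a typed prefix that doesn't fit its address is the typo signature), and the effective range is far larger than any single allow-list entry should be. The "too broad" threshold is an assumption to adjust for your environment.

```python
"""Audit a cloud allow list for typo-broadened CIDR prefixes (added example).

A dropped digit in a prefix length (/24 -> /2) turns a one-subnet rule into
a rule that matches a quarter of the internet. Catch it by checking that the
address is actually a valid network at the typed prefix and that no single
entry is wider than a sane bound.
"""
import ipaddress

# Constructed allow list using RFC 5737 documentation ranges.
ALLOW_LIST = [
    "203.0.113.0/24",    # office egress range (what the operator meant)
    "198.51.100.7/32",   # CI runner
    "203.0.113.0/2",     # typo: the "4" of /24 was dropped
    "0.0.0.0/0",         # "temporary" debugging entry that never got removed
    "192.0.2.0/26",
    "not-an-address",    # garbage that a deploy pipeline should reject outright
]

MAX_ADDRESSES_PER_ENTRY = 65_536   # assumption: anything wider than a /16 needs review


def tightest_valid_prefix(addr):
    """Shortest prefix length at which addr is a proper network address (no host bits set)."""
    addr = ipaddress.ip_address(addr)
    for plen in range(addr.max_prefixlen + 1):
        try:
            ipaddress.ip_network(f"{addr}/{plen}", strict=True)
            return plen
        except ValueError:
            continue
    return addr.max_prefixlen


def audit_allow_list(entries, max_addresses=MAX_ADDRESSES_PER_ENTRY):
    """Return one finding per entry with the effective network and any issues."""
    findings = []
    for raw in entries:
        try:
            addr = ipaddress.ip_address(raw.partition("/")[0])
            net = ipaddress.ip_network(raw, strict=False)   # what the cloud will enforce
        except ValueError as exc:
            findings.append({"entry": raw, "effective": None, "issues": [f"unparseable: {exc}"]})
            continue

        issues = []
        if net.network_address != addr:
            # The typed prefix does not fit the typed address: classic dropped-digit typo.
            issues.append(
                f"host bits set: /{net.prefixlen} widens to {net}; "
                f"tightest valid prefix for {addr} is /{tightest_valid_prefix(addr)}"
            )
        if net.num_addresses == 2 ** net.max_prefixlen:
            issues.append("allows every address")
        elif net.num_addresses > max_addresses:
            issues.append(f"too broad: {net.num_addresses} addresses")
        findings.append({"entry": raw, "effective": str(net), "issues": issues})
    return findings


def is_safe(entries, max_addresses=MAX_ADDRESSES_PER_ENTRY):
    """Gate for a CI check: True only when every entry parses and raises no issue."""
    return all(not f["issues"] for f in audit_allow_list(entries, max_addresses))


if __name__ == "__main__":
    for f in audit_allow_list(ALLOW_LIST):
        status = "OK " if not f["issues"] else "BAD"
        print(f"{status} {f['entry']:<18} -> {f['effective']}  {'; '.join(f['issues'])}")
    print("safe to deploy:", is_safe(ALLOW_LIST))
```

Wiring `is_safe` into the pipeline that applies security-group or firewall rules turns the "continuous assessment" advice into a hard gate: a dropped digit fails the build instead of granting write access to whoever finds it first.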