BSides Peoria

“Salesforce is a customer-relationship management (CRM) tool used by over 150,000 businesses and it holds the majority of the market share for CRM solutions. As organizations increasingly rely on Salesforce it becomes a more lucrative attack surface for threat actors, making the process of properly testing and hardening this cloud-based CRM platform more vital. This presentation focuses on the process of uncovering and exploiting vulnerabilities hidden within Salesforce instances.

We will begin by discussing the unique security challenges posed by Salesforce’s multi-tenant architecture and extensive customization options. Attendees will learn about specific methodologies and tactics used for performing penetration tests tailored to Salesforce applications. The primary focus will include evaluating sharing rules, object and field level security, user permissions, annotation misconfigurations, and third-party integrations.

We will use sanitized, real-world examples of common high and critical severity vulnerabilities to illustrate the impact of an unsecured Salesforce instance being exploited in the wild and emphasize the industry need for regular and comprehensive testing.
By the end of this session, participants will have a clear understanding of how to leverage penetration testing to proactively identify and mitigate risks, ensuring their Salesforce instance remains secure in an ever-evolving threat landscape.”

This talk will have strict Chatham House Rules and will be Classified TLP:AMBER+STRICT. Attendees will be REQUIRED to follow these protocols to be admitted.

In today’s interconnected world, online and physical safety are more crucial than ever. This talk will explore the critical intersection of digital and personal security, highlighting key strategies to protect yourself in both realms.

IoT devices can be anything from temperature sensors to that new Smart Fridge in your house. When reviewing these devices for security issues, there are a wide variety of methods to discover weaknesses. Many companies will publish their firmware on the internet to allow users to update their systems. This is a great place to start finding vulnerabilities, and you can do it without even owning the device. The world of IoT presents difficulties for security, because many times these devices don’t have the capacity to run full security stacks such as Anti-Virus and logging. Come on a journey where you can learn how to hack hardware and software!

“In the rapidly evolving landscape of artificial intelligence (AI), fears about the potential risks and dangers of AI technologies often dominate public discourse. However, from my experience as a pentester who has tested several AI models and implementations, I can see that these fears can be significantly mitigated through rigorous development and testing practices. This presentation aims to demystify AI and provide a clear roadmap for ensuring its safety and security, with a particular focus on the OWASP Top 10 for LLM (Large Language Models) and Gen AI (Generative AI).

The session will begin by addressing common concerns surrounding AI, such as data privacy, algorithmic bias, and potential misuse. These issues, while legitimate, are not insurmountable obstacles. Instead, they can be effectively managed through the adoption of comprehensive security frameworks and guidelines. Central to this discussion is the OWASP Top 10 for LLM and Gen AI, a set of best practices specifically designed to address the unique challenges posed by these advanced AI systems. As a pentester, my role involves identifying vulnerabilities before malicious actors can exploit them. By applying OWASP’s principles, we can proactively secure AI systems against a wide range of threats.

Through real-world examples from my pentesting experiences, this presentation will illustrate how a methodical approach to AI security can transform potential “”monsters”” into manageable, trustworthy tools. By the end of the session, attendees will gain a deeper understanding of how AI can be developed and tested in a way that minimizes risks, making AI a beneficial and secure asset rather than a source of fear.”

Since 2012, OAuth 2.0 has been a critical method for authorizing applications to access data. This data can be private and sensitive, making attacks on OAuth all the more attractive. Exploiting vulnerabilities in OAuth’s intended functionality, particularly those related to the “redirect_uri” parameter, is a common tactic for attackers seeking to gain unauthorized access to user accounts. In such attacks, the authorization code returned by the server is the key target. The OAuth specification (RFC) can provide valuable insights into how to target and exploit vulnerabilities in the “redirect_uri” parameter to steal the authorization code. Attack methods can range from simply replacing the intended value to using specially encoded characters to bypass security measures. By successfully bypassing these restrictions, attackers can gain complete control over the compromised account and access the associated private and sensitive data.

Recently I uncovered a security vulnerability in a fire alarm monitoring system app, the api allowed me to access all the other customer information including adresses, lock box pins and more. In addition to this it was confirmed I could have triggered dispatch calls for fire and other emergency services as well. This talk will be a risk assessment style presentation looking at what was found and the large scale country wide impact that could have happened if a threat actor uncovered this.

Everyday the news presents multiple new cases of hacking, ransomware attacks, and other nefarious activities. If you did a little deeper, you can see that both Congress and their regulatory agencies are taking aim at companies, their CEOs and their Board of Directors for being victims of a breach. Regulatory pressure is growing for the banking industry, SEC, Medical, and Department of Defense contracting. This presentation posits the theory that regulation is coming for all industries–Ready or Not!

We’re running through the worst of the worst event and you’re taking on the roles within a company to see how you would react. Join in this interactive tabletop exercise live at BSides Peoria 2024

NixOS is a fully declarative Linux distribution. It is very unique in how it handles configuration and package management. While it is not quite mature enough, the advantages are clear. Reproducible builds 100% maintainable with version control systems.

The global CrowdStrike IT outage demonstrated that even non-ransomware cyber incidents may have serious repercussions. Events like these serve as a wake-up call for businesses to review their IT Business Continuity & Disaster Recovery plans in order to maintain resiliency and be prepared for more significant Cyber incidents in the future.

Burnout. Exhaustion. Eating Poorly. Losing Fitness. They’re all just part of the inherent risk of tech work, right? They were for me. In this talk, we’ll use my personal failures and successes in these areas to explore the unique stressors inherent in the field, early signs to watch out for, and approaches to stop it from happening to you.

Choosing the right messaging app that respects your privacy and security can be challenging, especially when different contexts demand different tools. This presentation offers a comparative analysis of widely-used messaging platforms like Discord, SMS, iMessage, WhatsApp, and Facebook Messenger against secure, private, and more open alternatives such as SimpleX, Signal, XMPP, Jami, and Matrix. We will explore key factors including support, usability, adoption, interoperability, and security features. By examining these criteria, we will uncover the trade-offs between convenience and privacy inherent in each option. My goal is to provide you with the insights needed to consider secure alternatives over mainstream options, helping you choose tools that better align with your privacy needs and values. Attendees will leave with a clear understanding of the strengths and limitations of different messaging apps to empower them to make informed decisions.