BSides 2024 Speakers

Gabe Roy

I am from Peoria, Illinois and graduated from Bradley University in 2023. I work as a Pentester at RSM US LLP in Des Moines, Iowa. I am most experienced/specialized in web application penetration tests but have additional experience performing API, network, and social engineering assessments. I regularly enjoy participating in CTFs and posting writeups to my blog.

Gabe Roy

I am from Peoria, Illinois and graduated from Bradley University in 2023. I work as a Pentester at RSM US LLP in Des Moines, Iowa. I am most experienced/specialized in web application penetration tests but have additional experience performing API, network, and social engineering assessments. I regularly enjoy participating in CTFs and posting writeups to my blog.

closepopup
Dan Krueger

39 years in Information Technology and 25 years as a Senior Technical Leader in the areas of Cybersecurity and Infrastructure in Enterprise Global industries. Speaker at numerous Technology conferences. Currently, a Senior Manager of Information Security Engineering and Operations at W.W. Grainger. 1985 graduate of Bradley University with a BS in Business Administration and Finance. Proud member of the Bradley U. Cybersecurity Council. Inducted to the IHSA Softball Coaches Umpire Hall of Fame, IHSA Softball Umpire of the Year award, and a 40 year IHSA Official in Girl's Softball and Volleyball.

Dan Krueger

39 years in Information Technology and 25 years as a Senior Technical Leader in the areas of Cybersecurity and Infrastructure in Enterprise Global industries. Speaker at numerous Technology conferences. Currently, a Senior Manager of Information Security Engineering and Operations at W.W. Grainger. 1985 graduate of Bradley University with a BS in Business Administration and Finance. Proud member of the Bradley U. Cybersecurity Council. Inducted to the IHSA Softball Coaches Umpire Hall of Fame, IHSA Softball Umpire of the Year award, and a 40 year IHSA Official in Girl's Softball and Volleyball.

closepopup
REDACTED

REDACTED is a seasoned intelligence analyst with expertise in custom intelligence curation, adversary tracking, and in-depth analysis. REDACTED has successfully led incident response engagements and IR teams, as well as conducted threat hunting and penetration testing. A strong interest in forensics and malware analysis drives REDACTED's commitment to developing cutting-edge tools and methodologies that enhance cybersecurity effectiveness.

REDACTED

REDACTED is a seasoned intelligence analyst with expertise in custom intelligence curation, adversary tracking, and in-depth analysis. REDACTED has successfully led incident response engagements and IR teams, as well as conducted threat hunting and penetration testing. A strong interest in forensics and malware analysis drives REDACTED's commitment to developing cutting-edge tools and methodologies that enhance cybersecurity effectiveness.

closepopup
Doug Kras

With a background in penetration testing, I made the change to becoming an IoT pentester. With 0 hardware, IoT experience, reverse engineering experience, I quickly learned how to find critical risk vulnerabilities in products. Having a curious mindset, has allowed me to pose questions on what if I supplied this data to this program, what would happen. Sometimes that leads to gaining code execution on devices. I love learning new things, and continually am reading up on the latest hacking news!

Doug Kras

With a background in penetration testing, I made the change to becoming an IoT pentester. With 0 hardware, IoT experience, reverse engineering experience, I quickly learned how to find critical risk vulnerabilities in products. Having a curious mindset, has allowed me to pose questions on what if I supplied this data to this program, what would happen. Sometimes that leads to gaining code execution on devices. I love learning new things, and continually am reading up on the latest hacking news!

closepopup
Sebastian Whiting

An InfoSec professional with a background in nuclear reactor operations. I am originally from central Illinois and have returned in recent years after finishing up my Navy career. I have worked for a defense contractor and currently work for a fintech. I love cats, terminals, and solving problems.

Sebastian Whiting

An InfoSec professional with a background in nuclear reactor operations. I am originally from central Illinois and have returned in recent years after finishing up my Navy career. I have worked for a defense contractor and currently work for a fintech. I love cats, terminals, and solving problems.

closepopup
Reed Sanders

Reed is a graduate of Bradley University majoring in Computer Science with a concentration in web, hardware, and software security, and a Minor in Cybersecurity. He has spent the last year as an Offensive Security Associate at RSM primarily focused on webapp, API, and LLM/GEN AI testing.

Reed Sanders

Reed is a graduate of Bradley University majoring in Computer Science with a concentration in web, hardware, and software security, and a Minor in Cybersecurity. He has spent the last year as an Offensive Security Associate at RSM primarily focused on webapp, API, and LLM/GEN AI testing.

closepopup
JD Zluticky

--JD Zluticky is a Featured Cybersecurity Professional, Entrepreneur, Trusted Advisor, and Public Speaker. He is the President of Essential IT Services, Inc, based in Wichita, KS. When JD founded Essential IT Services in 1999, he had a goal of helping other business owners grow wealth through the strategic use of information technology in the workplace, but his passion has always been protecting customers from natural disasters, mechanical failures, and the criminal actions of those would steal, extort, or destroy company data. Over the years Essential IT Services has advised, educated, and created cybersecurity strategies to assist hundreds of companies throughout Kansas and the surrounding states. JD was prominently featured in the 2023 cybersecurity documentary entitled Cybercrime: Investigations, and the 2024 cybersecurity documentary entitled Cybercrime: Fallout. JD is a native of Wichita, KS, has a BBA in International Business from Wichita State University and an MBA from Friends University. He has over 30 years of experience in the IT / Cybersecurity industry. JD and his wife, Renit, have two adult children, two grandchildren, and currently reside in Wichita.

JD Zluticky

--JD Zluticky is a Featured Cybersecurity Professional, Entrepreneur, Trusted Advisor, and Public Speaker. He is the President of Essential IT Services, Inc, based in Wichita, KS. When JD founded Essential IT Services in 1999, he had a goal of helping other business owners grow wealth through the strategic use of information technology in the workplace, but his passion has always been protecting customers from natural disasters, mechanical failures, and the criminal actions of those would steal, extort, or destroy company data. Over the years Essential IT Services has advised, educated, and created cybersecurity strategies to assist hundreds of companies throughout Kansas and the surrounding states. JD was prominently featured in the 2023 cybersecurity documentary entitled Cybercrime: Investigations, and the 2024 cybersecurity documentary entitled Cybercrime: Fallout. JD is a native of Wichita, KS, has a BBA in International Business from Wichita State University and an MBA from Friends University. He has over 30 years of experience in the IT / Cybersecurity industry. JD and his wife, Renit, have two adult children, two grandchildren, and currently reside in Wichita.

closepopup
William Shea

William Shea is a security consultant at AON Cyber Solutions and has a passion for web application security.

William Shea

William Shea is a security consultant at AON Cyber Solutions and has a passion for web application security.

closepopup
Matt Topper

Matt Topper is a security professional with a passion for captivating audiences. With almost two decades of experience in technology, Matt has thrived in roles ranging from development to CTO. Today, he focuses on information security, compliance, and security program management at MSPs.

As ConnectWise's Security Evangelist, Matt's mission is to educate and inspire. Armed with a Computer Science degree and CISSP, CISM, and CCSP certifications, he draws from his expertise across Internal IT, MSP, and vendor roles to provide unique insights. Outside of tech, Matt finds balance in running and family time.

Matt Topper

Matt Topper is a security professional with a passion for captivating audiences. With almost two decades of experience in technology, Matt has thrived in roles ranging from development to CTO. Today, he focuses on information security, compliance, and security program management at MSPs.

As ConnectWise's Security Evangelist, Matt's mission is to educate and inspire. Armed with a Computer Science degree and CISSP, CISM, and CCSP certifications, he draws from his expertise across Internal IT, MSP, and vendor roles to provide unique insights. Outside of tech, Matt finds balance in running and family time.

closepopup
McKeegan Curran

McKeegan Curran is a dedicated Cybersecurity Analyst at Caterpillar, specializing in development and penetration testing. With a strong academic background in Computer Information Systems and a minor in Cybersecurity from Bradley University, McKeegan excels in identifying and remedying security vulnerabilities. His expertise includes Python, JavaScript, network management, and automation. Known for his problem-solving skills and innovative approach, McKeegan has led internal red team engagements and improved operational efficiency through automation. He actively shares his insights with the tech community, contributing to safer digital environments.

McKeegan Curran

McKeegan Curran is a dedicated Cybersecurity Analyst at Caterpillar, specializing in development and penetration testing. With a strong academic background in Computer Information Systems and a minor in Cybersecurity from Bradley University, McKeegan excels in identifying and remedying security vulnerabilities. His expertise includes Python, JavaScript, network management, and automation. Known for his problem-solving skills and innovative approach, McKeegan has led internal red team engagements and improved operational efficiency through automation. He actively shares his insights with the tech community, contributing to safer digital environments.

closepopup
Benjamin Padgitt

Benjamin is a graduate of Bradley University's MIS - Cybersecurity program. He now works as a Cyber Threat Intelligence Analyst at a Fortune 100 financial services company.

Benjamin Padgitt

Benjamin is a graduate of Bradley University's MIS - Cybersecurity program. He now works as a Cyber Threat Intelligence Analyst at a Fortune 100 financial services company.

closepopup

Sign up for updates! (we promise, no spam)

  • BSides Peoria 2024 Schedule
  • Main Room
  • Track 1
  • Track 2
09:15 AM - 09:45 AMBSides Peoria 2024 Kickoff By Nick & Cody

We’re kicking off BSides Peoria 2024 in style!

11:45 AM - 01:00 PMLunch Time

Time to grab a bite to eat

05:00 PM - 05:30 PMBSides Peoria 2024 Wrap Up By Nick & Cody

Join us as we wrap up BSides 2024 with a quick chat, our annual transparency report, awards and what to look forward to at BSides 2025!

10:00 AM - 10:45 AMPentesting Salesforce Instances By Gabe Roy

“Salesforce is a customer-relationship management (CRM) tool used by over 150,000 businesses and it holds the majority of the market share for CRM solutions. As organizations increasingly rely on Salesforce it becomes a more lucrative attack surface for threat actors, making the process of properly testing and hardening this cloud-based CRM platform more vital. This presentation focuses on the process of uncovering and exploiting vulnerabilities hidden within Salesforce instances.

We will begin by discussing the unique security challenges posed by Salesforce’s multi-tenant architecture and extensive customization options. Attendees will learn about specific methodologies and tactics used for performing penetration tests tailored to Salesforce applications. The primary focus will include evaluating sharing rules, object and field level security, user permissions, annotation misconfigurations, and third-party integrations.

We will use sanitized, real-world examples of common high and critical severity vulnerabilities to illustrate the impact of an unsecured Salesforce instance being exploited in the wild and emphasize the industry need for regular and comprehensive testing.
By the end of this session, participants will have a clear understanding of how to leverage penetration testing to proactively identify and mitigate risks, ensuring their Salesforce instance remains secure in an ever-evolving threat landscape.”

11:00 AM - 11:45 AMOPSEC, OSINT, & HUMINT: Securing Signals and Shadows By REDACTED

This talk will have strict Chatham House Rules and will be Classified TLP:AMBER+STRICT. Attendees will be REQUIRED to follow these protocols to be admitted.

In today’s interconnected world, online and physical safety are more crucial than ever. This talk will explore the critical intersection of digital and personal security, highlighting key strategies to protect yourself in both realms.

01:00 PM - 01:45 PMIntro to IoT Hacking By Doug Kras

IoT devices can be anything from temperature sensors to that new Smart Fridge in your house. When reviewing these devices for security issues, there are a wide variety of methods to discover weaknesses. Many companies will publish their firmware on the internet to allow users to update their systems. This is a great place to start finding vulnerabilities, and you can do it without even owning the device. The world of IoT presents difficulties for security, because many times these devices don’t have the capacity to run full security stacks such as Anti-Virus and logging. Come on a journey where you can learn how to hack hardware and software!

02:00 PM - 02:45 PMIs AI the Monster Under the Bed By Reed Sanders

“In the rapidly evolving landscape of artificial intelligence (AI), fears about the potential risks and dangers of AI technologies often dominate public discourse. However, from my experience as a pentester who has tested several AI models and implementations, I can see that these fears can be significantly mitigated through rigorous development and testing practices. This presentation aims to demystify AI and provide a clear roadmap for ensuring its safety and security, with a particular focus on the OWASP Top 10 for LLM (Large Language Models) and Gen AI (Generative AI).

The session will begin by addressing common concerns surrounding AI, such as data privacy, algorithmic bias, and potential misuse. These issues, while legitimate, are not insurmountable obstacles. Instead, they can be effectively managed through the adoption of comprehensive security frameworks and guidelines. Central to this discussion is the OWASP Top 10 for LLM and Gen AI, a set of best practices specifically designed to address the unique challenges posed by these advanced AI systems. As a pentester, my role involves identifying vulnerabilities before malicious actors can exploit them. By applying OWASP’s principles, we can proactively secure AI systems against a wide range of threats.

Through real-world examples from my pentesting experiences, this presentation will illustrate how a methodical approach to AI security can transform potential “”monsters”” into manageable, trustworthy tools. By the end of the session, attendees will gain a deeper understanding of how AI can be developed and tested in a way that minimizes risks, making AI a beneficial and secure asset rather than a source of fear.”

03:00 PM - 03:45 PMUnraveling OAuth Protections: Exploiting Loopholes By William Shea

Since 2012, OAuth 2.0 has been a critical method for authorizing applications to access data. This data can be private and sensitive, making attacks on OAuth all the more attractive. Exploiting vulnerabilities in OAuth’s intended functionality, particularly those related to the “redirect_uri” parameter, is a common tactic for attackers seeking to gain unauthorized access to user accounts. In such attacks, the authorization code returned by the server is the key target. The OAuth specification (RFC) can provide valuable insights into how to target and exploit vulnerabilities in the “redirect_uri” parameter to steal the authorization code. Attack methods can range from simply replacing the intended value to using specially encoded characters to bypass security measures. By successfully bypassing these restrictions, attackers can gain complete control over the compromised account and access the associated private and sensitive data.

04:00 PM - 04:45 PMBurn Baby Burn: One Click is all it takes By McKeegan Curran

Recently I uncovered a security vulnerability in a fire alarm monitoring system app, the api allowed me to access all the other customer information including adresses, lock box pins and more. In addition to this it was confirmed I could have triggered dispatch calls for fire and other emergency services as well. This talk will be a risk assessment style presentation looking at what was found and the large scale country wide impact that could have happened if a threat actor uncovered this.

10:00 AM - 10:45 AMFriday the 13th: Compliance is Coming for You By JD Zluticky

Everyday the news presents multiple new cases of hacking, ransomware attacks, and other nefarious activities. If you did a little deeper, you can see that both Congress and their regulatory agencies are taking aim at companies, their CEOs and their Board of Directors for being victims of a breach. Regulatory pressure is growing for the banking industry, SEC, Medical, and Department of Defense contracting. This presentation posits the theory that regulation is coming for all industries–Ready or Not!

Whose Breach is it anyway? An Interactive Tabletop Exercise
11:00 AM - 11:45 AMWhose Breach is it anyway? An Interactive Tabletop Exercise By Cody Kretsinger

We’re running through the worst of the worst event and you’re taking on the roles within a company to see how you would react. Join in this interactive tabletop exercise live at BSides Peoria 2024

01:00 PM - 01:45 PMDeclarative Operating Systems for Better Security By Sebastian Whiting

NixOS is a fully declarative Linux distribution. It is very unique in how it handles configuration and package management. While it is not quite mature enough, the advantages are clear. Reproducible builds 100% maintainable with version control systems.

02:00 PM - 02:45 PMLessons Learned from the CrowdStrike Outage: Key Strategies to Build Cyber Resilience By Dan Krueger

The global CrowdStrike IT outage demonstrated that even non-ransomware cyber incidents may have serious repercussions. Events like these serve as a wake-up call for businesses to review their IT Business Continuity & Disaster Recovery plans in order to maintain resiliency and be prepared for more significant Cyber incidents in the future.

03:00 PM - 03:45 PMHacker Health By Matt Topper

Burnout. Exhaustion. Eating Poorly. Losing Fitness. They’re all just part of the inherent risk of tech work, right? They were for me. In this talk, we’ll use my personal failures and successes in these areas to explore the unique stressors inherent in the field, early signs to watch out for, and approaches to stop it from happening to you.

04:00 PM - 04:45 PMNavigating the Messaging Matrix: Comparing Popular and Secure Chat Applications By Benjamin Padgitt

Choosing the right messaging app that respects your privacy and security can be challenging, especially when different contexts demand different tools. This presentation offers a comparative analysis of widely-used messaging platforms like Discord, SMS, iMessage, WhatsApp, and Facebook Messenger against secure, private, and more open alternatives such as SimpleX, Signal, XMPP, Jami, and Matrix. We will explore key factors including support, usability, adoption, interoperability, and security features. By examining these criteria, we will uncover the trade-offs between convenience and privacy inherent in each option. My goal is to provide you with the insights needed to consider secure alternatives over mainstream options, helping you choose tools that better align with your privacy needs and values. Attendees will leave with a clear understanding of the strengths and limitations of different messaging apps to empower them to make informed decisions.

Get Tickets

Get your tickets before time runs out

00
Days
00
Hours
00
Minutes
00
Seconds