The New Normal
Date : May 9, 2020
Time : 17:00:00 UTC
LevelUp is Bugcrowd's live information security conference, conducted entirely online via YouTube, Twitch, and Discord.
Speakers will present cutting-edge information on cybersecurity, security research, and bug bounties. All you need to participate is a computer and an internet connection that can support streaming video. The mission of LevelUp is to remove the barriers to some of the world's best education, so there is no charge and no need to travel!
Session topics include:
- Brand new tools and new techniques
- Career and professional tips and tricks
- Tips and tricks on automotive hacking
- Personal accounts/experience on offensive hacking and thought processes around maximizing impact
Louis (@snyff/@pentesterlab) is a security engineer based in Melbourne, Australia. He is the founder of PentesterLab, a learning platform for web penetration testing.
Rhys Elsmore is a self-deputised internet mall cop who has a passion for breaking computers in weird and wonderful ways. By day he helps secure a large blue cloud, and by night he hunts bugs in other people's clouds. Outside of the internet he likes to overdo it at CrossFit (People who do CrossFit are legally required to tell you that they do CrossFit), gets his butt kicked at Brazilian Jiu-Jitsu, cooks new and exciting food, looks after two Australian Shepherds, and serves his community as a Retained Firefighter with Fire + Rescue NSW.
Thomas Dullien is a security researcher and entrepreneur well known for his contributions to the theory and practice of vulnerability development and software reverse engineering. He won Germany's biggest privately financed research prize in the natural sciences in 2006 (the Horst-Goertz Prize) for work on graph-based code similarity, then started and ran a company to commercialize this research, which was later acquired by Google. After a few years at Google Project Zero, he is now co-founder of a startup called http://optimyze.cloud that focuses on efficient computation.
Josh Schwartz, aka FuzzyNop, is an alleged computer who knows how to computer. He currently is the Director of Proactive Engagement overseeing red team, security engagement, phishing, and behavioral engineering for the Paranoids at Verizon Media.
Jay Turla is a Manager, Security Operations (PH) at Bugcrowd, and one of the goons of ROOTCON. He has been acknowledged and rewarded by Facebook, Adobe, Microsoft, etc. for his responsible disclosures, and has also contributed auxiliary and exploit modules to the Metasploit Framework. He has presented at ROOTCON, HITCON, PEHCON, DEFCON, DragonCon, BSides Myanmar, Nullcon and TCON. His main interest and research right now is car hacking, and he is currently one of the main organizers of the Car Hacking Village of ROOTCON / Philippines, which is supported by the Car Hacking Village community.
Chloé Messdaghi is the VP of Strategy at Point3 Security. She is an ethical hacker advocate who strongly believes that information security is a humanitarian issue. Besides her passion to keep people safe and empowered online and offline, she is driven to fight for hacker rights. She is the founder of WomenHackerz and the President and co-founder of Women of Security (WoSEC), and heads the SF Bay Area chapter.
Katie is a Ph.D. student in machine learning and cybersecurity. In her free time, she is a bug bounty hunter and cybersecurity YouTuber. Having only started bug bounty in 2019, she is still a bit of a noob, but always learning. Katie is really passionate about giving back to the community that helped her by producing videos on the basics of bug bounty and how to find your first bug. You can find her on Twitter as @InsiderPhD and on YouTube as InsiderPhD.
May 9, 2020
Code that gets you pwn(s|’d)
Speaker: Louis Nyffenegger (@snyff)
In this talk, Louis will cover examples of vulnerabilities that are not necessarily obvious. We will look at some snippets in Golang, Ruby, Python and others, demonstrating practical flaws and attacks on:
- Golang Tempfile
- Golang path.Clean
- Startswith and URL
- Unicode and Regexp
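The first and third items on that list are the kind of check that looks right and is not. As an added illustration, which is not Louis's code and is not taken from the talk, the Go program below puts a naive check beside a sound one for two of the listed topics: a strings.HasPrefix test on a raw URL, which any attacker-controlled URL that merely starts with the trusted origin will satisfy, and a path.Join of user input under a base directory, which ".." segments can climb out of unless the input is rooted with a leading slash before path.Clean runs. The trusted host example.com and the base directory /srv/files are assumptions made for the example.

```go
package main

import (
	"fmt"
	"net/url"
	"path"
	"strings"
)

// allowedHost is a hypothetical trusted origin, assumed for this example.
const allowedHost = "example.com"

// naiveIsTrusted is the flawed check: a plain string-prefix test on the raw URL.
// "https://example.com.evil.com/" and "https://example.com@evil.com/" both pass.
func naiveIsTrusted(raw string) bool {
	return strings.HasPrefix(raw, "https://"+allowedHost)
}

// isTrusted parses the URL and compares scheme and host exactly, so a longer
// hostname or a userinfo prefix can no longer impersonate the trusted origin.
func isTrusted(raw string) bool {
	u, err := url.Parse(raw)
	if err != nil {
		return false
	}
	return u.Scheme == "https" && u.Hostname() == allowedHost
}

// naiveResolve joins the user-supplied path directly under base.
// path.Join cleans the result, so "../.." climbs above base.
func naiveResolve(base, userPath string) string {
	return path.Join(base, userPath)
}

// safeResolve roots the user path before cleaning: path.Clean drops ".."
// elements at the start of a rooted path, so the result cannot leave base.
func safeResolve(base, userPath string) string {
	return path.Join(base, path.Clean("/"+userPath))
}

func main() {
	// Constructed sample inputs: one legitimate URL and two lookalikes.
	for _, raw := range []string{
		"https://example.com/login",
		"https://example.com.evil.com/",
		"https://example.com@evil.com/",
	} {
		fmt.Printf("%-32s naive=%-5v parsed=%v\n", raw, naiveIsTrusted(raw), isTrusted(raw))
	}
	// Constructed sample inputs: a normal file name and a traversal attempt.
	for _, p := range []string{"reports/q1.txt", "../../etc/passwd"} {
		fmt.Printf("%-20s naive=%-22s safe=%s\n", p, naiveResolve("/srv/files", p), safeResolve("/srv/files", p))
	}
}
```

path.Clean works on forward-slash paths; for OS paths use filepath.Clean instead. Neither variant defends against symlinks already inside the base directory, nor against traversal sequences that are still percent-encoded when the check runs, so decode first and check afterwards.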
Recognition-Primed Bug Bounty Hunting
Speaker: Rhys Elsmore (@Rhys Elsmore)
In this talk, Rhys will explain how humans are wired to consume, process, and act on large amounts of information. Every day, often without knowing it, we take cues and signals from our environment, recall our past experiences, mix it all together, and make decisions. As bug bounty hunters we are often faced with many decisions, such as "where do I start?", "where do I look next?", "how can I maximize impact?", "how can I escalate this finding?", and "how do I understand what this means?". A well-tuned decision-making process is essential to maximizing impact and ensuring success while hunting bugs.
This talk draws on his experience in various emergency service roles, where the outcome of a decision is critical and thinking several steps ahead is required, mixes it with walkthroughs of the decision-making process he has followed when finding high-paying bugs, adds in a bit of psychology*, and details focus areas that will help bug bounty hunters make better decisions.
Attendees will not only get walkthroughs of hard-hitting bugs, but also learn the basics of a decision making model that will hopefully lead them to bigger scopes and larger rewards.
Business Tradecraft for Hackers in the Corporate Industrial Complex
Speaker : Josh Schwartz (@fuzzynop)
There are countless tutorials that teach you how to weaponize an exploit, pop a box, catch a shell, overflow a buffer, and test a pen so hard that Milton Reynolds would rise from the dead, but what happens once all those 1337 skills eventually drop you into the lemming factory of a large corporation? That rebellious, chaos-agent, anarchy-driven hacker mentality may have got you there, but you'll need new skills to survive the endless onslaught of institutionalized mediocrity that rains down like an endless miserable wave of sadness. Come listen as a corporate sellout preaches privilege escalation techniques for modern bureaucracy. Sometimes you need a pivot table instead of a network pivot. Think bit flips and exploit kits for corporate politics, because when the game is to hack the planet, you need to play to win.
Why I <3 Offense (and Why I </3 Offense)
Speaker: Thomas Dullien (@halvarflake)
In this talk, Halvar Flake will give a personal account of his 24-year relationship with offensive security work.
Hackers Don’t Wear Black Hoodies, They Wear Capes
Speaker: Chloé Messdaghi (@ChloeMessdaghi)
60% of hackers do not report vulnerabilities due to the fear of prosecution. This talk provides insights about the past, present, and future of ethical hacker rights, along with stories of what happens when there is a lack of bilateral trust when conducting ethical hacking. Its goal is to show why we in the infosec community need to work together to encourage rather than discourage.
Automotive Security Bugs Explained for Bug Hunters V2.0
Speaker: Jay Turla (@shipcod3)
Dive into the world of car hacking as Jay unveils common automotive security bugs as a baseline for starting your journey in hunting them. In this talk we will explain some PoCs, attacks and vulnerabilities, and how we prioritize or rate them from a Bug Bounty Bug Bash or Program perspective. Get to know the methodologies, from IoT security to CAN bus hacking. Learn that car hacking is not just about CAN bus hacking, key fob attacks and ECU attacks: the web apps, APIs, hardware, and mobile apps can become part of the scope too. The goal of this talk is to inspire and promote car hacking and automotive security, because you never know when you might be invited to a car bug bash.
Sticking With It: How To Choose a Target & Stay Motivated
Speaker: Katie Paxton-Fear (@InsiderPhD)
It's really easy to find yourself lost in the number of bug bounty programs available, whether on dedicated platforms or external programs; the sheer number can be exhausting. Even once you have found something to hack, temptation sets in, brought on by the frustration of not finding a bug or the anticipation when a new invite finds its way into your inbox. It can be difficult to resist the urge to jump ship despite the guilt of "Am I giving up too quickly?". In this talk we cover how to choose the target that is right for you, how to keep motivated whilst hacking and, more importantly, how to make the call: time to move on, or keep on trucking.