Conference Talks – September 2021

This month, members of NCC Group will be presenting their work at the following conferences:

  • Javed Samuel, “Overview of Open-Source Cryptography Vulnerabilities”, to be presented at the International Cryptographic Module Conference 2021 (Virtual – Sept 3 2021)
  • Robert Seacord, “Secure Coding”, to be presented at Auto ISAC Analysts (Virtual – Sept 7 2021)
  • Erik Steringer, “Automating AWS Privilege Escalation Risk Detection With Principal Mapper”, to be presented at fwd:CloudSec (Salt Lake City Utah Sept 13-14 2021)
  • Duane Reeves, “Telephony: The Forgotten Network Threat”, to be presented at GSX 2021 (Orlando Florida Sept 27 2021)

Please join us!

Overview of Open-Source Cryptography Vulnerabilities
Javed Samuel
ICMC21 – Bethesda, Maryland
September 3 2021

This talk will review the foundations of cryptographic vulnerabilities as applicable to open-source software from a penetration tester’s perspective over multiple public cryptography audit reports. It will discuss what attacks in the past took advantage of these cryptography vulnerabilities and what the consequences were. The talk will also examine ways that open-source software has been updated over time to mitigate these cryptography flaws and how successful these mitigations may have been. Finally, some thoughts on possible areas that could be the focus for future cryptography vulnerabilities in open-source applications will be presented. 

Secure Coding
Robert Seacord
Auto ISAC Analysts – Virtual
September 7 2021

Secure coding is essential to the development of secure, connected vehicles. Current safety guidelines such as MISRA are deficient from a security perspective. This talk will provide an overview of secure coding and some of the problems it solves that are not adequately addressed by MISRA. It will provide an explanation of common programming errors in C and C++ and describe how these errors can lead to code that is vulnerable to exploitation. It will concentrate on security issues intrinsic to the C and C++ programming languages and associated libraries.

Automating AWS Privilege Escalation Risk Detection With Principal Mapper
Erik Steringer
fwd: Cloud Sec – Salt Lake City, Utah
September 13-14 2021

You locked down your AWS account’s IAM Policies, but are you certain there aren’t any unexpected side effects? Are there any passable/assumable roles that could be abused to access those credentials you stashed in Secrets Manager? Principal Mapper (PMapper) is a tool for in-depth evaluation of AWS IAM Authorization Risks. This talk covers how to extend it to automate finding risks (continuous monitoring) and test for resource isolation.

Telephony: The Forgotten Network Threat
Duane Reeves
GSX 2021- Orlando Florida
September 27 2021

Telecommunications networks are now relied upon more than ever before, making them a staple of modern society’s critical infrastructure. Unfortunately, fraud and security threats are arising alongside the technological advancements by today’s unified communications (UC) systems. The Communications Fraud Control Association (CFCA), in its 2019 annual survey, announced that global yearly fraud losses are in the range of $28–$30 billion. What does telephony look like today, and how have UC networks made fraudulent activities easier, cheaper, and available to more people? In this session, I will address those questions, explore the various risks organizations face, and detail important steps to identify countermeasures to protect against the multiple threats.