RVAsec 13 Speaker Feature: Ross Merritt

Ross Merritt is a U.S. Marine Corps Veteran, Former Private Investigator, Performing Comedian, and a Cyber Security Consultant at Blue Bastion specializing in Social Engineering and OSINT.

Improv Comedy for Social Engineering

This workshop introduces the techniques used in improv comedy and applies them to the skills used in the OFFSEC field, enabling participants to communicate better, think on their feet, and gain confidence when operating in the unknown.

Come see Ross Merritt at RVAsec 13!


RVAsec 13 Speaker Feature: Jason Ross

Jason Ross is a passionate cybersecurity expert with a diverse skillset in Penetration Testing, Cloud Security, OSINT, DevOps Security, and Incident Response. As a lead security engineer at Salesforce, Jason oversees security evaluations and penetration tests — most recently with a specific focus on AI and Large Language Models. Jason is active in the security community, frequently speaking at industry events, and is committed to education as an adjunct faculty member at the Rochester Institute of Technology’s Global Cybersecurity Institute. X (Twitter): @rossja

Unlocking Generative AI: Balancing Innovation with Security

Join us for ‘Unlocking Generative AI: Balancing Innovation with Security’ as we navigate the complex landscape of generative AI in corporate environments. From understanding the fundamentals to exploring security threats like data poisoning and model theft, discover how large enterprises can safeguard sensitive data and AI models. Learn robust mitigation strategies to tackle these challenges head-on, ensuring a secure future for AI innovation. Don’t miss this opportunity to delve into the promising yet challenging world of generative AI security.

Come see Jason Ross at RVAsec 13!


RVAsec 13 Speaker Feature: AM Grobelny

I’ve spent the past 10+ years working on or helping people work on software. I was also a professional educator previously in my career, so I have a particular passion for helping people more easily understand difficult concepts. I currently work at AWS, and I’m focused on helping people learn through experience by using AWS GameDay. X (Twitter): @amsxbg

Secure Legends GameDay – A Cloud Security Danger Room

Bring a laptop for this interactive session, because we’ll be diving into a real environment together and learning how to prepare for the unique security threats faced in a cloud environment. I’ll be your guide as we work to increase the security posture of a fictional startup called Unicorn.Rentals.

Come see AM Grobelny at RVAsec 13!


RVAsec 13 Speaker Feature: Ariyan Suroosh

Ariyan Bakhti-Suroosh is a senior security consultant on the Attack and Penetration team under Optiv’s Threat Management division. Ariyan has a diverse background in information technology, driven by an exigent curiosity about how things work. Ariyan has over 5 years of experience in comprehensive internal and external penetration testing of large enterprise environments as well as focused, targeted attacks against small targets. Ariyan’s area of expertise is physical facility penetration testing, for which he has put together training for Optiv and delivered a talk at SANS Hackfest on methodology and execution. X (Twitter): @pursuit_of_root

It’s Coming From Inside the House: A Guide to Physical Facility Penetration Testing

Physical security is crucial to any organization; however, it sometimes takes a back seat. Many companies still maintain a physical office presence, and protecting employees working from the office, along with other critical assets, is as vitally important as protecting networks. An attacker gaining access to a building through social engineering or other means of physical entry could jeopardize those critical assets and employees’ safety. Attackers may access unattended workstations, open file cabinets, server rooms, or other information inside the organization. Skilled attackers may only need a few moments to slip into a building and plant a remote access device on the network without anyone noticing they were there.

Come see Ariyan Suroosh at RVAsec 13!


WIZ – RVAsec 13 Gold Sponsor

RVAsec is pleased to present WIZ, Inc. as an RVAsec 13 Gold sponsor!

Secure Everything You Build and Run in the Cloud.

https://www.wiz.io/
X (Twitter): @wiz_io

RVAsec 13 tickets are available now!


RVAsec 13 Speaker Feature: Oren Koren

Oren Koren is the Co-Founder and Chief Product Officer of Veriti. Oren brings 19 years of experience in cybersecurity, advanced threat analysis, and product management. Prior to founding Veriti, Oren was a Senior Product Manager at Check Point Software Technologies, where he led AI-based innovations and advanced data analytics projects redefining threat hunting and SIEM applications. Before Check Point, Oren served for 14 years in the prestigious 8200 unit and was responsible for various cybersecurity activities and research. Oren’s accolades include the Israeli Security Award and 3 MoD (Ministry of Defense) awards for cutting-edge innovations in cyber security. X (Twitter): @orenkorenCLO

Verified for Business Continuity: How to Remediate Risk Safely Across the Enterprise

Remediation can feel like a high-wire act, balancing the need to close exposures against the imperative of maintaining business continuity. This talk addresses the quintessential challenge: how can organizations utilize their existing arsenal of security tools to remediate vulnerabilities, misconfigurations, and exposures without halting the business engine? Glean insights from a seasoned industry expert on leveraging security logs, configurations, and threat intelligence to unearth exposures, teaching CISOs to navigate this delicate balance.

Come see Oren Koren at RVAsec 13!


RVAsec 13 Speaker Feature: Jennifer Shannon

Jennifer Shannon is a Senior Security Consultant at Secure Ideas with a background in malware analysis, penetration testing, and training. An avid computer geek for most of her life, she began her journey in cybersecurity as a SOC Analyst where she showed an aptitude for both penetration testing and malware analysis. She has experience performing penetration tests against web applications, mobile software and platforms, and physical security assessments.

Jennifer discovered a passion for computers and problem solving at a young age. She bought Steal This Computer Book 2.0, by Wallace Wang, with one of her first paychecks, and became enamored with hacking and cyber security. While pursuing her degree she dedicated time to teaching computing skills to underrepresented minorities. She is the co-leader for the TOOOL chapter in Jacksonville, FL. Jennifer continues to be passionate about teaching and is eager to share her knowledge with others.
X (Twitter): @Jencrypti0n

API-ocalypse

Get ready for a wild ride as Jennifer Shannon, a Senior Security Consultant at Secure Ideas, takes the stage to present “API-ocalypse”. In this thrilling and entertaining session, Jennifer will showcase the vulnerabilities lurking within APIs and the havoc they can wreak if left unaddressed. Through live pentesting demos, she will demonstrate jaw-dropping exploits, mind-bending injection attacks, and authentication bypass techniques that will leave you on the edge of your seat. Join Jennifer as she navigates the dark side of APIs to help you understand and fortify your attack surface in order to prevent the impending API-ocalypse.

Come see Jennifer Shannon at RVAsec 13!


RVAsec 13 Speaker Feature: Nick Copi

Nick Copi, an application security engineer at CarMax, seamlessly balances his professional role with a fervent pursuit of security research. From architecting full-stack web applications to spearheading innovative security initiatives at CarMax, Nick’s diverse background enriches his insights, allowing him to bring a multifaceted perspective to his endeavors. His dominance in cybersecurity competitions, including numerous 1st place CTF victories, highlights his adeptness. As the former president of the VCU Cyber Security Club and a co-organizer of the OffsecRVA meetup group, he ardently fosters community engagement and knowledge exchange. With a knack for blending practical experience and strategic vision, Nick embodies a commitment to excellence in both his professional endeavors and his contributions to the broader cybersecurity community. X (Twitter): @7urb01

Some Assembly Required: Weaponizing Chrome CVE-2023-2033 for RCE in Electron

In this presentation, the development process of a remote code execution (RCE) exploit for CVE-2023-2033 is discussed. CVE-2023-2033 is an N-day type confusion vulnerability that affects Google Chrome for Windows, Mac, and Linux, with which an attacker can exploit the Chrome V8 engine to cause heap corruption via a crafted HTML page and gain RCE. Prior to this presentation, a public RCE exploit for this vulnerability did not exist. This exploit is based on publicly available proof-of-concept code that uses the vulnerability to implement V8 heap read/write/addrof primitives. The presentation focuses on weaponizing these primitives to achieve remote code execution consistently in an unsandboxed renderer process of an Electron version running a vulnerable version of Chrome. Methods to hijack the renderer process instruction pointer and to write and execute specially encoded chunks of shellcode using these primitives are discussed.

Come see Nick Copi at RVAsec 13!


RVAsec 13 Speaker Feature: David Girvin

Hacker, BJJ enthusiast, world traveler and surfer. I am a giant weirdo who somehow found my niche in offensive security. I have been blessed getting to build AppSec programs for companies like 1Password and Red Canary. I have an extremely diverse background and hope I can relate and/or add value to everyone’s experience.

Social Engineering the Social Engineers: How to not suck at buying software.

There is a huge gap in security, and that gap is understanding the process for acquiring security tools. After buying security tools as an architect and selling them as a sales engineer, I know the process, pitfalls and gaps in the process. We will dive into the process for both sides. You will learn how you should be architecting your program and winning budget for those tools. We will also explore what happens on the sales side of the deal. I will explain what to look out for, what you can take advantage of, and the common mistakes we make.
Sales people are top-tier social engineers; we will explore how to hack them.

Come see David Girvin at RVAsec 13!


RVAsec 13 Speaker Feature: Micah Parks

Micah Parks started his professional career about six years ago in the National Security Agency. After moving to the private sector, Micah has continued to work as a security minded software engineer. He has created and maintains multiple open source projects, with the most popular one involving JSON Web Key Sets, used by thousands of other projects including those from Google, Microsoft, Nvidia, Nintendo, ByteDance, and various governments and telecom providers. He also runs a small, niche, SaaS platform and always has a side project or two going.

Reverse Engineering for Dummies: The “what if?” user

When developing a product, software engineers often discuss the “what if?” user. What if a user builds their own frontend client? What if a user finds that embedded API key? What if a user notices that endpoint doesn’t have authorization? This talk has three real-life examples from the speaker’s perspective as the “what if?” user. Each example will delve into the motivation, the security flaws reverse engineered, and how to improve the security of each product. This talk will cover reverse engineering assets from an Android game, a waitlist to buy exercise equipment, and a Publish Subscribe system for an auction house. This talk aims to generate interest in identifying software design flaws and reverse engineering them, as well as helping teach about common security issues and practical methods of fixing them.

Come see Micah Parks at RVAsec 13!