- Hive Five
- Posts
- Must-watch infosec talks of 2020
Must-watch infosec talks of 2020
Photo by Philipp Katzenberger / Unsplash
To say that 2020 was a difficult year is an understatement. What got me through it were friends, family, and community. Luckily for me, the latter takes place on Discord and Twitch.
This was also the year where virtual conferences became the new norm. Already being involved with various communities, and by being a Nahomie, I was asked to help build and moderate several cons. It was a great experience.
A plus of this new trend was that the barrier of entry was lowered, allowing more people access to amazing talks.
I’ll list the ones that stood out to me. Make sure to follow their social media and show your support!
Bug bounty
Unique Mindset - Hacking with Zseano
Zseano, web app hacker + founder BugBountyHunt3r @ VirSecCon
Zseano goes through some of his favourite findings and discusses how he went about finding them.
How to do Chrome Extension code reviews
Breanne Boland, appsec engineer @ Levelup0x07
A look at how to do effective code reviews on Chrome extensions, what tools you can use to perform them, and some common tells of security issues. I took a stab at making an extension for Google SERP.
How to Crush Bug Bounties in the first 12 Months
Hakluke, manager training + QA Bugcrowd @ Levelup0x07
This talk is perfect for anyone who has just started, or is about to start bug bounties. More seasoned hackers will also glean some tips to improve their workflow. Repping the BugCrowd community.
How to Get Into Bug Bounty
Katie Paxton-Fear, lecturer + PhD @ GrayHat
Always wanted to know how to get into bug bounty? Katie lays it all out for you. It's introductory, helpful for anyone interested in bug bounties but not sure what to do next! Her community is awesome.
The Bug Hunter’s Methodology v4
Jason Haddix, head of security + risk management Ubisoft @ Red Team Village
The Bug Hunter’s Methodology is an ongoing yearly installment on the newest tools and techniques for bug hunters and red teamers. Jason explores both common and lesser-known techniques to find assets for a target. Check out his recon interview with NahamSec.
Recognition Primed Bug Bounty Hunting
Rhys Elsmore, product engineer Heroku + firefighter @ levelup0x06
Rhys walks you through hard-hitting bugs, and teaches you the basics of a decision making model that will hopefully lead to bigger scopes and larger rewards.
Who, What, Where, When, Wordlist
TomNomNom, tech lead security research Detectify @ NahamCon2020
Everything you need to know about wordlists. Tom expertly teaches you how to create target specific, custom wordlists using various sources and tools. Check out Tom's recon talk.
You've Got Pwned - Exploiting E-Mail Systems
securinti, community manager Intigriti @ NahamCon2020
Inti tends to look for a very particular range of vulnerabilities, more often than not related to e-mail systems. He'll share some of his findings in this talk.
Bug Bounties With Bash
TomNomNom, tech lead security research Detectify @ VirSecCon2020
Tom demonstrates how you can use Bash for bug bounty. It's a shell that wraps a kernel so you can launch processes. Learn how to quickly and efficiently automate tasks, and make your own tools.
Beyond the Borders of Scope
Jr0ch17, sr. application security advisor Videotron @ h@cktivitycon
A somewhat controversial topic in bug bounty, looking at out-of-scope assets. This is not about doing actual hacking on those out-of-scope assets, it's about doing recon on them in special ways in order to find bugs on the in-scope assets.
Practical Exploitation of Math.random on V8
d0nutptr, lead security engineer graplsec @ VirSecCon 2020
A talk about V8's Math.random, what it is and how to break it practically. V8 JavaScript is used in Chrome and Node.js. PoC || GTFO. Currently building recon platform resync.
HTTP Desync Attacks - Request Smuggling Reborn
James Kettle, head of research PortSwigger @ Black Hat
HTTP requests are traditionally viewed as isolated, standalone entities. James introduces techniques for remote, unauthenticated attackers to smash through this isolation and splice their requests into others, harvesting over $70k in bug bounties.
How I became a HackerOne MVH without writing a single line of python
STÖK, educational content + hacker Truesec @ H@cktivityCon
Want to know how you become a HackerOne Most Valuable Hacker (get awarded multiple awards and win the Best Team Award) without writing a single line of code? Well this is how STÖK did it. In this talk he touches on his methodology, his mindset and the importance of collaboration.
Mechanizing the Methodology
Daniel Miessler, cybersecurity expert + writer @ Red Team Village
This talk will take you through finding new attack surface, performing multiple types of test against those targets, and sending real-time alerts — all on a continuous basis using automation from a cloud-based Linux host. It really brought home the Unix philosophy for me.
Infosec
Phishy Little Liars - Pretexts That Kill
Alethe Denis, security consultant + DefCon black badge @ conINT
Add more value to your engagements, better prepare employers and their employees, and learn how to create pretexts that your targets are much less likely to question
The Act of Balancing - Burnout in Cybersecurity
Chloé Messdaghi, vp strategy Point3 security @ OWASP DevSlop
Have you ever felt like no matter how much sleep you get, you feel exhausted? Struggle to concentrate? Having trouble balancing work and personal life? Or perhaps feel your work is your life? Then this talk is for you.
A Quick Guide to Your Hacker Rights
Chloé Messdaghi, vp strategy Point3 security @ WWHF Deadwood 2020 Virtual
Sixty percent of hackers don’t submit vulnerabilities due to the fear of out-of-date legislation, press coverage, and company's misdirected policies. This talk will focus on the current landscape for hacker rights and what is needed to improve it.
HostSplit - Exploitable Antipatterns in Unicode Normalization
Jonathan Birch, senior security software engineer Microsoft @ Black Hat
Jonathan demonstrates new exploit techniques that leverage Unicode normalization behavior to bypass URL security filters. In some cases it even allows one domain to impersonate another.
Code that gets you pwn(s|'d)
Louis Nyffenegger, security engineer + founder PentesterLab @ levelup0x06
Louis covers examples of vulnerabilities that are not necessarily obvious. Taking a look at some snippets in Golang, Ruby, Python. Covering Golang Tempfile, Golang path.Clean, Startswith and URL, and Unicode.
The Electronic Frontier Foundation (Closing Keynote)
Eva Galperin, director cybersecurity EFF @ AppSecCali
The Electronic Frontier Foundation is the leading nonprofit defending digital privacy, free speech, and innovation for 30 years and counting. Eva Galperin explains what the EFF stands for, who they help, and what they do. Her work is primarily focused on providing privacy and security for vulnerable populations around the world.
My Journey to Cybersecurity (Keynote)
Heath Adams, founder TCM Security @ CIA
Heath (the Cyber Mentor) talks about his cybersecurity journey, and touches on his upbringing. I found his story to be inspiring and motivational. He provides you with life lessons and actionable tips, so you can start your own journey.
How to Hunt for Jobs like a Hacker
Jason Blanchard, Content & Community Director @ Black Hills Information Security
Jason shows you how to combine OSINT, marketing technology, and a hacker/social engineer mindset to job hunting. Look at job hunting differently and get the career of your dreams.