Conference:  Defcon 31
Authors: Michael Stepankin Security Researcher at GitHub
2023-08-01

Although X.509 certificates have been around for a while, they have become more popular for client authentication in zero-trust networks in recent years. Mutual TLS, or authentication based on X.509 certificates in general, brings advantages compared to passwords or tokens, but you get increased complexity in return. In this talk, we'll deep dive into some novel attacks on mTLS authentication. We won't bother you with heavy crypto stuff, but instead we'll have a look at implementation vulnerabilities and how developers can make their mTLS systems vulnerable to user impersonation, privilege escalation and information leakages. We present some CVEs we found in popular open-source identity servers and ways to exploit them. Finally, we'll explain how these vulnerabilities can be spotted in source code and what the safe code looks like.
Conference:  Black Hat Asia 2023
Authors: Alex Matrosov, Richard Hughes, Kai Michaelis
2023-05-12

Over the past two years, attacks on multiple targets in the semiconductor industry have consistently led to leaks of firmware source code. A compromised developer device could potentially give an attacker access to the source code repository, opening a major gap in the security of the software supply chain. There are multiple policies in place to improve transparency in the firmware supply chain in general, but implementing and adopting them will take years. The technology industry is in the midst of active discussions about the use of "software bill of materials" (SBOMs) to address supply chain security risks. In order to implement supply chain security practices, there must be better transparency on software dependencies. Previously, any piece of software shipped as a black box without providing any information related to software dependencies and third-party components. Firmware has largely been looked at in the same way. We already discussed in our previous talks the multiple levels of complexity in the UEFI firmware ecosystem and supply chain taxonomy, and in last year's research "The Firmware Supply-Chain Security Is Broken: Can We Fix It?" we discussed the firmware supply chain complexity topics regarding firmware update delivery and how timing plays a negative role, giving attackers an advantage in adopting already known vulnerabilities (N-days) for their attacks. The silicon vendor reference code vulnerabilities are always the worst, since they impact the whole industry and all the device vendors that have used the same chips in their devices. When it comes to applying mitigations, how does the industry take advantage of them, and who controls their adoption in the firmware? Those are all good questions, but unfortunately, no positive news can be shared. The system firmware attack vectors will be discussed in this talk from the perspective of attacking the operating system or hypervisor.
The nature of these attacks breaks the foundation of confidential computing and often creates problems for the entire industry. This talk will focus on practical examples of such attacks and why they are dangerous.
Conference:  Black Hat Asia 2023
Authors: Xiaosheng Tan
2023-05-11

Data has been regarded as the fifth factor of production, and data security is ranked a high priority by governments across the world. In China, data security-related legislation such as the "Data Security Law" and "Personal Information Protection Law" has been promulgated and was put into effect in 2022. The number of data security projects has also increased rapidly. The government, finance, telecommunications, energy, education, healthcare, and other industries have different regulatory requirements for data security, and their strategies for data security are quite different. The biggest challenge facing data security is that data security technologies, products, solutions, and service capabilities are far behind regulatory and customer requirements. Some companies have made meaningful explorations in data security products and solutions, such as privacy-enhancing computing, transparent encryption/decryption, zero trust in data security, etc.
Conference:  RSA Conference 2023
Authors: Tracy Walker
2023-04-24

Do buzzwords like "Zero Trust" trigger vendor fatigue and anxiety? If so, then feel safe and secure with a demonstration of actual, automated Zero Trust security policies that are enforceable at network and process layers! This session will discuss Open Zero Trust, a new open-source project that enables innovative security automation, independent of Kubernetes, to auto-create Zero Trust security policies.
Conference:  RSA Conference 2023
Authors: Dr. Lisa McKee
2023-04-24

The foundation of Zero Trust Privacy must be data, and for good reason! Organizations with visibility into data and related activities are better equipped to implement a successful privacy program using Zero Trust principles. Many assume identity is the core principle of Zero Trust, losing sight of the data. This session will present a model for Zero Trust Privacy and a roadmap for implementation.
Conference:  RSA Conference 2023
Authors: TJ Gonen
2023-04-24

Criminal actors need only a single misconfiguration in the code to paralyze a company's entire ecosystem. To combat these risks, putting Zero-Trust principles at the core of DevOps supply chains helps ensure complete security from Code to Cloud. Learn how to help customers apply Zero-Trust tenets to DevOps, from the secure deployment of microservices to a deep shift left in production environments.
Conference:  RSA Conference 2023
Authors: J. Wolfgang Goerlich
2023-04-24

Imagine it is 2028, five years into the organization's Zero Trust transformation. People like it, and usability has improved. Defensibility is better, too, with a number of attacks having been stopped over the past couple of years. But then, in 2028, a call comes in. There's been a security breach. What happened!? Join this session for a pre-mortem on how breaches will look under a Zero Trust architecture.
Conference:  RSA Conference 2023
Authors: Jason Garbis, Jerry Chapman, Megha Kalsi, Chris Steffen
2023-04-24

Love going deep into security technologies? Some see this passion as a character strength, but in some cases it hinders effectiveness and success. Zero Trust is one of those cases. This session will look at the broad security strategy, and what is necessary to communicate its value, priority, and impact to a non-technical audience. This panel will explain the value of Zero Trust for business stakeholders.
Conference:  RSA Conference 2023
Authors: Shinesa Cambric
2023-04-24

Is it possible to apply Zero Trust to billions of consumer identities while simultaneously addressing the challenges of growing a business and preventing fraud? Through this case study, attendees will learn about some of the real-life challenges faced and lessons learned when balancing user experience and protection while simultaneously introducing friction to prevent and detect malicious actors.
Conference:  RSA Conference 2023
Authors: Bryan Green
2023-04-24

NIST’s Zero Trust architecture is the de facto framework for addressing the modern threat landscape. In this session, attendees will learn how practitioners translate abstract concepts, as defined in NIST 800-207, into an actionable Zero Trust playbook on a journey from the whiteboard to the boardroom.