Like many in the industry, we are mentally preparing for the trip out to Las Vegas for the US’s crowning trio of big security conferences: BSidesLV, Black Hat USA, and DEF CON. Every year tens of thousands make the annual pilgrimage to the “Hacker Summer Camp” trifecta to see friends, learn from the smorgasbord of tasks and trainings, and share their knowledge far and wide.
Each year we at the ThinkstScapes HQ find great content worth highlighting from these longstanding pillars of the conference scene. The talks below are the ones we’re most keen to watch, but there’s always a few that outshine their abstracts and surprise us–look for these sleeper-standouts in the Q3 edition!
Black Hat USA
- AppleStorm – Unmasking the Privacy Risks of Apple Intelligence by Yoav Magid (Also at DEF CON) — Privacy is a cornerstone of Apple’s marketing, and a core part of their Apple Intelligence offering. This talk should offer a glimpse into how that system operates, where potential privacy gaps exist, and how to introspect on a system that is by definition trying to minimize privacy leaks. Taking marketing claims at face value is a recipe to get burned; this talk should teach the audience how to inspect those claims a little deeper, at least for the Apple iOS ecosystem.
- I’m in Your Logs Now, Deceiving Your Analysts and Blinding Your EDR by Olaf Hartong — After the CrowdStrike debacle, Microsoft is pushing EDR and other defensive agents out of the kernel–forcing them to rely on their own telemetry. If the Windows ETW framework is susceptible to manipulation of telemetry streams, then it could undermine the data underlying EDR entirely. This talk promises to shine some light into a deep dark corner of Windows security, and we’re keen to see what the speaker uncovered.
- Ghosts in the Machine Check – Conjuring Hardware Failures to Breach CPU Privilege Boundaries by Christopher Domas (Also at DEF CON) — Christopher has a knack for explaining deep CPU/ISA flaws and highlighting their impact. His talks usually offer more than promised, and in this abstract he’s promising a lot. We’re keen to see how abuses to the CPU can result in privilege escalation, and what can be done about it as a defender.
- When ‘Changed Files’ Changed Everything: Uncovering and Responding to the tj-actions Supply Chain Breach by Varun Sharma and Ashish Kurmi — This talk is a stand in for the table top exercise we all should have had, but haven’t got around to yet. CI/CD pipelines have famously been abused, and a deep dive into how this recent malicious change was caught and recovered from should be both interesting and useful to all types of organizations.
- Windows Hell No for Business by Baptiste David and Tillman Oßwald — Identity is the new perimeter, and device manufacturers have been working to make biometric authentication seamless and secure. This talk promises a deep dive into the data flows in Windows Hello, which can be used to authenticate to an IdP in addition to just local machines. The abstract promises to show a way where biometric data can be modified on device to allow an attacker to authenticate as any other enrolled user–even to cloud services.
- AI Agents for Offsec with Zero False Positives by Brendan Dolan-Gavitt — XBOW recently reached the #1 spot on HackerOne’s US leaderboard using their fully-autonomous LLM-based agents. This talk offers a glimpse at the science behind the pwnage for how to leverage LLM’s powerful capabilities without drowning in false positive noise.
- Safe Harbor or Hostile Waters: Unveiling the Hidden Perils of the TorchScript Engine in PyTorch by Ji’an Zhou and Li’shuo Song (Also at DEF CON) — ML models are often packed as Python pickles, which are carelessly downloaded and run. To minimize the risk of pickle RCE attacks, PyTorch generally only loads the weights. However, there is a new execution engine that is embedded into Torch’s engine: TorchScript. This talk should shine a light on this unknown corner of ML model security, and hopefully remind us that there are still risks to YOLO loading random models from the internet.
DEF CON
- You snooze you lose: RPC-Racer winning RPC endpoints against services by Ron Ben Yizhak — RPC has been around longer than many of us care to consider, but has recently had a resurgence in research against it. This talk offers insights into how the OS registers RPC services, and shows that being first in line allows for your untrusted code to serve as the RPC service for high-privileged OS components. It’s great to see others digging into this legacy system and finding new results.
- The (Un)Rightful Heir: My dMSA Is Your New Domain Admin by Yuval Gordon (Also at BSidesLV) — We love seeing a good o’ fashion AD attack, and this one looks like it brings it into the 21st century. dMSA accounts are new for many AD administrators, especially those who are running a hybrid AD environment, so they are likely misconfigured. AD vulnerabilities are the bread and butter for many attackers elevating their privileges, so it’s nice to see there are already eyes on the new account scheme.
- Zero Trust, Total Bust – Breaking into thousands of cloud-based VPNs with one bug by David Cash and Rich Warren — Zero Trust has been an RSAC buzzword for a couple of years, so it’s good that folks are finally putting these “next-gen” VPNs to the test. Perhaps surprising to no one, ZTNA is simply a newer VPN, and like the VPNs of yesteryear, they can also have security flaws. This talk should dump some cold water on the ZTNA hype train and help defenders think beyond the buzzwords when it comes to secure networking.
- Turning Microsoft’s Login Page into our Phishing Infrastructure by Keanu Nys — Phishing M365 has been an actively-contested battleground for the last few years. This talk promises the Holy Grail of Entra ID phishing (from Microsoft’s real login domain), it will be well-worth a listen to see how defenders can adapt and keep their users safe.
- Journey to the center of the PSTN: How I became a phone company, and why you should too. by Enzo Damato — We too often forget about the legacy tail of PSTN land-lines and how they are a network connection without next-gen firewalls or DLP monitoring. This talk will reveal the technical and regulatory aspects of connecting to this global network and what that can mean for security.
BSidesLV
- .e’X’es and ‘O’auths (They Haunt Me): In-Depth Analysis of OAuth/OIDC Misconfigurations and Token Replay Attacks by Darryl Baker — OAuth and OIDC are both complex and commonplace. This talk promises to show how that can be a dangerous combination, and what defenders can do to reduce their risk of misconfigurations.
Our next ThinkstScapes release will feature content from this list and much more, subscribe for an email notification when each quarterly edition is dropped (no spam, we promise)! We’ll have part of the Thinkst crew out at Black Hat, if you’re there, stop by our booth, 5618, and say hi!
