Anna Collard & Christine Gordon-Bennett
Zen and the Art of Cognitive Defense: Zero-Trust Mindsets and Cyber-Mindfulness
Jason Jordaan
Ignorantia Juris Non Excusat - Understanding the Impact of the Law on the SA Hacker Community
Many cybersecurity researchers and ethical hackers are becoming the target of criminal prosecutions and litigation, essentially for trying to do the right thing, and acting in an ethical manner. The reality is that cybersecurity researchers, practitioners and ethical hackers do run the risk of running afoul of both criminal and civil law in South Africa. This talk will explore the various laws and legal actions that could impact on them, and how to work within the framework of the law in South Africa, and essentially keep them safe from legal harm.
David Baker Effendi & Rohan Dayaram
Attacking Pipelines: Large Scale Exploitation of Workflow Files
In this talk, we present a tool designed to perform large-scale scanning of GitHub repositories to identify potential expression injection vulnerabilities within their workflow files. Our system efficiently scrapes repositories, concurrently pulling and analysing workflow configurations for insecure patterns. Through this mining process, we have discovered that expression injection vulnerabilities are surprisingly prevalent, even among popular projects, and often go unnoticed. We have reached out to affected vendors for remediation and hypothesise that this prevalence is attributable to a lack of detection mechanisms and key documentation on GitHub’s end. Additionally, we found that even when vulnerabilities are patched, they can be easily reintroduced by interpolating sanitised values. Our findings underscore the need for better tooling and awareness around securing GitHub workflows. Finally, we make our tool available as open source for both blue and red team security researchers to benefit from.
Blessing Mufaro Kashava
Rite of Passage: My Journey from BSides Volunteer to Black Hat Asia Attendee
From volunteering at BSides Cape Town to being sponsored to attend Black Hat Asia, I’ll share my unexpected journey and the power of community involvement in shaping my career in cybersecurity. Through this talk, I aim to inspire students to take that first step into getting involved with the cybersecurity community.
Ethan
Breaking the Barrier: Exploring modern WAFs.
In an era where web threats evolve as quickly as the technologies we deploy, the temptation to rely on Web Application Firewalls (WAFs) to mitigate holes in a web application’s security is high. But how effective are these digital shields? Could they be more prone to error than we think? This talk will uncover the gaps within our WAF defenses, examining a variety of WAF bypass techniques, both complex and simple. By showcasing these potential weaknesses, we can get a better understanding of the state of modern WAFs so that teams know what to expect when choosing to fall back on WAFs for “protection”.
Nunudzai Mrewa
SpeedRunners: The Hackers of the Gaming World
Speedrunning, the art of completing games with incredible speed, has evolved into more than a gaming feat—it’s a showcase of ingenuity, creativity, and technical prowess. This talk delves into the fascinating world of speedrunners, drawing parallels between their methodologies and those of cybersecurity professionals, while highlighting the significant impact on game development and software security.
Tinus
Dependable Red Teaming by using Confusion
Dependency Confusion, a DevOps supply chain attack path discovered in 2021, hasn’t really gotten the attention that it deserves. This is mainly due to a misunderstanding of how large the attack surface can be. In this talk, we will show how dependency confusion can be exploited to not just attack the pipeline, but covertly gain full access to PROD!
Johan VD Merwe & Jacob Simmons
Attack of the clones: Modern deepfake phishing
Recent trends have shown that the next evolution in phishing is the abuse of AI tooling to create realistic and believable deepfake clones. Organisational resilience against deepfake phishing is drastically behind the curve.
In this talk, we will investigate the state of the art, present case studies of actual deepfake attacks, examine the practical feasibility and ease of execution of these kinds of attacks as well as possible solutions to these problems.
Jonathon Everatt
DevOps or DevOops? Securing a Pipeline Without Losing Your Mind
This talk will follow a light-hearted take on the mistakes and solutions I had while setting up a GitLab to Jenkins to Tomcat CI/CD pipeline this year. Many of the configurations were insecure by default, and when approached with a mentality of “Make it work”, it just compounds the issue. The talk will go through each stage of the pipeline, the issues I found, the issues I caused and the solutions for both.
Callian
Find and fix Vulnerabilities within open source projects
It’s actually pretty easy to find and fix vulnerabilities within open-source projects. With the right tools and techniques, identifying security flaws and patching them can be a straightforward process.
In this talk, we’ll explore practical methods to detect vulnerabilities, from automated scanning to manual code review, and guide you through the steps to address them effectively.
Whether you’re a seasoned developer or new to open source, you’ll learn how to contribute to making projects more secure.
Let’s commit to securing open-source code—starting today, with your next pull request!
Roelof Temmingh
AI in OSINT - Zero snake oil
In this blink-and-you’ll-miss-it talk we cut all the introductions and waffle and, just like this abstract, get straight to the point 🙂 Can we use AI in OSINT? Spoiler – yes, and it’s pretty magical. We’ll show, on screen, how AI helped solve real(ish) world cases. That’s it.
Sharon Knowles
Unmasking the Digital Shadows: OSINT Techniques for Cybersecurity Professionals
The cyber threat landscape is becoming increasingly complex and sophisticated. Cybersecurity professionals are constantly challenged to stay ahead of attackers who exploit the anonymity of the internet to carry out malicious activities. Open Source Intelligence (OSINT) has emerged as a powerful tool in the cybersecurity arsenal, enabling professionals to uncover hidden threats, track malicious actors, and safeguard sensitive information.
Robin Roodt
Hacking the Airwaves: Beyond Relay Attacks!
This talk will dive into the fundamental concepts of the radio frequency (RF) Relay attack and how it could be used to attack different types of systems that make use of radio communication. The Relay Attack allows an attacker to extend the intended range of communication between two devices, deceiving them into believing that they are in close proximity to one another to perform some type of sensitive action, such as unlocking or starting cars, or making payments with PoS devices!
Jared Naude
Cloud Security Theater: Rising above the noise of misguided strategies
To secure cloud environments effectively, a modern operating model needs to be created to solve the real security challenges faced during cloud adoption. However, are security teams focusing on the right problems when it comes to cloud security, or are we just doing Cloud Security Theater?
Keith Makan
Attacking GraphQL : A guide for penetration testers
What’s GraphQL? How do I pwn it? And what do I write in my pentest report if I get this in a test? If these questions get your heart racing, fret not, this talk is for you!
GraphQL is, at minimum, yet another API technology your company can get horribly wrong. The technology has grown considerably as an API interface technology in the last few years. With the growing interest, security engineering has been a keen focus for deployments because the technology is new, promises a lot (i.e. strict data typing, query batching and nesting, rapid adaptability etc.) and may not deliver the same impact in all environments or use cases. Furthermore, in the contemporary landscape there are a number of services and open source projects that make this accessible, each with their own set of complexities and pitfalls. With all these newfangled environments, a novel query language, and wildly variable backends, pentesters and security engineers need a good overview in order to navigate a security assessment or deployment. The talk here aims to provide guidance to pentesters in navigating these environments, using the open source and free tooling on offer and delivering a good quality penetration test against GraphQL environments.