The Infosec Song Remains The Same – RVAsec 2023 – June 13, 2023 – video | slides – Throughout my journey in information security, many challenges have remained the same. This talk recaps some of my previous presentations and discusses how we have the same difficulties today and still no great solutions. I cover how to get people into information security, firmware security, and the digital supply chain.
Eclypsium Webinar 2023: The Force of Zero Trust – video | slides – If you ever wanted several analogies between Star Wars and Zero Trust, this presentation is for you! Also, registration is no longer required to view this presentation. Original description: You may associate Zero Trust with the Dark Side. One could perceive Zero Trust as a term used by the Empire to describe many different aspects of a security program. No fear; the Eclypsium rebels are here to dispel the myths and show you the ways of the force of Zero Trust.
BSides Charm 2023: Protecting Yourself From Supply Chain Attacks – Trust Is Overrated – video | slides – How can you trust all of the hardware and software you use daily? Hardware, firmware, and software each have a unique (often complex) supply chain. I believe we extend far too much trust to the supply chain and do not verify the integrity of our hardware and software components. Using open-source and free tools, learn how to enumerate and validate the integrity of your devices in this talk!
ShmooCon 2023: The UEFI Threat: Or How I Can “Permentantly” Brick Your Computer – video | slides – What happens when you analyze over 100k firmware images? The firmware inside your PCs, servers, and laptops often flies beneath the radar of IT and security teams. Looking at just one type of firmware on your computer, UEFI (the replacement for BIOS), offers a wide range of attack surfaces. I was curious about UEFI’s available protections, specifically for the SPI flash it is stored on. In this presentation, you’ll learn what’s stored there, how it’s often not protected correctly, and how to protect it. We will not just theorize; the data for this presentation comes from the analysis of thousands of UEFI firmware images, and from that data we can determine the most common misconfigurations. Some may say that the manufacturer should provide properly configured firmware, and this presentation will show that this does not happen as often as it should. The solutions are complex, as your computer comprises hardware and software from multiple manufacturers participating in an even more confusing supply chain.
2022:
Firmware Enumeration Using Open Source Tools (BHIS Cybercast) – video | slides – In this Black Hills Information Security (BHIS) webcast, Paul shares free and open-source tools and techniques to evaluate the security state of the firmware that lives inside your devices and servers. Topics include: using utilities such as dmidecode, fwupd, dbxtool, and CHIPSEC to explore devices and firmware; enumerating and updating the firmware within your system using LVFS (Linux Vendor Firmware Service); enabling Secure Boot and its components (and keeping your DBX up to date using new functionality in LVFS!); discovering Intel ME/AMT and associated vulnerabilities; and using CHIPSEC to understand the permissions applied (or not applied) to your SPI flash chip.
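The two firmware talks above (the ShmooCon 2023 SPI flash analysis and this BHIS enumeration webcast) both come down to reading a few values off the machine and interpreting them. The following POSIX shell script is an added example written for this page; it is not code from either talk, from BHIS, or from CHIPSEC. It decodes the SecureBoot EFI variable the way `mokutil --sb-state` does, and interprets an Intel ICH/PCH BIOS_CNTL value and an SPI Protected Range (PRx) register value along the lines of what CHIPSEC’s `bios_wp` module reports. It assumes the efivars layout (4 attribute bytes then data), the classic BIOS_CNTL bit positions (bit 0 BIOSWE, bit 1 BLE, bit 5 SMM_BWP) and the classic 13-bit PRx base/limit layout; the verdict labels are this example’s own wording, and all sample inputs are constructed.

```shell
#!/bin/sh
# Added example for this page; not code from the talks, BHIS or CHIPSEC.
# On a real Linux host you would point sb_state at
# /sys/firmware/efi/efivars/SecureBoot-<guid> and take BIOS_CNTL / PRx
# values from CHIPSEC output; everything below uses CONSTRUCTED input.

SB_GUID=8be4df61-93ca-11d2-aa0d-00e098032b8c

# efivars exposes each variable as 4 bytes of attributes followed by its
# data. SecureBoot's data is a single byte: 1 = enabled, 0 = disabled.
sb_state() {
    sb_byte=$(od -An -tu1 -j4 -N1 "$1" 2>/dev/null | tr -d ' ')
    case "$sb_byte" in
        1) echo enabled ;;
        0) echo disabled ;;
        *) echo unknown ;;   # missing file or truncated variable
    esac
}

# BIOS_CNTL (assumed ICH/PCH layout): bit 0 BIOSWE (write enable),
# bit 1 BLE (lock enable), bit 5 SMM_BWP (writes only from SMM).
#   bios-writable : BIOSWE=1 or BLE=0, the BIOS region can be written
#   ble-only      : BLE=1 but SMM_BWP=0, the lock can be raced from
#                   outside SMM (the "Speed Racer" class of weakness)
#   protected     : BIOSWE=0, BLE=1, SMM_BWP=1
bios_cntl_verdict() {
    bc=$(( $1 ))
    bioswe=$(( bc & 1 ))
    ble=$(( (bc >> 1) & 1 ))
    smm_bwp=$(( (bc >> 5) & 1 ))
    if [ "$bioswe" -eq 1 ] || [ "$ble" -eq 0 ]; then
        echo bios-writable
    elif [ "$smm_bwp" -eq 0 ]; then
        echo ble-only
    else
        echo protected
    fi
}

# SPI Protected Range register (assumed classic layout): bits 12:0 base
# and bits 28:16 limit are 4 KiB-granular flash offsets, bit 31 is WPE
# (write protect enable). Newer PCHs widen the fields; adjust the masks.
pr_decode() {
    pr=$(( $1 ))
    wpe=$(( (pr >> 31) & 1 ))
    base=$(( (pr & 0x1FFF) << 12 ))
    limit=$(( (((pr >> 16) & 0x1FFF) << 12) | 0xFFF ))
    printf 'wpe=%d base=0x%06x limit=0x%06x\n' "$wpe" "$base" "$limit"
}

# Constructed demo: a fake efivars file (attributes 0x06, value 1).
demo_dir=$(mktemp -d)
printf '\006\000\000\000\001' > "$demo_dir/SecureBoot-$SB_GUID"
echo "Secure Boot: $(sb_state "$demo_dir/SecureBoot-$SB_GUID")"
rm -rf "$demo_dir"

# Constructed register values of the kind CHIPSEC prints.
for bc in 0x2A 0x02 0x01; do
    echo "BIOS_CNTL=$bc -> $(bios_cntl_verdict "$bc")"
done
echo "PR0=0x8FFF0800 -> $(pr_decode 0x8FFF0800)"
```

The point of keeping the three checks together is that they fail independently: Secure Boot can be on while the flash is fully writable, and a locked BIOS_CNTL without SMM_BWP still leaves the race window the ShmooCon talk’s misconfiguration data is about. A PRx with `wpe=1` covering the BIOS region is the alternative protection CHIPSEC falls back to when BIOS_CNTL alone does not pass.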
2021:
Hacker Heroes: Building The Next Generation Of Hackers – video | slides – I spoke about hacking culture and mindset, as people often misunderstand hackers. In turn, people are afraid to be a hacker or pursue a career in information security because they don’t fit the mold and/or believe they need extraordinary technical skills. During the presentation, you’ll look from another angle at what defines a hacker, see examples of hackers throughout history, and learn how we can influence the next generation.
2018:
Everything Else I Learned About Security I Learned From Hip Hop – video (Derbycon 8) – Original description: “Come along on a fantastic voyage and learn about Hip Hop and how it relates to information security! When I was growing up there were two things that intrigued me, computers and rap music. Using examples from my favorite genre of music, we’ll explore some interesting facets of rap music, and discuss the lessons and parallels to security today. There will be no half steppin’. It will be dope as it allows us to dig into topics such as: Is security a fad? How do we differentiate a fad from something here to stay? Encouraging youth to become security engineers, a call-to-action for the community. Deviating from established norms and setting trends: few truly change the industry, and who will change the security industry in the near future? Remembering those who have passed on and learning from their work. How true experts practice their craft (and how to best utilize their skills and share the knowledge). Few things are truly original (and it’s okay, in most cases). Not all legends reach the same pinnacle of success: what separates the best from the rest? How experts make career pivots and actually pull it off. New isn’t always better. We all have beefs (and there are better ways to resolve them; and no, we’re not going to dig into social media beefs). You can expect to learn a little about rap music, and the history of the rap genre, in this talk. We’ll focus on the security side by exploring industry trends and fads, tips on how to manage your career, and how to continue positive trends in the security community. Don’t be whack, attend this talk! This is a sequel to “Everything I Learned About Security I Learned From Kung Fu Movies”, and expectations should be set as such. I will share my favorite lists of rap artists, albums and tracks, and even a few Spotify playlists.”
2017:
Everything I Need To Know About Security I Learned From Watching Kung Fu Movies – video (webcast), video (Derbycon 7), video (BSides Boston) | slides – Original talk description: “Are you an aspiring or current security professional overwhelmed with how to get into and be successful in information security today? Kung Fu can help. Specifically, Kung Fu movies can help. Take it from me, a security professional and kung fu movie nerd here to help. Whether you are a fan of Kung Fu movies or not, this will be an entertaining and informative look at various aspects of problems in computer security and how the lessons learned from Kung Fu movies can help. We’ll discuss how to effectively learn about computer security, student and teacher dynamics, practical security tactics for defense and offense, and explore some of security’s political and social aspects. In the end, you’ll learn some tips and tricks to be more successful in breaking into the security field, being successful at your job as a defender, and better understanding security politics. If that’s not enough for you, this presentation requires audience interaction (no Kung Fu demonstrations will be performed unless the audience requests). (Insert signature “Whaaaaaaaaaaa” sound here) More detailed topics will include: your teacher may be reluctant to teach you (and how to overcome this challenge), the consequences of taking shortcuts in your training, there will always be adversaries more skilled than you (and how to get over it), the best defense is to have a good offense, the “softer” skills will more likely than not lead you to victory, and heroes don’t always start out as such (and that’s okay).”
IoT Security: My Worst Nightmares Come True and How To Sleep Better At Night – Source Boston 2017 – slides – IoT stuff was still broken…
2015:
Crash The IoT Train Yourself: Intentionally Vulnerable WRT (IV-WRT) – BSidesLV 2015 – video – An attempt at an intentionally vulnerable version of OpenWRT.
2014:
The Internet of Insecure Things: 10 Most Wanted List – NOLA Con 2014 – slides – Original description: “In this talk I will quickly bring you up to speed on the history of embedded device insecurity. Next, we will look at a real-world example or two of how devices are exploited (and attackers profited). Finally, you will learn what we can do to help fix these problems and push the industry toward a much higher level of security for devices affecting our daily lives. You may have heard about this threat, one that has plagued our lives and networks for well over a decade. A problem so ubiquitous, it can’t be ignored. Yet, this threat has a history of hiding in plain sight. Users are, for the most part, unaware of the dangers. Security researchers and the media have attempted to highlight this problem for years, without making an impact on improving security. However, vendors and users are still very much at risk and the problem is still largely being ignored by the masses. The Internet of Things (IoT) aims to make our lives better, yet there is still no foundation for security controls on the devices that allow us to access the Internet, listen to music, watch television, control the temperature in our homes and more. The goal of this talk is to enable the audience to help raise awareness and influence the security of embedded systems in a positive way.”
2010:
Embedded Systems Hacking and My Plot To Take Over The World – Brucon 2010 – video | slides – Before we called it IoT!