Knoxville is home to many well-known attractions, including the University of Tennessee, the Tennessee Valley Authority (TVA), and Dolly Parton. Visually, you know you are in Knoxville when you see the Sunsphere: a 23-metre-tall golden glass sphere sitting atop an 81-metre-tall steel tower. The monument, built for the 1982 World's Fair to celebrate advances in energy, watched over us as we gathered to celebrate advances in cybersecurity at BSides Knoxville 2024.
This year marked the 10th anniversary of the Tennessee-based BSides, and it was the biggest event yet. Over 400 attendees came together to exchange knowledge, share experiences, and celebrate a decade of cybersecurity innovation. It is hard to cover all the sessions across the two speaker tracks, the lock-picking, the remote-controlled robot hacking, and all the other little things that happened at the event. Here are some highlights.
Context is key in vulnerability management
One of the youngest presenters at BSides, Meghna Vikram, a high school senior, presented her research findings in a session called "Who Makes the Rules?" She described her efforts to use machine learning to more thoroughly patch vulnerabilities in JavaScript code.
Her first step was to find a vulnerability analysis tool that could output findings in a format that was easy to work with. She settled on a static analysis tool that generates YAML, a machine- and human-readable format whose structure is defined by indentation. Her hypothesis was that while most SAST tools provide valuable findings in general, the version she was using did not provide detailed information about how each vulnerability might have been introduced.
For example, a tool she ran quickly indicated that a cross-site scripting (XSS) vulnerability was present, but further research into the vulnerability database revealed that there were over 39,000 ways that XSS could be introduced. Knowing that a vulnerability exists is useful, but she is working on tooling that will show her exactly how each vulnerability was introduced into the code.
Meghna said she was amazed that, after multiple rounds of training and experimenting with prompts, ChatGPT, the model she relied on, began to provide deeper context for each issue and even examples of what the affected code would look like. Though her research is still in its early stages, it is clear that AI-assisted security tools will play a role in training developers and helping them do their jobs.
Cybersecurity experts, this is easy!
Rarely has a speaker fit so fully into the overall atmosphere of a conference. Joshua Jones, Senior Compliance Consultant at Contextual Security Solutions, presented his findings in a Sherlock Holmes-themed talk, "The Baskervilles Compromise: Holistic Testing in the Age of 'Automagic.'" Not only did Joshua quote many famous lines from Sir Arthur Conan Doyle's classic novel, he also discussed the role of AI in security testing and the importance of getting the basics right.
From the Trojan Horse to the Enigma machine, Joshua used the evolution of military forces up to World War II as an example of how security has evolved over time. AI or not, all tools ultimately require human oversight and strategic deployment. Defenders must understand the nuances of the systems they protect, and AI should be viewed as a means to strengthen defenses, not as a standalone solution.
Joshua used the classic detective story "The Hound of the Baskervilles" to show how Watson plays a role similar to AI, performing the simple data-gathering tasks so that Holmes, or we, can step in at the right moment to solve the case. Like Watson, AI can play a vital role, but it lacks the self-awareness needed to reach the necessary conclusions and take the necessary actions. He concluded by saying that while AI will change the "how" of security, the "why" will remain rooted in the fundamental human values of protection and resilience.
To understand the history of hacking, you need to understand “phreaking”
The always colorful Matt Scheurer, ThreatReel podcaster and VP of Security at a major US organization, took attendees on a nostalgic journey through the history of telephones and their relationship to hacking in a session called "The History of Lies, Phone Calls, and Hacking." Carrying a suitcase filled with technology from the past 60 years, he explained the history of the telephone system and how the subculture of phone hacking evolved.
The talk began with the story of how we got from manual exchanges to dial tone and how ingenious hackers explored and exploited these systems. He said that in the early days the scene was driven by a thirst for knowledge, mischief, and a desire for free calls, especially since long-distance calls cost more than a dollar a minute in the 1970s and 1980s. Along the way, he showed off his collection of tools, including an acoustic coupler like the one seen in the movie "WarGames," a blue box (a device that generates a 2600 Hz tone, which once allowed free long-distance calls), and an interesting device that could be plugged directly into a telephone line.
Matt also discussed modern phone fraud, including the dangers of vishing (voice phishing), SMiShing (SMS phishing), and mobile SIM swapping. The techniques used by today's attackers have evolved over decades, and although the technology has changed, the principles of social engineering and exploitation remain the same. Communications systems are the backbone of IT, so securing them requires continued vigilance.
Community and collaboration in the age of AI
While many of the talks at BSides Knoxville focused on the role of AI, one overall theme stood out: holistic security, which means getting the basics right. Speakers stressed the importance of raising security awareness among all teams across an organization and the role that security champions play in keeping us all safe at every level.
While the tools continue to change, the mission and core ideas remain the same. Now in its 10th year, BSides Knoxville 2024 celebrated a vibrant and dynamic cybersecurity community. It was a great day to reflect on the past, understand where we came from, and discuss the challenges ahead. Fortunately, one thing we can all look forward to is more BSides events in the future. We hope you will join us soon, at a BSides near you!
This is a Security Bloggers Network syndicated blog from the GitGuardian Blog – Code Security for the DevOps generation, by Dwayne McDaniel. Read the original post here: https://blog.gitguardian.com/bsides-knoxville-2024/