2020 was a year where many people were looking to find alternative work. Many turned to Sex Work but desired the ability to stay masked, famous while anonymous and above all safe. I created a Sex Workers Cybersecurity Toolkit a collection of tools designed to help keep sex workers and their identities safe while promoting and working online.

'============ ABSTRACT ============ .gov domains are especially vulnerable to Doppelgänger registrations and typosquatting. Many governments have used .com and .org names for decades but are now making the move and thereby creating fresh opportunities for impersonation. How effective are such attacks? What data could a bad actor intercept? We did an experiment to find-out -- 4 months, 42 domains, and some of the most populous city and county governments in the US and beyond. Financial data, PII, health records, confidential deals, critical infrastructure info, and even police intelligence bulletins are all up for grabs. Come see the practical results of an incredibly inexpensive, lawful, and difficult to mitigate information gathering tactic. ============ DETAILED OUTLINE ============ I. Intro [ 5 min ] A. .gov domains: perceived as more secure due to restrictions B. many govs used/use .com, .org, .net, .us, etc. for decades C. citizens, even gov employees, type .com without thinking II. An Experiment [ 5 min ] A. idea genesis: copied on an email with the wrong domain for another rcpt B. whoami(1) and why do I care? C. research project i. scrape Wikipedia to find most populous cities and counties ii. do look-ups to find available lookalike domains iii. register domains, set-up MX (do friendly bounce), redirect web visits to real site, log DNS queries iv. plan: capture months of data, advise real .govs for awareness, offer to xfer domains gratis v. capture vi. purge captured emails III. Findings [ 10 min ] A. 42 domains later... cities, counties, states, also foreign .gov.xx B. 400+ emails per month i. collage of drivers' licence photos received ii. collage of invoices sent to .govs (ripe for invoice fraud) iii. law enforcement intelligence -- oops, officers typed address wrong now we get everything iv. "secure" emails -- Zix, O365, Virtru, etc. -- not secure when we own the wrong email addresses C. lessons from DNS queries D. stats of web redirection E. we could have been bad: email looking like vendors or employees, inject malware into web traffic, phish, etc. F. who is doing this in the wild? What's their MO? IV. A New Hope [ 3 min ] A. amazing .uk safety net (also .uk let us do it anyway which is cool) B. gently telling .govs about this risk C. releasing domains to .govs and/or sinkholing them V. Lessons Learned [ 2 min ] A. citizens and .gov employees trust email implicitly B. even big .govs miss opportunites to deny good real estate to attackers C. you can steal .gov email and web traffic for $4/year VI. Questions [ 2 min ]

Many security researchers and analysts spend their nights with analyzing new attacks. Most of them use public services, threat intelligence feeds, OSInt and Recon techniques. I am not an exception. Usually we are tracking well known malware families and campaigns and their evolution. However, in some cases, it is possible to reveal even an APT attacks. This talk is about uncovering and tracking one APT attack targeting small European country. In March 2021 there was a sample submitted to online sandbox, which contains a reference to the local National Security Agency of that country. Analysis of this sample leads to Cobalt Strike beacon. Then, investigation of its C2 setup allowed researchers to use specialized Internet search engines and revealed even more C2 servers and find more older malware samples associated with this campaign and threat actor. Based on this case I would like to demonstrate how it is possible to uncover and analyze APT attacks even without enterprise-grade monitoring tools in the victim infrastructure. From the point of view of independent researcher without any access to the affected systems, using only tools and services such as Any.Run, Hybrid Analysis, VirusTotal, Shodan, Censys, etc.

Have you wanted to increase automation within your recon workflows but not sure where to begin? How do you aggregate thousands of script output files, compile them into datasets, and display the information as actionable, normalized intelligence? Instead of sleeping, I spent the past year building a cloud-powered, fully automated recon ecosystem. With a year of failures, lessons learned, redesigns, and eventual success, I am excited to share the designs, accelerators, code, and strategies for a usable automation ecosystem that can scale across every bug bounty program. Although the use cases are tailored to bug bounty; the principles, strategies, and foundational code can be leveraged to support pentesting, OSINT, attack surface discovery, as well as improving internal security capabilities. This talk will provide walkthroughs, share lessons learned, strategies on tool chaining, scripts to normalize output from common tools, and the starter code which was the most challenging and tedious component for getting started. Detailed blog posts, architecture designs, and a Github repository of accelerator code will be provided to supplement the talk.

When we think "Social Credit Score", we probably imagine some overbearing Nation State that keeps track of everything we post on social media and using what we share to influence our behaviour or even go as far as validating our right to participate in society. There are also those out there who wish we didn't hold opinions that may be different from their own; who feel that we, namely "you", don't deserve a social following, or to even participate in the conversation. Can we bring these people to the surface of our feeds before it becomes a headache? What metrics would we use to create a "Social Threat Score" so that we may be better prepared for an attack of the "social mob" variant? Let's find out.

Threat actors need infrastructure like servers on the Internet for propagation, gathering data, etc. Not every time but many times they reuse a component even if they are known as APT groups. Reusing something creates a possibility of tracking. There is a methodology “adversary infrastructure tracking” which is based on this bad habit of adversaries. The methodology includes the following techniques: - Passive DNS monitoring - SSL certification monitoring through Certificate Transparency - HTTP response based monitoring through Internet-wide scan engines (Shodan, Censys, etc.) I will explain the basics of adversary infrastructure tracking and introduce an OSS tool, Mihari, to automate the tracking. - https://github.com/ninoseki/mihari Mihari can query across 15+ services including Shodan, Censys, VirusTotal, etc. and ingest query results into the database. Also, it can emit findings to MISP, TheHive and Slack. Mihari makes the tracking easier and enables you to focus on analyzing not the tracking. I will demonstrate how you can use this tool with practical examples.

For any pentesting, the first phase is the “Reconnaissance Phase”.But if you see bug bounty hunting we use it for increasing our attack surface and finding more hidden endpoint. In this talk,will cover the short brief info of what we can do if we get a target and also what is the next step or how can we use that for finding more vulnerabilities.Also manual recon vs Automation and also explaining the Pros and Cons of Automating Recon

Follow me live as I show you how to start with any seed information and pivot enough to unveil the bigger picture. Verify information with public records, connect the dots and in the process, pivot further. The presentation walks through the process live, from beginning to end on how an investigator would take 1 or 2 pieces of "seed" information about a target and build an entire mind map of information. While the demo will show some basic OSINT techniques, it will primarily focus on the process and advanced techniques to obtain and verify information on an asset or person of interest. Techniques used by hackers will be incorporated for advanced techniques that may include Kali Linux, cracking, spoofing, url manipulation, automation, scraping, breached data, and public government records. Experience, intuition and knowledge in OSINT will all be displayed and talked about throughout the live demo.