BSidesSF 2021 has ended

Saturday, March 6
 

12:00pm PST

Opening Remarks

Speakers

Reed Loden

Director of Security, HackerOne
Reed Loden is the Director of Security at HackerOne, the #1 hacker-powered security platform. He is an information security expert, hacker, and developer. Reed brings over 14 years of security experience to his role at HackerOne where he is charged with protecting the company’s...


Saturday March 6, 2021 12:00pm - 12:10pm PST
Stream

12:00pm PST

Reddit Q&A Sessions with presenters, villages, and sponsors
Join us on Reddit (https://www.reddit.com/r/BSidesSF/) to ask questions AMA style about the presentations as well as talk with our villages and sponsors.

Saturday March 6, 2021 12:00pm - 4:00pm PST
Reddit

12:10pm PST

Switched On: Behavioral Science, hypervigilance, and the human impact of cyber-defense and crisis management
Streaming at https://youtu.be/ljBju-TONss
Join us at r/BSidesSF on Reddit for live AMA style Q&A

(New - Live)

Moderators

Will Killgallon

Mr Killgallon is an experienced risk management executive with a Fortune 10 ranked multi-national. William served with the US Secret Service and Department of Defense in various security, intelligence, and risk management leadership roles before leaving in 2014 to create the Global...

Speakers

Susan Owen-Langley

Susan Owen Langley is an experienced Employee Assistance consultant who has worked with employees from the front lines to the C-Suite of Fortune 500 companies. She provides clinical counseling, work performance coaching, wellness education seminars, Change Management coaching, Critical...

Bob Lord

Bob Lord is the Chief Security Officer at the Democratic National Committee. In this role he works to secure the Committee, as well as helping state parties and campaigns. Previous roles include being the CISO at Yahoo, CISO in Residence at Rapid 7, and before that he headed up Twitter’s...

Jeanine Stewart

Jeanine Stewart, PhD, PCC [She/Her/Hers] is an organizational systems neuroscientist and executive coach who consults with leaders in technology, government and Fortune 100 organizations. Jeanine supports leaders and initiatives that foster human performance and successful change...

Sponsors

Netflix

Mental Health Panel


Saturday March 6, 2021 12:10pm - 1:00pm PST
Stream

1:10pm PST

Visualizing Security
Streaming at https://youtu.be/ljBju-TONss
Join us at r/BSidesSF on Reddit for live AMA style Q&A with the original speaker

(2020) Data analysis and visualization skills are becoming a critical part of the security domain. To learn what makes for good analysis and visualizations, this talk will share and explore real-world security analyses and visualizations (and animations) I've worked on over several years.

Speakers

Jay Jacobs

Jay is a co-founder and Chief Data Scientist at Cyentia Institute. Prior to Cyentia, Jay served as the Lead Data Analyst on the Verizon Data Breach Investigations Report and is the co-founder of the Society for Information Risk Analysts. Jay also co-authored Data-Driven Security...


Saturday March 6, 2021 1:10pm - 1:45pm PST
Stream

1:45pm PST

Lockpick Extreme
Streaming at https://youtu.be/ljBju-TONss

Locks are puzzles you can solve without a key and we love sharing these puzzles with the world! Lockpick Extreme is dedicated to bringing fun and welcoming lockpicking to all audiences. Our village focuses on easy to learn lockpicking knowledge and the fact that lockpicking is truly for everyone. Learn more on our website about lockpicking or about hosting your own remote or in-person lockpicking workshop for your next team building or marketing event! LockpickExtreme.com

Join us at r/BSidesSF on Reddit for live AMA style Q&A

Saturday March 6, 2021 1:45pm - 2:15pm PST
Stream

2:20pm PST

Non-Political Security Learnings from the Mueller Report
Streaming at https://youtu.be/ljBju-TONss
Join us at r/BSidesSF on Reddit for live AMA style Q&A with the original speaker

(2020) The Mueller Report had a trove of forensics evidence around how the DNC & DCCC were compromised. By reading the Report through a critical security lens we can gather a trove of learnings around how access was gained, how their networks were traversed, & what we can do to defend our organizations.

Speakers

Arkadiy Tetelman

Arkadiy is Head of Application & Infrastructure Security at Chime. He is passionate about all things security, ranging from technical, to policy and legal, to security management and leadership. He contributes to several open source projects and has spoken on topics of security across...


Saturday March 6, 2021 2:20pm - 2:40pm PST
Stream

2:45pm PST

Hacking the Law: Are Bug Bounties a True Safe Harbor
Streaming at https://youtu.be/ljBju-TONss
Join us at r/BSidesSF on Reddit for live AMA style Q&A

(2018) In the wake of recent media headlines, bug bounties emerge as a murky legal landscape to navigate. While the vulnerability economy is booming, a novel survey of bug bounty terms reveals that platforms and companies sometimes put hackers in “legal” harm’s way, shifting the risk for civil and criminal liability towards hackers instead of creating safe harbors. This practice already resulted in one public story concerning a bug hunter being allegedly threatened with legal action under the CFAA. This is a call for action for industry stakeholders to influence this emerging landscape of cyberlaw, since hackers’ actions speak louder than scholars’ words. I suggest simple steps that could be taken to minimize the legal risks of more than 120,000 hackers participating in bug bounties. I further suggest that the industry should move towards standardization of legal terms, in light of the recent DOJ framework. Hackers will learn not only which terms they should beware of in light of recent developments in anti-hacking laws, but which terms they, individually and through the platform, should demand to see to ensure “authorized access.” Contracts and laws will continue to play a role in this murky landscape, therefore hackers should start paying attention to the fine print and demand better terms.

Speakers

Amit Elazari

Dr. Amit Elazari is a Director, Global Cybersecurity Policy at Intel Corporation and a Lecturer at the University of California (U.C.) Berkeley School of Information Master in Information and Cybersecurity, as well as a member of the External Advisory Committee for the Center of Long...


Saturday March 6, 2021 2:45pm - 3:10pm PST
Stream

3:15pm PST

Friend or Replicant: How Attackers Automate and Disguise Themselves in a Shroud of Authenticity to Gain Followers, Control Influence, and Malign Credit
Streaming at https://youtu.be/ljBju-TONss
Join us at r/BSidesSF on Reddit for live AMA style Q&A

(2019) Is this "real"? This is the story of how attackers today leverage a variety of tools and tricks to impact the influence landscape at scale. Many have heard of "fake news" and know that those "friends," "matches," or "followers" might not all be real; the information we consume is inflated with likes and ratings generated by coordinated attackers utilizing anything from users' browsers to IoT devices.
How are these fake accounts and likes and clicks created? To what extent are they "real"? This session will explore the fake account ecosystem, with specific focus on the lifecycle of a fake account and how specific tools and attacks are used to create likes and clicks; sometimes through automation and emulators, sometimes using real people through phone farms, mechanical turks, and sweatshops. We'll dissect the different main attack vectors and how they are being exploited:
Content: repurposed to fit a different context,
Access & Authentication: gained through Account Takeovers and credential cracking,
Fake Accounts: created strategically to build trust,
Usage: to emulate "real" users and not get caught
Together, we’ll workshop practical steps to building an army of influencers (on a budget) using off-the-shelf tools and show some more advanced techniques seen in attacks today.

Speakers

Anna Westelius

Anna Westelius is a Scandinavian expat and Security Researcher, Analyst & hacking enthusiast turned technology strategist; currently on the Netflix Security team, leading their security services engineering organization.


Saturday March 6, 2021 3:15pm - 3:45pm PST
Stream

3:50pm PST

OWASP
Streaming at https://youtu.be/ljBju-TONss

Find out what makes OWASP great through an introduction to OWASP, its chapters, and its many projects and guides.

Join us at r/BSidesSF on Reddit for live AMA style Q&A

Saturday March 6, 2021 3:50pm - 4:00pm PST
Stream
 
Sunday, March 7
 

12:00pm PST

Give away security's Legos
Streaming at https://youtu.be/Zhu00aOcF3w
Join us at r/BSidesSF on Reddit for live AMA style Q&A

(2020) It’s common to hear of security teams that feel overwhelmed. They have too many alerts, too many design reviews, too many approvals, too many everything! What if I told you we can reduce risks and scale security by reducing what security teams do? How? By dumping the centralized, traditional security team.

Speakers

Fredrick "Flee" Lee

Fredrick “Flee” Lee is the Chief Security Officer at Gusto, where he leads information and physical security strategies including consumer protection, compliance, governance, and risk. Before Gusto, Lee spent more than 15 years leading global information security and privacy efforts...


Sunday March 7, 2021 12:00pm - 12:40pm PST
Stream

12:00pm PST

Reddit Q&A Sessions with presenters, villages, and sponsors
Join us on Reddit (https://www.reddit.com/r/BSidesSF/) to ask questions AMA style about the presentations as well as talk with our villages and sponsors.

Sunday March 7, 2021 12:00pm - 4:00pm PST
Reddit

12:40pm PST

How to Orchestrate a Cyber Security Incident Tabletop Exercise
Streaming at https://youtu.be/Zhu00aOcF3w
Join us at r/BSidesSF on Reddit for live AMA style Q&A

(2019) "Assume breach" helps incident responders prepare for the next major cyber security incident. Ask yourself—What would you do if an attacker were inside your systems? In this interactive presentation, the speaker will present a hypothetical security incident and guide you through a simulated timeline of events. She will engage with the audience and ask questions like, "What would you do next?"


Sunday March 7, 2021 12:40pm - 1:15pm PST
Stream

1:15pm PST

EFF
Streaming at https://youtu.be/Zhu00aOcF3w

EFF’s Director of Investigations Dave Maass provides an overview of police surveillance technologies used at protests in the United States. If you would like to support our work, be sure to donate and become a member at https://eff.org/eff30!

Join us at r/BSidesSF on Reddit for live AMA style Q&A

Sunday March 7, 2021 1:15pm - 1:40pm PST
Stream

1:40pm PST

How to 10X your Security (without the series D)
Streaming at https://youtu.be/Zhu00aOcF3w
Join us at r/BSidesSF on Reddit for live AMA style Q&A

(2020) I’ll summarize and distill the insights, unique tips and tricks, and actionable lessons learned from a vast number of DevSecOps/modern AppSec talks and blog posts, saving attendees 100s of hours. I’ll show where we’ve been, where we’re going, and provide a lengthy bibliography for further review.

Speakers

Clint Gibler

Clint Gibler (@clintgibler) is the Head of Security Research for r2c, a startup working on giving security tools directly to developers. Previously, Clint was a Research Director at NCC Group, a global security consulting firm, where he helped companies implement security automation...


Sunday March 7, 2021 1:40pm - 2:25pm PST
Stream

2:30pm PST

Anti-Privacy Anti-Patterns
Streaming at https://youtu.be/Zhu00aOcF3w
Join us at r/BSidesSF on Reddit for live AMA style Q&A

(2019) In this talk, we will examine key research findings and technological innovations of the past 20 years that have led to the accepted practice of collecting all of the data. We show the difference between tangible (e.g. PII) and non-tangible data and show how seemingly harmless data can still be used to derive behavior (with examples!). We also examine how one's perspective on privacy can change depending on role or background, and propose a perspective shift if we are to try to maintain digital privacy today.

Speakers

Sarah Harvey

Sarah leads the Privacy Engineering team within the Security org at Square. Her background includes 10 years of security/privacy experience wearing a variety of hats, including but not limited to: privacy research, security design/review, systems and infrastructure engineering, and...


Sunday March 7, 2021 2:30pm - 3:00pm PST
Stream

3:00pm PST

Managing the Assets of your Security Career
Streaming at https://youtu.be/Zhu00aOcF3w
Join us at r/BSidesSF on Reddit for live AMA style Q&A

(2020) Security folks often struggle to get quality feedback and to build influence ahead of promotion. In this session I provide tooling and strategies for “asset management” of stakeholders that will grow your influence, increase your visibility in an organization, and improve your chances of a successful promotion.

Speakers

Kyle Tobener

Kyle Tobener is a Director of Enterprise Security at Salesforce. He began his professional career as a zoologist but fled the jungle to return to San Francisco and focus on tech. His specialty is application security, with a side dish of 3rd party / supply chain security. In his free...


Sunday March 7, 2021 3:00pm - 3:25pm PST
Stream

3:30pm PST

IoT Village
Streaming at https://youtu.be/Zhu00aOcF3w

Embedded device researchers often come across traditionally valuable vulnerabilities, such as command injection, whose exploitation is limited to authenticated, LAN-side users. From an attacker’s point of view, these restrictions are less than ideal for remote compromise. How can such bugs be weaponized for use in actual exploits? For the Lenovo ix4-300d NAS, the key to a successful attack lies in the victim’s web browser. In this livestream, ISE Labs will demonstrate the chaining of two unrelated vulnerabilities against the ix4-300d—cross-site scripting and command injection—to show how remote, unauthenticated adversaries can abuse the browser to gain root access to LAN targets.

Join us at Discord here: https://discord.gg/dC4729FHEY
Join our labs here: https://labs.iotvillage.org/

Sunday March 7, 2021 3:30pm - 4:10pm PST
Stream
 
Monday, March 8
 

12:00pm PST

Coronavirus: What Science Says Leaders Should Do
Streaming at https://youtu.be/Lhd5ldoCuG8
Join us at r/BSidesSF on Reddit. Original presenters will not be available, but participant discussion is encouraged.

(2020) The coronavirus is rattling markets and whipping communities into a frenzy. In times like these, it’s important for leaders to stay cool under pressure, make the right decisions for all stakeholders, and then execute those decisions effectively. But uncertainty lies at the heart of this crisis, so what exactly are leaders to do?

Join Dr. David Rock, Dr. Jay Van Bavel, and Dr. Kamila Sip as they examine the impact our ongoing health scare is having on leaders and employees. Our hosts will identify the big decisions leaders need to make, how to offset threats and keep people engaged, the opportunities that exist to make virtual work a reliable (and maybe even superior) alternative, and more.

Sponsors

Netflix

Mental Health Panel


Monday March 8, 2021 12:00pm - 12:50pm PST
Stream

12:00pm PST

Reddit Q&A Sessions with presenters, villages, and sponsors
Join us on Reddit (https://www.reddit.com/r/BSidesSF/) to ask questions AMA style about the presentations as well as talk with our villages and sponsors.

Monday March 8, 2021 12:00pm - 2:00pm PST
Reddit

1:00pm PST

Dispatch: Crisis Management Automation When Everything is on Fire
Streaming at https://youtu.be/Lhd5ldoCuG8
Join us at r/BSidesSF on Reddit for live AMA style Q&A


(2020) We built Dispatch to automate our entire crisis management lifecycle, from initial report, to resource creation, participant assembly, task tracking and post-incident reviews. We want you to use it someday too, so we'll explain how it helps us, and why you should check it out.

Speakers

Marc Vilanova

Marc is a Senior Security Engineer at Netflix where he helps drive security incidents to resolution, and designs and develops automation for crisis management and digital forensics. Marc previously worked for Facebook as a Security Engineer where he focused on building automation for...


Monday March 8, 2021 1:00pm - 1:30pm PST
Stream

1:30pm PST

How to Kill an AWS Access Key
Streaming at https://youtu.be/Lhd5ldoCuG8
Join us at r/BSidesSF on Reddit for live AMA style Q&A

(2020) AWS Access Keys are great for attackers; powerful and sitting in plaintext. The Security Token Service enables short-lived credentials, but the path to getting that to work for humans isn't simple. Assuming zero level of expertise, we'll cover how our company killed off our static access keys.

Speakers

Benjamin Hering

Benjamin Hering is a Security Architect at ASAPP. His career focuses on leveraging technology to improve organizations and people in both the for-profit and non-profit spheres; making technology meet people where they are rather than the other way around.


Monday March 8, 2021 1:30pm - 2:00pm PST
Stream
 
Tuesday, March 9
 

12:00pm PST

Offensive Javascript Techniques for Red Teamers (Or Anyone Really)
Streaming at https://youtu.be/wa_T8vAv9kg
Join us at r/BSidesSF on Reddit for live AMA style Q&A

(2019 / 2021) AppSec is often very heavily focused on pre-exploitation. Frameworks like BeEF break this norm a little and can be used as tools to move laterally from the browser, to implant malware on adjacent machines. Unfortunately, performing network reconnaissance with JavaScript becomes tricky if the victim doesn't keep the tab open for long.

This presentation will discuss relatively new techniques and features of JavaScript that have made it easier for sophisticated threat actors to craft JavaScript payloads that target internal network vulnerabilities, as fast as a person can think to close a tab. We'll also show new reconnaissance techniques traditionally used by red teams, post-malware implant, that can be used to get a foothold onto a network from a browser, pre-malware implant. We'll also show some real examples of this, crafting external payloads that target internal assets at large companies, and we'll show how responsible disclosure for intranet facing bugs typically gets resolved.

Speakers

Dylan Ayrey

Dylan is a security researcher who has open-sourced a number of tools such as Trufflehog, and has spoken at a number of conferences including Defcon/Blackhat.

Christian Frichot

Christian 'xntrik' Frichot (he/him) is an application security nerd who spends his free time trying to avoid computers. Currently working for HashiCorp, Christian used to contribute a lot to BeEF, and has helped put together words for The Browser Hacker's Handbook. He's also been...


Tuesday March 9, 2021 12:00pm - 12:40pm PST
Stream

12:00pm PST

Reddit Q&A Sessions with presenters, villages, and sponsors
Join us on Reddit (https://www.reddit.com/r/BSidesSF/) to ask questions AMA style about the presentations as well as talk with our villages and sponsors.

Tuesday March 9, 2021 12:00pm - 2:00pm PST
Reddit

12:45pm PST

So you're the first security hire
Streaming at https://youtu.be/wa_T8vAv9kg
Join us at r/BSidesSF on Reddit for live AMA style Q&A

(2020) You're the first security hire at a company, where do you start? How do you keep the company from getting hacked without getting in the way? How do you integrate security into the culture of the business? I'll cover the critical areas to focus on, implementation steps, and first-hand examples.

Speakers

Bryan Zimmer

Bryan is the Head of Security at Humu. He previously worked for Netflix, where he successfully migrated the company to LISA, one of the first Zero Trust architectures outside of Google’s BeyondCorp. He’s also worked in the federal, finance, and education sectors, and presented...


Tuesday March 9, 2021 12:45pm - 1:05pm PST
Stream

1:05pm PST

Checking your --privileged container
Streaming at https://youtu.be/wa_T8vAv9kg
Join us at r/BSidesSF on Reddit for live AMA style Q&A

(2020) Docker provides a convenient --privileged flag to create "privileged containers" but what does it actually do? In this talk, we will explain the internals of how docker provides isolation, and what happens when these security features are disabled. Spoiler alert: trivial container escapes.

Speakers

Sam "Frenchie" Stewart

Frenchie is far too biased to answer this question, and instead chooses to break the 4th wall. Originally from Batmania, live[d|s] in San Secuestro, now in Middle Earth. Currently Infrastructure Security @ Brex. Previously, Infrastructure Security Engineering Manager at Cruise. Shipped...

Maya Kaczorowski

Maya is a Product Manager at GitHub in software supply chain security. She was previously in Security & Privacy at Google, focused on container security, and encryption at rest and encryption key management. Prior to Google, she was an Engagement Manager at McKinsey & Company, working...


Tuesday March 9, 2021 1:05pm - 1:30pm PST
Stream

1:40pm PST

Closing Remarks
Streaming at https://youtu.be/wa_T8vAv9kg
Join us at r/BSidesSF on Reddit for live AMA style Q&A

(New - Live) We will be discussing the logistics and joys of organizing the event. Come hear how it all gets put together and who helps us out!

Speakers

Reed Loden

Director of Security, HackerOne
Reed Loden is the Director of Security at HackerOne, the #1 hacker-powered security platform. He is an information security expert, hacker, and developer. Reed brings over 14 years of security experience to his role at HackerOne where he is charged with protecting the company’s...


Tuesday March 9, 2021 1:40pm - 1:55pm PST
Stream