WE HAVE A SCHEDULE

It’s not quite finalized, but we have a functioning schedule. We’re excited to see if we can actually keep to it. Last year went super smoothly, and we somehow stayed within one minute of our published schedule (as far as anyone remembers). You can click the link up there where it says “schedule,” or you can try this link out here.

THE LINEUP

Here’s what we have cooking!

Friday, July 19

| Time | Speaker | Presentation |
|---|---|---|
| 10:00am | | DOORS OPEN |
| 10:45am | John Terrill & Mark Trumpbour | Opening Remarks and Financials, probably a ridiculous amount of inside jokes; we’ll see how well John and Mark banter. |
| 11:00am | Kai | RiPHash: Analyzing execution traces on a budget |
| 12:00pm | Genevieve Stark | From Exploit Brokers to Extortion |
| 12:35pm | | SUMMERCON HALL OF FAME – LIFETIME ACHIEVEMENT AWARD |
| 1:00pm | | LUNCH |
| 2:00pm | Brian Reilly | Modern ColdFusion Exploitation and Attack Surface Reduction |
| 3:00pm | Steve Myrick | Da Bomb: Beyond Insanity |
| 4:00pm | | SPECIAL PRESENTATION – IN MEMORIAM |
| 4:30pm | Gabe | [REDACTED] |
| 5:00pm | Invisigoth | TBD – It’s Visi, so it’s something cool |
| 6:00pm | | HAPPY HOUR |
| 7:00pm | | [We strongly recommend using this time to have dinner] |
| 9:30pm | | Summercon 2024 Presents: RESIDUAL GROOVE |
| 1:00am | | END DAY 1 |

Subject to change.

Saturday, July 20

| Time | Speaker | Presentation |
|---|---|---|
| 10:00am | | DOORS OPEN |
| 10:45pm | John Terrill & Mark Trumpbour | Welcome back, Recap, Apology, and Police Blotter. |
| 11:00am | Sharon Nachshony | Identity Threat Hunting Insights: Unveiling Real-World Cases |
| 12:00pm | David Campbell | Developer Mode Enabled: Pushing AI Red Teaming Boundaries |
| 1:00pm | | LUNCH |
| 2:00pm | J. Gdanski | We Kill People Based on Metadata |
| 3:00pm | Michael Coppola | Starfox: A Case Study in Exploiting Impractical Bugs (35min) |
| 3:40pm | Ian Roos | 2024 PWNIE AWARDS NOMINATIONS |
| 4:00pm | Martin Wendiggensen | Chinese Discourse Power |
| 5:00pm | JAGS | TBD |
| 6:00pm | | HAPPY HOUR / CLOSING CEREMONIES / FLIP CUP / SHOUTDOWN & OTHER INARTICULACIES |
| 7:00pm | | [We’re not your mother, but you should eat something] |
| 8:30pm | | Pre-Game: HACK THE PLANET |
| 9:30pm | | Movie Screening: Hackers (1995) |
| 11:15pm | | PRIZES / DJ / PARTY PARTY |
| 1:00am | | END DAY 2 |

Subject to change

TICKETS TICKETS TICKETS

We’re finally remembering that we need to tell you where to buy tickets.

It’s here. Eventbrite. And thanks for your ongoing support — without you, there’s no Summercon.

HOTEL ROOM BLOCS

If you’re looking for a place to stay for Summercon 2024, do we have great news for you! There’s a new hotel right around the corner from Littlefield, Tru by Hilton. Or maybe you’re looking for the style and luxury of The Ace Brooklyn. Either way, we have room blocs ready to go, get ’em before they run out!

Tru By Hilton (Link expires June 18)

The Ace Brooklyn  (Link expires June 27)

Alternate instructions to make online reservations:

  • Go to https://www.acehotel.com/brooklyn
  • Click BOOK NOW
  • Select Check in date: 7/18/24
  • Select Checkout date: 7/21/24
  • Select: Group Code
  • Enter Group Code: SMRCN724
  • Click Check Availability

Trouble is brewing

We’re excited to announce that we’re gearing up for our July event in Brooklyn, NY. We’re currently huddled over keyboards (and coffee mugs) planning something extraordinary. Yes, we’re a bit late in getting the news out – blame all the booze (and the hangovers)!

More thrilling updates are on the way. Stay tuned, keep hacking, and perhaps, keep nursing those hangovers – we’ll make sure this year’s Summercon is worth the wait!

Cheers,

Summercon Management

CFP Now Open 2024

It is once again time to submit your proposals for Summercon presentations.

We admit that we have a lot of latitude in how we schedule speakers, but generally presentations fall into two categories: short (25 minutes), and long (55 minutes).

We tend to favor technical presentations that are geared around offense, but we’re open to all good ideas. Please build in time for spirited Q&A. 

We invite you to review what we look for when selecting a presentation here, but here’s the quick summary:

  1. Technical
  2. Novel
  3. Irreverent
  4. Revels in the Journey
  5. Sticks it to the Man
  6. Engages the Audience
  7. Fits into the Allocated Time

Please submit your proposals using our Google Form.


Presentations

RiPHash: Analyzing execution traces on a budget

KAI

This talk presents a strategy for analyzing dynamic execution of binaries based on sample traces.

From Exploit Brokers to Extortion

GENEVIEVE STARK

Underground communities have provided marketplaces for selling malware, illicit accesses, and stolen data for well over twenty years. But in the past decade, it has become increasingly common for financially motivated actors to specialize in specific stages of the attack lifecycle. Ransomware-as-a-Service (RaaS) offerings are a notorious example of this shift, but cyber crime actors can purchase a wide range of services and tools, including private or semi-private malware capabilities, malware distribution services, domain registration services, traffic distribution services, code signing certificates, and exploits. In this presentation, we’ll review how the cyber crime ecosystem has flourished under this approach. We’ll then discuss the types of exploits available for purchase. Finally, we’ll examine several case studies that illustrate how specific threat actors have benefited from the professionalization and commoditization of the attack lifecycle.

Modern ColdFusion Exploitation and Attack Surface Reduction

BRIAN REILLY

Yes, an Adobe ColdFusion talk in 2024. It’s been a busy 18 months for ColdFusion security — from new 0-day vulnerabilities discovered in the wild to ancient vulnerabilities being part of ransomware playbooks. Even if you haven’t embraced modern CFML, ColdFusion remains a common legacy application platform found in organizations of all sizes and verticals. In this talk we’ll look at a series of ColdFusion vulnerabilities, map out the attack surface of modern ColdFusion environments, and consider some approaches for attack surface reduction. So whether you consider ColdFusion to be a modern JVM scripting language, legacy application tech debt, or an easy pentest win, this talk is for you. And if you’re too cool for ColdFusion, just squint and pretend it’s a Java talk.

Da Bomb: Beyond Insanity

STEVE MYRICK

As offensive security professionals, our most limiting factor is often our time. If we find an exploit on one host, how can we accurately communicate the impact for our entire network? If the vulnerability is fixed, how do we monitor for regressions? Manual exploit verification on hundreds or thousands of hosts is unrealistic – we need to be able to do more with less. Atomic Red Team is an open-source library of simple, focused tests that map to the MITRE ATT&CK framework. Combined with an automation platform, we can exponentially multiply the effectiveness of our red team talent and allow them to focus on novel attacks rather than low-hanging fruit. This talk will demonstrate how, with a few free tools, we can automate red teaming techniques to amplify our output without expanding our team or increasing our time spent.

Frequently Attacked Questions

GABE


TBD

INVISIGOTH

TBD

Identity Threat Hunting Insights: Unveiling Real-World Cases

SHARON NACHSHONY

In today’s cyber threat landscape, identity has emerged as a critical yet often overlooked aspect of cybersecurity. Join me as I delve into the world of identity-based threat hunting, highlighting its importance and complexity. As a cybersecurity professional, I’ll share insights from my experiences and real-world cases, providing a comprehensive overview of how identity can enhance threat detection and incident response. This presentation will explore the initial goals of harnessing big data and ensuring identity isn’t sidelined in threat hunting. We will discuss the distinct types of identity and contrast identity-based threat hunting with traditional methods that rely on Endpoint Detection and Response (EDR) or network data. While Indicators of Compromise (IoCs) in EDR and network contexts are typically clear, identity-based IoCs often remain elusive, requiring a more nuanced approach. Using a hypothetical company, “Nexus,” as a case study, I’ll illustrate how understanding normal identity behavior can help identify and mitigate abnormal activities promptly. Real-world scenarios will show how early detection of credential scanning and malicious actors through identity threat hunting can transition into effective incident response before significant damage occurs. We’ll examine how compromised accounts can be identified and contained, showcasing the importance of lateral movement detection and comprehensive attack visibility from an identity perspective. The session will also cover how identity-based insights can significantly expedite incident response during breaches, using the Nexus case study to highlight these benefits. Attendees will learn about common security gaps, such as the misuse of administrator accounts and the risks of elevated privileges. We’ll discuss practical strategies to eliminate these vulnerabilities, aiming to leave no loopholes for attackers.
Prepare for an engaging and technical session that underscores the vital role of identity in threat hunting and incident response. No prior specific materials are required, but a basic understanding of cybersecurity concepts will be beneficial.

Developer Mode Enabled: Pushing AI Red Teaming Boundaries

DAVID CAMPBELL

In this talk, we will explore the evolution of Red Teaming into AI Red Teaming, emphasizing its crucial role in advancing the security of Large Language Models (LLMs) and beyond. Drawing from my firsthand experiences developing and deploying the largest generative red teaming platform, I will share insightful anecdotes and real-world examples. We will delve into the multifaceted nature of adversarial red teaming, examining how it fortifies AI applications at every layer. This comprehensive approach includes securing the external application interfaces, reinforcing LLM guardrails, and enhancing the robustness of the LLMs’ internal algorithms. By understanding these layers, we can better protect platforms, businesses, and consumers from potential threats. The talk will also highlight the strategic importance of red teaming in identifying vulnerabilities and stress-testing AI systems to withstand real-world adversarial attacks. We will discuss specific case studies that showcase the effectiveness of these strategies in improving the resilience of AI systems. These examples will illustrate the practical applications and significant impact of red teaming on the overall security landscape. Moreover, we will explore the future of AI Red Teaming, considering emerging challenges and the evolving threat landscape. This includes a discussion on how to stay ahead of adversaries by continuously updating and adapting red teaming methodologies. Join me to uncover the essential role of adversarial strategies in fortifying the AI landscape. This talk aims to provide a deep understanding of AI Red Teaming, its practical implementations, and its pivotal importance in ensuring the security and integrity of AI technologies.

We Kill People Based on Metadata

J. GDANSKI

Apple presents itself as a privacy-first company and the choice for dissidents, journalists, politicians, and others in need of protection from surveillance; however, a number of their products and decisions actively prevent real privacy and put their users at risk digitally and physically. In this talk we explore some of these shortcomings and make suggestions on how to address them.

Starfox: A Case Study in Exploiting Impractical Bugs

MICHAEL COPPOLA

Not knowing when to give up can sometimes be your greatest asset. In this talk I’ll dive into my first ever project at Trenchant, a capability named Starfox, and how the worst bug ever was turned into a crazy Rube Goldberg machine with reliable iOS persistence as a side-effect.

Chinese Discourse Power

MARTIN WENDIGGENSEN

TBD

TBD

JAGS

TBD

Summercon 2024 Presents: RESIDUAL GROOVE

Get ready to move with Residual Groove, the electrifying five-piece funk/fusion band hailing from Norwalk, CT, that will be closing out Day 1 of Summercon with a bang! This dynamic ensemble features the incredible talents of brothers Previn Edwards on guitar and vocals, and Kiran Edwards on keys and vocals, alongside the rhythmic prowess of Miles Livolsi on bass, Henry Thomas on drums, and Garrett Halstead on percussion.

Residual Groove blends a healthy mix of their groovy original tunes with surprising and eclectic covers, ensuring a setlist that keeps you on your toes. Known for their seamless transitions and spontaneously improvised segments, their performances are a journey through a diverse soundscape that bridges their varied influences and unique creations. You’ll be entranced by their musical synergy and infectious energy as they create an unforgettable live experience. Don’t miss this chance to feel the funk when Residual Groove brings it to the stage!

Movie Screening: Hackers (1995)

Director: Iain Softley
Starring: Jonny Lee Miller, Angelina Jolie, Jesse Bradford, Matthew Lillard, Laurence Mason, Renoly Santiago, Fisher Stevens, and Lorraine Bracco

Join us for a special, free to the public screening of the 1995 cult classic Hackers! Directed by Iain Softley, this iconic film features an ensemble cast including Jonny Lee Miller, Angelina Jolie, Jesse Bradford, and Matthew Lillard. Hackers plunges us into the exhilarating world of cyber warfare and underground hacker culture, following a group of teenage hackers who uncover a high-stakes conspiracy.

Set against the backdrop of 90s New York City, Hackers captures the zeitgeist of an era where the burgeoning digital revolution promised both boundless opportunities and unprecedented dangers. The film’s portrayal of hacking as both a rebellious act and a form of digital artistry resonated deeply with the emerging tech-savvy generation.

The movie’s authenticity is bolstered by the contributions of real-life New York hacking scene advisors, whose insights ensured that the film’s depiction of hacking techniques and subcultures remained grounded in reality, offering a glimpse into the minds of those who navigated the early digital frontier. They tried, anyway.

Hackers has left an indelible mark on popular culture, influencing everything from fashion to music, and inspiring countless individuals to explore the realms of coding and cybersecurity. Its legacy endures as a nostalgic touchstone for those who witnessed the dawn of the internet age.

After the screening, we invite you to participate in our costume contest! Dress as your favorite Hackers character for a chance to win exciting prizes. Show off your best Dade “Zero Cool” Murphy, Kate “Acid Burn” Libby, or Chris “Cereal Killer” Valasek, and celebrate the enduring legacy of this groundbreaking film.

PRIZES / DJ / PARTY AFTERPARTY

After we dive into the rollerblading documentary film Hackers, the night is just getting started! Stick around for the Party Afterparty where you can show off your best costumes inspired by the movie and stand a chance to win fantastic prizes. And that’s not all – we’ve got DJ Gidjet ready to spin some electrifying tracks, keeping the energy high until 1am. Don’t miss out on this unforgettable night of fun, music, and camaraderie. Don’t worry — when Littlefield eventually bounces us, the party will move on to Summercon stronghold Canal Bar!

Sponsors 2024

Platinum Sponsors

Atredis Partners is a research-driven Information Security consultancy. We deliver advanced penetration testing, embedded security research, and cutting edge risk management. Our team is made up of some of the most respected hackers in the information security industry, and we thrive on hacking complicated targets, on time and under budget. Our HQ also happens to be in the birth city of SummerCon, but we’re pretty sure the Best Western in North Saint Louis burned down years ago.

Gold Sponsors

Etsy is the global marketplace for unique and creative goods. We build, power, and evolve the tools and technologies that connect millions of entrepreneurs with millions of buyers around the world. As an Etsy Inc. employee, whether a team member of Etsy, Reverb, or Depop, you will tackle unique, meaningful, and large-scale problems alongside passionate coworkers, all the while making a rewarding impact and Keeping Commerce Human.
Flatiron Health is a healthtech company expanding the possibilities for point of care solutions in oncology and using data for good to power smarter care for every person with cancer. Through machine learning and AI, real-world evidence, and breakthroughs in clinical trials, we continue to transform patients’ real-life experiences into knowledge and create a more modern, connected oncology ecosystem. Flatiron Health is an independent affiliate of the Roche Group.

Silver Sponsors

RED BALLOON SECURITY was founded by Dr. Ang Cui out of Columbia University’s Intrusion Detection Systems Lab in 2011 with its pioneering technology, Symbiote Defense. Today, its R&D has expanded to a team of world-class researchers and developers who continue to publish seminal research papers on embedded security and intrusion detection. Since its inception, the team at Red Balloon has partnered with the U.S. Department of Defense and Department of Homeland Security, performing on funded research activities and deploying its defensive technologies on a range of critical embedded systems. The company has also ethically disclosed vulnerabilities in hundreds of millions of embedded devices and continues to advance the state of embedded device security as part of its mission.

Supporter Sponsors

Bishop Fox is the largest private professional services firm focused on offensive security testing. Since 2005, the firm has provided security consulting services to the world’s leading organizations — working with over 25% of the Fortune 100 — to help secure their products, applications, networks, and cloud with penetration testing and security assessments. The company is headquartered in Phoenix, AZ and has offices in Atlanta, GA; San Francisco, CA; New York, NY; and Barcelona, Spain.
The Phosphorus Unified xIoT Security Management Platform is the industry’s only CPS Protection Platform proactively covering the entire security and management lifecycle for xIoT. Through its unique ability to directly communicate with over one million device models (including over 600 vendors) in their native languages, Phosphorus’ platform empowers all organizations to safely discover, remediate, monitor, and manage any IoT, OT, IIoT, and IoMT device, including the most sensitive mission-critical and life-critical assets. It fully automates the remediation of the biggest xIoT device vulnerabilities – including unknown and inaccurate asset inventory, default credentials, out-of-date and vulnerable firmware, risky configurations, banned and end-of-life devices, and expired or self-signed certificates.
645 Ventures is an early-stage venture capital firm that partners with exceptional founders who are building iconic companies. We invest at the Seed and Series A stages and leverage our Voyager software platform to enable our Success team and Connected Network to help founders scale to the growth stage. 645 has $550m+ in AUM across 5 funds, and is growing fast with backing from leading institutional investors, including university endowments, funds of funds, and pension funds. The firm has offices in New York and SF, and you can learn more at www.645ventures.com.

The Important People

Kai

Kai is a security researcher and PhD student at NEU.

David Campbell

David Campbell is a seasoned technology leader with nearly 20 years of experience in Silicon Valley’s startup ecosystem, now spearheading Responsible AI initiatives at Scale AI. As the Lead AI Risk Engineer, David has been pivotal in developing a cutting-edge AI Red Teaming platform that marries ethical AI practices with rigorous security evaluations. His work, recognized by the U.S. Congress and highlighted by the White House, underscores his commitment to shaping a safer AI ecosystem. With a deep background in Security, Core Infrastructure, and Platform Engineering, David actively drives discussions and actions that integrate responsible AI principles into practical security frameworks, aiming to nurture robust, ethical AI applications across industries.

Michael Coppola

Michael Coppola is a Senior Security Researcher working at L3Harris Trenchant (formerly known as Azimuth Security). Michael has over a decade of experience in professional vulnerability research and focuses primarily on hacking mobile platforms.

Invisigoth

TBD

J. Gdanski

J. Gdanski is the Founder and CEO of Evertas, where he has led Evertas’s technical development and underwriting, as well as secured multiple rounds of funding from top investors; he is a security, privacy, and risk expert. J is also a founder of CryptoISAC.

Prior to launching Evertas, he was a leader in the enterprise blockchain space and was one of the first to work on institutional custody for crypto. In this capacity he served as an early, significant contributor to blockchain consortia including R3 and Enterprise Ethereum Alliance, of which he was a founding member. He was an integral part of the first enterprise blockchain RFP and has worked on numerous blockchain-based systems. He was the first dedicated hire in the space for a bulge bracket bank and the world’s largest custodian bank and has presented to regulators, legislators, politicians, and business executives, including from Fortune 50 companies.

JAGS

TBD

Steve Myrick

Steve Myrick is the manager of adversarial engineering and DevSecOps at Avalara. For the last 5 of his 8 years in security, he’s been building the offensive security practice at his job from the ground up. 

Back home in NC, he spends his time hosting the CTF events for CackalackyCon and BSides RDU and occasionally speaking there as well. 

Steve loves a good security conference, followed by a cold beer over hearing stories of hilarious pentest findings or social engineering hijinx. 

Sharon Nachshony

Sharon has been practicing cyber security since 2017. She is a technological unit alumna and holds a B.Sc. in Computer Science. She previously worked at Argus Cyber Security as a Cyber Security Architect and is now a security researcher at Silverfort specializing in threat hunting, risk assessment, identity posture, network hardening and suggested mitigations.

Brian Reilly

Brian Reilly is a security engineer focused on application security, penetration testing, offense, and vulnerability research. He’s been attending SummerCon sporadically since SummerCon IX.

Genevieve Stark

Genevieve is a manager on Google Threat Intelligence’s Cyber Crime Analysis team, which researches financially motivated threat actors involved in a variety of operations, including extortion and financial fraud. She has supported and led in-depth research projects on ransomware actors and regularly spearheads initiatives for improving Mandiant’s analytical capabilities and standards. Prior to joining Mandiant in 2019, Genevieve spent a decade providing threat intelligence, digital forensics, and training support to US Government customers.

Martin Wendiggensen

TBD