Kris Silvers and Chris Silvers

Capture the Fail: Avoiding Pitfalls When Running Your CTF

Is it possible to contribute to the security community without dropping an 0-day or coding the next nmap? How about running a CTF? Kris and Chris Silvers, creators of the OSINT CTF, share some lessons learned along their journey. They’ve run into some interesting problems, from their scoring engine’s exploitable vulnerabilities to targets changing their attack surface mid-competition, and met them all head-on. Laugh along and learn something as they walk through their toughest challenges and how they handled them.


Jonathan Tomek

What the world needs now, is HAM sweet HAM

Do you know why the hacker community is so interested in HAM radio? You probably do; it is the ultimate nerd hobby. It involves a variety of abilities spanning multiple competencies and skills. What skills, you may ask? Too many to list here…

Devices from IoT to satellites to power meters all use radio signals to communicate. Since security is often an after-thought, it is the wild west in the radio realm for a hacker.

Let’s introduce you to some things to increase your appetite for becoming a HAM. Whether you have an SDR lying around or a hand-held you have had since the last hackercon, you should know how to use it. For those HAMs out there, this should still get you excited to try something new. Since it wouldn’t be Cyphercon without the “cypher”, there will be some fun things here to spur the curiosity in your old hacker self.


Michael Portera

Don’t Forget to Wipe

On June 29, 2018, Toys R Us shut its doors to the public after filing Chapter 11 bankruptcy. The months leading up to that day consisted of liquidating its assets, including the computer hardware found in local stores. While everything should have been sanitized before being let go, it wasn’t. In this talk, we’ll take a look at what happened and I’ll review my forensics investigation: what I was able to recover, how I did it, and the importance of sanitizing devices before disposing of them. Spoiler alert: it’s bad…


Jeff Man

What Are We Doing Here? Rethinking Security

Have you ever noticed that much of the mission of cyber- and information security professionals seems to be focused on vulnerabilities? Have you ever heard of the risk equation? Perhaps you are familiar with one or more versions that help you derive the risk to your organization (sometimes referred to as residual risk). I have been wondering for a while how to suggest to our industry that there is perhaps TOO much focus on vulnerabilities and not enough attention or focus on the other elements that derive the standard risk equation. Remember how the disclosure of Meltdown/Spectre introduced a “perfect storm” scenario where the vulnerability wasn’t easy to patch or fix, and the solution seemed to break things? This created a situation where the “security solution” wasn’t simply to apply the patch – and that left many organizations scrambling to figure out how to deal with this example of a persistent vulnerability. This is a great example of what I’ve wanted to discuss for a while – what else should we focus on in terms of security if/when the vulnerabilities still remain? Interested? Intrigued? Come join the discussion!


Cindy Murphy

KeyNote: Now you see it, now you don’t: The magic of forensic artifacts hiding in plain sight

In the field of digital forensics, we have our tried and true artifacts and methods to find them. However, occasionally we uncover information or methods that challenge what we’ve always known, especially when we expect to see nothing and instead uncover a wealth of information. Digital forensics expert Cindy Murphy, M.Sc. will use this session to unpack the myths of digital forensics she has uncovered since her career pivot from law enforcement to private digital forensics work. For example, when an SD card shows all zeros, is it actually empty? Or, are we really getting a full forensic image from this hard drive? From there, she will discuss how to navigate those myths and, most importantly, how to keep moving forward in an ever-changing industry. Session attendees will walk away feeling empowered to ask questions and challenge the status quo in the digital forensics profession.


Brad Swanson

Phreaking for fun and profit (Historical Talk)

This talk will be about phreaking back in the late 80’s, up until the mid 90’s roughly. It will cover what phreaking was, why it worked, and why we did it. We will discuss some of the devices used, the theory behind them, as well as some entertaining stories about those devices. We will also talk about the slew of ‘secret’ numbers that existed in the phone system, including but not limited to ANI, loops, and sweep tones. Finally, we will discuss the decline in phreaking with the newer versions of ESS, as well as how VoIP has brought forth an entirely new generation of folks interested in how the phone systems work.


Michelle Evans

The X-15 Rocket Plane, Flying the First Wings into Space

With the Soviet Union’s launch of the first Sputnik satellite in 1957, the Cold War soared to new heights as Americans feared losing the race into space. This presentation tells the enthralling yet little-known story of the hypersonic X-15, the winged rocket ship that met this challenge and opened the way into human-controlled spaceflight.

This remarkable research aircraft held the world’s altitude record for 41 years, and still has no equal to match or better its speed of more than 4,500 mph. Beyond the X-15 are the stories of the 12 men who guided it into space, and all the people who kept the rocket plane flying for nearly a decade. This is the story that has never been told of the vehicle that was the true precursor to the Space Shuttle by being the first piloted and winged vehicle to exit Earth’s atmosphere, and make a controlled reentry to a landing on hard-packed dry desert lakebeds.

In her research, Ms. Evans interviewed nearly 70 people, including 9 of the 12 pilots, among them Neil Armstrong, Scott Crossfield, and Robert White, with family representatives for the remaining pilots. Others she spoke with include managers, flight planners, and the technicians and engineers who made the X-15 ready to fly its next research mission at high altitude and high Mach.


Josh Frantz

Thrift Shoppin’ with your data

Do you ever wonder what happens with disk drives, flash drives, even floppy drives when you drop them off at thrift stores or e-recycling centers? You signed an agreement saying they would wipe your data, so that no one could ever find those text files filled with passwords and sensitive information. Well, even though you signed that piece of paper, these thrift stores and e-recycling centers have not been making good on their contractual obligations.

We all have a box of wires, 10 flash drives and 5 hard drives lying around. How do you properly dispose of those devices safely and securely? In this presentation, we take a dive into thrift shopping all around Wisconsin, in particular buying your data back from those who agreed to destroy it. You signed an agreement saying that your disks would be wiped, your data destroyed, but based on what I found, that couldn’t be further from the truth.


Jim Nitterauer

Decrypting the Mess that is SSL/TLS Negotiation – Preparing for the 2020 Apocalypse

Recently, all major browser vendors agreed in principle to end support for TLS (Transport Layer Security) versions 1.0 and 1.1 in 2020. SSL (Secure Sockets Layer) version 3.0 support was removed from Chrome in early 2015, effectively ending the use of SSL completely. Akamai will discontinue support for TLS 1.0/1.1 on January 7th, 2019. These protocols have all been found to have various vulnerabilities that make them no longer safe for use in the negotiation of secure connections between end points.

With the deprecation of these cryptographic protocols, several new security exploits have come to light. These exploits, including Heartbleed, POODLE, BEAST, CRIME and others, attempt to disrupt the availability of services or steal data. The most common service using TLS is obviously web traffic that is transmitted via https. Since SSL and TLS are secure connection negotiation protocols, the process for establishing a secure connection can be used for almost any type of traffic. Some of the more common ones aside from https are DNS, VPN, SMTP, POP3 and IMAP. All rely on the ability of client and server to understand a common protocol and the ability to negotiate a connection based upon a commonly understood version.

Many server-side instances still utilize older versions that support deprecated SSL/TLS versions, leaving them vulnerable to availability and integrity attacks. Many client applications have the same issues, with many of those built into IoT devices which are rarely upgraded.

We needed to find a means to understand what types of conversations were happening on our public-facing proxy services. We noticed a rash of SSL downgrade attacks that resulted in intermittent outages.

We also wanted to be able to proactively engage our customers by letting them know that they had devices on their network reaching out to us using deprecated or soon to be deprecated SSL/TLS versions.

This talk will provide a quick overview of the major SSL/TLS versions along with their major vulnerabilities. I will then discuss how we were able to use some F5 iRule magic on our load balancers combined with Graylog (a log aggregation platform) to track as well as block undesirable client and server connections to our proxy end points. This strategy can easily be adapted to any protocol scenario that uses TLS connection negotiation.
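As an added illustration of the negotiation point above (example code written for this page, not the speaker's iRule or Graylog configuration), here is a parser for the ClientHello, the first handshake message, which is where a client announces the protocol versions it will accept. Pre-1.3 clients signal only the legacy version field; TLS 1.3 clients keep that field at 1.2 and carry the real list in the supported_versions extension, so a classifier that reads only the first two bytes will misjudge modern clients. The two ClientHellos are constructed test vectors, and "TLS 1.2 or newer" is an assumed policy.

```python
"""Parse a TLS ClientHello from a captured record and report which protocol
versions the client offered, so deprecated clients can be logged or refused.
Stand-alone example; the ClientHellos at the bottom are constructed, not captured."""
import struct

VERSION_NAMES = {0x0300: "SSLv3", 0x0301: "TLS1.0", 0x0302: "TLS1.1",
                 0x0303: "TLS1.2", 0x0304: "TLS1.3"}
MIN_ACCEPTABLE = 0x0303          # policy assumption: TLS 1.2 or newer only
EXT_SUPPORTED_VERSIONS = 0x002B  # RFC 8446 extension carrying the real version list


def _parse(data: bytes) -> dict:
    if len(data) < 5 or data[0] != 0x16:             # record type 22 = handshake
        raise ValueError("not a TLS handshake record")
    rec_len = struct.unpack("!H", data[3:5])[0]
    body = data[5:5 + rec_len]
    if len(body) < 4 or body[0] != 0x01:             # handshake type 1 = ClientHello
        raise ValueError("not a ClientHello")
    hs_len = int.from_bytes(body[1:4], "big")
    hello = body[4:4 + hs_len]
    if len(hello) != hs_len or hs_len < 35:
        raise ValueError("truncated ClientHello")
    legacy_version = struct.unpack("!H", hello[0:2])[0]
    pos = 2 + 32                                     # skip the 32-byte client random
    pos += 1 + hello[pos]                            # session id (1-byte length)
    cs_len = struct.unpack("!H", hello[pos:pos + 2])[0]
    pos += 2
    ciphers = [struct.unpack("!H", hello[i:i + 2])[0] for i in range(pos, pos + cs_len, 2)]
    pos += cs_len
    pos += 1 + hello[pos]                            # compression methods (1-byte length)
    offered = [legacy_version]                       # pre-1.3 clients only signal this field
    if pos + 2 <= len(hello):
        ext_len = struct.unpack("!H", hello[pos:pos + 2])[0]
        pos += 2
        end = pos + ext_len
        while pos + 4 <= end:
            etype, elen = struct.unpack("!HH", hello[pos:pos + 4])
            pos += 4
            edata = hello[pos:pos + elen]
            pos += elen
            if etype == EXT_SUPPORTED_VERSIONS and edata:
                n = edata[0]                          # 1-byte length of the version list
                offered = [struct.unpack("!H", edata[i:i + 2])[0] for i in range(1, 1 + n, 2)]
    return {"legacy_version": legacy_version, "offered": offered, "ciphers": ciphers}


def parse_client_hello(data: bytes) -> dict:
    """Return legacy_version, the offered versions and the cipher suites.
    Raises ValueError for anything that is not a well-formed ClientHello record."""
    try:
        return _parse(data)
    except (struct.error, IndexError) as exc:
        raise ValueError("malformed ClientHello") from exc


def classify(data: bytes) -> dict:
    """Add the best version the client can do and whether policy rejects it."""
    info = parse_client_hello(data)
    best = max(info["offered"])
    info["best"] = VERSION_NAMES.get(best, hex(best))
    info["deprecated"] = best < MIN_ACCEPTABLE
    return info


def build_client_hello(legacy_version, ciphers, supported_versions=None) -> bytes:
    """Construct a minimal ClientHello record (test data, not a captured client)."""
    body = struct.pack("!H", legacy_version) + b"\x11" * 32 + b"\x00"  # version, random, empty session id
    body += struct.pack("!H", 2 * len(ciphers)) + b"".join(struct.pack("!H", c) for c in ciphers)
    body += b"\x01\x00"                                                  # one compression method: null
    if supported_versions:
        vlist = b"".join(struct.pack("!H", v) for v in supported_versions)
        ext = struct.pack("!HH", EXT_SUPPORTED_VERSIONS, 1 + len(vlist)) + bytes([len(vlist)]) + vlist
        body += struct.pack("!H", len(ext)) + ext
    hs = b"\x01" + len(body).to_bytes(3, "big") + body
    return b"\x16\x03\x01" + struct.pack("!H", len(hs)) + hs


# constructed samples: an old client (TLS 1.0, RSA key exchange, AES-CBC and 3DES)
# and a modern one that lists TLS 1.3 and 1.2 in supported_versions
LEGACY_HELLO = build_client_hello(0x0301, [0x002F, 0x000A])
MODERN_HELLO = build_client_hello(0x0303, [0x1301, 0xC02F], supported_versions=[0x0304, 0x0303])

if __name__ == "__main__":
    for name, hello in (("legacy", LEGACY_HELLO), ("modern", MODERN_HELLO)):
        print(name, classify(hello))
```

Run against the first record of each inbound connection, the output is what you would log next to the client IP (and forward to Graylog) to tell a customer which of their devices still speak TLS 1.0/1.1; an SSLv3-only client shows up with legacy_version 0x0300 and no supported_versions extension.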


Ian Sindermann

Unhinging Security on the Buffalo TeraStation NAS

Oftentimes it only takes a small oversight to cause a vulnerability, even when it comes to severe vulnerabilities. The Buffalo TeraStation NAS demonstrates this idea beautifully in that it has a variety of features that do just a tad more than they should. Using these oversights as examples, I’ll provide an overview of the thought processes, mindset, and skills used to turn happy little oversights into happy little shells. There will be an abundance of facepalms and IoT war stories, and if that wasn’t enough, there’s a good chance these vulns will still be unpatched.


Edd Black

Tracking the Adversary’s Learning Curve

Attackers are commonly broken into two camps: low skilled opportunists (script kiddies) and the APT – Advanced Persistent Threats (funded organized crime, nation states). In between lurks a skilled persistent threat, capable of doing more damage than either. Their skills have developed past script kiddies while lacking the resources of the APT. Their ability to fly under the radar makes them a significant threat. These adversaries require human responders to identify, track, and oppose. Understand the constraints of the persistent threat, and you can learn to counter them.


Chris Roberts

Security lessons from the Woofmutt

· Curiosity killed the cat, but in OUR world, that’s the job of an OSINT analyst.

· Speaking of cats, plan ahead, they are faster and more agile… think BEFORE acting

· Puppy eyes, drool AND sideways looks work…social engineering IS a good skill to have

· Try everything at least once, even if it means sticking your head in the trashcan…

· Always be upfront, that way there’s no miscommunication

· If at first you fail, try again; eventually you will get the chew toy on top of the bookcase.

· Never underestimate the need for a good hug

· Nothing is forever; live every moment as if it were your last.

These lessons and more will be covered, dissected AND somehow related to us as humans and us as tech folks.


Ian Klatzco

Building a Cohesive Undergraduate Security Club

Building good teams (either in the “elite” sense or the “healthy culture” sense) is hard. Our university security club had its ups and downs between boring meetings and inaccessibility to newcomers — we stepped it up this year with a tighter meeting format, an approachable 24/7 internal CTF, and internal documentation. We saw better attendance, more people staying after meetings, and freshmen successfully completing projects with upperclassman mentorship. Other exciting developments include reusable published meetings and writing our own fuzzers.


Chris Merkel

Shifting Security Left: Self-Service Security for Developers and Beyond

The shift to the cloud, Agile and DevOps is making it more difficult than ever for security teams to control what happens in their organizations and secure systems.

The obvious solution is more security tools, more security people, and ever-inventive ways to rein in your environment.

You. Will. Fail.

The only way to get better is by giving up the illusion of control and the delusion that you can achieve control.

Instead, we’ll talk about how engineering automation to create a culture of empowerment, self-reliance and trust can result in better security outcomes. Along the way, we’ll learn about how the adoption of Agile and DevOps is creating value in some unexpected ways…


Stephanie "Snow" Carruthers

Everything old is new again: A look at historic cons and their transition to a digital world

What do a pig in a poke, pigeon drops, and salting have in common? They are just a few of the old-school confidence tricks (cons) used from the late Middle Ages to more recently which swindled marks out of money. In this presentation Stephanie will cover how some famous historic cons were used in their day, and how they are now being transitioned into today’s digital world.


Eric Escobar and Matt Orme

Remote Wireless Pentesting in a nutshell (or ammo can)

Wireless pentesting typically requires physical proximity to a target, which requires time, limited resources, and constant traveling. Eric & Matt have pioneered an inexpensive device to covertly perform wireless pentests anywhere on earth. Their unique solution to the problem centers around the ability to perform a wireless pentest remotely. To achieve this lofty goal they did what any hackers would do: scrounge up pieces and parts until they had a workable prototype that could phone home via multiple LTE connections and give remote access to the wireless environment surrounding their device. Much improved since its tangle of wires and packing peanuts, a year later their device has compromised dozens of enterprise networks spanning 3 continents. In this talk we’ll discuss why we built it, how it works, and why we think it will revolutionize wireless pentesting.


James Arndt

Always Look a Gift (Trojan) Horse in the Mouth

It could be said that the city of Troy needed to update its antivirus or intrusion detection signatures. Maybe they needed to dust off their acceptable use policy on their SharePoint site? Or did their end users need more security training? Didn’t anyone warn the CEO of Troy that it is dangerous to push the “Enable Content” button on strange horses that show up outside the city wall? If only the city of Troy had a citizen that could have torn apart the Trojan Horse to see what was really going on inside.

The same goes for malicious emails. Someone will report a suspicious email because they think it might be malicious. But how bad is it really? Unless you are able to dig into the email and perform a thorough analysis on its attachments, you’ll never know how bad it is, how it behaves, and what it may be trying to contact.

In this talk, attendees will learn various tools and techniques that can be used to thoroughly analyze a malicious attachment and everything that comes after it. In order to get as many stones as possible, we will want to leave no stone unturned. This information can then be used to look for indicators of compromise throughout your environment.

Keenan Skelly

Beat the APTs: Explore Digital Forensics through Gamified Cyber Learning

Every cyber professional wants to stop an APT from hurting their company. But when they can’t stop an attack, they seek to expose the criminal, so they can learn from the incident and identify preventative measures. To beat the bad guys and keep pace with today’s evolving cyberattacks, we need an equally dynamic, adaptive, and engaging cybersecurity skills strategy to save our enterprises. Digital forensics—the process of identifying, preserving, analyzing, and presenting digital evidence—is one of many cyber skills necessary in today’s hacking culture.

To support this discipline, Keenan will share how gamified cyber range environments are emerging to assist investigators in the capture, analysis, and preservation of evidence. She will explain how these virtual environments can deliver realistic cybersecurity scenarios for professionals to train both individual and overall team competencies. Keenan will share how users can engage in life-like cyber scenarios inspired by modern-day hacking events to not only refine digital forensic investigation processes but also help professionals learn from beginning to end how and why a hacker attacks in the first place.

Keenan will explain the benefits of gamified cyber range learning and how it can benefit cyber teams. As a result of this new game-inspired learning method, digital forensic professionals gain the ability to “beat the hacker” at their own game—through a game-like cyber range that most authentically represents future scenarios they will encounter. Cyber professionals can learn new, more efficient approaches to deploying computer/network/mobile digital forensics leveraging real-world examples of incidents. Further, gamifying cybersecurity exercises allows teams to better protect enterprises from future attacks and bring cybercriminals to justice.


Dustin Heywood (EvilMog)

Automating Hashtopolis

This talk will cover the basics of using the Hashtopolis user-api to automate functions in Hashtopolis. This talk will cover connecting to an HTP instance, creating hashlists, creating attacks, recovering plaintext, user creation and more.

Amit Elazari Bar On

“Bug Bounty” Law: Navigating the Vulnerability Disclosure Legal Landscape

Bug Bounties and Vulnerability Disclosure Programs (VDPs) are among the fastest growing, most popular ways for companies to engage with the security research community and uncover unknown security vulnerabilities. They also raise a variety of legal issues for researchers and corporations to consider. This talk will explore how the law interacts with bug bounties and VDPs, how it might affect security researchers, and suggest pathways for bug bounties and vulnerability disclosure programs to foster research and ethical hacking. Highlights will include anti-hacking laws, unpacking some myths concerning bug bounty legalese, and contract standardization efforts already widely adopted across the industry.


Benjamin Brown

More Than Tor : Shining a Light on Different Corners of the Dark Web

When the terms darknet or dark web are invoked it is almost always in reference to the Tor network, but what about the other extant darknet frameworks? A true understanding of the dark web would be impossible and misleading if it only included the Tor network. In this talk I will expand the field of view to include frameworks such as Freenet, I2P, and OpenBazaar. We’ll take a quick look at the origins and technical underpinnings of these darknets as well as their actors and offerings. I will also discuss the differentiators that set these networks apart from Tor and highlight why they too should be included in modeling our knowledge of the dark web. Audience members will walk away with a fuller understanding of the internet’s hidden corners, the goals of its users, and the technologies that help keep them in the dark.


Johnny Xmas and Sam Crowther

Sorry About your WAF: Modern Bypass Techniques for Autonomous Attacks

Scripting and automation are absolutely critical to many aspects of an attacker’s effectiveness, penetration tester or otherwise. Modern WAFs and “bot detections” often add a small layer of intelligence to their monitoring, attempting to determine whether or not an attack is being automated, and shut the bot/botnet down. This presentation will be a mini-tutorial on how the various forms of “bot detection” out there work, and how to modify/spoof the necessary client environments to bypass nearly all of them using anything from Python Requests to Selenium, Puppet and beyond.


Ed Skoudis

KeyNote: I, For One, Welcome Our New AI Over Lords

Subtitle: The Ultimate Insider in the Cloud
By: Ed Skoudis and Surprise Guest
Amazing new AI-based services from Amazon, Google, and Microsoft let organizations rely on automated technology to crawl through their cloud-based data stores to identify sensitive data, security weaknesses, and hacking attempts. These AI offerings are impressive and can automate security at a scale impossible to achieve by humans alone. But, to use these commercial services, organizations must allow their cloud providers access to all of that information, exposing it to the deep gaze of an AI. In this talk, Ed will analyze the security implications of such offerings, along with the ethical, business, and privacy issues they raise as cloud-based AI intertwines itself in our lives more deeply every day. Oh, and it can turn on and off your lights too!

Michelle Meas

What happens when a genome database is breached?

DNA sequencing has gotten exponentially cheaper since its invention, and is rapidly becoming a popular consumer good, given as Christmas presents and advertised on Facebook. However, the companies that perform this sequencing are effectively unregulated, and what they do with the mountains of data accumulated in this process is hardly transparent. This talk will begin with an overview of gene sequencing technology, then discuss the data actually collected by many popular companies. The talk will conclude with a discussion of how this data could be weaponized by bad actors after a data breach, both now and going forwards.


Nick Wersel

Urban Foraging: Back to our Beginnings

Someone in the 1860s one day decided ‘Imma order this houseplant from Asia on Amazon and plant it in my garden!’ They clicked that Buy Now button and SIX MONTHS LATER the package arrived. Because we all know Amazon was still working on their package drone prototypes back then. Anyway now that little plant grows in all your back yards.


Vi Grey

Bet You Never Played an NES Game like This: Innovating Under Limitations

We all know someone who has a Nintendo Entertainment System (NES) sitting around collecting dust.  The 1980s gaming console was limited in its capabilities, but just how much wiggle room does that leave for mischief?  In this talk, Vi Grey will demonstrate how it is possible to innovate under the limitations the NES restricts us with to create new ways a person can interact with a game.  You will see NES games that are also fully functioning web pages and ZIP files, console memory dumps that can be opened as JPEG images, game cartridges that secretly contain other entire NES games, and much more.


Josh Bressers

Spelunking the Bitcoin blockchain

There are few topics that capture the imagination and headlines like Bitcoin. Many of us understand what Bitcoin is and how it works on a technical level. Bitcoin’s blockchain is a bit like art; sometimes you just have to see it with your own eyes.

What if we use modern big data tools to store the blockchain data in a format that can be searched, viewed, and explored? Once you can see the data you can start to discover what Bitcoin is and how it works. It stops being ones and zeros and becomes a story we can watch unfold.

We tend to think about Bitcoin in the context of moving coins around. The coins that get mined and traded are certainly interesting but they’re not the whole story. There are plenty of other interesting aspects in the Bitcoin data: watching the difficulty of the work, seeing how time of day and seasons affect the transactions flowing through the system, even understanding some of the upper bounds on what Bitcoin will be able to accomplish. We can explore this data in a visual way that can be understood.

The most interesting part of Bitcoin isn’t the coin however. It’s something called nonstandard transactions. Most transactions in the blockchain are strings of data that move coins around. But a transaction isn’t limited to only moving around coins, it can be any random string of data. There are a substantial number of transactions that contain unique and interesting strings. Strings that don’t move the coins around, strings that contain messages. Strange things that only the anonymous person who placed it there may ever understand. There are hundreds of thousands of nonstandard transactions in Bitcoin’s blockchain. We have the ability to see them now; it feels like finding a secret note someone left behind.

Let’s spend some time looking at all this data. What can we learn about how Bitcoin works? What are some trends we’re seeing? And most importantly, what are some of the secrets the blockchain holds for us to find? The best part is everything we look at is open data and all the tools we use are open source. You can continue the investigation on your own using what you learn in this session as your inspiration and guide.
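To make the "strings that don't move coins" idea concrete, here is an added example (written for this page, not the speaker's tooling) that classifies Bitcoin output scripts. An output's scriptPubKey either matches one of the standard templates (P2PKH, P2SH, P2WPKH/P2WSH, P2TR, P2PK), is an OP_RETURN data carrier whose pushed bytes are the embedded note, or is something else, which is what a blockchain explorer labels nonstandard. Script push opcodes (direct pushes of 1 to 75 bytes and OP_PUSHDATA1/2/4) are parsed by hand; the five sample outputs are constructed.

```python
"""Classify Bitcoin output scripts (scriptPubKey) into the standard templates,
OP_RETURN data carriers, and everything else, and pull out embedded data.
Stand-alone example written for this page; the scripts at the bottom are constructed."""
OP_0, OP_PUSHDATA1, OP_PUSHDATA2, OP_PUSHDATA4 = 0x00, 0x4C, 0x4D, 0x4E
OP_1, OP_RETURN, OP_DUP, OP_EQUAL, OP_EQUALVERIFY = 0x51, 0x6A, 0x76, 0x87, 0x88
OP_HASH160, OP_CHECKSIG = 0xA9, 0xAC


def tokenize(script: bytes):
    """Yield ('push', bytes) for data pushes and ('op', int) for everything else."""
    i, n = 0, len(script)
    while i < n:
        op = script[i]
        i += 1
        if 0x01 <= op <= 0x4B:                          # direct push of 1..75 bytes
            size = op
        elif op in (OP_PUSHDATA1, OP_PUSHDATA2, OP_PUSHDATA4):
            width = {OP_PUSHDATA1: 1, OP_PUSHDATA2: 2, OP_PUSHDATA4: 4}[op]
            if i + width > n:
                raise ValueError("truncated push length")
            size = int.from_bytes(script[i:i + width], "little")
            i += width
        else:
            yield ("op", op)
            continue
        if i + size > n:
            raise ValueError("truncated push data")
        yield ("push", script[i:i + size])
        i += size


def _push_of(tok, *sizes) -> bool:
    return tok[0] == "push" and len(tok[1]) in sizes


def classify(script: bytes) -> dict:
    """Return {'type': ..., 'data': bytes}: the hash or key for standard templates,
    the embedded payload for OP_RETURN, the raw script for anything nonstandard."""
    t = list(tokenize(script))
    if (len(t) == 5 and t[0] == ("op", OP_DUP) and t[1] == ("op", OP_HASH160)
            and _push_of(t[2], 20) and t[3] == ("op", OP_EQUALVERIFY) and t[4] == ("op", OP_CHECKSIG)):
        return {"type": "p2pkh", "data": t[2][1]}
    if len(t) == 3 and t[0] == ("op", OP_HASH160) and _push_of(t[1], 20) and t[2] == ("op", OP_EQUAL):
        return {"type": "p2sh", "data": t[1][1]}
    if len(t) == 2 and t[0] == ("op", OP_0) and _push_of(t[1], 20, 32):   # segwit v0
        return {"type": "p2wpkh" if len(t[1][1]) == 20 else "p2wsh", "data": t[1][1]}
    if len(t) == 2 and t[0] == ("op", OP_1) and _push_of(t[1], 32):       # segwit v1 (taproot)
        return {"type": "p2tr", "data": t[1][1]}
    if len(t) == 2 and _push_of(t[0], 33, 65) and t[1] == ("op", OP_CHECKSIG):
        return {"type": "p2pk", "data": t[0][1]}
    if t and t[0] == ("op", OP_RETURN) and all(kind == "push" for kind, _ in t[1:]):
        return {"type": "op_return", "data": b"".join(d for _, d in t[1:])}
    return {"type": "nonstandard", "data": script}


def embedded_text(data: bytes) -> "str | None":
    """Decode a payload as UTF-8 text when it is mostly printable, else None."""
    try:
        text = data.decode("utf-8")
    except UnicodeDecodeError:
        return None
    printable = sum(c.isprintable() for c in text)
    return text if text and printable / len(text) >= 0.9 else None


def scan(outputs) -> list:
    """Summarise each output as (type, decoded OP_RETURN text or None)."""
    result = []
    for spk in outputs:
        info = classify(spk)
        text = embedded_text(info["data"]) if info["type"] == "op_return" else None
        result.append((info["type"], text))
    return result


# constructed outputs, as they would appear in a transaction's vout list
SAMPLE_OUTPUTS = [
    bytes([OP_DUP, OP_HASH160, 0x14]) + b"\x01" * 20 + bytes([OP_EQUALVERIFY, OP_CHECKSIG]),
    bytes([OP_0, 0x14]) + b"\x02" * 20,
    bytes([OP_RETURN, 0x14]) + b"hello from the chain",
    bytes([OP_RETURN, OP_PUSHDATA1, 0x03]) + b"\xff\x00\x80",   # binary payload, not text
    bytes([0x75, OP_1]),                                          # OP_DROP OP_1: no standard template
]

if __name__ == "__main__":
    for row in scan(SAMPLE_OUTPUTS):
        print(row)
```

Feeding the vout scripts of a block through scan() is enough to separate the coin movements from the notes; the same tokenizer also catches malformed scripts (a push that runs past the end), which is worth keeping as an explicit error when the input is untrusted chain data.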


J Wolfgang Goerlich

Encryption, Silver Bullets, and Holy Water

Werewolves attack? We have silver bullets. Vampires attack? We have holy water. Criminal hackers attack? We have encryption. Or at least, that’s how we’d like it to play out. The villains come and the heroes beat them back. But too often, encryption is like water without the holy, bullets without the silver. The configuration is wrong, or the code is incomplete, or other simple flaws trip us up. This talk will cover how and where to architect for encryption to get real protection.


Antoinette Stevens

A Kinesthetic Approach to Learning Encryption

Kinesthetic (also sometimes referred to as tactile) learning style usually means that someone learns best by physically doing something to fully learn and memorize a topic. As a kinesthetic learner, it is a must for me to see and fully engage with a topic before I grasp it fully. I’ve found that Capture The Flag (CTF) competitions are the best way for me to fully understand security concepts because I can read about it and understand the concepts and then apply it and watch it in action, creating a full multi-sensory learning experience that helps me to retain those concepts in my memory for later use. This talk explores my approach to learn more about RSA and AES through the recreation of CTF challenges. We’ll look at my (very long and extremely frustrating) process of recreating an AES ECB challenge and an RSA short key-length challenge, the lessons I learned from both, the lessons I’m still trying to understand, and why I believe it doesn’t matter whether you’re a novice or an expert, CTFs are the best way to learn something new —especially if you have a kinesthetic learning style.
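For readers who have not met the two challenge types named above, here is an added example (written for this page, not the speaker's recreated challenges) of what each one teaches in code. The RSA half factors a modulus that is far too short with Pollard's rho and rebuilds the private exponent from the factors; the primes are a constructed 40-bit toy, chosen so the factoring finishes instantly. The ECB half uses a keyed hash as a labelled stand-in for a block cipher (it is not AES and cannot be decrypted), because the flaw being shown is a property of the mode: equal plaintext blocks become equal ciphertext blocks, which a counter mode over the same stand-in does not exhibit.

```python
"""Two CTF lessons rebuilt as code: an RSA modulus that is far too short is
factored instantly, and ECB mode reveals which plaintext blocks are equal.
Stand-alone example; the block cipher below is a labelled stand-in, not AES."""
import hashlib
import math

# --- RSA with a short modulus ---------------------------------------------

def pollard_rho(n: int) -> int:
    """Return a nontrivial factor of composite n (Pollard's rho, Floyd cycle-finding).
    Work grows roughly with the fourth root of n, so a 40-bit modulus falls at once."""
    if n % 2 == 0:
        return 2
    c = 1
    while True:                       # retry with another polynomial if the walk degenerates
        x = y = 2
        d = 1
        while d == 1:
            x = (x * x + c) % n
            y = (y * y + c) % n
            y = (y * y + c) % n
            d = math.gcd(abs(x - y), n)
        if d != n:
            return d
        c += 1


def break_short_rsa(n: int, e: int, ciphertext: int) -> int:
    """Recover the private exponent from the factors of n and decrypt."""
    p = pollard_rho(n)
    q = n // p
    phi = (p - 1) * (q - 1)
    d = pow(e, -1, phi)               # modular inverse (Python 3.8+)
    return pow(ciphertext, d, n)


# constructed challenge: two 20-bit primes give a 40-bit modulus; e = 65537
P, Q, E = 1_000_003, 999_983, 65_537
N = P * Q
M = int.from_bytes(b"ctf", "big")     # the "flag"; must be smaller than N
CT = pow(M, E, N)

# --- ECB versus a mode whose keystream changes per block --------------------

def _block_prf(key: bytes, data: bytes) -> bytes:
    """Keyed 16-byte pseudorandom function standing in for a block cipher.
    It is NOT AES and cannot be inverted; for this demonstration it only has to
    be deterministic for a given (key, block) pair."""
    return hashlib.sha256(key + data).digest()[:16]


def ecb_encrypt_standin(key: bytes, pt: bytes) -> bytes:
    """Each 16-byte block is transformed independently: equal blocks in, equal blocks out."""
    if len(pt) % 16:
        raise ValueError("plaintext must be a multiple of 16 bytes")
    return b"".join(_block_prf(key, pt[i:i + 16]) for i in range(0, len(pt), 16))


def ctr_encrypt_standin(key: bytes, nonce: bytes, pt: bytes) -> bytes:
    """Counter mode over the same stand-in: the keystream differs for every block."""
    out = bytearray()
    for i in range(0, len(pt), 16):
        ks = _block_prf(key, nonce + (i // 16).to_bytes(8, "big"))
        out += bytes(a ^ b for a, b in zip(pt[i:i + 16], ks))
    return bytes(out)


def repeated_blocks(ct: bytes, bs: int = 16) -> int:
    """Number of duplicate blocks; anything above zero is the ECB tell used in CTFs."""
    blocks = [ct[i:i + bs] for i in range(0, len(ct), bs)]
    return len(blocks) - len(set(blocks))


if __name__ == "__main__":
    print("recovered:", break_short_rsa(N, E, CT).to_bytes(3, "big"))
    pt = b"A" * 64
    print("ECB repeats:", repeated_blocks(ecb_encrypt_standin(b"k", pt)))
    print("CTR repeats:", repeated_blocks(ctr_encrypt_standin(b"k", b"nonce", pt)))
```

The same repeated_blocks() check is how the classic "is this oracle using ECB?" step is done: submit 32 or more identical bytes and look for a duplicate ciphertext block; with a real 2048-bit RSA modulus pollard_rho() would never return, which is the whole point of the key-length lesson.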


Matthew Werner

Anatomy of a Hotwallet – Bitcoin at Scale

Coinbase has become one of the leading cryptocurrency exchanges in the world. The systems we’ve built to satisfy the increasing volume of sends and receives on a variety of blockchains are called our “hot wallet”. Operating these systems requires special technical expertise and a strong understanding of the nuances of these new technologies. This talk describes how the systems operate, challenges we’ve faced, and how we’ve overcome these constraints to provide our customers with a world-class cryptocurrency product. The talk will include topics such as fee estimation, coin selection, change splitting, UTXO consolidation, and child pays for parent.
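The last sentence lists mechanisms without explaining them, so here is an added example (written for this page, not Coinbase's hot wallet code) that shows the arithmetic behind four of them in a minimal wallet: a fee estimate from transaction virtual size, largest-first coin selection that drops a change output when it would be dust, the fee a child transaction must carry to lift a stuck parent (child pays for parent), and a check of whether consolidating small UTXOs at a low fee rate pays for itself. The per-input and per-output sizes are the usual approximations for native segwit (P2WPKH) spends, the dust threshold is the one Bitcoin Core applies to such outputs, and the wallet contents are constructed.

```python
"""Fee estimation, coin selection, change handling, child-pays-for-parent and
UTXO consolidation arithmetic for a minimal wallet. Stand-alone example using the
usual virtual-size approximations for P2WPKH inputs/outputs; the UTXOs are constructed."""
import math
from dataclasses import dataclass

IN_VB, OUT_VB, OVERHEAD_VB = 68, 31, 11   # approx vbytes: P2WPKH input, P2WPKH output, fixed tx overhead
DUST_SATS = 294                            # assumption: Bitcoin Core's dust threshold for a P2WPKH output


@dataclass(frozen=True)
class Utxo:
    txid: str
    vout: int
    value: int    # satoshis


def estimate_fee(n_in: int, n_out: int, feerate: float) -> int:
    """Fee in satoshis for a tx with the given input/output counts at feerate sat/vB."""
    vsize = OVERHEAD_VB + n_in * IN_VB + n_out * OUT_VB
    return math.ceil(vsize * feerate)


def select_coins(utxos, target: int, feerate: float):
    """Largest-first selection. Returns (inputs, fee, change); change is 0 when the
    remainder would be dust, in which case it is left to the miner as extra fee.
    Inputs worth less than their own spending cost are skipped at this feerate."""
    chosen, total = [], 0
    for u in sorted(utxos, key=lambda u: u.value, reverse=True):
        if u.value <= IN_VB * feerate:
            continue                                              # uneconomical to spend now
        chosen.append(u)
        total += u.value
        fee_with_change = estimate_fee(len(chosen), 2, feerate)   # recipient + change output
        fee_no_change = estimate_fee(len(chosen), 1, feerate)     # recipient only
        change = total - target - fee_with_change
        if change >= DUST_SATS:
            return chosen, fee_with_change, change
        if total >= target + fee_no_change:
            return chosen, total - target, 0                      # small remainder absorbed into fee
    raise ValueError("insufficient funds for target plus fee")


def cpfp_child_fee(parent_fee: int, parent_vsize: int, child_vsize: int, target_feerate: float) -> int:
    """Fee a child spending the stuck parent must pay so the package (parent + child)
    reaches target_feerate; never less than the child's own share at that rate."""
    package_needed = math.ceil((parent_vsize + child_vsize) * target_feerate) - parent_fee
    return max(package_needed, math.ceil(child_vsize * target_feerate))


def consolidation_saving(n_small: int, low_feerate: float, high_feerate: float) -> int:
    """Satoshis saved by merging n_small UTXOs into one now at low_feerate versus
    spending them one day at high_feerate (negative means it is not worth doing)."""
    cost_now = estimate_fee(n_small, 1, low_feerate)
    saved_later = (n_small - 1) * IN_VB * high_feerate   # n inputs later vs. the single merged one
    return math.floor(saved_later - cost_now)


# constructed wallet contents (txids are placeholders)
WALLET = [
    Utxo("aa" * 32, 0, 30_000),
    Utxo("bb" * 32, 1, 25_000),
    Utxo("cc" * 32, 0, 8_000),
    Utxo("dd" * 32, 3, 600),        # below its own input cost at 20 sat/vB
]

if __name__ == "__main__":
    ins, fee, change = select_coins(WALLET, 50_000, 20)
    print("inputs:", [u.value for u in ins], "fee:", fee, "change:", change)
    print("CPFP child fee:", cpfp_child_fee(1_000, 200, 110, 20))
    print("consolidate 10 small UTXOs at 2 sat/vB vs 50 later:", consolidation_saving(10, 2, 50))
```

Change splitting (several change outputs so later sends do not queue behind one unconfirmed output) is the one listed topic left out; it adds outputs to the same estimate_fee() call and is otherwise a policy decision about how many parallel spends the wallet needs.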

Arden Meyer

Privilege Escalation in Mechanical Master-Key Systems

The mechanical pin and tumbler locks we use on our homes, schools, and businesses have not changed much in over 100 years. Sure, there have been some exotic new designs but most are just not fiscally feasible compared to their relatively minor improvements (if any) in security. A feature desired on large scale deployments is called Master Keying, which allows for many unique key/lock combinations while supporting multiple permission levels commonly referred to as “janitor keys” or “security keys” that can open multiple locks. While these systems are still in use around the globe in medium-to-large scale businesses, schools, and government buildings, they are also susceptible to what some consider to be the original privilege escalation attack. We will talk about an optimization attack against the most common master keyed lock systems in use today, reducing the potential attack surface from 1,000,000 permutations for an SC4 keyway system down to 42 steps to find the highest privilege key.
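To show why a master-keyed lock is an oracle the change-key holder can query, here is an added simulation (written for this page, not the speaker's procedure) of the adaptive rights-amplification attack Matt Blaze published in 2003. Each pin stack in a master-keyed lock has two shear points, one for the change key and one for the master; the attacker files test keys that differ from their own key at a single position and learns the master cut there from which one opens the lock. The general bound is positions × (depths − 1) test keys, 54 for the six-pin, ten-depth system assumed here; the abstract's figure of 42 steps for the SC4 system comes from constraints the abstract does not spell out, so the block does not claim it. The lock model is generic, not any particular product.

```python
"""Simulation of the adaptive rights-amplification attack on a master-keyed
pin-tumbler system (the technique published by Matt Blaze in 2003), written for
this page as an added example; the lock below is a model, not any specific product."""
import random

PINS, DEPTHS = 6, 10     # assumption: six pin positions, ten cut depths -> 10**6 possible keys


class MasterKeyedLock:
    """Each pin stack has two shear points: one at the change-key depth and one
    at the master depth. A key opens the lock iff every position hits one of them."""

    def __init__(self, change_key, master_key):
        assert len(change_key) == len(master_key)
        self.change = tuple(change_key)
        self.master = tuple(master_key)
        self.tests = 0           # keys tried so far: the attacker's cost

    def opens(self, key) -> bool:
        self.tests += 1
        return all(k in (c, m) for k, c, m in zip(key, self.change, self.master))


def recover_master(lock: MasterKeyedLock, change_key):
    """The attacker holds one legitimate change key for this lock. For each position,
    cut a test key to a foreign depth and leave the other positions at the change-key
    cuts; the only foreign depth that still opens the lock is the master cut there.
    Positions where no foreign depth works are shared between change and master key."""
    master = list(change_key)
    for pos in range(len(change_key)):
        for depth in range(DEPTHS):
            if depth == change_key[pos]:
                continue
            probe = list(change_key)
            probe[pos] = depth
            if lock.opens(probe):
                master[pos] = depth
                break
    return tuple(master)


def worst_case_tests(pins: int = PINS, depths: int = DEPTHS) -> int:
    """Upper bound on keys tried: each position needs at most depths-1 probes."""
    return pins * (depths - 1)


def demo(seed: int = 1):
    """Random system: the master differs from the change key at every position but one."""
    rng = random.Random(seed)
    master = [rng.randrange(DEPTHS) for _ in range(PINS)]
    change = [(m + rng.randrange(1, DEPTHS)) % DEPTHS for m in master]
    change[2] = master[2]
    lock = MasterKeyedLock(change, master)
    recovered = recover_master(lock, change)
    return recovered == tuple(master), lock.tests


if __name__ == "__main__":
    ok, tests = demo()
    print(f"master recovered: {ok} after {tests} test keys "
          f"(bound {worst_case_tests()}, brute force {DEPTHS ** PINS:,})")
```

The oracle is the physical lock, so each opens() call is one filed key inserted and turned; that cost, not the 10**6 keyspace, is what the attack optimises, and it is why the defence is organisational (who holds change keys) rather than more depths.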


Russ From

Micro And Nano-Segmentation: Lessons Learned From The Field, Thoughts On The Future

This presentation introduces Micro-Segmentation and includes industry adoption statistics, strategies, and implementation examples. This presentation came from my personal experience implementing Micro-Segmentation in a fully virtualized hosted infrastructure environment for many large hospital systems. This talk will cover why we need segmentation, what the benefits are, how it evolved, and what it enables before explaining a flaw of Micro-Segmentation and how it is addressed using the recently defined term Nano-Segmentation. I also briefly touch on the famous Zero Trust Model and how Micro-Segmentation makes security more effective by following the principles of the Zero Trust Framework. Last, I will briefly cover how any organization can implement Micro and Nano-Segmentation using Tanium in a physical and/or virtual environment that scales up to millions of endpoints.


Rick Ramgattie

Journey to Command Injection: Hacking the Lenovo ix4-300d

Fully compromising an embedded device isn’t always as easy as sending a GET request with admin=true. Sometimes, owning an embedded device takes multiple different vulnerabilities, creativity, and a little finesse. In this live demo, we show how we were able to chain multiple vulnerabilities in the Lenovo ix4-300d network attached storage (NAS) device into a remote exploit that can be executed with little user interaction. As a result, an adversary can provide the victim with a link to a malicious page that grants the attacker the ability to extract all information stored on the victim’s NAS, and the ability to execute arbitrary operating system (OS) commands on the compromised NAS. In the talk we cover how we first identified command injection, then used cross-site scripting (XSS) and cross-site request forgery (CSRF) to build an exploit that would hijack values stored in the victim’s browser storage, issue a malicious request on the user’s behalf, and issue an OS command to open a remotely accessible operating system shell.
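Neither this abstract nor the Buffalo TeraStation one above gives the specifics of the bugs, so here is the generic shape of the oversight both talks turn into a shell, as an added example written for this page and not taken from either product: a NAS "diagnostics" handler that passes a user-supplied hostname to a system tool. The vulnerable form splices the value into a shell command line; the half-fixed form drops the shell but still lets a dash-prefixed value become an option to the tool; the hardened form allow-lists the value and execs with an argv list. `echo` stands in for the real tool so the block runs anywhere, and the payload is constructed. The XSS/CSRF stages of the Lenovo chain only deliver the request from the victim's browser and are not modelled.

```python
"""A NAS-style 'network diagnostics' handler that shells out to a system tool,
in a deliberately vulnerable form, a half-fixed form, and a hardened form.
Stand-alone example written for this page; not code from either product. `echo`
stands in for the real diagnostic tool so the example runs without network access."""
import re
import subprocess

# hostname allow-list: letters, digits, dots and hyphens, and no leading '-',
# so the value can never be read as an option by the tool it is handed to
HOSTNAME = re.compile(r"^[A-Za-z0-9][A-Za-z0-9.-]{0,252}$")

PAYLOAD = "example.com; echo INJECTED"      # constructed attacker input


def diag_vulnerable(host: str) -> str:
    """The oversight: user input is spliced into a command line run by /bin/sh,
    so ';', '|', '$(...)' and friends run attacker-chosen commands."""
    cmd = "echo PING " + host
    return subprocess.run(cmd, shell=True, capture_output=True, text=True).stdout


def diag_no_shell(host: str) -> str:
    """Half a fix: with an argv list and no shell the metacharacters are inert
    (the whole payload becomes one argument), but a value such as '-n' would
    still be parsed as an option by the real tool."""
    return subprocess.run(["echo", "PING", host], capture_output=True, text=True).stdout


def diag_hardened(host: str) -> str:
    """Validate against the allow-list first, then exec without a shell. Rejecting
    bad input outright is also what stops a CSRF-delivered request from being useful."""
    if not HOSTNAME.match(host):
        raise ValueError("invalid hostname")
    out = subprocess.run(["echo", "PING", host], capture_output=True, text=True, check=True)
    return out.stdout


def demo() -> dict:
    """Run the three handlers against the payload and a benign host."""
    try:
        hardened = diag_hardened(PAYLOAD)
    except ValueError as exc:
        hardened = f"rejected: {exc}"
    return {
        "vulnerable": diag_vulnerable(PAYLOAD),
        "no_shell": diag_no_shell(PAYLOAD),
        "hardened_payload": hardened,
        "hardened_benign": diag_hardened("nas.example.com"),
    }


if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name}: {result!r}")
```

The second output line from diag_vulnerable() is the injected command's output; in a real device that line would be the attacker's reverse shell starting. The allow-list is deliberately stricter than the hostname grammar, since the goal is to accept what the feature needs and nothing more.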