Friday, February 7
 

8:00am MST

Martial Arts Training Meetup
Friday February 7, 2025 8:00am - 8:45am MST
Looking to beat the jet lag, get an easy workout in, or just meet some cool people?

Join us Thursday and Friday morning for a mix of mobility training, self-defense skills and other technique practice.

Everyone is welcome! It does not matter if you have never thrown a punch or just got your black belt in Jiu-Jitsu. Instruction will be led by Cameron Cartier, but others are welcome to share their favorite tools, techniques, and tradecraft as well.
Track 1 - Colorado Ballroom Lower Level II

9:00am MST

Breaking Free From the Chains of Fate - Bypassing AWSCompromisedKeyQuarantineV2 Policy
Friday February 7, 2025 9:00am - 9:50am MST
Amazon's AWSCompromisedKeyQuarantineV2 policy is not the panacea it might seem. Join us on an adventure of all the myriad ways to work around this policy, when you discover leaked keys in the wild. This presentation is a fun, multimedia exploration of all the shortcomings of the AWSCompromisedKeyQuarantineV2 policy that is attached whenever Amazon detects that a key and secret pair have been leaked in the wild. We'll include demos of actual exploitation and color commentary on how this policy and defender strategy can be improved.
Speakers
Bleon Proko

Bleon is an Info-sec passionate about Infrastructure Penetration Testing and Security, including Active Directory, Cloud (AWS, Azure, GCP, Digital Ocean), Hybrid Infrastructures, as well as Defense, Detection and Threat Hunting. He has presented at conferences like BlackHat and BSides...
Track 1 - Colorado Ballroom Lower Level II

10:00am MST

Social Engineering My Way Into Conferences
Friday February 7, 2025 10:00am - 10:50am MST
Over the years, I've managed to get into numerous security and other conferences, and this talk will share some of the most intriguing stories of how I did it. By using a mix of social engineering, reconnaissance, insider knowledge, and quick thinking, I was able to navigate these events successfully. Social engineering played a key role, where I manipulated human psychology to gain access, often by exploiting the natural tendency to trust authority or the desire to be helpful. Reconnaissance was crucial, as gathering information about the event and its organizers helped me identify potential entry points. Quick thinking allowed me to adapt to unexpected situations, such as changes in security protocols. Throughout these experiences, I carefully considered the ethical implications, ensuring my actions didn't harm others or violate laws. I'll share specific stories where I gained entry by posing as an authority figure or creating a believable scenario to gain trust. Each experience taught me valuable lessons about human behavior and security vulnerabilities, highlighting the need for increased awareness and training in cybersecurity to defend against such tactics. This talk emphasizes the importance of ethical considerations in using social engineering techniques.
Speakers
Frank Trezza

Frank Trezza is a penetration tester, senior security engineer, chief hacking officer, and hacker
Track 1 - Colorado Ballroom Lower Level II

11:00am MST

A Journey from Alert(1) to P1 (Cat Pic Graffiti and Phishing Payloads)
Friday February 7, 2025 11:00am - 11:50am MST
Tired of taking screenshots of alert boxes? Join me for a working session to discuss how to use JavaScript and DOM manipulation to craft a believable XSS phishing payload resulting in code execution in a target domain. This session was inspired while working on a web application pentest with some colleagues. They asked me to generate an XSS payload to help demonstrate impact within existing CSP restrictions. Today, I am hosting a learning session to show an approach for turning a reflected XSS bug from alert(1) to P1. This includes a live demo / working session to turn a target domain into a phishing page (and maybe some cat pics) and a discussion about how to turn that into a shell. Attendees are encouraged to follow along in their browsers. Following this session, you will emerge with additional knowledge of (1) manipulating the browser's DOM with JS, (2) CSP Limitations (and bypasses), and (3) a methodology for how to turn XSS into a phishing payload from scratch.
Speakers
Cary Hooper

Cary Hooper is an offensive security engineer working for a Fortune 500 institution. Cary is a combat veteran and graduate of the United States Military Academy at West Point. He led technical and non-technical teams within the Army Engineer Corps and Cyber Command. Cary’s certifications...
Track 1 - Colorado Ballroom Lower Level II

1:00pm MST

From User to Entra ID Admin
Friday February 7, 2025 1:00pm - 1:50pm MST
It only takes minutes for an attacker to compromise an account with access. And the account doesn't even need to have obvious privileged rights for the attacker to own the cloud environment. This talk covers methods in Entra ID to go from standard user access to Entra ID Global Admin.
Speakers
Sean Metcalf

Sean Metcalf is founder and CTO at Trimarc (TrimarcSecurity.com), a professional services company which focuses on improving enterprise security. He is one of about 100 people in the world who holds the Microsoft Certified Master Directory Services (MCM) Active Directory certification...
Track 1 - Colorado Ballroom Lower Level II

2:00pm MST

AI-Driven OSINT in the Hands of Cybercriminals
Friday February 7, 2025 2:00pm - 2:50pm MST
Cybercriminals increasingly leverage Artificial Intelligence (AI) and Generative AI in Open Source Intelligence (OSINT) activities to enhance reconnaissance efforts targeting individuals and organizations. By utilizing AI-driven techniques, attackers can efficiently gather, analyze, and exploit publicly available data, facilitating the creation of highly targeted and convincing social engineering schemes, phishing campaigns, and other forms of cyber attacks. The role of AI in OSINT not only broadens the scope of potential attack vectors but also raises significant considerations for cybersecurity strategies focused on detecting and mitigating AI-enhanced threats.
Speakers
James McQuiggan

Security Awareness Advocate, KnowBe4
James McQuiggan has over 20 years of experience in cybersecurity and is currently Security Awareness Advocate for KnowBe4, where he is responsible for amplifying the organization’s messaging related to the importance of, effectiveness of and the need for new-school security awareness...
Track 1 - Colorado Ballroom Lower Level II

3:00pm MST

Baselining For Bad Things With Surveyor!
Friday February 7, 2025 3:00pm - 3:50pm MST
Surveyor is a free and open source tool for quickly baselining your environments to help identify abnormal activity. You can use it to query supported endpoint detection and response (EDR) products in search of potentially dangerous software that shouldn’t be in your environment. In this session, we’ll look at remote monitoring and management (RMM) tools as an illustrative example—they have a variety of legitimate use cases, but bad guys use them as well. You’ll learn how to use Surveyor to list all of the RMM tools present in your environment, including ones you might not expect to be there.
Speakers
Tre Wilkins

Threat Researcher, Red Canary
As a threat researcher at Red Canary, Tre leads research initiatives to analyze adversary techniques, develop automation code, and manage test environments for simulating and studying threats. These efforts enhance and refine threat detection and hunting strategies. He started his...
Track 1 - Colorado Ballroom Lower Level II

4:00pm MST

Real-World AI Risks (And Mitigating Them)
Friday February 7, 2025 4:00pm - 4:50pm MST
2024 was the year of fear, uncertainty, and doubt about generative AI. Many organizations moved rapidly to deploy AI solutions for "fear of being left behind" while others struggled with understanding their security implications. Regardless of how you feel about AI, one thing is for sure: AI is being embedded in the products your organization deploys. That means stakeholders will be looking to you to secure it. In this talk, Jake will break down the real risks of generative AI applications while helping to dispel the FUD. You'll walk away better equipped to answer questions from stakeholders and with the confidence that you're focusing your limited security resources in the right places.
Speakers
Jake Williams

Jake Williams (aka MalwareJake) is a seasoned security researcher with decades of experience in the technology and security industries. Jake is a former startup founder, former senior SANS instructor and course author, and an intelligence community and military veteran. He loves forensics...
Track 1 - Colorado Ballroom Lower Level II

5:00pm MST

Closing Ceremony and Awards
Friday February 7, 2025 5:00pm - 5:15pm MST
Speakers
John Strand

John Strand has both consulted and taught hundreds of organizations in the areas of security, regulatory compliance, and penetration testing. He is a coveted speaker and much-loved SANS teacher. John is a contributor to the industry-shaping Penetration Testing Execution Standard and...
Track 1 - Colorado Ballroom Lower Level II
 