BEGIN:VCALENDAR VERSION:2.0 PRODID:Data::ICal 0.24 BEGIN:VEVENT DESCRIPTION: 'Title: Shopping for Vulnerabilities - How Cloud Service Pro vider\n Marketplaces can Help White and Black Hat Vulnerability Research \n When: Friday\, Aug 12\, 11:30 - 11:59 PDT\n Where: Flamingo - Sunse t-Scenic Ballroom (Cloud Village) - [1]Map\n\n SpeakerBio:Alexandre Siei ra\n Alexandre (or Alex) Sieira is a successful information security\n entrepreneur in the information security field with a global footprint\n since 2003. He began his security career as a Co-Founder and CTO of\n CIPHER\, an international security consulting and MSSP headquartered in\n Brazil which was later acquired by Prosegur. In 2015\, he became\n Co- Founder and CTO of Niddel\, a bootstrapped security analytics SaaS\n sta rtup running entirely on the cloud\, which was awarded a Gartner\n Cool Vendor award in 2016. After the acquisition of Niddel by Verizon\n in Ja nuary 2018\, he became the Senior manager and global leader of the\n Man aged Security Services - analytics products under the Detect &\n Respond portfolio tower at Verizon. Currently is the CEO and\n Co-Founder of Te nchi Security\, a company focused on cloud security.\n\n Alex is also an experienced speaker having presented at Black Hat\,\n BSides SF\, FIRST Conference\, DEF CON Cloud Village and local events in\n Brazil several times over his career.\n\n Twitter: [2]@AlexandreSieira\n\n Descripti on:\n Recently the Conti ransomware group internal chat leaks was\n fa scinating reading. Among other things\, it reminded us that both\n well- intentioned and malicious actors are constantly trying to find\n ways to find vulnerabilities and develop exploits to widely used IT\n products. This is particularly true those that are externally exposed\n firewalls \, VPNs and load balancers\, or security products that might\n thwart th eir techniques and tools. The timeline from the chats seems\n to show a gap of several months between Conti members trying to\n procure either a ppliances or commercial software that they were trying\n to get for thes e purposes. This got us thinking about how the major\n cloud service pro viders these days have marketplaces where you can\n easily buy virtual a ppliances or SaaS licenses for lots of widely used\n IT and security pro ducts with little more than a valid credit card\, in\n minutes. And we d ecided to check how feasible it is to use this to\n conduct vulnerabilit y research. In this presentation we will show what\n kind of access one can get to the internals of IT and security\n products using these marke tplaces\, particularly in the case of\n products only typically offered in hardware appliances. Which cloud\n providers try to prevent this sort of activity\, how they do it\, which\n ones simply don't care\, and wha t techniques we were able to use to\n access these appliance's internals . The objective here is threefold:\n 1) help well intentioned vulnerabil ity researchers find an easier\n avenue to do their work\; 2) allow clou d providers to get a better\n understanding of how their marketplaces ca n be abused and which\n controls they could implement to mitigate that r isk\, and 3) let IT and\n security vendors realize the added exposure of publishing their\n products on these marketplaces.\n '\n\n 1. https ://defcon.outel.org/consolidated_page.html#FlamingoThirdFloor\n 2. https ://twitter.com/AlexandreSieira\n\n\n DTEND:20220812T185900Z DTSTART:20220812T183000Z LOCATION:CLV - Flamingo - Sunset-Scenic Ballroom (Cloud Village) SUMMARY:Shopping for Vulnerabilities - How Cloud Service Provider Marketpla ces can Help White and Black Hat Vulnerability Research END:VEVENT END:VCALENDAR