BSides London 2021

Saturday, November 13, 2021

How we hacked your billion dollar company for forty-two bucks

This talk will be about some common but surprising flaws found during a year of red teaming and how to check for, exploit and defend against them. In particular, combining several seemingly low-risk authentication problems can allow for a successful compromise of a user account without always resorting to phishing, giving the attacker a foothold within the organisation. None of these attacks are particularly novel, but the impact of chaining the individual issues does not seem to be well understood. We also digress slightly into an appeal against traditional infosec gatekeeping – partly because no special magic is required for these attacks, just a month or two’s use of a Linux VPS. Patience, curiosity and outright stubbornness help too, of course.