I am incredibly grateful that @rk and I had a chance to speak at Black Hat and DEF CON this year (https://i.blackhat.com/BH-US-24/Presentations/REVISED02-US24_Moore_Secure_Shells_in_Shambles_Wednesday.pdf).

Even after 20+ years of speaking at security conferences the entire process is anxiety-inducing, and nothing ever seems cool enough to share with the community. I've had two other talks rejected this year (BSidesLV & a public sector event) and I agree with their reasoning. I'm also excited to keynote LASCON (https://lascon.org/) and hoping to get accepted for JawnCon (https://www.jawncon.org/). I love that our community cares about the quality and appropriateness of a submission over favoritism to (what must now be) the "old guard".

If you have something unique to share with the world, please do so, and don't let the rejections keep you from continuing to apply to CFPs. A great resource for upcoming conferences is CFP Time: https://www.cfptime.org/home

SSHamble v0.0.3 is live with support for compromised host key detection through a data integration with Hanno Böck's lovely @badkeys project:

https://github.com/runZeroInc/sshamble

$ go install github.com/runZeroInc/sshamble@latest

$ sshamble badkeys-update

$ sshamble scan --checks=badkeys-blocklist 192.168.0.0/24

[*] 192.168.0.9:22 badkeys-blocklist found compromised hostkey: https://github.com/SecurityFail/kompromat/blob/master/src/firmware/rapid7-ssh-badkeys/host/Trendnet_tew816drm_rsa.key

A great post by Ben Hawkes on the then and now of OpenSSH backdoors: https://blog.isosceles.com/openssh-backdoors/

Some highlights:

>In practice though, everyone runs a systemd-based Linux distribution of some sort – in which case you end up running code from around 30 different packages in your OpenSSH address space (including our friends xz and zlib of course). That's already starting to get uncomfortable.

>That means the supply chain integrity for practically everything relies on the integrity of a2hosting.com and the absence of any remote exploits in CPanel or exim.

Tune into a special edition of runZero Hour for a deep dive on the Secure Shell (SSH) research we presented at Black Hat and DEF CON. This webcast covers even more research along with recent updates to SSHamble, our open source tool for conducting security audits of SSH implementations:

https://www.runzero.com/sshamble/

Hello DEF CON 32! @rk and I will be presenting "SSHamble: Unexpected Exposures in SSH" today at 1:00pm in room L1 - HW1-11-02 (Track 2). Please swing by if you like SSH and/or free shells:

https://defcon.org/html/defcon-32/dc-32-speakers.html#54452

This is a really cool use for IP fragmentation + TCP segmentation (in 2024!): Beyond the Limit: Expanding single-packet race condition with a first sequence sync for breaking the 65,535 byte limit: https://flatt.tech/research/posts/beyond-the-limit-expanding-single-packet-race-condition-with-first-sequence-sync/

Attending BSidesLV? I really enjoyed working with the @HexxedBitHeadz duo to support their first speaking engagement in the Proving Ground at 14:00pm on Wednesday. Their presentation is 🔥 and if you love Skyrim, even better!

A New Host Touches the Beacon

>Join us on an epic journey through the enchanting realms of Skyrim and the shadowy world of hacking in our first-ever technical blog turned talk. As passionate Skyrim players and modders, we stumbled upon an unexpected revelation – malicious Skyrim mods with the potential for real-world impact. In this presentation, we explore the intersection of gaming and cybersecurity by demonstrating a malicious Skyrim mod. This mod, triggered by the seemingly innocuous in-game item "Meridia’s Beacon," unleashes a reverse shell to an attacker host. Our journey unfolds as we probe into the complexities of crafting this mod, touching on research, development, and testing. Discover the unexpected dangers lurking in the world of gaming and gain insights into the fascinating realm of hacking studies. Prepare for a “Fus Ro Dah” of a time as we showcase not only the capture of a netcat reverse shell but the transformation of our payload into a full-blown Command and Control (C2) beacon.

https://bsideslv.org/talks#FELX39

"How many slides are there in a 40-minute talk Michael, 100?" @rk and I are super excited to share our investigation into the Secure Shell protocol and implementations this Wednesday at Black Hat USA (3:20pm-4:00pm in South Pacific F, Level 0).

This presentation may feel more like a rap battle than a lecture given the quantity of material and available time, but it should be a blast.

If you would like to be notified when our new open source tool, "SSHamble", is released, you can sign up here:

https://www.runzero.com/sshamble-access/

CrowdStrike attempts takedown of parody site: https://clownstrike.lol/crowdmad/

(cue references to https://en.wikipedia.org/wiki/Streisand_effect)

@screaminggoat thanks! amazing year so far (and how easy it is to forget about previous events)