BSides Las Vegas is a nonprofit organization formed to stimulate the Information Security industry and community.

NCC Group Cryptography Services team assessed security aspects of several implementations of the QUIC NCC Group Cryptography Services team assessed security aspects of several implementations of the QUIC protocol. During the course of their reviews, the team…

A walkthrough of OpenBSD's BSD Authentication framework

Exploiting Flipper Zero's NFC file loader

In this blogpost we demonstrate an attack on the integrity of Sysmon which generates a minimal amount of observable events making this attac...

Monkey 365 is an Open Source security tool that can be used to easily conduct not only Microsoft 365, but also Azure subnoscriptions and Azure Active Directory security configuration reviews without the significant overhead of learning tool APIs or complex…

Surprisingly, a sizable number of submissions for dApp Start Here level was by swapping int32 with uint. These submission fail for a good reason. The security vulnerability has not been fixed! Let’s find out why. uint is an alias for uint256. It has…

So you got access to a Laravel .env file, now what?

Flutter applications can be found in security analysis projects or bugbounty programs. Most often, such assets are simply overlooked due to the lack of methodologies and ways to reverse engineer them. I decided not to skip this anymore and developed the reFlutter…

When stealing IAM credentials from an EC2 instance you can avoid a GuardDuty detection by using VPC Endpoints.

Firecracker is a microVM manager in Rust that powers AWS services like Lambda and Fargate. It's also one of the key components of Grapl's multi-tenant isolation. A critical dependency deserves some red teaming - here's how we attacked AWS Firecracker.

In my first blog post covering bugs in Ivanti Avalanche, I covered how I reversed the Avalanche custom InfoRail protocol, which allowed me to communicate with multiple services deployed within this product. This allowed me to find multiple vulnerabilities…

Several years ago, when I spoke with people about containers, most of them were not familiar with the term. Today, it is unquestionably one of the most popular technologies being used in DevOps...

Aggressornoscript that turns the headless aggressor client into a (mostly) functional cobalt strike client. - GitHub - CodeXTF2/cobaltstrike-headless: Aggressornoscript that turns the headless aggresso...

Shiba Inu developers leak AWS Access keys on a public code repository, resulting in a compromise of their infrastructure.

Posted by Jonathan Metzman, Dongge Liu and Oliver Chang, Google Open Source Security Team Recently, OSS-Fuzz —our community fuzzing servi...

A look at the open-source confidential computing landscape

Contribute to google/silifuzz development by creating an account on GitHub.

Table of Contents

Partially encrypting victims' files improves ransomware speed and aids evasion. First seen in LockFile, the technique is now being widely adopted.