Join us in the Black Hills InfoSec Discord server here: https://discord.gg/BHIS to keep the security conversation going!
Reach out to Black Hills Infosec if you need pentesting, threat hunting, ACTIVE SOC, incident response, or blue team services -- https://www.blackhillsinfosec.com
00:00 - Demystifying Web3 Attack Vectors, with Beau Bullock and Steve Borosh
02:07 - About Us
03:05 - Topic Roadmap
04:44 - What is Web 3
08:04 - Web3 - Backend
10:41 - Repeat Offender
11:39 - Ethereum Name Service (ENS)
13:03 - Keys to the Kingdom
15:08 - Social Engineering
15:30 - Private Key and Seed Theft
17:20 - Token Approvals
20:21 - Malicious Token Airdrops
21:45 - Discord Hacks
26:45 - SIM Swaps
27:32 - Rugpulls
29:44 - Honey Contracts
31:21 - Offensive dApps
32:48 - Web 2 Attacks Affecting Web3 Apps
32:59 - WebApp Frontend Attacks
35:27 - Node Compromise
37:20 - Traditional Vulnerabilities
39:37 - Administrative Issues
41:57 - Centralized Exchange Attacks
43:06 - Cloud-Hosted Secrets
44:07 - Smart Contract Attacks
48:25 - What Are Attackers Doing With Stolen Funds? | Transaction Tracking (Blockchain Explorers)
49:31 - Transaction Tracking (Debuggers)
50:20 - Tracking Transactions (Investigation Tools)
52:21 - Mixing
54:12 - Tornado Deposits Discord Bot
55:06 - Cash-Out
55:49 - Start Hacking Web3
56:02 - Web3 Books
56:13 - Solidity Coding
56:46 - Web3 CTFs
57:16 - Web 3 Bug Bounties
57:40 - Blockchain HAX Quickstart Hacking Guide
58:04 - Key Takeaways
59:26 - Follow Us Resources | The End
59:50 - Post-Show Banter & Questions
Description: In 2021, an estimated $10 billion was lost due to attacks against DeFi applications. This webcast will highlight many of the common security issues plaguing the web3 ecosystem. Ways that attackers can steal funds and NFTs via social engineering attacks will be discussed. Web3 applications can be susceptible to common web2 frontend and backend vulnerabilities, but with an added layer of complexity.
Slides: https://s1hb.sharepoint.com/Content&Community/Shared%20Documents/Slides/BHIS%20Webcast%20Slides/BHIS328%20&%20BHIS329%20SLIDES_DemystifyingWeb3AttackVectors.pdf?CT=1674054764792&OR=ItemsView
Black Hills Infosec Socials
Twitter: https://twitter.com/BHinfoSecurity
Mastodon: https://infosec.exchange/@blackhillsinfosec
LinkedIn: https://www.linkedin.com/company/antisyphon-training
Discord: https://discord.gg/ffzdt3WUDe
Black Hills Infosec Shirts & Hoodies
https://spearphish-general-store.myshopify.com/collections/bhis-shirt-collections
Black Hills Infosec Services
Active SOC: https://www.blackhillsinfosec.com/services/active-soc/
Penetration Testing: https://www.blackhillsinfosec.com/services/
Incident Response: https://www.blackhillsinfosec.com/services/incident-response/
Backdoors & Breaches - Incident Response Card Game
Backdoors & Breaches: https://www.backdoorsandbreaches.com/
Play B&B Online: https://play.backdoorsandbreaches.com/
Antisyphon Training
Pay What You Can: https://www.antisyphontraining.com/pay-what-you-can/
Live Training: https://www.antisyphontraining.com/course-catalog/
On Demand Training: https://www.antisyphontraining.com/on-demand-course-catalog/
Educational Infosec Content
Black Hills Infosec Blogs: https://www.blackhillsinfosec.com/blog/
Wild West Hackin' Fest YouTube: https://www.youtube.com/wildwesthackinfest
Active Countermeasures YouTube: https://youtube.com/activecountermeasures
Antisyphon Training YouTube: https://www.youtube.com/antisyphontraining
Join us at the annual information security conference in Deadwood, SD (in-person and virtually) — Wild West Hackin' Fest: https://wildwesthackinfest.com/
#bhis #infosec