Director at Laburity
4 Talks Delivered · 4 Events Spoken At · 4 Countries Visited · 2 Years Speaking · 4 Total Talks Given
Hassan Khan is a highly experienced Security Researcher with a proven track record in internet-wide scanning, red teaming, and penetration testing. A sought-after speaker, Hassan recently presented at BlackHatMEA 2022 and 2023, MCTTP 2024, and ThreatCon 2023. He is an OSCP-certified professional with a research background.
Worked with a diverse range of companies and clients in different sectors for their cyber security hardening and penetration testing.
OSCP Certified and successful bug bounty hunter on both HackerOne and Bugcrowd.
Reported vulnerabilities extensively and was listed in the Google Security Hall of Fame (2017), Twitter Security Hall of Fame (2017), and Microsoft Security Hall of Fame (2017).
Infostealer malware is built to collect and dump anything useful from a device. This includes saved browser credentials, autofill data, session cookies, API tokens, wallet addresses, and app-specific passwords. Once collected, these logs are uploaded to Telegram bots, marketplaces, or leak sites.
The research walks through how these logs are typically structured and what credentials they contain. Examples include login details for GitHub, Slack, AWS, Gmail, Notion, Discord, Office 365, database dashboards, and internal dev tools. Logs often include SSH private keys, JWT tokens, and webhook URLs. In many cases, cookies allow attackers to access services without even needing passwords.
By analyzing a number of incidents using OSINT methods, the research maps the lifecycle of credential stealers, covering the path from infection, to log exposure, to potential misuse. The examples are based on public stealer log collections and show how much sensitive access data ends up in the open. The talk also covers how common infostealers such as Raccoon, Redline, and LummaC2 work and how to defend against them.
The supply chain security conversation has been booming since attacks like log4j came onto the scene.
In this in-house research, we examined publicly available open-source assets such as JS (npm) packages, WordPress plugins, and Ruby gems to find secrets that were exposed by mistake or deliberately, including private API keys for AWS, Google, and other providers (33 different secret types!).
This poses a risk to anyone using those packages as dependencies or plugins: the chain of reuse that saves us from re-inventing the wheel could become a disaster that stops the wheel once and for all.
We are presenting our large-scale research, based on in-house scanning of:
Around 2 million+ npm packages (almost all publicly available at the time of research)
About 60,000 WordPress plugins (almost all publicly available at the time of research)
Ruby gems (almost all publicly available at the time of research)
We will demonstrate the numbers and the impact, provide ways to prevent this, and share automation you can integrate into your own CI/CD pipelines to stop such disasters from happening.
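The following is an added example, not the speakers' own tooling (the page does not include it): a minimal CI-style secret scanner of the kind the supply-chain talk describes, run over an unpacked package. The talk's 33 secret types are not listed on the page, so four well-known formats are assumed here; the same classifier also covers several of the credential types the infostealer abstract lists (AWS keys, webhook URLs, private keys). The sample config.js is constructed.

```python
import re
from pathlib import Path

# Four well-known secret formats (assumed subset; the talk reports 33 types).
SECRET_PATTERNS = {
    "aws_access_key_id": re.compile(r"\b(?:AKIA|ASIA)[0-9A-Z]{16}\b"),
    "google_api_key": re.compile(r"\bAIza[0-9A-Za-z_\-]{35}\b"),
    "slack_webhook": re.compile(
        r"https://hooks\.slack\.com/services/T[A-Z0-9]+/B[A-Z0-9]+/[A-Za-z0-9]+"),
    "private_key_block": re.compile(
        r"-----BEGIN (?:RSA |EC |OPENSSH )?PRIVATE KEY-----"),
}
# Minified bundles, source maps and binaries are classic false-positive sources.
SKIP_SUFFIXES = (".min.js", ".map", ".png", ".jpg", ".gz", ".zip")


def scan_text(text, origin="<memory>"):
    """Return (origin, line_no, secret_type, redacted_token) for each hit."""
    findings = []
    for line_no, line in enumerate(text.splitlines(), 1):
        for name, pattern in SECRET_PATTERNS.items():
            for m in pattern.finditer(line):
                tok = m.group(0)
                # Never echo the full secret into CI logs; keep a short hint only.
                shown = tok[:6] + "..." + tok[-4:] if len(tok) > 12 else tok
                findings.append((origin, line_no, name, shown))
    return findings


def scan_package_dir(root):
    """Walk an unpacked npm tarball, plugin zip or gem and scan its text files."""
    root = Path(root)
    findings = []
    for path in sorted(p for p in root.rglob("*") if p.is_file()):
        if path.name.endswith(SKIP_SUFFIXES):
            continue
        text = path.read_text(encoding="utf-8", errors="ignore")
        findings.extend(scan_text(text, str(path.relative_to(root))))
    return findings


# Constructed sample: a config.js accidentally shipped inside a package.
FAKE_GOOGLE_KEY = "AIza" + "SyEXAMPLE" + "0" * 26  # 4 + 35 chars, not real
SAMPLE_CONFIG_JS = """module.exports = {
  region: "us-east-1",
  accessKeyId: "AKIAIOSFODNN7EXAMPLE",  // AWS documentation example key
  slack: "https://hooks.slack.com/services/T00000000/B00000000/XXXXXXXXXXXXXXXXXXXXXXXX",
  mapsKey: "GOOGLE_KEY_HERE",
};
""".replace("GOOGLE_KEY_HERE", FAKE_GOOGLE_KEY)

if __name__ == "__main__":
    hits = scan_text(SAMPLE_CONFIG_JS, "config.js")
    for origin, line_no, kind, shown in hits:
        print(f"{origin}:{line_no}: {kind} {shown}")
    raise SystemExit(1 if hits else 0)  # non-zero exit fails the CI step
```

In a pipeline, call `scan_package_dir()` on the extracted artifact before publishing and fail the job on any finding; tune `SKIP_SUFFIXES` and the pattern set to your own dependency mix.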
WHY THE COMMITTEE CHOSE THIS TALK
After log4j and libxz, more will come. Managing code security will be the big task for all defenders in the future.