Security Night March 2023

Details
Dear Berlin Security Community,
TL;DR | Join our next Security Night on March 2nd from 7 PM CET at c-base, Rungestr. 20, 10179 Berlin.
The following speakers are ready to share their insights with you:
- Hashing - what's not to be confused about? by Hendrik Spiegel
- Oh SSH-it, I didn't know about SSHFP RRs in the DNS! by Sebastian Neef (@gehaxelt)
- A GraphQL tale: What else is in there besides introspection? by Antonio Mello
--> WHAT TO EXPECT
With some delay, we're excited to announce our next Security Night on the 2nd of March 2023!
We will host this Security Night at a new location: the famous c-base!
Please be aware of this and do not go to the previous location :-)
However, we're going to stick to the usual format (one change at a time is easier to debug). This means we're going to have presentations, beer, and time to socialize!
This Security Night will feature three speakers:
First, we'll have Hendrik Spiegel, who will tell us about hashing and use cases you might want to consider. After a short break, we'll continue with Sebastian Neef, who will elaborate on SSH fingerprints and how to handle them more effectively using DNS. After another break, we will conclude the evening with Antonio Mello, who is going to teach us about leaking various resources from GraphQL: what it is, why it matters, and why the hell it is everywhere!
Looking forward to seeing you around!
--> THE TALKS
(1) "Hashing - what's not to be confused about?" by Hendrik Spiegel:
In theory, hashing is very simple: take an input of arbitrary length and map it to an output of fixed length, and you are done. It can be used to solve a bunch of relevant problems - and that's where the trouble starts. One needs to think of use cases, security concerns, runtimes and all the other fluff that makes life hard and sad.
This short talk intends to shed light on relevant use cases, describe important security considerations, and give you some pointers on what to look out for in your next code review/project/bug bounty/etc.
(2) "Oh SSH-it, I didn't know about SSHFP RRs in the DNS!" by Sebastian Neef (@gehaxelt):
Are you annoyed by "the authenticity of host '...' can't be established" messages and "Are you sure you want to continue connecting (yes/no/[fingerprint])?" prompts shown by SSH when connecting to unknown hosts? Are you skipping these checks or taking your time to verify them properly? In this talk, Sebastian will show you a possible solution that uses SSHFP RRs in the DNS to automatically verify SSH host key fingerprints. Further, he'll show the results of an analysis of over 500 million domains.
(3) "A GraphQL tale: What else is in there besides introspection?" by Antonio Mello:
Finding and extracting GraphQL endpoints / queries / mutations / data types (partially) without relying on introspection or fuzzing, from publicly available JavaScript files.
--> THE NIGHT
We are happy to invite you to our next Security Night conference on March 2 at c-base: Rungestr. 20, 10179 Berlin (https://openstreetmap.org/node/260050809).
Our agenda for this Night:
07:00 PM -- Welcome
07:10 PM -- Hendrik Spiegel's talk
07:40 PM -- Sebastian Neef (@gehaxelt)'s talk
08:10 PM -- Antonio Mello's talk
08:30 PM -- Networking
09:00 PM -- Closing
Attendance is free. Emergency phone number, in case of any problems: +4917634326568.
--> CONTACT US
Berlin Security Nights are organized by Akendo, Hendrik and Martin as a contribution to the scene. We like bringing great people together. You can find us offline at our Nights or online on Slack: https://join.slack.com/t/berlin-infosec/shared_invite/enQtNTY3ODU0OTU5NjcwLTAzMmZiNDQxNDk0NzE4NGJjOTE0ODJiOWRkMGY2Y2QwZTUxYzgzYTVlMGQ3YTllNjQ0YjFiNzVlYjZiMWU2MWY
See you around!
Your Security Night Owls,
Akendo, Hendrik, Martin
PS: We are always looking for interesting talks and projects. If you have a talk proposal, an interesting project or something you would love to share with the community, please write us an email or reach out on Slack.
