3 years, 5 continents, 9 countries, 34 cities, 53 events. Not a bad start. As an all-volunteer organization, from the central org to every event, we have done amazing things. We have also left a few things undone, or done at a more leisurely pace than many of us would like. In this session I will quickly review the history of BSides, specifically the central organization, then detail the steps which have been taken in the past year to resolve disagreements and formalize the organization. I have audit results from the first org transaction through the end of 2011; I will present summaries and review the finances. The change in operation of "house events" has a significant impact on BSides finances. I'll discuss this, as well as the consequences, intended and otherwise, of discontinuing Global Sponsorships. I have had several conversations with BSides organizers to discuss direction for the central org; a summary of these discussions will be presented, and hopefully the conversations will continue during and after the presentation.
Intrusion detection and prevention systems monitor a point or set of points such as a network connection. In response, malware authors hide traffic through these points with encryption, encoding, and obfuscation. This presentation will demonstrate a different strategy, based not on another point but on the flexibility to add almost any point dynamically, with a new function call hooking system, capable of intercepting virtually any set of API functions system-wide. This is in contrast to existing HIPSs, which are limited to functions chosen during design and only monitor certain actions, such as file and registry edits. It uses dynamic code generation to expand on existing hooking techniques, overcoming challenges with different function definitions, architectures, and associated calling conventions. This presentation will demonstrate the ability to configure signatures on everything from the highest to the lowest level APIs, catching whole classes of malware. It can prevent exploitation of certain vulnerabilities and identify shellcode, keylogging, remote control, and HTTPS-encrypted communications regardless of code obfuscation. Pentesters, red teams, and malware authors used to worry about getting caught while writing to disk. Now, no action is safe. The implementation, the Ambush Host Intrusion Prevention System, will be released open-source.
I'm going to cover the topic of web application security from the world's biggest "honeypot": 1.2+ million domains and one web application firewall. I will review the trends in new and old attacks, review how impactful each new vulnerability was this year (including timthumb.html, php-cgi remote code execution, and more) with raw log data, and identify what is really fueling web-based attacks. Once the rhetoric of "vulnerabilities are bad" is over, I will discuss some in-house developed tools used to detect malicious files on compromised sites (software released), as well as delve into the evolution, and a Darwinian-fashion dissection, of the backdoors and code the attackers use to compromise sites (including more open source software released to de-obfuscate even the most complex malicious code).
Variety, Volume, Velocity and Vulnerability. We know many different types of data are being generated at high speed, but how much do we know about the new weaknesses this introduces? Security is often an issue in Big Data but rarely understood or discussed openly. This presentation brings forward the giant elephant in the room and offers the audience some real-world puzzles of big data to solve. Examples of humorous failures as well as some successes are presented. You might think your security problems are big until you are asked to help find some solutions for Big Data's Fourth V.
It's a rarity these days to attend a con and not have cipher text jump out of the program at you or find some recreational math hidden on the back of your attendee badge. Just like competing in a CTF, if you want to win, you're going to need to come in prepared. Come join a veteran puzzle hound as he goes over tools, techniques, and team strategies that have helped him take on and win some ridiculous challenges.
First I will provide an introduction to the security of Android apps: we will take a look at them through the eyes of a security engineer, looking at examples of how to reverse engineer them to look for possible security issues through 'Behavioral Analysis'. I will also discuss the limitations of manual research. Then, I will introduce an automated way to scan Android devices using an "Automated Security Evaluation Framework" (A S E F). Then I will discuss the framework's design, showing a live demo of how it works, and how to use it. We will also go over interesting results and statistics covering the scope of the tool's functionality and outcome. I will demonstrate how to expand this idea and solve complex problems in the most practical ways. I will also discuss what future versions of 'A S E F' have to offer and at the same time will make it available as an Open Source Project.
RFID access cards are often used to secure entry points in corporate enterprise facilities. They are very convenient, relatively inexpensive, and generally assumed to be highly secure. This session explains how these cards are programmed, what their vulnerabilities are, and the choices available to secure them. Also demonstrated will be how the most common access card can be hacked, cloned, and minted to subvert policies and controls to access corporations, data centers and other critical environments.
The InfoSec field is a hard career field to enter if you have little knowledge of security and no experience, but don’t let that discourage you. I was able to secure a job in the information security field and so can you. I did it by using a few common everyday tools like WordPress and Twitter to put myself out there. In the end it came down to one tweet and one email. That tweet and that email changed my life. During this presentation, I’ll show you how I got my job and how using tools like WordPress and Twitter can aid you in your quest to become a security professional.
In my many years of working with Microsoft GP, I have seen Microsoft make improvements to some areas of security while ignoring others. I would like to review my findings on where GP is lacking in security, how it could be used in a pen test to gather info, and what steps Microsoft should take to fix the problems.
Despite publication of CVE-2007-0977, CVE-2005-2696, and CVE-2005-2428, enterprises continue to expose their users' password hashes through insecure deployments of Lotus Notes and related products (Quickr, Sametime, etc.). Over the past year, hashes were collected from approximately 600 sites. Vulnerable sites are not limited to the software versions described by the CVE notices, but also include the latest software releases from IBM. Exposures were discovered in the public and private sectors across every conceivable industry. This presentation will highlight the impact of these exposures by demonstrating techniques for discovering vulnerable web sites via web searches (Google and ERIPP). New scripts for acquiring password hashes from web sites were developed to accelerate download times when compared with existing scripts. Prior work from other researchers was also used in some cases; proper attribution will be given to these where referenced.
The "Power Grid" is a growing topic in the security industry, and Advanced Metering Infrastructure (AMI) is a topic that hasn't been discussed to its full potential. This presentation will discuss the types of vulnerabilities that have been found in Smart Meters, and give examples from real world assessments we've conducted. Different methods of accessing the meter will be presented, such as over the optical interface and the Zigbee wireless radio. In addition, we will discuss a testing methodology we've developed which covers Smart Meter testing. Finally, a live demonstration of the attacks that were discussed will be performed on a real Smart Meter during the presentation for the audience. The live demonstration will feature the first public release of a new open-source tool that has been developed for the testing of Smart Meters.
Security and monitoring appliances and applications are introducing all new places for attackers to get in and hide. As enterprise networks mature, they should become more secure. Unfortunately, many appliances are introducing unknown risks to your environment. Some vendors use FUD-laced marketing to hook unwitting managers and then provide a poorly-documented and "closed" product. These products can allow an attacker to get on your network and stay there. We plan to show you how to take back your tools and vet them against the kind of vulnerabilities that are rampant in today's appliances.
SQL Injection vulnerabilities are old-hat, but there are many web applications in production that are still prone to this flaw. One subclass of these are websites that serve PDF documents from dynamically-built URLs. We demonstrate that, in certain cases, trusted websites prone to SQLi that also deliver binary file content such as PDFs can be used surreptitiously for stealthy data extraction and obfuscated malware delivery, even when database security is otherwise configured properly. The talk is based on findings from a real-world application penetration test.
As smartphones enter the workplace, sharing the network and accessing sensitive data, it is crucial to be able to assess the security posture of these devices in much the same way we perform penetration tests on workstations and servers. However, smartphones have unique attack vectors that are not currently covered by available industry tools. The smartphone penetration testing framework, the result of a DARPA Cyber Fast Track project, aims to provide an open source toolkit that addresses the many facets of assessing the security posture of these devices. We will look at the functionality of the framework including information gathering, exploitation, social engineering, and post exploitation through both a traditional IP network and through the mobile modem, showing how this framework can be leveraged by security teams and penetration testers to gain an understanding of the security posture of the smartphones in an organization. We will also show how to use the framework through a command line console, a graphical user interface, and a smartphone based app. Demonstrations of the framework assessing multiple smartphone platforms will be shown.
You'll laugh and cry as DCFluX remembers his experiences in the world of online dating. Over 3 years in the making. Viewer discretion is advised.
Over the past 5 years I have been involved in developing advanced tracking technologies to assist in the recovery of stolen laptops, phones, cameras, flash drives and more: http://www.gadgettrak.com/recoveries/ We have built software that gets the location of devices without GPS, uses cameras to capture photos of suspects, and technology that indexes the web to extract serial numbers from photos online in search of stolen cameras. Through this process I have worked closely with law enforcement in the recovery processes, as well as provided training to law enforcement agencies on tracking technology and how to use it in their cases. While working with law enforcement I have learned a great deal regarding the processes they go through to get data on suspects from companies, the technologies they use, what is on the horizon in terms of surveillance technology, and how the data we freely give to companies can be used against us. In my presentation I will be discussing many of the recoveries that I have been involved with, the technologies that were used, as well as additional evidence we provided to police via social media networks and other data mining efforts. Many of our cases have not only led to the recovery of stolen devices but also to larger crimes such as theft rings, a violent carjacking, drugs, identity theft and the recovery of a stolen car. I will also discuss how the same technologies and data mining can be used against you, the data that law enforcement has access to and the processes they go through to get it. I will also discuss newer technologies that are being introduced, such as license plate readers, facial recognition software and other tools law enforcement is starting to bring into its arsenal. I would like the presentation to be a discussion regarding how new technology can be used for good and evil and what checks the government should have in place to warrant their use.
Offensive talks are easy, I know. But the goal of offensive security at the end of the day is to make us better defenders. And that's hard. Usually after the pentesters/auditors (or worse, the red team) leave, there's a whole lot of mess of vulnerabilities, exposures, threats, risks and wounded egos. Now comes the money time: can you fix this so your security posture will actually be better the next time these guys come around? This talk focuses mainly on what should be done (note: not what should be BOUGHT; you probably have most of what you need already in place and you just don't know it yet). Methodically, defensively, decisively. Just like the red team can play ball cross-court, so should you! This talk will walk through some of the finer lines between legality and ethics to see just how aggressive the defenders can be. Some examples from actual organizations that practice "SexyDefense" will be provided, both on the intelligence gathering aspect, as well as the incident management and reaction to attacks.
March and April 2012, I worked with ~80 security professionals, in remote and local contexts, to break into systems protected by ~500 active defenders across several events. In this talk, I share my experiences from the 2012 Cyber Defense Competition season and use them to analyze Armitage as a red teaming platform. Collaboration, automation, and distribution are discussed as opportunities to coordinate, scale, and protect red efforts. This talk is not about individual features. It's an exploration of how red teams organize themselves, what does and doesn't work, how we work around our tools, and what we need next. Those interested in the future of collaborative hacking should attend this talk.
It would be irresponsible to state that cloud computing is directly responsible for the increased number of vulnerable applications on the Internet. Stating that cloud has likely provided a platform upon which to rapidly deploy vulnerable applications, however, is probably something we can all agree on. Getting your product to market faster than your competitors has always been a primary business goal. Now that organizations rely on web based applications to operate their business, both startups and established businesses continue to relegate security of their applications to a future roadmap item or, even worse, the feature request bucket. In this FUD-free session, CloudPassage Chief Evangelist Andrew Hay and WhiteHat Security Threat Research Manager Matt Johansen will break down the top security considerations specific to developing, testing and deploying web applications in SaaS, PaaS and IaaS cloud architectures and offer practical steps to easily secure both your applications and cloud servers.
F-BOMB is a disposable computing project, and Reticle is its software brain: a distributed, leaderless system for transferring data and commands to and from the tiny, distributed, dirt-cheap little boxes. Together, these two systems form a botnet-styled sensor network that can be deployed the same way as a smoke grenade by a field agent, but with intelligent encryption, plausible deniability, and a peer-to-peer command network to ensure that an enemy can't compromise your goals, whether you're providing Internet access to an Occupy group, or playing distributed hide and seek for cell phones. We discuss the design and implementation of Reticle, which was intended to take some of the networking ideas from modern botnets and apply them in a more useful context. Reticle was created with support from DARPA Cyber Fast Track, and the code, utilities, and documentation created under that project will be released with the talk.
Throw out everything that you know about security tools today. No more six-figure appliances that only do one thing marginally well. No more proprietary protocols. We deserve better and we demand better. Envision a world where your security tools talk with each other. They communicate and share data in order to leverage each other's strengths and help compensate for their weaknesses. They work together to solve problems. Envision "Symbiotic Security". Symbiotic Security is a new term that was coined to describe the ability of a tool to consume data from other tools or provide data to other tools. As part of our research, we have examined various classes of tools on the market and identified these abilities in each of them, resulting in a label of "Consumer", "Provider", or "Symbiotic". As a consumer of security tools, this completely revolutionizes the way that we make purchases. As an example, let's pretend that you are purchasing a new Intrusion Prevention System for your enterprise. As you begin to evaluate the various tools from the Gartner Magic Quadrant, you quickly realize that they almost all have the same primary feature set. The key differentiator at this point isn't the rules or the hardware, but rather, the ability for the system to send and receive data with other systems. The IPS itself has some signatures and blocking abilities, but has zero relevancy data. Now, we give the IPS the ability to pull in vulnerability data and system configuration information from network and host scans and we gain relevancy. Add in some additional data on where the potential threat is coming from and now you have the data necessary to take a decisive action on threats. This new system is a "Consumer". Now, if you give the IPS the ability to send information to other devices on things like the source of relevant threats, those devices, like a firewall or HIPS, can now make intelligent blocking decisions as well. Our IPS now has "Provider" abilities. Since our IPS is
Burp Suite has created a name for itself as arguably one of the go-to weapons of choice for web application pentesters, but one of its best features is consistently being ignored: the ability to append or modify functionality through the use of Burp extensions. Extensions as a feature have introduced users to numerous possibilities, and have given opportunities to easily develop functionality that's necessary to complete required test-related tasks. With all that is available through Burp extensibility, why have we not seen its users contribute functionality to the same degree as community-driven projects such as Metasploit or the Nmap Scripting Engine? In this presentation, James Lester and Joseph Tartaro will debut their campaign, which focuses on building demand, support, and an overall desire around the creation of Burp extensions in the hope of bringing extensibility to the forefront of web application testing. As a team, James and Joseph will begin by outlining the current demand, capabilities, and limitations while introducing up to a dozen extensions they created that presently utilize all currently accessible functionality within the extensibility suite. Along with the release of these extensions, a campaign will be presented to organize and develop an extension community that documents tool primers, lessons learned, and tips/tricks, along with hosting extensions and tools catered to Burp. As a team, Joseph and James will showcase the benefits of their approach, which include increased efficiency and a simplified way to write new scripts. During development of this talk, James and Joseph took into consideration that re-use is a key factor, and development techniques were used to help test user adaptation. Something learned isn't research until it's shared, and they plan to put this statement into practice, utilizing B-Sides as a perfect tool to help collect data, convey interests, and share results.
Stiltwalker is a system we designed to break the audio version of reCAPTCHA. At LayerOne, the original Stiltwalker was released. However, reCAPTCHA updated its system to break Stiltwalker in the hours before our talk/release. Prior to these changes, Stiltwalker was able to achieve an accuracy of 99.1%. This talk will describe a narrative of the events that led to us choosing to break the audio version of reCAPTCHA, the methods we used to break it, the events surrounding our LayerOne talk and reCAPTCHA's response, and most importantly how we have worked around their response to break reCAPTCHA again after their changes since LayerOne.
Web Application Firewall. Network Access Control. Intrusion Detection Systems/Intrusion Prevention Systems. Intrinsic Heuristic Detectioneering Devices. This presentation can exploit them all. The security industry is awash with device strategies attempting to remediate the most prevalent security issues in a single stroke. In fact, some of the biggest names in security are attempting to squeeze as many buzz words into one platform as possible to lure in the unknowing. This tactic gives them the ability to market any product as a must-have for IT and security professionals, while rudimentary security procedures are routinely overlooked. There is nothing more basic than an admin portal that, due to incompetence or ignorance, has not been fully customized for the application's needs. Quick Facts: Default Admin Login Portals are enabled on over ten million websites currently (stats only for /admin and /admin/login.php). There are still portals in wide use on the net that God could get into (Yes, even though he wouldn't be up this late).
Join HD Moore, CSO of Rapid7; Wolfgang Kandek, CTO of Qualys; Ron Gula, CEO/CTO of Tenable Network Security; and Misha Govshteyn, founder/VP of New Products at Alert Logic, to discuss and learn about IP6. Topics covered: What is IP6? IPv6 basics. How to recognize if you have it on the network? How do you manage it alongside IP4? Practical hands-on advice on using IPv6. Securing your network with IP6. How are the vulnerability management vendors coping with it? IP6 Jeopardy/Trivia game: each correct answer will win a free drink card; on a wrong answer the panel member gets to drink. Hosted by Alan "Alex Trebek" Shimel.
Mainframes? Unix? TSO (not the chicken)? This talk will try to demystify the mainframe from "that cool big black box" to "why the hell is NOMIXEDCASE turned on" or "what kind of moron uses 1234 as their password?". Most Fortune 500 companies use mainframes, but don't put them through the same rigorous testing as they would their Linux or Windows systems. Why? Imagine if you were running Windows XP for 20+ years with all these little add-ons and custom changes and the only guide to securing your customized OS was four thousand pages long, without pictures. That's what mainframe security folks face. This talk will give an overview of how to actually use a mainframe (should you encounter one), how IBM decided to hash z/OS passwords and how to crack them offline using JtR (including the scripts/JCL to get a copy of the password file off the mainframe), how to compile Netcat for z/OS so you can use the mainframe to pivot on to the corporate network or to create a backdoor on to the mainframe, and how you can run a mainframe at home on your own PC.
At B-Sides SF, Dr. Mike Lloyd presented "Metrics that Don't Suck". This presentation aims to improve upon his work, adding the use of Bayesian statistical analysis through the use of PERT distributions and Monte Carlo simulation to get metrics that suck even less. The attendees will be introduced to a variety of free and open source tools available for analysis so their metrics can suck even less, just like those of the highly paid consultants.
Information Security has an ingrained fear of new technology, which brings with it new complexity. This fear spills over into our own unwillingness to use these 'new-fangled' technologies to make our lives easier, leaving security professionals still working with CSV sheets, trying to locate the APT in the bar chart and struggling to make sense of monolithic SQL databases while the rest of the world shoots forward with AJAX-enabled workflows, advanced visual analytics and distributed expert systems. We justify our Luddism with a mix of insistence that our problems are unique and unsolvable outside of the field, and willful dismissal of the possibility that some of the fundamental issues facing Infosecurity today have already been solved in other areas in more elegant ways than we have the time to even imagine today. We'll cover some of the more interesting technologies that could revolutionize information security knowledge and workflow management and drag us from the dark ages of the temporary solutions that we've forgotten were only meant to be temporary.
Social media has become a strong point of economic growth all over the globe. We are interested in studying the unethical or even illegal businesses that are built around several social networking platforms. Several case studies will show that such business models are very effective at generating enough revenue for sustainable growth. Our first case study is thousands of fake accounts built on Facebook that try to promote a group of websites selling fake Nike shoes while claiming to be authentic. More data statistics show that these fake accounts have gradually evolved to make them harder to detect, even with mature machine learning algorithms. Our second study is another group of users and pages on Facebook which promoted a simple meaningless game while gaining audiences and impressions for further advertising or spamming. This game strategy is more robust and carefully designed than traditional spamming tricks, where no terms or rules have been broken yet. A potential use of this may be for legal marketing strategy. Our third study is the business of buying Twitter followers and sending tweets to a large audience. Various follower-buying and tweet-sending services can be easily found through Google and eBay. We had a real case of using their service and monitored the following statistics. Results show that these services can quickly earn lots of cash before Twitter can find these fake followers. Meanwhile, we found many famous Twitter users use their services as well. Compared to the first spam case on Pinterest, Twitter following services can make equal or greater profits, and sustainably. Finally, as we reveal the economic benefits of the "fake" social identity business, warnings are given to the audience that either we all start making our "fake" business like them (kidding!), or we will be drowned among these meaningless social activities, if we do not take action to stop them.
This is more of a privacy talk than a security talk. The nature of mobile WiFi device behavior, combined with a lack of user awareness (or attention), could lead someone not only to know what device you use, but also where you've been (and possibly where you're heading), where you work, and in some cases who you are. Some users are security-cautious and use VPNs when connecting company-provided devices to public hotspots, but still there are a large number of people that use a personal mobile device to check corporate emails and other resources. We will also cover how some applications in mobile devices could be spilling out important information about your privacy. This presentation will introduce the proof-of-concept tool Mobile Snitch, which provides easy access to this information.
Shh…
Kurt Opsahl, Sr. Staff Attorney; Trevor Timm, Activist; Mitch Stoltz, Staff Attorney; Hanni Fakhoury, Staff Attorney; Marcia Hofmann, Sr. Staff Attorney
The embedded system market is great! It gives us the power to make things happen, and gives us shiny unicorns. I'm coming at this with the approach of a service provider, producing hardware for end users. The developers and system engineers seem to think that being a "custom" solution gives them amnesty from security. I will focus on issues that I have identified, and what I would recommend for the future of embedded computing for commercial applications. Time permitting (and demo gods), I would love to do a demo of JTAG memory dumping, and show the fun things we can find using IDA Pro.
Christien Rioux will be discussing 'The Security Industry: How to Survive Becoming Management'. Discussion about what the path to management looks like, what to expect from a start-up experience in the security industry, and how to carry the hacker ethos forward into the culture of a company. Learn the do's and don'ts of running a hacker company, and how to lose your hair as quickly as possible.
There are nearly 1,000,000 free and paid Android apps available. A very small percentage of these mean to do you harm. Figuring out which apps are the bad ones is difficult enough for the average user, but it's not much easier for malware analysts. Analysis tools and automation can help to filter this flood of apps. Towards the end of discovering new unknown malware in a timely manner, we are developing new heuristics. We will cover:
* Existing analysis tools: manual and automated
* Data leakage and permissions abuse
* Development of new tools and heuristics for malicious Android apps
* Comparing the results of running the heuristics vs. manual analysis
Exactly two years ago I gave a presentation on weaknesses in diabetic medical devices, and how similar they were to industrial SCADA systems. Well, I got a new insulin pump, and I have managed to find more problems. This will be a very unique talk where the audience will get to see over a dozen different diabetic devices, touch and poke at them, ask how they work and see them attached to me. Also part of the discussion will be these devices in context: How are they used? What are the implications of their failure? There will also be a live demo of a critical software flaw that has never been discussed publicly! There will be needles. There will be blood. There’s a chance the speaker might not even survive.
Overzealous Admin: "I bet you can't break in to my network! I got my stuff together…" Pentester: "I'm just here to help out and find the weaknesses the bad guys might or have used." Overzealous Admin: "Well I have a corporate network with a level 8 Paladin firewall taking +2 hit points, a level 3 Rogue IDS to disarm your Smurf Attack, a level 5 Wizard SIEM solution with +3 powers of divination, and a level 2 Devoted Cleric antivirus to heal your malware infections!" Pentester: "Um…your CEO shared all his docs on Dropbox. Didn't your Wizard tell you?" Let's play a game of fantasy tower defense with your infrastructure. Instead of measuring the price of your implementation, let's concentrate on whether it can really protect you! If your defense isn't mobile, agile, or technically relevant to where your users and data are, then you're still waging medieval siege warfare! Who cares about networks, servers, mobile computing, and BYOD! How about we review some modern security practices to protect what's really important…YOUR DATA…without attending a single vendor song and dance routine. In the end, we'll collaboratively outline a new approach to securing your assets that doesn't focus on patching or hardening a single device or buying something. Are we doing this all wrong? You may even be convinced to throw away your firewall altogether!
Some data is too sensitive or volatile to store on systems you own. What if we could store it somewhere else without compromising the security or availability of the data, while leveraging intended functionality to do so? This presentation will cover the methodology and tools required to create a distributed file store built on top of a JavaScript botnet. This type of data storage offers redundancy, encryption, and plausible deniability, but still allows you to store a virtually unlimited amount of data in any type of file. They can seize your server — but the data’s not there!
This presentation intends to cover the thought process and logistics behind building a better wordlist using GitHub public repositories as its source. With an estimated 2,000,000 GitHub projects to date, how would one store that amount of data? Would you even want or need to? After downloading approximately 750,000 repositories and storing 10TB on multiple USB drives, this will be a story of one computer, bandwidth, basic Python and how a small idea quickly got out of hand.
Lair is an open-source project developed for and by pentesters. Built on Meteor and Node.js with a dash of Python, Lair is a web application that normalizes, centralizes, and manages diverse test data from a number of common tools including Nmap, Nessus, Nexpose, and Burp. Unlike existing alternatives, Lair encourages team-based collaboration by automatically pushing updates to team members in real time. Paired with its workflow and documentation management, Lair offers a single solution for performing a detailed, thorough penetration test individually or as a team in a manner that has not been done before.
Many social engineering talks focus on the exploitation of trust relationships and the resulting compromise of corporate and personal assets. However, what happens after the pwnage is done? This session opens with the aftermath of a successful social engineering incident at a major automotive financing company. Attendees will learn of the methodical analysis of the interactions which led to the compromise of customer information, as well as employee and executive network credentials. The case study also illustrates how this organization was able to use the forensic analysis of social interactions to enhance its customer service business processes. This information was used to engage employees in protecting information within the associated business processes. Most importantly, the customer care process was transformed such that it was able to frustrate social engineers and enhance the experience of their customers. Attendees will learn:
- How the incident response team used log information and incident investigation to determine the social nature of this incident.
- How the incident response team employed Open Source Intelligence techniques to profile the social attack surface, narrowing the focus of their investigation.
- How the incident response team worked with management to modify business processes to be resilient in the face of social exploits.
Why is the diamond a sign of love and devotion? Why do baseball players always step over the first base line? The history behind these questions is an example of how small manipulations can change the behavior of millions. Kati Rodzon uses her background in behavioral science to demonstrate how easy it is to social engineer your own behavior as well as that of those around you. Want your dog to fetch you a beer? How about getting your friend to think that he has to stand up and point his remote at the wall before the TV will turn on? Done. Changing behavior is easier than you might think. Get ready to learn some history and social engineer your way into anything.
While the past isn’t a direct indication of future performance, knowing the past is essential to predicting the future. In security, this requires reviewing large quantities of vulnerability, defect and exploit data to fully understand how attackers are likely to approach their task. While there have been many annual reports on the vulnerabilities produced by individual tools, this view can be myopic based on the focus of that particular product: Network, Database, Operating System, Dynamic Application, Source code, etc. It is impossible to get a full picture of how the different components relate. This talk is a comprehensive look into a data set that spans all of these. Instead of examining a single tool, this talk represents the aggregation of data from 20 of the leading security tools on the market and a thorough review of the data they generate. First, we examine the overlapping data generated from the aforementioned tools. Next, we will compare and contrast it with the output of multiple breach reports and databases, and extract trends that may be important in helping us reduce the number of breaches in the future. The corpus of this research is over 30,000,000 vulnerabilities analyzed from the past 12 months, generated from across some of the largest corporations in the world.
Interested in building your own pen test training lab but lack the hardware or software to roll your own? One option is to go the way that most companies are doing these days and build your own “infrastructure” in the cloud. Not only do you get the cloud benefits of paying only for what you use and the ability to expand when needed, but you also get a range of licensed victim servers to choose from. This talk covers the basics of Amazon’s EC2 cloud infrastructure (e.g., EC2, VPC, basic network and routing, Elastic IPs, Security Groups, VPNs, and Snapshots) and step-by-step instructions on configuring this infrastructure to build your own isolated test network complete with licensed victim servers or customized AMIs.
How can you secure your server if you have no idea what files, registry keys, users, groups, services, or other artifacts are created when an application is installed? Most vendor documentation fails to detail the intricacies of an application’s installation footprint down to individual files. This makes securing the application, not to mention the development of enterprise policies and procedures for the application, an arduous and ultimately ineffective task. Using a combination of malware analysis techniques, package management utilities, and some homegrown tools, anyone can understand exactly what an application is going to do to your server and how its installation impacts your attack surface. With this knowledge in hand, an organization can translate the newly created application map into Chef, Puppet, and RightScale configuration scripts to better automate its server and application fleet deployments. The map can also be used to help tighten controls for more accurate and continuous operational and security monitoring of applications. In this talk Andrew Hay, CloudPassage, Inc.’s Director of Applied Security Research, will present a repeatable and application-agnostic methodology to quickly and easily:
- Use malware analysis techniques to profile any application before its installation
- Identify undocumented post-installation application artifacts worth monitoring
- Build new, and leverage existing, automated tools to expedite the entire identification process
It is possible to eat healthy foods, moderate (or even eliminate) alcohol consumption, and exercise, both at home and while traveling. But life is too short for that nonsense, so let’s enjoy ourselves; if you’re worried about shortening your life with food and drink you clearly have too much to live for. This talk is about exploration and discovery, but in generally low-risk situations: no pith helmet required (but if you can rock one, I say go for it). The presentation begins with an introduction to classic (and not-so-classic) drinks, starting with an exploration of bitters, those magical elixirs which have evolved from impotent herbal remedies to potent flavoring agents. I’ll explore the history, evolution, and popularity boom of bitters, and delve into making your own bitters. The discussion of bitters leads into their use in drinks both tame and wild, and their role in the revival of the cocktail scene, including a few suggestions for drinks both alcoholic and not. The ensuing quest for proper cocktails leads us out of our hotel bar, and into more interesting venues where good drink leads to good conversation, which leads to learning more about drinks, and also leads to local knowledge. Local knowledge leads to more entries in the ever-evolving Erudite Inebriate’s own Traveler’s Survival Guide. This phase of our journey includes discussions of how to find the good stuff, how to have a socially-acceptable amount of fun, and how to stay somewhat safe while doing it. I will close by delivering a short “Business Traveler’s Survival Guide to Las Vegas” as an example of these ideas.
While information security is widely considered a negative-unemployment industry (it’s actually closer to 3%), most of us will look for a job at some point. Seasoned technical recruiter Eve Adams (@HackerHuntress) provides infosec-specific insight on writing resumes that attract the kind of attention you want, getting short-listed for cool positions before they’re even posted, strategically riding infosec employment trends, and how to most effectively work with those delightful recruiters. This talk will have something for those just entering the workforce, mid-career security professionals, and former VAX hackers alike!
As infosec practitioners, we often operate in a vacuum or within silos. Reaching out to others in the community to share ideas, indicators, and problems helps to build a more relevant, diverse security program. Find out about a specific threat or incident as it unfolds: learn what others are doing tactically to combat this threat along with mitigation strategies. Get out of that vacuum. Once we can accept that security does not provide a competitive advantage, doors to information sharing will open, and everyone will see the benefit. As the saying goes, a rising tide lifts all the ships. In this talk, I will show ways that security peeps at all career levels can effectively share information. Analyst-to-analyst communication is just as important as management-to-management communication. Certain avenues already exist like ISACs, but they constrain the sharing to a sector vertical. There are opportunities I will present that go beyond ISACs. I will discuss the legal challenges as well as solutions we’ve found for overcoming them. An end goal is to facilitate the development of professional and trusted relationships among peers and subject matter experts to protect our organizations. Additionally, I would like to introduce an idea for getting feedback on documentation. Infosec Peer Review is a concept to facilitate sharing of documents such as policies, procedures, and reports and getting constructive feedback on them in a secure way.
It is never too inchoate to commence elucidating your obfuscated intelligence. Have you ever really listened to yourself or read what you have written? How many words can be reworded or dropped from a sentence to make your message clearer? As a listener and reader, it is hard enough trying to remember the various InfoSec-specific acronyms without surrounding them with various $5 words and extra, fluffy crap. In this talk, I will truly show how cheap talk is by not wasting money on wordage.
Despite being l33t technologists, many infosec leaders feel overwhelmed, marginalized and resigned to the notion that CISO stands for “Career is So Over”. This talk is about positive deviants: those who steer clear of the scapegoat mentality and establish themselves as business leaders and facilitators. Come hear about one CISO’s “cage rattling questions” and how he harnesses them for influence, or another CISO’s “Do not do” list that will make you cringe. If you are responsible for your company’s security program (or would like to be), come participate in this conversation on what it takes to deliver WIN.
Does this sound painfully familiar: after hardening your systems and implementing a firewall, application and vulnerability scanners, network intrusion detection, and comprehensive patch management, your internal web server was still compromised. To make matters worse, it was then used as a pivot point to compromise your whole network. And you didn’t even know it had happened until you got a call from an external security organization. Like the Little Dutch Boy in that famous story, you discover the tiny hole in your network defenses that the bad guys were able to sneak through undetected. And you realize that the clues were there all along. If you had seen those simple clues, you could have plugged the vulnerability before it was exploited and prevented the whole mess. This was the genesis of a new continuous monitoring tool called OMENS. OMENS is a free Windows web server monitoring tool designed to monitor, detect, and block the attackers that traditional Network Monitoring tools can sometimes miss. In this presentation the creator of OMENS will discuss the blind spots that Network Monitoring systems suffer from, and how these holes can be plugged by a distributed, host-based monitoring system. He will also discuss how OMENS is being used to monitor for hostile actors, understand their activity, and remediate the possible flaws they are probing for, before they can be exploited.
The Hacker Mentality is applied to technology with fervor. Take a thing, learn how it works, make it do cool things, bend it to your will. Yet in other areas, we take things at face value and do not question them. We need to learn to apply the line of thinking we have for technology to solve our other issues. The talk is an attempt to give an overview of the journey I have been on for the past few years to identify my issues (depression, anxiety, overweight, self esteem), learn about the topics, dig through the garbage, learn to question everything that has been documented, and then apply it where it mattered: myself. The point of the talk isn’t to give any mind-blowing revelations on how to solve anything, rather to say that the only people who can solve the problems are those with the problems. I plan to share random facts that I have picked up during my investigations into mental health, physical health and other topics, talk about my obsessive metrics gathering/biomining and hopefully inspire others to take an educational journey of their own.
There is no one single device that will provide a total security solution. All those “magic” and 4th quadrant solutions will not protect you. Security is not a framework, not a destination, and not a weekend of overtime implementing a new tool. It is not news that organizations need defense in depth or layered defenses. Too many organizations are stuck in a reactive security mode. Businesses react to network alerts, researching events in the morning from the day before. They react to virus detections when the AV solution emails them a report. Each security solution only provides a part of the answer to the question “Am I owned?” Network alerts only provide a partial picture, and the same goes for host monitoring. By combining logs, network alerts, and system alerts, a much clearer picture emerges. This talk will show that you can detect system compromises days, weeks and even months before antivirus will catch them. It will cover key system events and locations to monitor, network events that you may not currently be watching for but absolutely should be, and how simple visualization of log data can make potential compromises really stand out. Examples from compromises will be used to reinforce the concepts presented.
The information security industry is notorious for flameouts of brilliant people. In looking back at the circumstances that led to a dramatic situation, we can usually find early indicators that bad things lie ahead, and yet we fail to take timely action to avoid tripping into the abyss. In some instances, we feel that we are trapped in the darkness and we are alone. How do we identify when we or others near us are on a bad path? How do we recover? Once we’re back in a good mental state, what can we do to protect ourselves from the dark places?
Come one, come all! In this stimulating oral presentation, learn how to harness 3D printing technology for a purpose that we can all get behind: sex toys. You’ll be taken through the ins and outs of erecting your perfect toy right in the privacy of your own bedroom: from design, to material choice, to post-processing, it’s only as hard as you want it to be. You’ll learn how to program your first sex toy’s own unique curves, and you’ll also learn why privacy, anonymity, and choice all dictate that your next 3D model should be for personal use only.
One of your company’s laptops was just stolen. You know that there was sensitive information on the machine. You also know that full disk encryption was deployed. Is your data safe? Can you prove it? Many organizations are flocking to full disk encryption solutions as a solution to their data security requirements. Unfortunately, many of these installations view the deployment of full disk encryption as a panacea for any and all security concerns for their laptop fleets. All too often, these systems are not properly configured and adequately tested. In this talk, Tom will analyze the challenges associated with attacking and defending systems protected with full disk encryption. Many of the examples provided will draw from Tom's personal experience, including several scenarios where a fully encrypted and powered down system was fully compromised as part of a penetration test.
As we are becoming more immersed in technology, the “talent” of face-to-face communication is becoming a commodity. This talk will look at Communication Degradation and its effect on social engineering effectiveness and fundamental communication skills. While Communication Degradation is not new, research into it and its effects is. This talk will explore some of the new research being done in the area as well as look at some future research that is going to be taking place soon.
Much talk has been given to the concept of burnout and recurring feelings of futility by InfoSec professionals. This talk will discuss the Japanese concept of the craftsman’s spirit — “shokunin kishitsu” — and how that mindset can help you find some fulfillment in your job in what can be a really frustrating industry.
“See the world. Meet interesting people. Hack the planet.” You don’t have to join the military or the Peace Corps. Just be ready, able and enthusiastic to DROP TABLE status_quo;– There’s nothing stopping you from living your dream except a little bit of information and that first step. Hack Java from Java, Indonesia. Drop O’Day from a Dublin pub. Run Kali from Cali, Colombia. Beau and Taylor want to engage the BSidesLV attendees with stories of our WINS and FAILS. We want to hear your stories and inspire you to live your dreams as we are doing. We’ll tell you what’s worked for us and give ideas for what might work for you. We’ll pay cab fare for anybody who heads straight to the airport to GTFO FTW!
Trying to make non-security people follow security systems is incredibly difficult when it works, and incredibly difficult and frustrating when it fails. This presentation not only describes what to do and what not to do, but also why the different approaches work or not. There are simple guidelines, based on psychological principles, that can help you develop more successful security systems. Explaining and developing security systems in a way that anyone can understand means you can get them to decide to do what you wanted them to do in the first place.
With all of the recent focus on Android vulnerabilities, the Android landscape seems like an antivirus vendor’s dream. Unfortunately, for those who are using traditional protection software, the Android security software landscape is just as full of holes as Android itself seems to be. In this innovative talk, Allan and Mike will describe the issues within the Android OS’s design and the failure of most security tools to protect it, while at the same time writing active malicious code that will compromise a current Android device with any of the currently available protective software installed while on stage.
Network Video Recorders (NVRs) are network devices that record and store video from local and remote IP cameras on HDD storage. These NVRs are increasingly used in surveillance systems of homes and businesses. In this presentation, we will analyze the (in)security of NVRs from one of the reputed manufacturers of these devices. The presentation will cover how NVRs work, analysis of NVR firmware and a step-by-step demo of how an attacker could take complete control of these devices. Once an attacker has control of the device, he can monitor video from all the cameras connected to the device in real time from anywhere via his smartphone. I will also release a tool to remotely detect and own a vulnerable device in the wild.
Independent researchers are the lifeblood of the hacking community. Discovering new vulnerabilities, formulating new strategies and ideas, publishing white papers and blogs, and creating new tools, these visionaries help move our community and industry forward. Unfortunately, many outside of the community look down upon independent security researchers and dismiss their ideas and work. This can be for numerous reasons, such as the researcher not working for a specific organization or company, the lack of scientific and academic standards, or just a prejudice against the concept of independent research. Even worse for our community, we have recently witnessed the prosecution of some of these researchers for crossing real or imaginary legal lines during the pursuit of their study. One way to help legitimize the researchers to others in the corporate and academic communities, as well as help them avoid legal trouble, is the creation and adoption of research guidelines. The first half of the talk discusses some of the potential pitfalls and prejudices independent security researchers face, especially in regards to security disclosures. After that, there will be a frank discussion with audience members about their concerns and fears in terms of research, as well as what they would like to see in a research framework. Finally, volunteers will be invited to help create the framework.
Come witness the prognosticators of the SIEM as we travel through the mysterious 5 Ages of Logging and Security. We will reveal the (likely bleak) future of every InfoSec pro’s fave topic, Log Review. Our holy mission is to make you think about log review in a new light, discuss how to make it suck less, and to make you laugh about things that would normally lead to sadness and cutting yourself. The 5 Ages of Logging:
- Anarchistic - There were no logs; the IT world was a dark & chaotic place, which was pretty cool, albeit kinda scary.
- Monolithic - There were logs, but no one cared/bothered to look at them. Life was good.
- Realistic - There was log review, and it sucked, like really – a lot.
- Craptastic - Miraculously SIEM was created, and it sucked too, but slightly less so.
- Supercalifuturistic - There will be something ‘better’ and it will also suck. And you will pay too much for it from your favorite greedy vendor(s) because your CISO told you to get some of that stuff that is on the cover of <Insert Garbage Industry Rag Here> or he heard about at the IT Managers happy hour at the local sleaze joint…
Why? Come to the talk… Live onstage [redacted] demo included. You will laugh at least once – or your money back! Satisfaction Guaranteed except where noted, especially Nevada.
Sex, drugs and… censorship? This talk includes the Sex + Drugs talk that was censored under duress at BSides San Francisco, and begins by exploring why no topics should ever be off limits in hacker communities – and especially, why no topic should ever be off limits because there are women in the room. Solutions are offered to the community for current dilemmas posed by sex-negative and anti-harm reduction acts by feminist extremists in hacker communities. This Common Grounds Keynote also serves as an introduction to community-focused concepts – including the very necessary refusal to be silenced.
We have some good news and some bad news. The good news is that security is now top of mind for the people of planet Earth. The bad news is that their security illiteracy has led to very dangerous precedents, and this is likely just the beginning. The reactionary stances taken by the hacker community have induced burnout and fatigue, with many of us watching our own demise. We’re here to help us all hit rock bottom in the pursuit of something better. At some point the pain of maintaining inertia will exceed the pain of making changes, so it is time for some uncomfortable experimentation. While it may be overwhelming to think about, this is what we do. We hack systems. Finding flaws in the digital world comes naturally to us. We can and must do the same to the physical world: the media, governments, and lawmakers, in order to survive the next decade. Let’s get started.
Signatureless attack detection is becoming the hot topic in threat prevention. Client-side security vulnerabilities are often found in zero-day exploits in the wild, meaning that signature-based intrusion detection and prevention systems are not likely to catch these attacks. Signatureless detection systems are designed to detect these kinds of attacks, and they do provide some additional layer of security. One of the techniques deployed by signatureless systems is called sandboxing. In sandboxing, the signatureless attack detection system executes files that are being transferred across the network inside a sandbox. It carefully instruments the execution and, based on that, determines whether the file was malicious. We have analyzed signatureless detection, and particularly the sandboxing technique, and we have found several issues in the concept. We have also found ways to completely evade sandboxing. We have taken some peeks into one of the market-leading sandboxing products and will discuss our findings. In this presentation we will highlight the problems we have identified in signatureless attack detection and sandboxing, and present our findings regarding one of the market-leading products. Attendees will better understand the limits of these systems. Even though they do provide an additional layer of security, there are issues one should know about.
Cybercriminals persistently challenge the security of organizations through the rapid implementation of diverse attack methodologies, state-of-the-art malware, and innovative evasion techniques. In response, organizations deploy and rely on multiple layers of diverse security technologies. This talk examines the “kill chain” and the measured effectiveness of typical defense technologies such as Next Generation Firewalls, Intrusion Prevention Systems (IPS), Antivirus/Malware Detection, and browsers’ internal protection. Empirical data on the effectiveness of security products derived from NSS Labs’ harsh real-world testing is presented together with a live demonstration of successful evasion of malware detection. We find a considerable gap in protection levels within and across different security product groups. The presentation will be backed up with a paper to be made available to attendees.
With all the security products you use, you still don’t have confidence that your networks are malware-free. And you’re right. They aren’t. You want to know a dirty little secret? There IS a way to discover the most advanced malware! This discussion comes straight from the guys in the trenches who have been dealing with real world advanced malware for years. We are not in pristine labs, but the kind of environments that most of us really have, but won’t admit in public. Through our own wins and losses at defending our environments, we have identified what works and what doesn’t, and have created the Malware Management Framework: A simple methodology for defending your systems against the most advanced malware. We will cover the Malware Management Framework and provide specific, actionable items on how to use it in your environment with tools you may already have, and free tools you have not yet seen. If you are responsible for defending a network, and you want to have higher confidence that systems in your environment are malware-free, you need to attend this discussion.
A detailed analysis of password policies and authentication controls for widely-used websites hadn’t been conducted and seemed to be a daunting effort. To address this I supplemented automated and semi-automated data collection with the use of low-cost marketplaces like Amazon Mechanical Turk and the implementation of a system which allows volunteers to add, update, and modify data. I will cover my methodology, analysis of the collected data, challenges, lessons learned, and future plans.
This talk is about the ways the many components of governments interact and respond to challenging and anomalous events – highly relevant to hacking by all definitions and at all levels. If you don’t know the lay of the land, you cannot engage in appropriate research and reconnaissance, counter-measures, and operations. The proliferation of reliable reports of unidentified flying objects from the 1940s forward represented just such a challenge. The phenomenon was anomalous, well-documented, and certainly challenging, because, as Major General John Samford said, “credible people have seen incredible things.” The UFO History Group includes some of the best researchers in the field. Richard Thieme was privileged to be invited to join the group and their project, which resulted, after nearly 5 years of work, in “UFOs and Government: A Historical Inquiry,” an outstanding work of historical scholarship that nevertheless reads like a fascinating detective story. In almost 600 pages and with nearly 1000 citations, the work illuminates the response of the government since the early 1940s: how and why policies were set, and how they were executed. The book has been recommended by CHOICE, the primary resource for academic libraries, for inclusion by libraries at all levels because the book stands out as “an exception” in a field filled with speculation (there is virtually none in this book). Other reviews say, “this is the best book about the UFO phenomena that was ever written” and “UFOs and Government is a triumph of sober, conscientious scholarship unlikely to be equaled for years to come.” You have never heard a talk like this – about a subject that has been ridiculed and marginalized intentionally for sixty years as a matter of policy and politics. As Don Quixote said, “insanity is seeing things as they really are.” This speech uses UFO phenomena as dye in the arteries of “how things really are.”
There is one very important fact most people overlook when considering privacy and user data: data cannot be owned. Personal data cannot be owned. This small fact has astounding implications when considering privacy. Consider the intersection of two distinct, troublesome areas: data broker operations and the Computer Fraud and Abuse Act. When considering threats to the integrity of your network, advertisers are not the first thing that comes to mind. Yet the market for user data is so rich right now that it is ripe for exploitation. The brokers can buy and sell any data they wish, with no concern for the origin or means of acquiring data. They are not required to, and are unwilling to, reveal their sources. Some provisions in the Computer Fraud and Abuse Act open up the opportunity to acquire data surreptitiously by discouraging the public from discovering what may be happening to their data. Quiet, quasi-criminal operations could exist that siphon illegitimately collected data and sell it to legitimate brokers. The result of this alignment of circumstances is that there is an entirely unexplored class of attackers that may operate beneath the radar, yet out in the open. The data market is not something that has the potential for regulation, so it is incumbent on organizations to be aware of the threat and take appropriate measures to contain it.
As security professionals, almost every action we take comes down to making a risk-based decision. Web application vulnerabilities, malware infections, physical vulnerabilities, and much more all boil down to some combination of the likelihood of an event happening and the impact of that event. Risk management is a relatively simple concept to grasp, but the place where many practitioners fall down is in the tool set. The lucky security professionals work for companies who can afford expensive GRC tools to aid in managing risk. The unlucky majority out there usually end up spending countless hours managing risk via spreadsheets. It’s cumbersome, time consuming, and just plain sucks. After starting a Risk Management program from scratch at a $1B/yr company, I ran into these same barriers, and where budget wouldn’t let me go down the GRC route, I finally decided to do something about it. At BSides Las Vegas 2013, I would like to formally debut SimpleRisk, a simple and free tool to perform risk management activities. Based entirely on open source technologies and sporting a Mozilla Public License 2.0, a SimpleRisk instance can be stood up in minutes and instantly provides the security professional with the ability to submit risks, plan mitigations, facilitate management reviews, prioritize for project planning, and track regular reviews. It is highly configurable and includes dynamic reporting and the ability to tweak risk formulas on the fly. It is under active development with new features being added all the time and can be downloaded for free or demoed at http://www.simplerisk.org. With a simple, powerful, and cost-effective tool and some basic risk management knowledge at your disposal, you too can become the security rock star that your business seeks out for risk-based decision making. Let me show you how to convince your management, your peers, and yourself that Risk Management doesn’t suck.
I used to be a security professional, but even my boss didn’t remember my name. My brilliant ideas weren’t listened to, I was never invited to speak at conferences and not even my mother visited my blog. In this talk I will take you down a journey of self-discovery that took me 3 years and went from another faceless security dude, to being slightly less faceless. What worked, what didn’t work and all the behind-the-curtain magic exposed. If you’re interested in carving out your own space, making your voice heard amongst the 100′s of security ‘rockstars’ and dinosaurs who get all the attention – this is the talk for you to attend.
Automation is key when it comes to production. The same is true for malware. Malware production has moved on from the traditional manual method to a more efficient automated assembly line. In this talk, I will take the audience on an over-the-shoulder look at how attackers automate malware production. Discussion will focus on the tools and methodologies the attackers use to produce thousands of malware on a daily basis. The talk will then conclude with a live demonstration of how malware is produced in an automated fashion.
Breaking in is half the battle. I’ve talked to so many people whose only objective is to try and break into systems. I get that. It’s awesome, the rush you get when you bring up that shell. But what then? Ops hardening does not end at the outer shell. Once you’re in, you still have to navigate the maze of files, directories, and permissions that is the Linux file system. This talk will cover discovering services, utilizing simple and moderate netcat commands, combining netcat with crontab to create access windows, utilizing /dev/tcp to create a reverse shell, obfuscation to avoid IDS/IPS, and providing examples of tools at each step of the way. Some Linux experience needed. If breaking in is half the battle, staying in wins the war.
Imagine you have just started a new job and been handed a new (to you) desktop. It’s running Windows 7 and you have no local admin rights. Your new boss has challenged you to find out as much information about the network in the next 45 minutes without downloading any tools. What do you do? What do you do?
Creating and distributing useful software requires significant intellectual, emotional, temporal, and financial resources. Security software tends to require some level of operational security around vulnerability disclosures, and often carries some unique ethical and legal implications. On top of all this, “open source” often means there is no paycheck at the end of the week for programming effort. Why go to all the trouble? Why do some open source security projects succeed while many others fail? What does success even mean for open source? This talk by Thomas d’Otreppe (Aircrack-NG project lead) and Tod Beardsley (Metasploit engineering manager) will explore the unique challenges (and rewards!) faced by open source security projects. They will discuss strategies to keep projects and contributors on track, provide resources that make the life of an open source developer more productive and rewarding, and offer their unique insight into open source security development. Participants in this talk will come away with the tools and knowledge needed to launch a new open source security project or more effectively contribute to an existing one.
Almost every day there are new revelations about violations of users’ online privacy. Usually these infractions are for the monetary gain of an online entity, but at other times it can be part of censorship, a surveillance state or even a government breaking the law when accessing such data. With email being so personal, webmail (which is generally hosted free of charge by for-profit providers) is a particularly vulnerable space where people are not doing enough to protect online privacy. When a highly decorated four-star general is brought down because he couldn’t secure his online webmail, what hope do we have in terms of guaranteeing our own online privacy? The Electronic Communications Privacy Act of 1986 states that after 6 months, email messages lose their status as protected communication and no longer require a warrant, only a subpoena, for a government agency to force email providers to produce copies of users’ data. Online privacy is a right we have taken too lightly. Attendees of this talk will learn real world techniques that will enable them to make educated decisions about how to properly protect their webmail. Generally, you have little email privacy with US-based email services, so we will focus on offshore hosting where laws better regulate your data protection and online privacy. A survey of current options, with details from the speaker’s own trials of multiple solutions, will provide a framework for you to replicate, allowing you the online email privacy everyone deserves.
WebSockets are HTML5’s solution for low latency communications. Support is now stable in major browsers, and developers are starting to use them for chat, games, videoconferencing, and other applications. Despite its growing adoption, WebSockets are difficult for pen testers to mess with. Tools are starting to catch up – Wireshark, Fiddler & Chrome will let you view WebSocket traffic, but there is no simple system currently available to tamper with these messages. This summer I plan to release Socket Puppet, a Chrome extension designed to fill this need, and I want to release it at BSides.
Big Data, Data Science, Machine Learning and Analytics are a few of the new buzzwords that have invaded our industry of late. Again we are being sold a unicorn-laden, silver-bullet panacea by heavy handed marketing folks, evoking an expected pushback from the most enlightened members of our community. However, as was the case before, there might just be enough technical meat in there to help out with our security challenges and the overwhelming odds we face everyday. And if so, what do we as a community have to know about these technologies in order to be better professionals? Can we really use the data we have been collecting to help automate our security decision making? Is a robot going to steal my job? If you are interested in what is behind this marketing buzz and are not scared of a little math (not crypto, though ;)), this talk would like to address some insights into applying Machine Learning techniques to data any of us have easy access to, and try to bring home the point that if all of this technology can be used to show us “better” ads in social media and track our behavior online (and a bit more than that) it can also be used to defend our networks as well.
OSINT is often mentioned, but not really covered. Occasionally mention is made of a particular tool, but the aspiring professional is left to their own means to discover how to use the tool, or determine what information is of value. Given a sample case, a real world person, the talk will include some dox freely available in the wild and discuss and demonstrate how some of the information found can easily be used in a penetration test or by an attacker. The purpose of this discussion is multi-parted. By and large it will show some aspiring individuals how to go about gathering some of the information. It will also serve as a warning to those in the audience who might be simply curious about infosec and security in general, how easy it can be to find some information about particular individuals.
In recent years, Application Whitelisting has been one of the new breeds of antimalware technology. However, malware has already developed techniques for dealing with and impeding this new technology’s adoption rate, from causing unwanted behavior in the solution to directly altering the execution of the security solution to avoid detection while making it appear as though it is operating correctly. This talk will demonstrate how malware can accomplish these negative outcomes by manipulating application certificates and using file system filter drivers. This talk will also discuss how to factor these vulnerabilities into your security decisions.
In an ever-changing world where the technological dependence is ever increasing — the government wants to provide transparency, everyone has 500+ friends on Facebook, your kids can use the computer better than you can, your bank allows transfers on the fly, you can meet your next first date (or your future ex) based on an algorithm, you can apply for a loan, or even look up medical records… In a world of Big Data, data mining, network breaches and the cloud, what is the first line of defense for your important, personal, private info?! Software Assurance. This talk will discuss the various definitions of software assurance, who it relates to, as well as the ownership. We will talk about the recently passed National Defense Authorization Act of 2013 (NDAA) and what it means to software assurance and career developers everywhere. We’ll wrap up the discussion by highlighting some common vulnerabilities of software, suggestions for incorporating it into development and testing and finally several options for practice.
Matriux is the first full-fledged Debian-based security distribution designed for penetration testing and forensic investigations. Although it is primarily designed for security enthusiasts and professionals, it can also be used by any Linux user as a desktop system for day-to-day computing. Besides standard Debian software the Matriux Arsenal contains a huge collection of more than 350 of the most powerful and versatile security and penetration testing tools with around 20-50 more tools being added every release cycle of 6 months. Matriux comes with a custom-built Linux kernel to provide better performance and higher support for hardware to work even with a Pentium IV and 512 MB RAM comfortably. Matriux was first released in 2009 under code name “lithium” and then followed by versions like “xenon” based on Ubuntu. Matriux “Krypton” then followed in 2011 where we moved our system to Debian. Other versions followed for Matriux “Krypton” with v1.2 and then Ec-Centric in 2012. This year we are working on releasing Matriux “Leandros” which is currently in beta testing and a major revamp over the existing system. The Matriux arsenal is divided into sections with a broader classification of tools for Reconnaissance, Scanning, Attack Tools, Frameworks, Radio (Wireless), Digital Forensics, Debuggers, Tracers, Fuzzers and other miscellaneous tools providing a wider approach over the steps followed for a complete penetration testing and forensic scenario. Although there were many questions raised regarding why there is a need for another security distribution while there is already one, we believed and followed the free spirit of Linux in making one. We always tried to stay updated with the tool and hardware support and so include the latest tools and compile a custom kernel to stay abreast with the latest technologies in the field of information security. Matriux is also designed to run from a Live environment like a CD/ DVD or USB stick which can be help
ANSI (and ASCII) art dominated online communication for a short time. However, in that small window the medium evolved from a necessary function of early online systems into an art form on its own. Sixteen Colors was created to keep a history of the art form as seen from the production of the underground art scene that began in the 1990s and continues today. Learn what it takes to compile hundreds of thousands of pieces of artwork and how that artwork has changed over two decades.
You put your credit card in, I take your cash out. Point of Sale systems and Cash Machines are frequently targeted but rarely discussed. This talk will be a frank discussion about the types of attacks we have both seen and executed against these types of machines, where these systems are vulnerable from physical attacks to network and trojan attacks, and how to proactively deal with the problems. We will focus on current, practical, and frequently seen attacks of both POS systems and systems which dispense cash, because THAT’S what it’s all about.
The “China threat” is an incredibly hot topic in government and in the popular media. Information security companies have used the publicity to sell their services, and for the first time, hacking has taken center stage in American diplomatic policy. However, is China really a threat? If so, is the People’s Liberation Army really the worst adversary? As a hacker interested in China or a security researcher interested in profiling threats, where do you even begin? TProphet will share his perspectives based on three years of real-world experience living and working full-time in Beijing.
Once again, the Electronic Frontier Foundation returns to the Underground to answer your toughest Off-the-Record queries. Question some of the greatest minds in the field of internet law, in what is fast becoming an annual BSidesLV tradition. Patent Trolls, Free Speech, Fair Use, CFAA, CISPA (the cybersecurity bill), and the NSA surveillance programs like PRISM. If it matters (or should) to the on-line community, the EFF is researching it, litigating it and defending your rights. Come join us for what has become one of the liveliest, most insightful, audience-driven panel discussions in InfoSec.
We’ve known for some time that physical access to a device means game over. In response we’ve begun to rely more and more on “secure” container applications to keep our private and company secrets… well… secret! In this presentation I will discuss specific design flaws in the security of “secure” Applications that promise to keep your data / password and even company email safe and sound.
In early 2012 a group of 3 hackers were caught when a mainframe at Logica was no longer running as expected. This was the first warning that hackers had penetrated the once impenetrable IBM mainframe z/OS. Through some simple and some ungodly technical hacks the attackers were able to gain shell access to the mainframe, harvest accounts and get access to some very private data. The mainframe that was breached was responsible for Swedish police, banks, SPAR (SSN equivalent), Infortorg etc. SoF was able to obtain the detailed investigation into the attack and some extras that weren’t in the report. This talk will go over how the attack went down, what was successful and what wasn’t, how they were caught and investigated and tools that exist today (which didn’t exist at the time of the attack) to perform the same type of pentest on your mainframes. If you learn anything from this talk it will be just how insecure these mainframes really are when in the wrong hands.
APT, Cyberwar, ANONYMOUS, ACTIVE DEFENSE! All things you will hear along with the word “Attribution” but what is the point of attribution anyway? Are you going to hack back? Will you really be able to tell who really hacked you anyway? This talk is a cry for sanity in a world where the new hotness is attributing who attacked you even though the damage has already been done. In this presentation I will go beyond attribution of who did what to whom and show you methods to use the WHO to perform a 360 degree assessment of WHY you were attacked and HOW it was successfully carried out. This talk will discuss common techniques of OSINT, Psychology, Sociology, Forensics, Asset Classification, and other INFOSEC standard practices within a framework for securing your environment in a more holistic manner while using salty language and imagery.
“A burglar steals an unencrypted powered-down laptop containing PII and is immediately hit and killed by a bus. Data breach?” As more laws are passed there remain many difficult questions to answer. This panel will try. Come see opposed minds in the industry debate the ethics and economics of incident response and related regulations. We will debate things like: have the past 10 years of breach legislation helped or hurt our efforts in information security? When is a breach really a breach? Is it wrong to say “any loss of control is a breach and must be reported”? Do you agree there is “no safe harbor for encryption”? Is it “unduly costly on society” if our breach definition is too broad?
The contrast between the enthusiasm which brings together the BSides community and the burnout which impacts our professional lives is so blindingly obvious it's easy to miss. This talk will focus in on the key reason that so many burnout: the difficulty of being effective, and discuss ways we as a community can transform.
We've heard a lot about crypto backdoors recently (the flawed Dual_EC RNG, NIST curves and their fishy parameters, etc.). This talk presents new results on crypto backdooring, with the first published backdoor of its kind: a sabotaged version of SHA-1 that allows us to create exploitable collisions, such that we fully control the content of the colliding files: unlike theoretical "breaks" of SHA-1, our collision attacks are practical, although they use sophisticated differential attacks. We'll demonstrate PoCs of colliding binaries (MBR, COM), as well as compressed archives (RAR, 7zip) and JPEG images.
Every day, endless consumer and educational technologies provide learning opportunities in classrooms across the planet. We already live in a world where every moment of a child’s life can be recorded with metadata attached, but what if sensitive education data became part of metadata profiles, too? While there has been a recent massive influx of investment and resources into education technology, few schools have the appropriate resources to build secure infrastructure for sensitive student data, and few education technology companies take the challenge of securing student information seriously. This talk will examine the current state of (in)security in schools and in the education technology industry that leaves sensitive student data and private information exposed for anyone with a basic understanding of hacking to exploit. In addition to exposing the gaping security holes and lack of minimum encryption standards in educational technology, it will focus on ways that hackers, technologists and parents can advocate for more security protections that will keep the private data of children safe and sound.
Power laws occur widely and irrefutably in economics, physics, biology, and international relations. The root causes of power laws are hard to determine, but a good theory is that proportional random growth causes the phenomenon. This talk will attempt to prove a power law for breach size and breach occurrence volume, using data from over 30,000 businesses. The goal is to show that no matter the set of breaches one picks, the most impactful breach will have more impact than all the others combined. Information security breaches are scale-invariant and distributed according to a power law.
USB mass storage devices are some of the most common peripherals in use today. They number in the billions and have become the de-facto standard for offline data transfer. USB drives have also been implicated in malware propagation (BadBIOS) and targeted attacks (Stuxnet). A USB write blocker may help to prevent some of these issues and allow researchers to examine the content of the attempted writes. USBProxy allows us to build an external write blocker using cheap and widely available hardware that will be undetectable by the host system.
Long ago, during the “Great Age of l33t”, the digital oceans were traversed by notorious bands of pseudonymous ne’er-do-wells. These outlaw fleets, festooned with brightly-colored flags, laden with teenage pomposity and self-importance, roved their way into undiscovered territories. They took whatever they needed, but created many lasting works too. We will take you on a journey back in time, to experience what life was like during this pioneer era, with tall tales of life on the fringe, epic yarns of solidarity amongst outcasts, and discuss how forming your own “Digital Outlaw Biker Club” may be a better idea than it ever was.
So, you've gone to a bunch of conferences, and you've seen the movie Swordfish, and now you think you want to be a super l337 h4x0r, right? This will be a fast-paced, comedy-driven reality check for aspiring pro hackers and others hoping to jump in to infosec as a career.
Code emulation is a technology capable of detecting malware for which no signature exists. It’s a powerful step in the right direction for client security, but it’s a long way from mature. This talk will demonstrate how the code emulation engine in Anti-Virus Guard (AVG) can be reverse engineered by progressively testing its features, and ultimately evading detection. The result is a Command-and-Control (C&C) bot, in a non-obfuscated Windows shell script, that AVG and many other leading AV engines will not detect. I will propose solutions on how these code emulation environments can be improved, making the detection of zero day malware far more successful going forward. This is not a jab against AVG, as they get enormous credit for including such a powerful tool in a free antivirus client.
Threat Intelligence feeds are now being touted as the saving grace for SIEM and log management deployments, and as a way to supercharge incident detection and even response practices. We have heard similar promises before as an industry, so it is only fair to try to investigate. Since the actual number of breaches and attacks worldwide is unknown, it is impossible to measure how good threat intelligence feeds really are, right? Enter a new scientific breakthrough developed over the last 300 years: statistics!
At BSides LV 2013, I shared a dream…of a day when all-the-things would be endowed with…with huge…encryption! YES! BIG ENCRYPTION! Where NSA is spelled with F & U! Of a future where I can share my data without sacrificing ownership, confidentiality, or anything else. Where my memes and social awkwardness will be appreciated! Um…seriously though, we played “fantasy defense-in-depth”, sacrificed an “admin dude” dressed like the black knight, and generally shocked the world that the internet isn’t a safe place. Wait…ok…now seriously, we explored why the “escalation of weaponry” means defense is futile; why the networks of the future, pervasive ubiquity, and other unknowns won’t fit into a secure perimeter; that we need to protect data over devices; that if we can’t control how our data is transmitted, processed, or stored we need to figure out how to protect it! Can we create data resilient to attack even when the host it resides on is compromised? How do we not lose availability or the ability to share & collaborate with others? We were on the trail last year, but now we think we have a solution & can’t wait to show you! Fast forward 1 year & we have possibly the first open source destined & patent protected comprehensive framework for data protection. It’s a big idea with big challenges destined for failure without your input and expertise so come join the conga line to crazy town!
Our friends lose their jobs. McJobs don't cut it, and unemployment sucks. We decided to make a framework that would allow them to start their own businesses, and to keep their technical skills sharp. We made an open source MSSP framework. Download it, install it, you're in business. Firewalls, IDS, threat feeds, the works. Hell, we even threw in a ticketing system and marketing fliers. And we want your help. Make it better. Use it. Tweet about it. MAKE MONEY WITH IT!!!
Information security compliance regulations like PCI, HIPAA, SB1386 have been around for many years now, but we continue to suffer large data breaches. In this talk, an experienced PCI QSA will discuss why even the best efforts at compliance fail to prevent breaches, provide examples from the field of what goes wrong despite these best efforts, and how to win by not playing - by getting the sensitive data the thieves want out of your environment.
If (school < hackerspaces) && (textbooks < wikipedia) Then While (self-motivated = true){ experiment; } If knowledge is power, then schools make us dumb and docile. Hackers know that we learn by doing -- by asking the inappropriate questions, breaking the rules, and being too stubborn to fail. Ironically, educational theorists in ivory towers also know this -- and they are all terrified of the future. Learn how we keep them scared.
Suppose there is a stream of packets coming through your gateway, their contents apparently encrypted. They may be from a standard VPN such as OpenVPN or an IPSec implementation running over some non-standard ports or protocol, but you missed the initial negotiation that could tell you what sort of a VPN that might be. Can you still find out what software stack and what cipher are being used? We found out that, if you introduce a periodic disturbance to an encrypted VPN connection, you can fingerprint the VPN and, in particular, the cipher using nothing but packet timings of typical file transfers. We found out also that many things we take for granted aren't necessarily true - e.g., that double encryption may not be better for resisting fingerprinting, and that the most common encryption algorithms differ more in performance than one would think they do. We believe that the fingerprinting signatures are due to the interactions between the cryptographic and the network layers of the VPN, the cross-layer effects that have been largely overlooked to date. Our findings suggest that these interactions between the layers of a VPN implementation should be studied and taken into account to protect implementations against information leaks.
This talk will discuss real world techniques for implementing and optimizing a security program that we call RADIO (Recon, Analyze, Develop, Implement, Optimize). Conventional wisdom has historically presented guidance that works well in textbook scenarios or for very large companies but often does not integrate well with small to medium size companies. Our Five Step approach aims to provide more reasonable guidance for small to medium size companies or those organizations with operational models that might not lend themselves well to traditional methods.
Project Robus is a search for vulnerabilities in ICS/SCADA protocol stack implementations. Most research and commercial tools to date have focused on the PLC/RTU/controller (server). Project Robus tests both the RTU server and the master (client) sides of DNP3 and Modbus protocol stack implementations. Attacking the DNP3 master in the control center can eliminate the ability to monitor and control an entire SCADA system, such as an entire electric transmission or distribution system … all from accessing a serial or IP connection in one unmanned substation.
Predicting your adversary's behaviour is the holy grail of threat modeling. This talk will explore the problem of adversarial reasoning under uncertainty through the lens of game theory, the study of strategic decision-making among cooperating or conflicting agents. Starting with a thorough grounding in classical two-player games such as the Prisoner's Dilemma and the Stag Hunt, we will also consider the curious patterns that emerge in iterated, round-robin, and societal iterated games. But as a tool for the real world, game theory seems to put the cart before the horse: how can you choose the proper strategy if you don't necessarily even know what game you're playing? For this, we turn to the relatively young field of probabilistic programming, which enables us to make powerful predictions about adversaries' strategies and behaviour based on observed data. This talk is intended for a general audience; if you can compare two numbers and know which one is bigger than the other, you have all the mathematical foundations you need.
Intrusion detection systems, Network Security Monitoring. All too often, these countermeasures are portrayed as the ‘boy who cried wolf’, the magical box with blinking lights that does nothing but get the checkbox from $COMPLIANCE_AUDITOR, or that data that gets logged to your magical SIEM somewhere, and is never heard from again. I’m here to show you how to actually cut the shit on your IDS, get actionable intelligence, and make yourself the hunter, instead of the hunted. This talk will primarily be focused around Snort and Suricata, since for the sake of this talk, they operate about the same, and they are where I got most of my battle scars. I’ll also be introducing resources for standing up your own sensors quickly, and cutting the shit rapidly.
Applications rely on generating random numbers to provide security, and fail catastrophically when these numbers turn out to be not so “random.” For penetration testers, however, the ability to exploit these systems has always been just out of reach. To solve this problem, we've created “untwister:” an attack tool for breaking insecure random number generators and recovering the initial seed. We did all the hard math, so you don't have to! Random numbers are often used in security contexts for generating unique IDs, new passwords for resets, or cryptographic nonces. However, the built-in random number generators for most languages and frameworks are insecure, leaving applications open to a series of previously theoretical attacks. Lots of papers have been written on PRNG security, but there's still almost nothing practical you can use as a pentester to actually break live systems in the wild. This talk focuses on weaponizing what used to be theoretical into our tool: untwister. Let's finally put rand() to rest.
Critical Infrastructure security has been in the news and the talk of the town since 2005. While there are many talks and demonstrations about how to penetrate and exploit SCADA systems, few discussions about the pre-exploitation phase have been shared. I'm talking of course about the Vulnerability Assessment phase. Some may have performed such an assessment before and many are curious as to how to start it in the first place. Questions like: what are the methodologies used in performing an assessment on SCADA networks? What information is required before we click the 'Start Scan Now' button? What plugins should be used? Do my scans guarantee that these ultra sensitive systems will not go down? And which approach (automatic or manual) should be used in which situation? This talk is to share my personal experience and challenges faced during a SCADA assessment. I will also give an overview of a typical SCADA environment, the tools used for the assessment, the type of vulnerabilities found and how easy it is for an attacker to potentially 'own' the Power Grid and why the US is vulnerable.
So you want to be a non-profit charitable corporation, eh? Do you understand what that means, the amount of work involved, and the restrictions 501(c)(3) places on your fundraising? In this talk, I will review the process Security BSides Las Vegas, Inc. went through to become a 501(c)(3), and discuss the restrictions imposed by being an IRS-recognized charitable organization. I'll also discuss a few options to 501(c)(3), as well as the advantages to federal non-profit status. Participants in this talk will have a better idea of the pros and cons of 501(c)(3) status, and the challenges involved in becoming a 501(c)(3).
Have you ever had to justify to your company why you had to go to that expensive conference and give away all that swag — or why you came back with so much of it? Tired of explaining who “HardOn Soft” is when clients see their coffee mug on your desk? Who needs that many XXXXL T-shirts, anyway?! Guess what — that’s all money that’s flying out of those companies’ hands with almost no return on investment (ROI)! Even worse, with so many ways to repurpose and repackage 90% of the swag out there, they can’t even claim they’re generating brand awareness! Learn from a self-diagnosed Swag Hoarder on how to avoid your company wasting its hard-earned money on swag no self-respecting person would use (without a few “alterations”) — or if you’re just another face in the crowd, how to exploit what other companies are up to both by figuring out how to make sure of all the crap- er, ‘promotional material’ they give you, as well as how to win an iPad or other great prizes! (No, I won’t be GIVING one out at this talk, but there are tricks that will make it a lot easier for you to get one at your next big trade show!)
Everybody is aware of the buzzword BINGO winning square of "Machine Learning", but how can we apply this to a real problem? More importantly, what output can we derive from doing some analysis? This talk will cover clustering (unlabeled data) of file types based on various static features. Then, using information from the clusters, is it possible to automatically generate Yara signatures to go hunting for files that are similar? We believe so, and we'll show you how you can do this at home.
Every IT organization accessing sensitive data, regardless of its size, must protect that data. Otherwise, your company is exposed to unacceptable risk. However, since cyber attacks on small and medium size businesses (SMBs) rarely make headlines, it is easy for these IT organizations to develop a false sense of security. Information security is becoming increasingly challenging as both IT complexity and the threat landscape are evolving at an accelerated pace. During this presentation, I will share my methodology, including key, actionable recommendations to help you meet the challenge and manage your IT risk.
Credit card stealing RAM scraper malware is running amok compromising point-of-sale (POS) systems. Recent breaches have shown that exposure to such attacks is high and there is a lot at risk. This presentation shows how the attack is carried out by looking at the nuts-and-bolts of a home-grown malware sample. During the demo we will pretend to be the bad guy and steal information from the belly of the POS process. Then we switch hats, expose the malware to multiple environmental hazards to study its behavior and identify strategies that can be implemented to make it hard for the malware to behave correctly and deter the bad guys. If all goes well, you will walk away with RAM scraping and prevention mojo.
Knowing how to perform basic malware analysis can go a long way in helping infosec analysts do some basic triage to either crush the mundane or recognize when it's time to pass the more serious samples on to the big boys. This presentation covers several analysis environments and the three quick steps that allow almost anyone with a general technical background to go from n00b to ninja (;)) in no time. Well … maybe not a "ninja" per se, but the closing does address follow-on resources on the cheap for those wanting to dive deeper into the dark world of malware analysis.
In Europe, security systems are built with the end goal to safe-keep the privacy of sensitive data. In the U.S., security systems are architected with the goal of securing sensitive infrastructures. Recent revelations about the NSA snooping and international backlash demonstrate the dramatic international differences in privacy vs. security values. Those differences also play out in how security systems are architected. Beginning with “what is the data being protected?” vs. “how do we keep the bad guys out?” will lead to two very different security solutions.
“Can I learn how to use the product my company sells by interfacing with its API?” That was the question I asked myself when I started at OpenDNS in the marketing department. Having learned and used Python in business school, I decided to create an application that would monitor my organization’s DNS queries and email me a daily list of all new domains. This talk walks you through my journey of re-familiarizing myself with Python, interoperating with a new product’s API, and massaging the results into a daily alert. The end goal: to create something useful to reference for future development, to learn about the API, and to impress my colleagues - many of whom have no idea that I’m doing this in the first place. In my talk, I will provide examples of my logic, coding decisions, and any other stumbling blocks I ran into along the way in the hopes that attendees will take the plunge and hack away at something cool to further their knowledge.
In real world systems, operators are often inundated with alarms which alert when various anomalous events are detected. A software tool was developed that makes use of machine learning methods to allow the operators the ability to prioritize events of high interest. This tool relies heavily on the quality and validity of the data used for training.
For years the government has been using CDS to bridge networks with different classification levels. This talk will focus on what CDS systems are, how they’re built, and what kind of configurations are common in the wild. Furthermore, we’ll look at testing techniques to evaluate the security of these systems and potential ways to exploit holes in configuration and design. We’ll also look at the ways the commercial world might benefit from a data and type-driven firewall as well as some of the downfalls and negative aspects of implementing a cross-domain system.
Cluck Cluck presents an architectural, OS-independent method for accessing arbitrary physical memory from kernel shell-code or forensics memory acquisition tools where the virtual addresses of the paging structures are not known -- 'breaking out' of virtual memory. Currently, the virtual address for the page directory is hard coded in the kernel, but this is specific to each OS and version thereof. Cluck Cluck solves the chicken and egg problem (needing access to the page structures to gain access to the page structures) at an OS-independent, architectural level, highlighting how a newer Intel feature violated existing guarantees.
People who know that I have visited all seven continents tell me all the time, “I could never travel as much as you do.” Granted, North Korea, Antarctica and Myanmar are not for everyone, but if you’re living in the developed world, travel is very much within your reach. All you need is flexibility and your hacker ingenuity. In this talk, you’ll learn why you should travel, and how you can do it for little or nothing by applying hacker ingenuity and using travel hacks.
Techniques to fully automate finding certain vulnerabilities while reversing have become much easier due to research using XUtools (extended grep and diff). This talk will explore these newly discovered automated techniques for reversing. Join us while we help to demystify certain aspects of reversing while pissing off prima donna reversers. What more can you ask for in an underground talk?
Critical infrastructure systems are frequently constructed with components never designed for use in today's networked environment. While security conscious enterprises have extensive security mechanisms, these do not immediately transfer to many of our critical infrastructure networks. And yet we still need to move data in and out of them safely. This talk examines how to use the computer science concept of state to provide the equivalent of system isolation from hostile traffic on the network. Forget firewalls, air-gaps, and VPNs, and learn to embrace state transfers. This talk will explore the use of state transfer as a safer alternative to network data transfers. As more and more of our critical infrastructure is using TCP/IP networking and being connected via the Internet, methods to isolate the systems from a traffic signal point of view offer the best current technology to protect our networks, both operational technology (OT) and IT. This talk will give real world examples showing how to maintain all desired functionality, and yet sever the connection to unwanted signals carried in network traffic.
This talk will cover a high level vulnerability analysis of a modern digital home security system, which includes technologies such as an Android touch screen, wireless motion sensors, cameras, ZigBee components, mobile application(s), digital door locks, and thermostats.
As Big Data and Machine Learning start to make strides into Infosec, most of the rest of us are still working in SQL databases, CSV files and gluing things together with Python and JavaScript - while the folks with the Math degrees seem to be having all the fun with the data. Well, no more. We're information security practitioners: data is nice, but information is better - but how can we go from wikis, notes and whitepapers to processing the information we generate and doing something fun with that? Semantic Data systems open up machine learning and reasoning to the rest of us, with plain-language operations and natural language storage of information, not data. The Semantic Web has been around since the early days of the web, but is still misunderstood, and difficult to get into - so I've done all the hard work for you already - come and learn some practical tools, technologies and techniques for encoding the 'things we know' on top of the 'things we have' and show the world that you don't need a PhD in Applied Mathematics to come take part in the emerging world of information-driven information security.
Have you ever clicked a phone number in Safari to get the phone app to call that store/car dealership/pizza place you were searching for? In iOS, this interaction between apps happens via URL schemes, which are available to Apple applications as well as third party applications. Everyone uses them without noticing they exist. They are the most flexible of the imperfect methods available right now. They are, however, a source of user input that should never be trusted as safe. In this presentation, we will look at real life examples of implementations of URL Schemes that could lead to issues such as destruction of data or help a malicious person identify an iOS user. We will also look at simple ways to improve URL Scheme security for users of your apps as well as how to find URL Scheme vulnerabilities, for the ones out there who would like to help out.
There is a lot of talk about sharing and the security of our data. A recent Ponemon Report on Exchanging Cyber Threat Intelligence states that current threat sharing mechanisms are broken. Data is not timely enough, scalable or actionable as it often lacks context to a type of threat or actor. Today, government, military, and private organizations do share through unofficial channels (spreadsheets, email listservs, and “fight clubs”), but the time has come for security teams to have a tool to aggregate and analyze the influx of data coming in. More than a feed, and more than a SIEM, the future of threat intelligence lies in the threat intelligence platform. A threat intelligence platform should achieve many things, but most importantly it should offer a singular platform to aggregate, analyze, and act on threat intelligence data as well as offer options for context, sharing, and privacy. Any mature security organization should consider how and from where they are gathering their data, and what they then do with it. Attend this session to learn what a threat intelligence platform is and why you need one, and the real-life use-cases to sharing data, keeping it private to only those you wish to share with, and the benefit to collaboration at a large scale to achieve a predictive defense and ensure your threat data is being optimized to the fullest.
Everyone talks about ATM Malware; we can see videos on the Internet of these machines being hacked, but no one explains HOW an attacker can take control of an ATM and command it to dispense the money at will. Is it possible to control an ATM from a cell phone? What about a Man-in-the-middle attack to intercept the traffic between the ATM and the bank? Come to my talk and learn these and many other techniques used by hackers from Venezuela to Russia who are emptying ATMs without restrictions.
Case study of a three year journey of starting and managing a security non-profit. Will talk about lessons learned from the experience and successes and failures. Additionally, will also talk about how the non-profit has made a positive impact on the local community and how the lessons learned are also applicable to other facets of one's life and job. Building a non-profit can help break down "echo chambers".
There's a problem with Internet Explorer's anti-Reflective Cross Site Scripting filter. A problem Microsoft knows about, but has decided not to fix. Drop on by and learn a method for bypassing the anti-XSS filter in all versions of Internet Explorer.
BYOD is a cute and harmless-sounding acronym for a trend that is in reality introducing exponentially more risk to end-users and organizations. The common refrain is to seek out and secure your smartphones and tablets from malware and other malicious software which can wreak havoc on a device and completely ruin its integrity. However, BYOD is about more than just introducing hardware; it also brings the issue of BYOApps. Layers of protection covering both the device operating system as well as the apps running on it are required to have a comprehensive solution to combat this problem, which is actually deeper than it seems. In this co-hosted 45 minute presentation, we will present several real-world case studies of: - How easy it is to App side-jack to gain root (Jailbreak) - How a popular app like Flappy Bird can be trojan-ized to defeat two factor authentication. While the industry loves to talk about sexy malware exploit scenarios, few are exploring the risks that BYOD and BYOApps are introducing, by bringing apps that are hungry for user/private data into the workplace. Does a flashlight app really need access to a corporate address book or calendar? Should a doc-signing app transmit passwords in clear-text? Should a productivity app have access to corporate email attachments and be able to store them to Dropbox? As we scratch beneath the surface, the real security issue is deeper rooted in policy decisions that now must be made on which app behaviors should be allowed in an enterprise environment. BYOD has really become BYOApps, bringing with it a new layer of complexity with risks outside of obvious issues like malware. Organizations must make policy decisions about behaviors in apps and look for ways to enforce customized policy. A new approach defines the future of how mobile threats will need to be addressed in an automated and scalable way.
Superpowers, normally used by superheroes in the battle of good versus evil, are also accessible to engineers and hackers in equipment used for failure analysis and verification of PCB fabrication and component assembly processes. In this mostly visual presentation, Joe shares his experiences of using lasers, X-rays, and sound waves to facilitate the reverse engineering of electronic products and circuit boards.
Dynamic malware reverse engineering helps forensic analysts and reverse engineers gather quick data points such as callout domains, file download URLs or IP addresses, and dropped or modified files. These methods have long been used on Windows malware... so why not Mac malware? This presentation introduces the audience to methods, tools, and resources to assist reversing Mac binaries with a Mac. Topics include the Mach-O file format, virtualization, analysis VM setup, and various analysis tools (native and 3rd-party). This presentation is intended for those familiar with dynamic analysis (with a touch of static thrown in) or for those reverse engineering masters of the Windows executable to get an introductory idea of how to start analyzing Mac malware.
This is a presentation of case studies from past experience and what I have learned from each case in regards to social engineering and the Human Psyche.
One of the biggest questions facing people trying to learn how to hack is “How do you practice without committing a felony?” Wi-Fi is one of the easiest things to break, but it still requires practice to be proficient. To practice, you can either go after a random Wi-Fi network or you can create your own target network. Using an old router is fine, but the passcode has to be changed manually. A Raspberry Pi was turned into a Wi-Fi access point using Hostapd. The goal was to create a hackable target that changes the access code every time it boots. The Hostapd configuration file has an issue where you cannot store the WEP Key as a variable and then call that variable when the key is defined. This prevents urandom from being used to create a random key. A shell script was written to create the config file every time the Pi boots. This allows for the creation of a random key that can be inserted into the config file before hostapd loads. For verification purposes, the key is logged with creation date and time in a separate monitoring file. To increase the training benefits of using the Pi platform, a web server was added and vulnerable web apps are hosted. This creates a training platform where both Wi-Fi and web app hacking can be practiced. The ultimate goal is to have a device where you break the Wi-Fi, gain root on the Pi, and force it to reboot. Once it reboots, a new passcode is in place, and the process must start all over. This way, the challenge stays fresh and engaging, and previously collected key material cannot be reused.
Some of the most sophisticated rootkit behaviors are implemented by today's anti-cheat gaming software, in a constantly evolving game of cat and mouse. Game hackers often look for flaws in a system or program’s logic, seeking to exploit them for their own performance gains. As cheats evolve to evade detection, so do the anti-cheat software products, employing hooking mechanisms to catch the newest subversions. Often the effectiveness of an anti-cheat implementation will affect legitimate users’ enjoyment (no one likes to play with cheaters, even cheaters themselves!), making it highly profitable for game developers to focus on improving this technology and expediently identifying game hackers. As a natural consequence, anti-cheat software has grown more invasive and intrusive. For example, a recent version of VAC (Valve's Anti-Cheat Software) was found to scrape gamers' system DNS cache in order to spot commercial game cheats and ban users. Just what else is being extricated from our gaming systems and which products are the worst offenders? By analyzing system memory, several anti-cheat software implementations will be isolated. With a cadre of reverse engineers, we will walk through just how these products are monitoring for game hacking behavior and if any of these techniques call into question aspects of their End User License Agreements.
Let’s face it… Many people have better luck at the craps table than they do hiring the right candidate for their INFOSEC opening. Making matters worse, most of us have come from a purely technical background and don’t know the faintest thing about building our own team. There can be nothing more disheartening than finding out that you've hired the wrong guy, or worse yet, let the *right* one walk away. In this presentation we will discuss strategies for making sure the best new employee makes it in the door. This includes everything from recruiting, prescreening, and reviewing resumes to conducting good interviews and asking tough interview questions. This talk is aimed towards both managers who are tasked with hiring and interviewees who want to make sure they are at the top of their game.
As pentesters, we all have special techniques and tricks we use that make our jobs a lot easier. A few years back, I presented at BSides LV on some of the cool techniques that I use on a regular basis. This talk will dive down into all of the new techniques and latest and greatest hacks to make pentesting something easy and successful. This talk will also discuss how to mitigate some of the techniques and attacks.
Public key certificates are becoming more and more prevalent in software. These certificates are used in more places than just protecting web connections over HTTPS. They are used for authentication, trust, identification and secret trading within apps, behind firewalls and even between services. But, these black magic cryptography tools are only as secure as the code that implements them! Come see how bad practices, designs and testing habits can leave systems vulnerable and prone to exploitation!
Drupal is a very popular content management system that has been widely adopted by government agencies, major businesses, social networks, and more -- underscoring why understanding how Drupal works and properly securing these applications is of the utmost importance. This talk focuses on the penetration tester's perspective of Drupal and dives into streamlining the assessment and remediation of commonly observed application and configuration flaws by way of custom exploit code and security checklists, all of which are open-source and can be downloaded and implemented following the presentation.
The number of mobile applications is rising and Android still holds a large market share. As the number of applications grows, we need better tools to understand how applications work and to analyze them. There is always a question of whether we can trust mobile applications to do only what they are allowed to do and whether they are really secure when transmitting our personal information to different servers. In the presentation some runtime techniques will be discussed and a tool will be released that offers two approaches to analyze Android applications. The basic principle of the first approach is injecting a small piece of code into the APK, then connecting to it and using Java Reflection to modify values at runtime, call methods, instantiate classes and create your own scripts to automate work. The second approach offers much the same functionality, but can be used without modifying an application. It uses Dynamic Dalvik Instrumentation to inject code at runtime so that modifying APKs isn't necessary. The tool is Java based and simple to use, but offers quite a few new possibilities for security engineers and pentesters.
Producing IEEE 802.15.4 PHY-frames reliably accepted by some digital radio receivers, but rejected by others---depending on the receiver chip's make and model---has strong implications for wireless security. Attackers could target specific receivers by crafting "shaped charges," attack frames that appear valid to the intended target and are ignored by all other recipients. By transmitting in the unique, slightly non-compliant "dialect" of the intended receivers, attackers would be able to create entire communication streams invisible to others, including wireless intrusion detection and prevention systems (WIDS/WIPS). These scenarios are no longer theoretical. We present methods of producing such IEEE 802.15.4 frames with commodity digital radio chips widely used in building inexpensive 802.15.4-conformant devices. Typically, PHY-layer fingerprinting requires software-defined radios that cost orders of magnitude more than the chips they fingerprint; however, our methods do not require a software-defined radio and use the same inexpensive chips. Knowledge of such differences, and the ability to fingerprint them, is crucial for defenders. We investigate new methods of fingerprinting IEEE 802.15.4 devices by exploring techniques to differentiate between multiple 802.15.4-conformant radio-hardware manufacturers and firmware distributions. Further, we point out the implications of these results for WIDS, both with respect to WIDS evasion techniques and countering such evasion. This is joint work with Travis Goodspeed, Rebecca Shapiro, and other good neighbors.
Take a scientific look at information security incidents reported in the public news sources. This talk introduces the VERIS Community Database (VCDB), a research project aimed at gathering news articles about information security incidents, extracting data, and serving as a public repository of breach data suitable for analysis and research. We will discuss how to apply the methodology of the Data Breach Investigations Report (DBIR) to public data to answer research questions, and how this view of information security incidents differs from the DBIR.
Learn the basics of RFID hacking. In this workshop you will be guided through building an RFID sniffer using an Arduino and any RFID reader to output the card data of a prospective target. You will also build a complete RFID sniffer/decoder and “RFID exciter” to energize cards and read them from record distances (up to 10ft). Cost for this workshop is $33 USD (if you want to build your own boards; coils and batteries included). Required tools/experience: laptop, Arduino (not required, but suggested), basic soldering skills are suggested but not required as well. Soldering irons will be provided.
A view into what hackers are about and what auditors are about, comparison and contrasting.
Your organization’s greatest assets are also its greatest threat: People. Your greatest risks are those you trust. The intentions of these insiders can be sabotage, fraud, intellectual property theft or espionage. However, in many cases, patterns of detectable behavior and network activity emerge that provide indicators of risk, assist in early detection and speed up response time in an actual incident.
In July 2010, BC Hydro, the electric utility and grid operator of British Columbia, began implementation of its Advanced Metering Infrastructure (AMI) program, formally known as the Smart Meter & Infrastructure (SMI) program. The SMI program transformed BC Hydro from a traditional metering utility to a smart metering utility by implementing smart meters on the customer service points. It was the first step in the smart grid transformation. An AMI program requires the introduction of many new devices and applications into a utility’s infrastructure. Some of these devices and software may have never been deployed before anywhere in the world. Many are field deployed, outside of the utility’s physical and cyber security perimeters. Security teams within utilities need to take responsibility for the end to end security of an AMI program. Traditional approaches may not be sufficient to deliver this security. A new approach including pen testing specialists and third party labs may form an important part of this security. A standards based approach will be required to ground the security and penetration testing both in best practice and in a common set of principles that the utility and its partners can accept. The Advanced Metering Infrastructure (AMI) Risk Assessment document prepared by the Advanced Metering Infrastructure Security (AMI-SEC) Task Force can form the basis for creation of the test plans. This document has since been passed to the National Institute of Standards and Technology (NIST) Cyber Security Working Group and was integrated into NIST IR 7628. NIST IR 7628 contains a comprehensive list of possible threats to AMI systems. For successful outcomes it is important to consider emerging new factors. These are discussed in the presentation.
We've all seen the steady stream of revelations about the NSA's unconstitutional, illegal mass surveillance. Seems like there's a new transgression revealed every week! I'm getting outrage fatigue. So I decided to fight back... by looking for practical, realistic, everyday actions I can take to protect my privacy and civil liberties on the Internet, and sharing them with my friends. Join me in using encryption and privacy technology to resist eavesdropping and tracking, and to start to opt out of the bulk data collection that the NSA has unilaterally decided to secretly impose upon the world. Let's take back the Internet, one encrypted bit at a time.
The demands of Third Party Service Provider vendor due diligence and compliance management are growing rapidly in light of increased emphasis on these programs by regulators as well as outsourcing to reduce operational costs. Historically, vendor diligence programs have not adequately and consistently addressed proactive identification of potential risks, ongoing competence of third party service providers, and production of a vendor management program that truly aligns with business strategies, identifies the risks commensurate with the complexity of the business environment, and produces a clear measure of the effectiveness of the provider. In addition, service providers suffer under the burden of the sheer number of diligence questionnaires, lack of consistency in them, inconsistent workload, and resource conflicts with compliance and sales efforts. Diligence response is potentially labor intensive with the possibility of providing no return on the investment. Aimed at third party service providers and businesses with vendor diligence programs, this presentation looks at case studies from real service providers and their customers to exemplify the ways that traditional vendor management fails to meet the objectives of today’s business and the regulatory environment. It then proposes a means to rectify these failures and evolve vendor due diligence programs to the next step. Participants will learn how to establish the goals of the vendor diligence program, understand the scope of the product and its potential impact on their environment, define a central body of knowledge, address only what is important, and iteratively evolve their diligence process to provide a more valuable product in less time.
Contrary to popular belief and media depictions, hacking is a social endeavor. By examining the evolution of various hacking groups and collectives over the years, we can glean valuable insight into the structure of today’s hacking space and security culture. From white hat companies to prison, we look at how innovation in exploits and anonymity have reformed and regrouped the hacking clubs of yore.
Pwning the Hapless, or How to Make Your Security Program Not Suck. Customer data is our business. Whether within the financial or healthcare industries, the root of our business is to safely house and transmit information to and from trusted parties. With the growing demand of increased access – in healthcare, from providers, employees, visitors and patients, from a variety of devices – and increased federal enforcement of privacy and security requirements under the new HIPAA Omnibus Rule, there is an ongoing challenge of ensuring patient and customer information is adequately protected. Numerous breaches within both the healthcare and financial fields have involved lost or stolen unencrypted devices, but mistakes by employees continue to be the biggest security threats to all businesses. Even tech-based companies are shown to be at risk for various social engineering attempts. Why do these breaches keep happening? How can you, as an IT professional, or merely an employee with the safety of your customers’ data a concern, help your business create useful prevention strategies that employees will pay attention to? How do you train your non-tech employees to not be susceptible to social engineering attacks? Emily, an insurance professional with ten years' experience of working for 3 of the 5 biggest US disability insurance companies, and Casey, a Security Engineer with a history of working for commercial financial firms, will explore the unawareness non-tech employees have of their actions, and discuss useful training and resource organization and allocation. We will walk through a few scenarios (the successful and non) and discuss what we have learned from human behavior and how it can apply to enforcing security policies or creating a culture of care. Technical solutions will not be discussed specifically, as the focus will be on employee awareness, education and how we can do better. By working through a few scenarios that we have personally encountere
Mobile, the Final Frontier. These are the voyages of two researchers. Their 45 minute mission: to explore strange new apps, seek out new mobile SSL bugs and new SSL implementation flaws, to boldly go where no man has gone before. We'll trek across the mobile landscape showing numerous mobile failures, related to encryption.
Our four intrepid debaters will tackle the most pressing issues facing the security community today, as suggested by you, our insightful audience. See them use their amazing powers of speech, logic, and insinuation to best each other. You vote for the most convincing argument, and the loser drinks. This is a funny and thought-provoking session, driven by audience participation, alcohol, and hugs.
Once again, the Electronic Frontier Foundation returns to the Underground to answer your toughest Off-the-Record queries. Question some of the greatest minds in the field of internet law, in this annual BSidesLV tradition.
When the world ends, the only things that will be left on earth will be cockroaches, Twinkies, Keith Richards, and Phishing emails. With easy access to free and low cost cloud services, the Phisher’s job is easier than ever. This session will shed light on the number, variety, and complexity of Phishing emails in an effort to explain why they have not disappeared and why things will get far worse before they get better. Data from OpenDNS’ PhishTank will be collected, analyzed, and presented to reinforce just how serious the Phishing problem is and how you can help Vinny punch a Phisher in the face by joining the growing community.
Mistakes have been made, and mistakes will be made again. Those unfamiliar with the history of the situation may end up going through the same thought processes and making the same mistakes as the previous generations. This presents both problems and opportunities for security; it means that project managers and developers will need to keep a close eye on the development process to avoid making these known mistakes, and it also means that penetration testers and other red-team members have (provided they research the development history of their target) a list of potential avenues for exploit.
IBM has been touting the security of the mainframe for over 30 years. So much so, that the cult of mainframers believes that the platform is impenetrable. Just try showing how your new attack vector works and you'll be met with 101 reasons why it wouldn't work (until you prove them wrong of course). This talk will take direct aim at the cultist! Previous talks about mainframe security only got you to the front door. Leaving many asking 'great, I got a userid/password, now what?!'. That's what this talk is about: the ‘Now what’. You'll learn a few new techniques to penetrate the mainframe (without a userid/password) and then a bunch of attacks, tricks and mischief you can do to further maintain that access, find important files and really go after the mainframe. During this very Demo Heavy talk you'll learn how to take advantage of APF files, SSL key management, cgi-bin in TYooL 2014, what NJE is and why it's bad, why REXX and SETUID are dangerous and how simple backdoors still work (and will likely go undetected).
Over a decade ago, a friend at the National Security Agency told Richard Thieme that he could address the core issues they discussed in a context of "ethical considerations for intelligence and security professionals" only if he wrote fiction. "It's the only way you can tell the truth," he said. Three dozen published short stories and one novel-in-progress (FOAM) later, one result is "Mind Games," published in 2010 by Duncan Long Publishing, a collection of stories that illuminates “non-consensual realities:” the world of hackers; the worlds of intelligence professionals; encounters with other intelligent life forms; and deeper states of consciousness. A recent scholarly study of “The Covert Sphere” by Timothy Melley documents the way the growth and influence of the intelligence community since World War 2 has created precisely the reality to which that NSA veteran pointed. The source of much of what “outsiders” believe is communicated through novels, movies, and television programs. But even IC “insiders” rely on those sources, as compartmentalization prevents the big picture from coming together because few inside have a “need to know.” Thieme asked a historian at the NSA what historical events they could discuss with a reasonable expectation that their words denoted the same details. “Anything up to 1945,” the historian said with a laugh – but he wasn’t kidding. Point taken. This fascinating presentation illuminates the mobius strip on which all of us walk as we make our way through the labyrinth of security and intelligence worlds we inhabit of necessity, all of us some of the time and some of us all of the time. It discloses why “post-modernism” is not an affectation but a necessary condition of modern life. It addresses the response of an intelligence analyst at NSA who responded to one of Thieme’s stories by saying, “most of this isn’t fiction, but you have to know which part to have
Jim Christy will discuss the history and future of using Digital Forensics to solve almost any investigation, including his role leading Cyber Ops for the D.B. Cooper Cold Case Team. In 1971, a man named Dan Cooper (Press misidentified him as D.B. Cooper and that name has stuck) hijacked a Northwest Orient flight showing a flight attendant a bomb in his briefcase. He demanded and received $200,000 cash and 4 parachutes. After releasing the passengers, he directed the flight crew to fly him to Mexico with a refueling stop in Reno, NV. Somewhere over Washington State, it is believed D.B. Cooper parachuted out of the airliner via the rear stairway with the ransom, never to be heard from again. For law enforcement, this is the only unsolved skyjacking in American history. Christy put together an online task force to help Colbert’s team prove the real identity of DB Cooper, starting with the evidence from Colbert’s 2016 documentary and continuing through a surprising number of online sources and contacts for a 45-year-old case. It only took them a few years to prove what had eluded countless investigators in all that time. Learn all about the techniques that brought them success and join Jim Christy after the Keynote for an extended Q&A session and meet & greet in our Underground track!
How to (accidentally?) Change The @%!$ World in just ten years and a couple of two-day follow-ups.
Whenever we discover another breach, adversaries give us a friendly reminder that the status quo in network defense isn’t good enough. Everyone’s telling us that we need to evolve our focus beyond indicators toward tactics, techniques, and procedures (TTPs), yet we struggle with how to do this. MITRE ATT&CK is the first public framework derived from real threats for describing detailed post-exploitation activities, and the community is increasingly adopting it to help move toward detecting TTPs. Members of the ATT&CK team will engage in a discussion with the community about how ATT&CK can help us all improve. We will suggest ideas for how analysts, defenders, engineers, and red teamers can use ATT&CK as a common language to help change your approach to defense by orienting towards the adversary. Based on our experiences, we will provide practical advice on how to apply ATT&CK to improve cyber threat intelligence and defenses by tracking adversaries and developing analytics to detect their behavior. Most importantly, we want to hear from the audience about how they are using ATT&CK and what could make it better.
Meet SiliVaccine – North Korea’s national Anti-Virus solution. SiliVaccine is deployed widely and exclusively in the DPRK, and has been continuously in development by the government. When we heard of this strange software, we were immediately driven to investigate it: it’s not every day that you catch a glimpse of the malware landscape inside the closed garden of the DPRK’s intranet. In this talk, we will describe how we were able to obtain a rare copy of SiliVaccine; how we reverse-engineered it; and what surprising discoveries we made about its program architecture, all the way down to the file scanning engine, drivers, and other puzzling implementation details. As it turns out, there is plenty going on behind the scenes of this product. How was SiliVaccine created? Who created it? What was the game plan? We will try to shed light on these questions, and on the sheer effort that must have gone into developing it. If there is anything we learned, it’s that DPRK state-sponsored software is a secretive industry underlain by incredibly shady practices, and that if Kim Jong-Un sends you a free trial of his latest security solution, the correct answer is “thank you but no thank you”.
Exploits, Backdoors, and Hacks: words we do not commonly hear when speaking of Machine Learning (ML). In this talk, I will present the relatively new field of hacking and manipulating machine learning systems and the potential these techniques pose for active offensive research. The study of Adversarial ML allows us to leverage the techniques used by these algorithms to find weak points and exploit them in order to achieve: * Unexpected consequences (why did it decide this rifle is a banana?), * Data leakage (how did they know Joe has diabetes?), * Memory corruption and other exploitation techniques (boom! RCE), * Influence over the output (input: virus, output: safe!, as seen in [DEF CON 25 – Hyrum Anderson – Evading next-gen AV using AI](https://www.youtube.com/watch?v=FGCle6T0Jpc)). In other words, while ML is great at identifying and classifying patterns, an attacker can take advantage of this and take control of the system. This talk is an extension of research made by many people, including presenters at DefCon, CCC, and others – a live demo will be shown on stage! Garbage In, RCE Out
Ethereum dApps (decentralized apps) are a core pillar of why development on the platform has skyrocketed. Many of these dApps work by combining standard web applications with a consensus protocol behind them. In other words, users can interact with a standard web application to issue transactions to a series of Ethereum smart contracts. This produces an expanded attack surface for Ethereum dApps: since smart contracts are publicly visible on the blockchain, an attacker can exploit the dApp either through the web application’s logic or by attacking the smart contracts directly. In this talk, I demonstrate how an Ethereum dApp works from top to bottom. I show what transactions through a dApp look like, how they can be spoofed, and the different attacks we can leverage against a dApp — whether over the web or by targeting the smart contract directly — to try and steal its ether.
We are seeing more and more organizations leverage the advantages introduced by serverless computing. But what does serverless computing entail when it comes to security? With no dedicated server, is the security risk higher or lower? Can malware live inside the code? These are critical questions every organization shifting to a serverless environment should be asking. The Checkmarx Research Team took on the challenge of implementing the first-ever RCE (Remote Code Execution) attack in a serverless environment that is both stored and viral. Using Amazon’s Lambda as the first test subject, we were able to build a PoC which showed how information extraction and exfiltration is done. We also demonstrated how the payload persists and can be injected into other non-vulnerable functions. We then went ahead and tested to see if the same would work on Azure and Google Cloud. Curious to know the outcome? The findings will be presented in our session along with best practices and tips for ensuring security prevails in a serverless environment.
Everyone talks about IoT security failures, but who should actually do all the things? We bring back 80s style, while tackling the question of government involvement in the IoTs in a fast-paced game show format that will highlight the problems of expecting easy solutions. We’ll walk through scenarios from the news and some popular proposals, and highlight how they won’t work quite as well as some may hope. Contestants will reveal that, while snarking about security is fun and games, thinking about the complexity of policies isn’t child’s play.
Nation-state offensive digital attacks are on the rise, especially considering the news headlines. But what is cyber warfare, and what’s realistic? Come on a journey into a twisted but realistic game scenario with real-world implications. What decisions would you make considering the tools at your disposal? Embassy insider threats, leaked Intel agency data & tools, hacking back the wrong system, all the way up to causing mass casualties on internet-connected mass transit. Who are your diplomatic “friends” and who can you trust? This presentation gives participants a (sanitised) peek behind the diplomatic curtain, revealing some of the challenges, decisions and tools at their disposal: what US allies are preparing for, and what they expect. How your organisation can use similar techniques such as cooperating with peers against market-wide attacks, scrutinising data before attribution, and how computer emergency response teams can help. Studying the outcome: what can be done to improve the situation.
Cybersecurity in manufacturing environments is becoming more and more critical. However, many organizations do not know or understand the cyber risk in their manufacturing networks and plants. “Red Teaming” can help give the organization an edge in assessing, demonstrating, and communicating this risk. This talk will demonstrate some practical methods of performing penetration testing and Red Team assessments in a manufacturing environment. We will begin with the basics of manufacturing networks: how they work, how they are laid out, and the key components that comprise the network. Next, we will get to the fun part: the basics of Red Teaming in manufacturing, what to assess, how to evaluate it, and some typical findings and vulnerabilities that we have discovered in these assessments. Finally, some methods of mitigating these common vulnerabilities will be presented. Our goals for this talk are two-fold: motivate organizations and prepare Red Teamers to perform assessments in their own manufacturing environments, as well as shed light on common issues and vulnerabilities in manufacturing networks to help defenders and management.
Warrants. Wiretaps. PRTTs. Subpoenas. Section 702. 2703(d) order. National Security Letters. All Writs Act. Many in the infosec community are aware that the government has an array of legal authorities to use in investigating crimes which allow them access to user content and metadata, but few people could articulate the differences among these types of orders. This talk will review each type of legal process used by state and federal agencies to request access to various types of user data and content.
Proprietary software is used throughout the criminal justice system, and the trade secrets of software vendors are regularly deemed more important than the rights of the accused to challenge the results of these complex systems. We will lay out the map of software in this space from DNA testing to facial recognition to estimating someone’s likelihood of committing a future crime. We will detail hurdles that prevent oversight and examples of problems found with third-party review. Adams will demo his findings from reviewing NYC’s FST source code, which was made public by a federal judge after years of the city’s lab fighting disclosure. Greco will provide insight into the wider world of software used in the criminal justice system: from technology that law enforcement admits to using but expects the public not to question, to technology that law enforcement denies using despite evidence otherwise. Matthews will talk about the wider space of algorithmic accountability and transparency and why even open source software is not enough.
Crusade into the wild world of malicious browser extensions. You will learn how keylogging, cookie stealing and credential harvesting are done from an extension, and how a C&C server lets an extension author execute arbitrary JavaScript of their choosing remotely. We will also be talking about CORS (Cross-Origin Resource Sharing) and some interesting quirks of the browser extension environment. If you are a front-end developer and you want to dive into malicious code, this would be the best way to start learning.
Active Directory remains the most popular corporate solution for organizing devices and users on a network. Central to its responsibilities is providing user authentication and authorization. In particular, password authentication through Active Directory necessitates the use of the strongest defense mechanisms possible. However, the common corporate pattern of enforcing higher complexity passwords by increasing entropy remains an anachronism. This trend of constantly increasing password complexity is not only counterproductive due to its restrictiveness, but is also insecure due to its lack of defense against dictionary-based attacks. With the plethora of attacks centered on brute-forcing and commonly-used passwords, many corporations are falling victim to these attacks despite supposedly strong password enforcement. The solution to these problems is integration of password blacklisting directly into Active Directory, a countermeasure that has yet to reach widespread corporate adoption. This talk will provide a run-down on how corporations can install their own Password Filtering service directly into Active Directory using either in-house solutions or existing ones, and outline why this helps improve overall security and productivity. As an example, I will talk about how Yelp recently deployed this type of solution to improve our authentication flow.
There has been some confusion about reversing NTLMv1 and NTLMv1-SSP to NTLM hashes using hashcat’s mode 14000. This was largely due to a talk at Derbycon that had some incomplete information, combined with a few forum posts on hashcat.net. In order to simplify the process as much as possible, a tool called the NTLMv1 multi tool was created to automate most of the steps in converting an NTLMv1 or NTLMv1-SSP hash into a hashcat challenge file.
There are many eCommerce and SaaS businesses that offer loyalty programs. Some involve gift cards and credit points. Some include cash back and currency that can be used somewhere else. Naturally, all these loyalty programs require user authentication before granting access. The authentication method varies from a four-digit code to a password of your choice. Yet, once you are authenticated, there are no more hurdles before you can use the credited balance. Since this is a single point of failure, you would assume that more attention would be given to defending against automated attacks. But as we’ll see, that assumption is dangerously wrong. In this talk, we will disprove this assumption by exploring examples based on data from our customers (anonymized, of course). With real-world data we will show how automated attacks are used to access the accounts and from there the funds, and subsequently siphon them away. We will also go through the entire process against a demo mobile application, starting from reversing the APK up to running the automated fraud. We will also cover some approaches to protect both the business and the consumer from such attacks.
Typically the impact of constraints on the maximum number of permutations for a password is not considered, much less quantified. Password policies that require a minimum character length and mandate the use of lowercase letters, uppercase letters, numbers and symbols may reduce the number of viable passwords by more than 60% of the unconstrained character set. Mandating a 12 character password length immediately eliminates 95^11 potential passwords. Every combination of character constraints reduces the number of viable passwords even further. Websites with maximum character lengths and character set constraints can easily eliminate over 50% of the viable eight character passwords for the allowed and required character sets. In this paper we will quantify the effects of multiple combinations of constraints on 8, 12, and 16 character passwords, and provide the Python script used in our calculations as a starting point for further analysis by others.
Talking outside the community about security basics and teaching security awareness without resorting to FUD-tactics can be both challenging and satisfying. Challenging because you don’t want to be accused of being too shrill or dogmatic. Satisfying because when someone hears you about why security is important, you know you are making a difference. Over the past year, I spoke about security awareness to local community groups, professional organizations, and schools. Along the way, I learned that one way to avoid sounding shrill is to tailor the conversation to the audience’s age and perspective. This is partly finding the right examples, but also picking topics that are relevant to how the audience interacts with technology. Less “parental tech support,” and more like a “community awareness training” event. This talk will help adjust conversations so that the group “gets” why the security topic is important. The audience will walk away with concrete ideas on how they can reach out to their own communities. There will also be a checklist of things that worked, and things to avoid doing again. The goal is to improve security and encourage people to go into their communities and help more people become security-conscious.
The instant a device is connected to the internet, it gets scanned and interrogated for open ports, software versions, and default passwords. Who conducts these scans? Why? What kind of attacks will you see? The days of mass exploitation are upon us. When every device is connected, a new paradigm for mass exploitation emerges. Vulnerabilities, specifically in core computing components, linger for decades. Many White Hat organizations scan IPv4 constantly to assess the potential impact of a vulnerability, or to understand the shifting technology landscape, while less reputable actors scan for more nefarious purposes. We will explore the economics of simple port scans at scale and the associated costs for enthusiasts and enterprises. There are a number of insights you can gain into the systems and tools being used to conduct these scans. From Masscan to Zgrab to AutoSploit, internet scanning tools are prevalent and can reveal patterns of threat behaviors. Anyone in cybersecurity should be aware of how these tools work, what they reveal, and what threats they can uncover. To visualize internet scans, a demonstration of “Internet Radio” will show scans converted into music. This allows visitors to “hear” the background noise of the internet in real time.
Managing security for the WordPress project is a challenge to say the least. The sheer volume of reports, the resulting noise, securing an aging codebase, handling disclosure: all difficult to handle, but just the tip of the iceberg. How do you motivate and organize a volunteer team? How do you keep sites and users secure with so much third-party code? How do you educate users? When is it okay to break things to fix security issues, and how do you manage reputation when you do? Should you backport? How far? They may not have it all figured out, but over the years they’ve learned a lot, often the hard way. Aaron has led the WordPress Security Team since the end of 2016 and been a part of it for over five years. He’ll share what he’s learned along the way, how things have improved, what changes didn’t help (even when they were sure they would), and what things they still struggle with. He’ll also share an overview of the tools they use and processes they follow, in hopes that no one else has to learn the hard way.
The value promised and expected by investing in data analytics simply can’t be delivered unless you can GET the data and get THE data. This case study will detail how a global energy company is building out its Security Data Operations program to lay down the fundamental building blocks of an effective data pipeline, that ships the right data to the right platform for the right users. It will also detail ‘the snag list’ of things that can go wrong when trying to get valuable insight out of data, so you can avoid that happening in your organization.
Machine learning is the science of developing programs that can automatically learn from data. First, this talk will give some simple examples of machine learning. Next, we’ll delve into deep learning: a popular, modern subset of machine learning used for things like image recognition, self-driving cars, and malware detection. We’ll walk through exactly how deep learning programs (neural networks) work. This will allow us to touch on why deep learning is such a good tool for detecting never-before-seen cyber threats. Finally, we’ll walk through a demo of a deep learning program developed at Sophos.
The proliferation of ransomware has become a widespread problem culminating in numerous incidents that have affected users worldwide. Current ransomware detection approaches are limited in that they either take too long to determine if a process is truly malicious or tend to miss certain processes due to focusing solely on static analysis of executables. To address these shortcomings, we developed a machine learning model to classify forensic artifacts common to ransomware infections: ransom notes. Leveraging this model, we built a ransomware detection capability that is more efficient and effective than the status quo. I will highlight the limitations of current ransomware detection technologies and how that instigated our new approach, including our research design, data collection, high value features, and how we performed testing to ensure acceptable detection rates while being resilient to false positives. I will also be conducting a live demonstration with ransomware samples to demonstrate our technology’s effectiveness. Additionally, we will be releasing all related source code and our model to the public, which will enable users to generate and test their own models, as we hope to further push innovative research on effective ransomware detection capabilities.
Deep learning architectures have been used with great success to mimic or exceed human visual perception in well-scoped tasks ranging from identifying cats in Youtube videos to cars in self driving systems. Rarely have these techniques been applied to information security. Attacks that attempt to exploit visual perception, such as phishing documents that persuade humans to enable malicious macros and URL (e.g., www.rnicrosoft.com) and file-based (e.g., chr0me.exe) homoglyph attacks, are ripe for similar automated analysis. Our research introduces two methods – SpeedGrapher and Blazar – for leveraging artificial vision systems and features generated by image creation to detect phishing. SpeedGrapher analyzes the appearance of Microsoft (MS) Word documents and leverages an object detection network to identify relevant visual cues to classify samples. Blazar analyzes strings for possible domain or filename spoofing and uses a siamese convolutional neural network and a nearest neighbor index to compare visual similarity of spoofs to known domain or file names with a much greater accuracy than edit distance techniques.
Social engineering is a big problem but very little progress has been made in stopping it, aside from the detection of email phishing. We observe that any social engineering attack must either ask a question whose answer is private, or command the victim to perform a forbidden action. Our approach uses natural language processing (NLP) techniques to detect questions and commands in the messages and determine whether or not they are malicious. Question answering approaches, a hot topic in information extraction, attempt to provide answers to factoid questions. Although the current state of the art in question answering is imperfect, we have found that even approximate answers are sufficient to determine the privacy of an answer. We have tested this approach with over 187,000 phishing and non-phishing emails. We discuss the false positives and false negatives and why this is not an issue in a system deployed for detecting non-email attacks. In the talk, demos will be shown and tools will be released so that attendees can explore our approach for themselves.
To kick off Hire Ground, Lesley Carhart will share how best to leverage your time at BSidesLV and in Hire Ground to help your career. You may be either just starting out or a seasoned professional, but we all need to know tips and strategies to help move along our career paths. Lesley will share her advice just as she does on Twitter, her vlog and at other cons.
Matt DeVost has been hacking for over 25 years and has become one of the leading experts on cyber and security domains. One of Matt’s key phrases is HACKthink – applying the hacker mindset to analyze and dissect complex problems and develop innovative solutions. Matt will share how he has used this mindset to create his career path, and launch several companies.
Everyone knows that security talent is scarce. When interviewing for a position, it is important to fully appreciate what that means. As an interviewee, you have the opportunity to be choosy about where you spend your time and energy. Make sure that the company is just as worthy of that time and energy as you are worthy of theirs. This doesn’t give a potential candidate a license to be rude or snobby but rather levels the playing field in a way that not many other careers have. Ensuring that the company and the candidate are the best fit for each other is a dual responsibility. However, before any of this can matter, a candidate must first know themselves. What motivates you? What tempo are you looking for in a work environment now – what about in three years? This talk will cover the many different aspects of an organization that can impact your enjoyment of the work you’ll be doing in the short-term, and help set you up for success, happiness, and fulfillment in the long-term.
A career in Cyber Security does not always follow a linear path. In some cases, a successful career in cyber security can result from breadth of experience in seemingly unrelated disciplines and roles, with security implications woven throughout. I will share how my varied roles and experiences over 15 years have ultimately led to a career in cyber security.
Many women and underrepresented groups have faced adversity and lack of inclusion in their careers in Security. We have been able to rise above and “hack” through the obstacles. This talk is about how overcoming the adversity we face (as Black, Asian, Latina, Indian, Women, self-made students, economically disadvantaged and culturally repressed groups) is a form of hacking in itself. We have been able to rise above the obstacles and elevate our privileges to be active members of the cyber security community.
Panelists of recruiters debate and expand upon the major points brought up in today’s sessions. And every question you wanted to ask a recruiter, you can do so now!
Cybersecurity needs more and better ambassadors, particularly on topics that relate to cybersafety, where creating positive social change is more time-sensitive to avoid public harm. A significant part of this is learning how to work with the many media outlets and publications that regularly cover cybersecurity stories. Unfortunately, security coverage can often be sensationalist and counter-productive. It falls to us to provide reporters with the right information to cover complex and sensitive cybersafety topics appropriately. To help attendees learn how best to work with reporters, the I Am The Cavalry Track will have two complementary back-to-back sessions on “Engaging the Media.” Come for one or stay for both. In “Know Your Target,” four highly respected reporters that regularly cover cybersecurity will share their war stories of working with the security community. They will give you insight into the potential pitfalls of both intentional and unintentional media engagement, and will help you understand how best to build productive relationships with cybersecurity writers. They will also highlight tips and tricks for successful media briefings. This session is an informal panel discussion.
Cybersecurity needs more and better ambassadors, particularly on topics that relate to cybersafety, where creating positive social change is more time-sensitive to avoid public harm. A significant part of this is learning how to work with the many media outlets and publications that regularly cover cybersecurity stories. Unfortunately, security coverage can often be sensationalist and counter-productive. It falls to us to provide reporters with the right information to cover complex and sensitive cybersafety topics appropriately. To help attendees learn how best to work with reporters, the I Am The Cavalry Track will have two complementary back-to-back sessions on “Engaging the Media.” Come for one or stay for both. “Telling your story” is a short interactive workshop during which three of our expert reporters will walk attendees through tips and tricks for building compelling and credible cybersecurity stories. The session leads will take you through what makes a story “newsworthy”, how to create “hooks” to grab a reporter’s attention, and how best to get your message across. They will also explain how you can pitch your story to other reporters like them, and you may get a chance to get them interested in your story right then and there. This session will include opportunities for brave audience members to engage in live practice with the reporters, but participation is not mandatory.
IoT security is a known hard problem. A number of efforts are devoted to addressing risks in new devices by codifying and standardizing better security and development practices. The broader challenge will be to understand how these technical and policy efforts overlap–and where they don’t. Moreover, things that were built with better security when new can emerge as risks as they, and the underlying code, age and more vulnerabilities are discovered. This panel will explore the dynamics of three different IoT security proposals, focusing on coordination around the underlying standards, components, and end-of-life decisions. We will first share work that picks up where the National Telecommunications and Information Administration’s IoT working groups left off, mapping overlapping security controls in existing IoT standards. Amongst this blooming buzzing confusion, and despite unique sectoral attributes, these IoT security standards face similar challenges with respect to patching, cryptography, and supply chain security. By initiating conversations across sector and technical layer we hope to accelerate learning, and improve on current best practices. We’ll then highlight a new NTIA initiative on transparency around third party software components, sometimes referred to as a “software bill of materials.” We’ll review that initiative, and highlight a sometimes overlooked feature of an SBOM–helping vendors and customers make better end-of-life decisions for connected products. Lastly, we’ll explore a topic that some have suggested to help navigate the complexity and information asymmetries of the IoT space: a device registration database. In our vision, a hierarchical governance model in which devices register with a trusted entity could allow new nodes to be securely authenticated, creating a network of trusted devices. Registration allows the cross-referencing of known threats to preexisting IoT networks, and, upon discovery o
Vulnerability disclosures for safety-critical systems are f’n hard. Even when the finder/reporter and receiver/manufacturer are working closely in good faith, things get weird AF. When there’s low levels of trust, the weird go pro and things quickly break down. But no matter how frustrated we get with each other, we can and must find common ground around the desire to protect patients. Time to put the hard problems on the table and fight together to address them, rather than keeping on fighting each other. This discussion will cover ways to overcome some of the hard problems from vulnerability disclosure in safety-critical systems, through a lens of healthcare and medical device disclosures. This session will cover: The problem with understanding severity and criticality. CVE, CVSS, etc. – CVE and CVSS have issues (see also, our BSidesLV talk), but even when we agree they work well, it’s not generally for safety-critical industries. Communications – Reporter, manufacturer, FDA, DHS, AHA, NH-ISAC, and others all put out information on the same issue, often in conflict. Where is the single source of truth? Who does a doctor/patient listen to? How do you drive alignment? Timelines – Comms takes time. Fixes take time. Often these are staggered, not in parallel. Often they rely on outdated methods like newspaper notices, snail mail, etc. Relay Race – Write the bug -> find the bug -> fix the bug -> test the fix -> publish the fix -> apply the fix. And if you skip a step, or someone doesn’t do their job, patients may be at risk from going public. Year-0 for Healthcare – Medical device makers don’t have 20+ years experience with disclosures like in software/internet. Sometimes they think they don’t MAKE mistakes, or they’re sufficiently bounded to prevent harm from vulnerabilities. Technical Event Horizon – Even when you can show a hack is possible, it may not cause physical effects; even when it does there may be non-technical miti
I’ve spoken elsewhere about the tech and social ecosystems surrounding massive social engineering using misinformation and other forms of “fake news”. Now it’s time to talk about the practicals of doing this yourself, at scales ranging from personal attacks to nationstate.
User interaction is fundamental to successful IT operations within an organization. A disconnect between the end user point of view and the IT professional is growing. For many IT professionals, the so-called “soft skills” required to have successful interactions with end users are non-existent. Users become dissatisfied and unwilling to adopt change, while the IT professional struggles to maintain policy. The solution to help bolster these trying interactions is to emphasize the use of the three Cs: courtesy, clarity, and comprehension. It has been observed that when users are engaged, their satisfaction and willingness to comply increase greatly, which allows the IT professional to accomplish their goals. This talk takes a deeper dive into these meanings and provides useful, applicable tips on how an IT professional can apply them.
Effective security monitoring is an ongoing process. How do you get everyone participating? How do you on-board junior colleagues to continuous improvement? The purpose of this presentation is to show methods for encouraging participation from all members of the security monitoring team as well as tactics for communicating effectively with the organization. This presentation will cover the methods I’ve employed for a teaching / improvement focused SOC. Our practice has been focused around partnering analysts with business units to demonstrate our value as well as identify opportunities for our improvement.
Political warfare is back. Political warfare or political war is the “use of political means to compel an opponent to do one’s will, political being understood to describe purposeful intercourse between peoples and government affecting national survival and relative advantage.” Political warfare among nation-states is practiced with hostile intent and is by definition an offensive art. Political warfare has been reintroduced to the threat environment because as a strategy it can be implemented cheaply, possesses a high reproducibility, can be automated, waged largely through technical means and has a good rate of return. This presentation seeks to define political warfare as a strategy and then walk through common TTPs.
As a practicing Information Security consultant, I’ve seen many organizations fail at implementing effective security programs, not as a result of having incorrect technology, and not even as the result of having the wrong people within the organization. Rather, it’s different individuals and groups (“The Paladins”) within IT each acting as their own “lion”, with different priorities and goals. Only when they come together and act as one (“Voltron”) can the enemies of the organization be defeated. This is not a technical talk, rather a “from the trenches” style presentation.
This talk will describe the password policy at Pure Storage, which involves the security team actively attempting to crack employee passwords, forcing a change when discovered, and allowing them to keep the password. Nearly two years into this program, I will review our mature implementation and present an analysis of the collected password data demonstrating how this approach has markedly raised security awareness of our employees and improved the strength of their passwords. Day-to-day blue team security is hard and draining; this approach gives the defense team members a chance to play the role of attacker with a fun task quite different from their day-to-day.
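The crack-and-flag loop such a programme runs, as an added example that is not code from the talk or from Pure Storage: a small salted-hash directory and wordlist are constructed inline, candidate passwords are generated with the mutations users typically apply (case changes, appended years and digits, a trailing symbol), and the accounts whose hashes match are returned for a forced change, together with a summary of which pattern defeated them. The hash construction, the account names and the wordlist are assumptions for the example; a real programme feeds the directory's actual hash format to a dedicated cracker such as hashcat and keeps only the fact of the crack, not the plaintext.

```python
import hashlib

# Constructed sample directory for the example: username -> (salt, hex SHA-256 of salt || password).
# The hash construction is an assumption chosen so the example runs with the standard library;
# a real programme would hand the directory's own hash format (for instance NT hashes) to hashcat.
def _hash_password(salt: bytes, password: str) -> str:
    return hashlib.sha256(salt + password.encode("utf-8")).hexdigest()

SAMPLE_ACCOUNTS = {
    "alice": (b"salt-a", _hash_password(b"salt-a", "Summer2018!")),
    "bob":   (b"salt-b", _hash_password(b"salt-b", "correct horse battery staple")),
    "carol": (b"salt-c", _hash_password(b"salt-c", "password1")),
}

# Tiny base wordlist (constructed); in practice a large leaked-password list plus company terms.
BASE_WORDS = ["password", "summer", "welcome", "company"]


def mangle(word: str):
    """Yield the mutations users apply to dictionary words: case changes, appended years,
    appended digits and a trailing symbol."""
    for base in {word, word.capitalize(), word.upper()}:
        yield base
        for year in ("2016", "2017", "2018"):
            yield base + year
            yield base + year + "!"
        for digit in "0123456789":
            yield base + digit
            yield base + digit + "!"


def crack(accounts, words, mangler=mangle):
    """Return {username: plaintext} for every account whose hash matches a candidate.
    The plaintext is returned only so weakness_summary can classify it; a production
    programme should discard it immediately and retain only that the account was cracked."""
    candidates = set()
    for w in words:
        candidates.update(mangler(w))
    cracked = {}
    for user, (salt, digest) in accounts.items():
        for cand in candidates:
            if _hash_password(salt, cand) == digest:
                cracked[user] = cand
                break
    return cracked


def force_change_list(accounts, words):
    """Usernames whose password must be rotated because the audit recovered it."""
    return sorted(crack(accounts, words))


def weakness_summary(cracked):
    """Classify cracked passwords by the pattern that defeated them, for the awareness
    metrics reported back to employees."""
    summary = {"year_suffix": 0, "digit_suffix": 0, "plain_word": 0}
    for pw in cracked.values():
        stripped = pw.rstrip("!")
        if stripped[-4:].isdigit():
            summary["year_suffix"] += 1
        elif stripped[-1:].isdigit():
            summary["digit_suffix"] += 1
        else:
            summary["plain_word"] += 1
    return summary


if __name__ == "__main__":
    found = crack(SAMPLE_ACCOUNTS, BASE_WORDS)
    print("force change:", force_change_list(SAMPLE_ACCOUNTS, BASE_WORDS))
    print("patterns:", weakness_summary(found))
```

With the constructed directory, alice ("Summer2018!") and carol ("password1") are cracked and bob's passphrase survives; the mutation set is deliberately small, and the point of the programme's metrics is to watch the year-suffix and digit-suffix counts fall over time as employees learn what the team can recover.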
Vulnerability management, in the context of information security, is a critical, but often overlooked aspect in a comprehensive security posture. Many organizations are limited by time and resources to simply fighting fires and operating in a reactive methodology. Without a clear, defined, and management-supported vulnerability management effort, an organization may continue to operate indefinitely with a reactive methodology. There are three overarching components of vulnerability management that are to be considered in this process: Vulnerability discovery - how does an organization become aware of existing or newly published vulnerabilities? Vulnerability notification - how does an organization communicate discovered vulnerabilities to those responsible for the affected system(s)? Remediation verification - how does an organization validate the remediation/justification responses of those responsible for remediation? In considering these three factors, I intend to communicate successful examples of vulnerability management from discovery to notification, remediation, and, finally, verification. Recommendations for organizations new to vulnerability management are also included.
Hands-on network security monitoring training with Bro. Students will ssh into a live training environment and analyze PCAPs for common types of attacks – brute forcing, SMB-related attacks and more.
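One of the analyses such a class works through, as an added example that is not part of the course material: reading Bro/Zeek's ssh.log and flagging SSH brute forcing. The log excerpt below is constructed, reproduces only a subset of the real log's columns (the column names and the `-` unset marker are Zeek's), and the thresholds are assumptions chosen to fit the sample; the parser reads the `#fields` header so it also works on a full log.

```python
from collections import defaultdict

# Constructed excerpt in Zeek/Bro ssh.log layout (tab separated). Only some of the real
# columns are reproduced; "-" is Zeek's marker for a field it could not determine.
SAMPLE_SSH_LOG = "\n".join([
    "#fields\tts\tuid\tid.orig_h\tid.orig_p\tid.resp_h\tid.resp_p\tversion\tauth_success\tauth_attempts",
    "#types\ttime\tstring\taddr\tport\taddr\tport\tcount\tbool\tcount",
    "1525000000.10\tCabc1\t10.0.0.5\t51000\t10.0.0.20\t22\t2\tF\t3",
    "1525000003.40\tCabc2\t10.0.0.5\t51001\t10.0.0.20\t22\t2\tF\t3",
    "1525000007.90\tCabc3\t10.0.0.5\t51002\t10.0.0.20\t22\t2\tF\t2",
    "1525000012.00\tCabc4\t10.0.0.5\t51003\t10.0.0.20\t22\t2\tT\t1",
    "1525000020.00\tCabc5\t10.0.0.7\t43000\t10.0.0.20\t22\t2\tT\t1",
    "1525000025.00\tCabc6\t10.0.0.9\t43100\t10.0.0.20\t22\t2\tF\t1",
    "1525000030.00\tCabc7\t10.0.0.9\t43101\t10.0.0.20\t22\t2\t-\t-",
])


def parse_zeek_log(text):
    """Yield one dict per record, keyed by the names in the #fields header."""
    fields = None
    for line in text.splitlines():
        if line.startswith("#fields"):
            fields = line.split("\t")[1:]
        elif line.startswith("#") or not line.strip():
            continue
        elif fields is not None:
            yield dict(zip(fields, line.split("\t")))


def _failed_attempts(rec):
    """Failed authentication attempts a record represents. Records whose outcome Zeek
    could not determine ("-") are not counted as failures, to limit false positives."""
    if rec.get("auth_success") != "F":
        return 0
    attempts = rec.get("auth_attempts", "-")
    return int(attempts) if attempts.isdigit() else 1


def detect_ssh_bruteforce(text, threshold=5, window=300.0):
    """Return {source_ip: peak failed attempts} for sources whose failed SSH
    authentication attempts within any `window` seconds reach `threshold`."""
    events = defaultdict(list)
    for rec in parse_zeek_log(text):
        n = _failed_attempts(rec)
        if n:
            events[rec["id.orig_h"]].append((float(rec["ts"]), n))
    alerts = {}
    for src, evs in events.items():
        evs.sort()
        start = 0
        for end in range(len(evs)):           # sliding window over the sorted timestamps
            while evs[end][0] - evs[start][0] > window:
                start += 1
            total = sum(n for _, n in evs[start:end + 1])
            if total >= threshold:
                alerts[src] = max(alerts.get(src, 0), total)
    return alerts


def successes_after_bruteforce(text, **kwargs):
    """Flagged sources that later logged a successful authentication: the case to
    escalate as a probable credential compromise rather than just noise."""
    flagged = detect_ssh_bruteforce(text, **kwargs)
    first_fail, hits = {}, set()
    for rec in parse_zeek_log(text):
        src, ts = rec["id.orig_h"], float(rec["ts"])
        if src not in flagged:
            continue
        if rec.get("auth_success") == "F":
            first_fail.setdefault(src, ts)
        elif rec.get("auth_success") == "T" and src in first_fail and ts > first_fail[src]:
            hits.add(src)
    return sorted(hits)


if __name__ == "__main__":
    print(detect_ssh_bruteforce(SAMPLE_SSH_LOG))
    print(successes_after_bruteforce(SAMPLE_SSH_LOG))
```

On the sample, 10.0.0.5 is flagged (eight failed attempts in under ten seconds) and then succeeds, while 10.0.0.9's single failure and undetermined record stay below threshold. Zeek ships its own detection for this in policy/protocols/ssh/detect-bruteforcing.zeek, which by default raises SSH::Password_Guessing after 30 failures in 30 minutes; the value of writing the logic by hand in class is seeing why the window, the threshold and the handling of `-` each change the alert count.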
Industrial Control Systems (ICS) are the silent machines that control the world all around us. ICS systems are used to control elevators, subways, building HVAC systems and the electricity we use. The convergence of information technology (IT) and operational technology (OT) in the ICS marketplace has been taking place over the last 20 years. This convergence, while increasing ICS operational efficiency, is also increasing cyber risk. In this full day course, you will learn how to identify the protocols being used in OT networks, how to decode them and the tools and procedures to perform network assessments on these networks.
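The identify-and-decode step for one common OT protocol, Modbus/TCP, as an added example that is not part of the course: the MBAP header (transaction id, protocol id of 0, a length that counts every byte after itself, unit id) identifies the protocol, the function code tells read from write, and writes from hosts outside an allowlist are reported. The sample frames, addresses and allowlist are constructed; the decoder handles request-direction PDUs and exception responses, not the value-carrying responses to reads.

```python
import struct

MODBUS_TCP_PORT = 502

FUNCTION_NAMES = {
    1: "Read Coils", 2: "Read Discrete Inputs", 3: "Read Holding Registers",
    4: "Read Input Registers", 5: "Write Single Coil", 6: "Write Single Register",
    15: "Write Multiple Coils", 16: "Write Multiple Registers",
}
WRITE_FUNCTIONS = {5, 6, 15, 16}


def mbap_ok(payload: bytes) -> bool:
    """MBAP header sanity: protocol id is always 0 and the length field counts the
    unit id plus the PDU, i.e. every byte after the length field itself."""
    if len(payload) < 8:
        return False
    _, proto_id, length, _ = struct.unpack(">HHHB", payload[:7])
    return proto_id == 0 and length == len(payload) - 6


def looks_like_modbus(src_port, dst_port, payload) -> bool:
    return MODBUS_TCP_PORT in (src_port, dst_port) and mbap_ok(payload)


def decode_modbus(payload: bytes):
    """Decode a Modbus/TCP frame (MBAP header + PDU). Returns None if the header
    checks fail, so it can double as a protocol identifier on unknown traffic."""
    if not mbap_ok(payload):
        return None
    tid, _, _, unit = struct.unpack(">HHHB", payload[:7])
    fc, data = payload[7], payload[8:]
    code = fc & 0x7F
    msg = {
        "transaction_id": tid, "unit_id": unit, "function_code": code,
        "exception": bool(fc & 0x80),            # responses set the high bit on error
        "name": FUNCTION_NAMES.get(code, "unknown"),
        "is_write": code in WRITE_FUNCTIONS,
    }
    if msg["exception"] and data:
        msg["exception_code"] = data[0]
    elif code in (1, 2, 3, 4) and len(data) >= 4:
        msg["start_address"], msg["quantity"] = struct.unpack(">HH", data[:4])
    elif code in (5, 6) and len(data) >= 4:
        msg["address"], msg["value"] = struct.unpack(">HH", data[:4])
    elif code in (15, 16) and len(data) >= 5:
        msg["start_address"], msg["quantity"], count = struct.unpack(">HHB", data[:5])
        msg["payload"] = data[5:5 + count]
    return msg


# Constructed frames: (src_ip, src_port, dst_ip, dst_port, payload)
READ_HOLDING   = bytes.fromhex("00010000000601030000000a")  # unit 1, FC 3, addr 0, qty 10
WRITE_SINGLE   = bytes.fromhex("000200000006010600101234")  # unit 1, FC 6, addr 16, value 0x1234
WRITE_ROGUE    = bytes.fromhex("000300000006010600100000")  # unit 1, FC 6, addr 16, value 0
EXCEPTION_RESP = bytes.fromhex("000100000003018302")        # FC 3 | 0x80, exception 2
SAMPLE_FRAMES = [
    ("10.1.1.10", 40001, "10.1.1.50", 502, READ_HOLDING),
    ("10.1.1.10", 40002, "10.1.1.50", 502, WRITE_SINGLE),
    ("10.1.1.99", 40003, "10.1.1.50", 502, WRITE_ROGUE),
    ("10.1.1.50", 502, "10.1.1.10", 40001, EXCEPTION_RESP),
    ("10.1.1.99", 40004, "10.1.1.50", 8080, b"GET / HTTP/1.1\r\n"),
]


def unauthorized_writes(frames, allowed_writers):
    """(src_ip, function name, address) for every write request not sent by an
    allowlisted host such as the HMI or engineering workstation."""
    findings = []
    for src, sport, _dst, dport, payload in frames:
        if not looks_like_modbus(sport, dport, payload) or dport != MODBUS_TCP_PORT:
            continue
        msg = decode_modbus(payload)
        if msg and msg["is_write"] and src not in allowed_writers:
            findings.append((src, msg["name"], msg.get("address", msg.get("start_address"))))
    return findings


if __name__ == "__main__":
    for frame in SAMPLE_FRAMES:
        print(frame[0], "->", frame[2], decode_modbus(frame[4]))
    print(unauthorized_writes(SAMPLE_FRAMES, {"10.1.1.10"}))
```

Modbus has no authentication, so the only things separating a legitimate write from a hostile one are the source host and whether the write makes process sense; that is why an OT assessment starts by enumerating which hosts issue which function codes before anything is touched.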
Inspecting the internals of Microsoft Windows and discovering interesting attack surface for local privilege escalation can be a dark art. Outside of trivial enumeration and fuzzing of drivers there’s little documentation about how you’d find interesting privileged attack surfaces such as brokers, internal RPC/DCOM services and badly configured applications to escape sandboxes and get administrator privileges. In this workshop we’ll go through how to use a number of PowerShell tools such as NtObjectManager (https://www.powershellgallery.com/packages/NtObjectManager) that I’ve written to help identify interesting attack surfaces, and from that how to extract information through reverse engineering to discover how they can be exploited. The workshop will also contain an overview of important areas of Windows internals as they relate to privilege escalation and how PowerShell can give you a better understanding of how these internal features work together.
Using cryptography is often a subtle practice and mistakes can result in significant vulnerabilities. This workshop will cover many of these vulnerabilities which have shown up in the real world. This will be a hands-on workshop where you will implement the attacks after each one is explained. I will provide a VM with Python dependencies and skeleton code included so you can focus on implementing the attack. A good way to determine if this workshop is for you is to look at the challenges at cryptopals.com and see if those look interesting, but you could use in person help understanding the attacks. While not a strict subset of those challenges, there is significant overlap.
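One of the real-world mistakes such a workshop covers, as an added example that is not the workshop's VM code or a cryptopals challenge solution: reusing a nonce with a stream cipher or CTR mode. The keystream below is a toy SHA-256 counter construction (an assumption so the example runs on the standard library; the attack is identical for AES-CTR or ChaCha20), the key, nonce and messages are constructed, and the block shows both the known-plaintext recovery and crib dragging, plus the check that prevents the reuse.

```python
import hashlib


def keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    """Toy counter-mode keystream: SHA-256(key || nonce || counter) blocks, standing in
    for AES-CTR so the example has no third-party dependency. Reusing (key, nonce)
    yields the same keystream, which is the whole problem."""
    out = bytearray()
    counter = 0
    while len(out) < length:
        out += hashlib.sha256(key + nonce + counter.to_bytes(8, "big")).digest()
        counter += 1
    return bytes(out[:length])


def xor_bytes(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def encrypt(key: bytes, nonce: bytes, plaintext: bytes) -> bytes:
    return xor_bytes(plaintext, keystream(key, nonce, len(plaintext)))


def recover_with_known_plaintext(ct1: bytes, known_pt1: bytes, ct2: bytes) -> bytes:
    """Under a shared keystream ct1 XOR ct2 == pt1 XOR pt2, so a known pt1 reveals pt2
    over the overlapping length without the key ever being involved."""
    n = min(len(ct1), len(ct2), len(known_pt1))
    return xor_bytes(xor_bytes(ct1[:n], ct2[:n]), known_pt1[:n])


def crib_drag(ct1: bytes, ct2: bytes, crib: bytes) -> dict:
    """Slide a guessed fragment along ct1 XOR ct2; offsets where the result is entirely
    printable ASCII are candidates for where the crib sits in one of the messages."""
    diff = xor_bytes(ct1, ct2)
    hits = {}
    for off in range(len(diff) - len(crib) + 1):
        guess = xor_bytes(diff[off:off + len(crib)], crib)
        if all(0x20 <= b < 0x7F for b in guess):
            hits[off] = guess
    return hits


def encrypt_checked(key: bytes, nonce: bytes, plaintext: bytes, seen_nonces: set) -> bytes:
    """The fix on the sending side: refuse to encrypt twice under the same (key, nonce).
    In practice derive nonces from a counter or use a random 96-bit nonce with a key
    lifetime short enough that collisions are negligible."""
    if nonce in seen_nonces:
        raise ValueError("nonce reuse under this key")
    seen_nonces.add(nonce)
    return encrypt(key, nonce, plaintext)


# Constructed demo material; the key is fixed only so the example is reproducible.
KEY = bytes(range(32))
NONCE = b"fixed-nonce!"
PT1 = b"Transfer $100 to account 4471"
PT2 = b"Transfer $900 to account 9900"


def demo():
    """Return what an attacker recovers when both messages were sent under NONCE."""
    ct1 = encrypt(KEY, NONCE, PT1)
    ct2 = encrypt(KEY, NONCE, PT2)
    return recover_with_known_plaintext(ct1, PT1, ct2), crib_drag(ct1, ct2, b"Transfer")


if __name__ == "__main__":
    recovered, hits = demo()
    print(recovered)
    print({off: g.decode() for off, g in hits.items()})
```

The crib drag returns offset 0 because both messages begin with the same eight bytes, which is exactly the kind of structured prefix (headers, greetings, fixed fields) that makes two-time-pad recovery practical on real traffic.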
Mobile Application Hacking is a hands-on class designed to teach participants techniques and tools for mobile application (both iOS and Android) penetration testing. The class covers a wealth of techniques to identify, analyze and exploit vulnerabilities in mobile apps. The class also covers inbuilt security schemes in both iOS and Android platforms and teaches how to bypass those security models on both platforms. The class is equipped with labs that contain intentionally crafted real-world vulnerable Android and iOS apps by the author and enables participants to learn the art of finding and exploiting flaws in mobile applications. The class also has a CTF at the end which gives the participants the opportunity to test the skills they learn in the class. The platform used for the training will be iOS 10 and Android 8. Note: This is a major upgrade of the previous class by the author, “Mobile App Attack”, which was delivered around the world at conferences such as OWASP AppSec USA, DeepSec, DEFCON, NullCon and BSides LV.
This will be an in-depth dive into network scanning with NMAP and the proper way to approach a target network. In this hands-on-the-keyboard training, you will learn recon, scanning, scripting and enumeration using NMAP. Scanning is one of the most important components of Pen Testing. This course will teach you some of the tricks of the trade to take your NMAP usage to the next level! You will also spend some time late in the afternoon with NMAP’s scripting engine to perform basic vulnerability scans, and by the end of the day come away with an amazing skill set. If you’ve ever wanted to really, truly learn NMAP, then you must attend! This is hands-on training. After a brief overview of the methodology, you will fire up Kali Linux and spend the rest of the day scanning our lab network. Students should have a basic understanding of Bash commands and be able to navigate around in Kali.
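What you do with a scan once it is finished, as an added example that is not part of the course: turning `nmap -sV -sC -oX` output into the host, port, service and NSE-script summary that drives the next enumeration step. The XML below is constructed in nmap's output layout (element and attribute names are nmap's; hosts, ports and versions are invented), and the parser reads the `#fields`-equivalent structure rather than relying on fixed positions, so it runs unchanged on a real file.

```python
import xml.etree.ElementTree as ET

# Constructed nmap -oX output (layout is nmap's; hosts, services and versions are invented).
SAMPLE_NMAP_XML = """
<nmaprun scanner="nmap" args="nmap -sV -sC -oX scan.xml 10.0.0.0/29" start="1525000000" version="7.70">
<host starttime="1525000001" endtime="1525000040">
<status state="up" reason="echo-reply"/>
<address addr="10.0.0.5" addrtype="ipv4"/>
<hostnames><hostname name="web.lab.local" type="PTR"/></hostnames>
<ports>
<port protocol="tcp" portid="22"><state state="open" reason="syn-ack"/><service name="ssh" product="OpenSSH" version="7.6p1" method="probed" conf="10"/></port>
<port protocol="tcp" portid="80"><state state="open" reason="syn-ack"/><service name="http" product="Apache httpd" version="2.4.29" method="probed" conf="10"/>
<script id="http-title" output="Lab intranet"/></port>
<port protocol="tcp" portid="443"><state state="closed" reason="reset"/><service name="https" method="table" conf="3"/></port>
</ports>
</host>
<host starttime="1525000001" endtime="1525000040">
<status state="up" reason="echo-reply"/>
<address addr="10.0.0.6" addrtype="ipv4"/>
<ports>
<port protocol="tcp" portid="445"><state state="open" reason="syn-ack"/><service name="microsoft-ds" method="table" conf="3"/></port>
</ports>
</host>
<host><status state="down" reason="no-response"/><address addr="10.0.0.7" addrtype="ipv4"/></host>
<runstats><finished time="1525000040" elapsed="40.00"/><hosts up="2" down="6" total="8"/></runstats>
</nmaprun>
"""


def parse_nmap_xml(text):
    """Return a list of {addr, hostname, ports:[...]} for hosts that are up, keeping
    only open ports together with their service fingerprint and NSE script output."""
    root = ET.fromstring(text)
    hosts = []
    for host in root.findall("host"):
        status = host.find("status")
        if status is None or status.get("state") != "up":
            continue
        addr_el = host.find("address[@addrtype='ipv4']")
        name_el = host.find("hostnames/hostname")
        ports = []
        for port in host.findall("ports/port"):
            state = port.find("state")
            if state is None or state.get("state") != "open":
                continue
            svc = port.find("service")
            ports.append({
                "port": int(port.get("portid")),
                "proto": port.get("protocol"),
                "service": svc.get("name") if svc is not None else None,
                "product": svc.get("product") if svc is not None else None,
                "version": svc.get("version") if svc is not None else None,
                # conf < 10 means nmap guessed from the port table rather than probing
                "probed": svc is not None and svc.get("method") == "probed",
                "scripts": {s.get("id"): s.get("output") for s in port.findall("script")},
            })
        hosts.append({
            "addr": addr_el.get("addr") if addr_el is not None else None,
            "hostname": name_el.get("name") if name_el is not None else None,
            "ports": ports,
        })
    return hosts


def hosts_with_open_port(hosts, portid, proto="tcp"):
    """Targets for a protocol-specific follow-up, e.g. every host with 445/tcp open
    before running the smb-* NSE scripts against them."""
    return sorted(h["addr"] for h in hosts
                  if any(p["port"] == portid and p["proto"] == proto for p in h["ports"]))


def versioned_services(hosts):
    """(addr, port, product, version) wherever -sV actually probed a version: the rows
    to feed into vulnerability lookup, as opposed to port-table guesses."""
    return [(h["addr"], p["port"], p["product"], p["version"])
            for h in hosts for p in h["ports"] if p["probed"] and p["version"]]


if __name__ == "__main__":
    parsed = parse_nmap_xml(SAMPLE_NMAP_XML)
    print(versioned_services(parsed))
    print(hosts_with_open_port(parsed, 445))
```

Separating probed fingerprints from port-table guesses matters when the scan feeds a vulnerability lookup: a service named "https" with conf="3" is nmap saying the port is open, not that it saw TLS.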
Security B-Sides is a DIY, open security conference that is free to all attendees. These events are corporate sponsored, centrally managed (though locally organized) and do coincide with other major conferences, but the goal is not to draw people away from such events. The fact of the matter is that many people attend Black Hat, RSA Conference, and SOURCE Boston to meet with their friends even if they never attend the conference. Security B-Sides offers them another venue to spend their time during the day by either attending or presenting on "next best thing" material. Help Net Security attended this year's Security B-Sides Las Vegas and in this video you can see co-founder Chris Nickerson talk about the history of the event, what's happening this year, as well as some future plans.