ATT&CKing the Status Quo: Improving Threat Intel and Cyber Defense with MITRE ATT&CK
Whenever we discover another breach, adversaries give us a friendly reminder that the status quo in network defense isn’t good enough. Everyone’s telling us that we need to evolve our focus beyond indicators toward tactics, techniques, and procedures (TTPs), yet we struggle with how to do this. MITRE ATT&CK is the first public framework derived from real threats for describing detailed post exploitation activities, and the community is increasingly adopting it to help move toward detecting TTPs. Members of the ATT&CK team will engage in a discussion with the community about how ATT&CK can help us all improve. We will suggest ideas for how analysts, defenders, engineers, and red teamers can use ATT&CK as a common language to help change your approach to defense by orienting towards the adversary. Based on our experiences, we will provide practical advice on how to apply ATT&CK to improve cyber threat intelligence and defenses by tracking adversaries and developing analytics to detect their behavior. Most importantly, we want to hear from the audience about how they are using ATT&CK and what could make it better.
Katie Nickels, John Wunder
SiliVaccine: North Korea's Weapon of Mass Detection
Meet SiliVaccine – North Korea’s national Anti-Virus solution. SiliVaccine is deployed widely and exclusively in the DPRK, and has been continuously in development by the government. When we heard of this strange software, we were immediately driven to investigate it: it’s not every day that you catch a glimpse of the malware landscape inside the closed garden of the DPRK’s intranet. In this talk, we will describe how we were able to obtain a rare copy of SiliVaccine; how we reverse-engineered it; and what surprising discoveries we made about its program architecture — all the way down to the file scanning engine, drivers, and other puzzling implementation details. As it turns out, there is plenty going on behind the scenes of this product. How was SiliVaccine created? Who created it? What was the game plan? We will try to shed light on these questions, and on the sheer effort that must have gone into developing it. If there is anything we learned, it’s that DPRK state-sponsored software is a secretive industry underpinned by incredibly shady practices, and that if Kim Jong-Un sends you a free trial of his latest security solution, the correct answer is “thank you but no thank you”.
Mark Lechtik, Michael Kajiloti
JARVIS never saw it coming: Hacking machine learning (ML) in speech, text and face recognition - and frankly, everywhere else
Exploits, Backdoors, and Hacks: words we do not commonly hear when speaking of Machine Learning (ML). In this talk, I will present the relatively new field of hacking and manipulating machine learning systems and the potential these techniques pose for active offensive research.
The study of Adversarial ML allows us to leverage the techniques used by these algorithms to find weak points and exploit them in order to achieve:
* Unexpected consequences (why did it decide this rifle is a banana?),
* Data leakage (how did they know Joe has diabetes?),
* Memory corruption and other exploitation techniques (boom! RCE),
* Influence the output (input: virus, output: safe!, as seen in [DEF CON 25 – Hyrum Anderson – Evading next-gen AV using AI](https://www.youtube.com/watch?v=FGCle6T0Jpc)).
In other words, while ML is great at identifying and classifying patterns, an attacker can take advantage of this and take control of the system.
This talk is an extension of research made by many people, including presenters at DefCon, CCC, and others – a live demo will be shown on stage!
Garbage In, RCE Out 🙂
Guy Barnhart-Magen, Ezra Caltum
Attacking Ethereum dApps
Ethereum dApps (decentralized apps) are what separates Ethereum from other cryptocurrencies: they allow issuing transactions to the Ethereum blockchain over standard web protocols. Smart contracts, the Ethereum dApp’s backend, store data and often Ether as a result of interacting with a dApp’s front-end. Since smart contracts are publicly visible on the blockchain, attacking Ethereum dApps requires a two-pronged approach: through the front-end, where we can spoof our Ethereum address and transactional fields, and through the back-end, where we attack the smart contract behind it directly. In this talk, I demonstrate how a dApp works and its entire attack surface. I show what web requests containing Ethereum transactions look like, how they can be spoofed, and how we can attack the smart contract behind the dApp directly to try and steal its Ether.
Brandon Arvanagh
Serverless Infections: Malware Just Found a New Home
We are seeing more and more organizations leverage the advantages introduced by serverless computing. But what does serverless computing entail when it comes to security? With no dedicated server, is the security risk higher or lower? Can malware live inside the code? These are critical questions every organization shifting to a serverless environment should be asking. The Checkmarx Research Team took on the challenge of implementing the first-ever RCE (Remote Code Execution) attack in a serverless environment that is both stored and viral. Using Amazon’s Lambda as the first test subject, we were able to build a PoC which showed how information extraction and exfiltration is done. We also demonstrated how the payload persists and can be injected into other non-vulnerable functions. We then went ahead and tested to see if the same would work on Azure and Google Cloud. Curious to know the outcome? The findings will be presented in our session along with best practices and tips for ensuring security prevails in a serverless environment.
Maty Siman
Who Wants to Be A Regulator: The IoT Security Game Show
Everyone talks about IoT security failures, but who should actually do all the things? We bring back 80s style, while tackling the question of government involvement in the IoTs in a fast-paced game show format that will highlight the problems of expecting easy solutions. We’ll walk through scenarios from the news and some popular proposals, and highlight how they won’t work quite as well as some may hope. Contestants will reveal that, while snarking about security is fun and games, thinking about the complexity of policies isn’t child’s play.
Allan Friedman, Jen Ellis, Wendy Knox Everette, Whitney Merrill
How to Start a Cyber War: Lessons from Brussels -EU Cyber Warfare Exercises
Nation-state offensive digital attacks are on the rise. Especially considering the news headlines. But, what is cyber warfare and what’s realistic? Come on a journey into a twisted but realistic game scenario with real-world implications. What decisions would you make considering the tools at your disposal? Embassy insider threats, leaked Intel agency data & tools, hacked back the wrong system, all the way up to causing mass casualties on internet connected mass transit. Who are your diplomatic “friends” and who can you trust? This presentation gives participants a (sanitised) peek behind the diplomatic curtain, revealing some of the challenges, decisions and tools at their disposal. What US allies are preparing for and expectations. How your organisation can use similar techniques such as cooperating with peers against market-wide attacks, scrutinising data before attribution and how computer emergency response teams can help. Studying the outcome, what can be done to improve the situation.
Chris Kubecka
Red Teaming a Manufacturing Network (Without Crashing It)
Cybersecurity in manufacturing environments is becoming more and more critical. However, many organizations do not know or understand the cyber risk in their manufacturing networks and plants. “Red Teaming” can help give the organization an edge in assessing, demonstrating, and communicating this risk. This talk will demonstrate some practical methods of performing penetration testing and Red Team assessments in a manufacturing environment. We will begin with the basics of manufacturing networks – how they work, how they are laid out, and the key components that comprise the network. Next, we will get to the fun part – the basics of Red Teaming in manufacturing, and what to assess, how to evaluate it, and some typical findings and vulnerabilities that we have discovered in these assessments. Finally, some methods of mitigating these common vulnerabilities will be presented. Our goals for this talk are two-fold: Motivate organizations and prepare Red Teamers to perform assessments in their own manufacturing environments, as well as shed light on common issues and vulnerabilities in manufacturing networks to help defenders and management.
Johnny Medina
An Encyclopedia of Wiretaps
Warrants. Wiretaps. PRTTs. Subpoenas. Section 702. 2703(d) order. National Security Letters. All Writs Act. Many in the infosec community are aware that the government has an array of legal authorities to use in investigating crimes which allow them access to user content and metadata, but few people could articulate the differences among these types of orders. This talk will review each type of legal process used by state and federal agencies to request access to various types of user data and content.
Wendy Knox Everette
You're just complaining because you're guilty: A Guide for Citizens and Hackers to Adversarial Testing of Software Used In the Criminal Justice System
Proprietary software is used throughout the criminal justice system, and the trade secrets of software vendors are regularly deemed more important than the rights of the accused to challenge the results of these complex systems. We will lay out the map of software in this space from DNA testing to facial recognition to estimating someone’s likelihood of committing a future crime. We will detail hurdles that prevent oversight and examples of problems found with third-party review. Adams will demo his findings from reviewing NYC’s FST source code, which was made public by a federal judge after years of the city’s lab fighting disclosure. Greco will provide insight into the wider world of software used in the criminal justice system – from technology that law enforcement admits to using but expects the public to not question to technology that law enforcement denies despite evidence otherwise. Matthews will talk about the wider space of algorithmic accountability and transparency and why even open source software is not enough.
Jeanna N Matthews, Nathan Adams, Jerome Greco
The Chrome Crusader
Active Directory Password Blacklisting
Active Directory remains the most popular corporate solution for organizing devices and users on a network. Central to its responsibilities is providing user authentication and authorization. In particular, password authentication through Active Directory necessitates the use of the strongest defense mechanisms possible. However, the common corporate pattern of enforcing higher complexity passwords by increasing entropy remains an anachronism. This trend of constantly increasing password complexity is not only counterproductive due to its restrictiveness, but is also insecure due to its lack of defense against dictionary-based attacks. With the plethora of attacks centered on brute-forcing and commonly-used passwords, many corporations are falling victim to these attacks despite supposedly strong password enforcement. The solution to these problems is integration of password blacklisting directly into Active Directory, a countermeasure that has yet to reach widespread corporate adoption. This talk will provide a run-down on how corporations can install their own Password Filtering service directly into Active Directory using either in-house solutions or existing ones, and outline why this helps improve overall security and productivity. As an example, I will talk about how Yelp recently deployed this type of solution to improve our authentication flow.
Leeren Chang
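The decision logic such a filter applies, as an added Python example that is not Yelp's deployment or any product's code. On a domain controller the integration point is a password filter DLL listed in the LSA "Notification Packages" registry value, which is handed every candidate password at change time; the code below shows only the check that DLL would perform. The blacklist, the leet-speak table, the normalisation rules and the sample inputs are all constructed assumptions.

```python
"""Decision logic for an Active Directory password blacklist filter.

Added example, not Yelp's filter or any product's code.  A real deployment
puts this logic behind a password filter DLL registered in the LSA
"Notification Packages" value on every domain controller; this module only
shows the check.  Blacklist, leet table and rules are constructed assumptions.
"""
import re

# A real list would be a breached/common-password corpus; these entries are constructed.
BLACKLIST = {"password", "welcome", "letmein", "qwerty", "summer", "winter", "yelp"}

# Leet-speak substitutions that dictionary attacks try anyway, so they add no strength.
LEET = str.maketrans({"0": "o", "1": "i", "3": "e", "4": "a", "5": "s", "7": "t",
                      "@": "a", "$": "s", "!": "i", "|": "l"})


def normalize(password):
    """Reduce a password to the dictionary word an attacker would mangle.

    "P@ssw0rd2018!" -> "password": drop the appended digits/symbols first
    (so "2018!" is not mis-read as letters), undo leet-speak, then drop any
    leading non-letters that are left.
    """
    core = re.sub(r"[^a-z]+$", "", password.lower())
    core = core.translate(LEET)
    return re.sub(r"^[^a-z]+", "", core)


def blacklist_reason(password, username="", blacklist=BLACKLIST, min_len=8):
    """Return None when the password is acceptable, otherwise why it was rejected."""
    if len(password) < min_len:
        return "shorter than minimum length"
    core = normalize(password)
    if core in blacklist:
        return f"normalises to blacklisted word '{core}'"
    for word in blacklist:
        # short words ("yelp") are only rejected on exact match above
        if len(word) >= 4 and word in core:
            return f"contains blacklisted word '{word}'"
    user = re.sub(r"[^a-z]", "", username.lower())
    if len(user) >= 3 and user in core:
        return "contains the account name"
    return None


if __name__ == "__main__":
    # Constructed sample change requests.
    for pw, user in [("P@ssw0rd2018!", "jdoe"), ("Summer!!", "jdoe"),
                     ("JDoe4ever", "jdoe"), ("correct horse battery", "jdoe")]:
        print(repr(pw), "->", blacklist_reason(pw, user) or "accepted")
```

The point of normalising before the lookup is that a plain set membership test passes "P@ssw0rd2018!" while every cracking rule set recovers it in seconds; complexity rules alone reward exactly that kind of mangling.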
Anatomy of NTLMv1/NTLMv1-SSP
There has been some confusion about NTLMv1 and NTLMv1-SSP reversing to NTLM hashes using hashcat's mode 14000. This was largely due to a talk at Derbycon that had some incomplete information combined with a few forum posts on hashcat.net.
In order to simplify the process as much as possible a tool called the NTLMv1 multi tool was created to automate most of the steps in converting an NTLMv1 and NTLMv1-SSP hash into a hashcat challenge file.
Evil Mog
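The conversion the abstract describes, as an added Python example that is not the NTLMv1 multi tool's code (which is not on this page). It assumes a Responder-style capture line of the form user::domain:lmresp:ntresp:challenge, treats an LM response made of 8 bytes followed by 16 zero bytes as the NTLMv1-SSP (ESS) case, and writes hashcat -m 14000 lines as <DES ciphertext hex>:<DES plaintext hex>; the two sample capture lines are constructed, not real traffic. Cracking the three DES blocks still needs hashcat; the example only produces its input and then rebuilds the NT hash from the keys it reports.

```python
"""Convert NTLMv1 / NTLMv1-SSP captures to hashcat -m 14000 input and
rebuild the NT hash from the three cracked DES keys.

Added example, not the NTLMv1 multi tool's own code.  Assumptions:
  * one capture per line, Responder style:  user::domain:lmresp:ntresp:challenge
  * NTLMv1-SSP (ESS) is recognised by an LM response of 8 bytes + 16 zero bytes
  * hashcat 14000 lines look like  <8-byte ciphertext hex>:<8-byte plaintext hex>
"""
import hashlib


def parse_capture(line):
    """Split a capture line into its fields (hex fields become bytes)."""
    user, _empty, domain, lm_hex, nt_hex, chal_hex = line.strip().split(":")
    lm, nt, server_chal = (bytes.fromhex(h) for h in (lm_hex, nt_hex, chal_hex))
    if len(nt) != 24 or len(server_chal) != 8:
        raise ValueError("NT response must be 24 bytes and challenge 8 bytes")
    # ESS / NTLMv1-SSP: the LM field carries an 8-byte client nonce and 16 zero bytes
    client_chal = lm[:8] if len(lm) == 24 and lm[8:] == bytes(16) else None
    return {"user": user, "domain": domain, "nt_response": nt,
            "server_challenge": server_chal, "client_challenge": client_chal}


def effective_challenge(server_chal, client_chal=None):
    """The 8 bytes each DES block actually encrypted.

    Plain NTLMv1 encrypts the server challenge; NTLMv1-SSP encrypts the first
    8 bytes of MD5(server_challenge || client_challenge).
    """
    if client_chal is None:
        return server_chal
    return hashlib.md5(server_chal + client_chal).digest()[:8]


def to_hashcat_14000(line):
    """One -m 14000 line per DES block: ciphertext:plaintext, both hex.

    The NT response is DES_k1(C) || DES_k2(C) || DES_k3(C), where k1..k3 are
    consecutive 7-byte slices of NT_hash || 00 00 00 00 00.
    """
    cap = parse_capture(line)
    pt = effective_challenge(cap["server_challenge"], cap["client_challenge"]).hex()
    nt = cap["nt_response"]
    return [f"{nt[i:i + 8].hex()}:{pt}" for i in (0, 8, 16)]


def expand_des_key(key7):
    """7-byte key -> 8-byte DES key: 7 key bits per byte, low bit is odd parity."""
    bits = int.from_bytes(key7, "big")
    out = bytearray()
    for i in range(8):
        seven = (bits >> (49 - 7 * i)) & 0x7F
        parity = 0 if bin(seven).count("1") % 2 else 1
        out.append((seven << 1) | parity)
    return bytes(out)


def compress_des_key(key8):
    """Inverse of expand_des_key: drop the parity bits, giving 7 bytes."""
    bits = 0
    for b in key8:
        bits = (bits << 7) | (b >> 1)
    return bits.to_bytes(7, "big")


def recover_nt_hash(key1, key2, key3):
    """Rebuild the 16-byte NT hash from cracked DES keys.

    key1/key2 are the 8-byte keys hashcat reports; key3 may be the 8-byte key
    or the 7-byte form.  Only its first two bytes are hash material, the other
    five are the zero padding, which is why k3 has just 2**16 candidates.
    """
    k3 = compress_des_key(key3) if len(key3) == 8 else key3
    return compress_des_key(key1) + compress_des_key(key2) + k3[:2]


# Constructed sample captures (not real traffic), using Responder's static challenge.
SAMPLE_NTLMV1 = ("alice::CORP:727b4e35f947129ea52b9cdedae86934aa85e1e4e0d1d1ef:"
                 "b3c2bbc1c63fda9a5f5bf3a89a3b7c0d1e2f3a4b5c6d7e8f:1122334455667788")
SAMPLE_NTLMV1_SSP = ("bob::CORP:0123456789abcdef00000000000000000000000000000000:"
                     "b3c2bbc1c63fda9a5f5bf3a89a3b7c0d1e2f3a4b5c6d7e8f:1122334455667788")

if __name__ == "__main__":
    for sample in (SAMPLE_NTLMV1, SAMPLE_NTLMV1_SSP):
        print("\n".join(to_hashcat_14000(sample)))
```

Run the three lines through hashcat -m 14000 (a full 56-bit DES search for the first two; the third has only two unknown bytes), then feed the recovered keys to recover_nt_hash to get the NT hash for pass-the-hash, which is the whole point of downgrading to NTLMv1 in the first place.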
Fighting Fraud in the Trenches
There are many eCommerce and SaaS businesses that offer loyalty programs. Some involve gift cards and credit points. Some include cash back and currency that can be used somewhere else. Naturally, all these loyalty programs require user authentication before granting access. The authentication method varies from a four-digit code, to a password of your choice. Yet, once you are authenticated, there are no more hurdles before you can use the credited balance. Since this is a single point of failure, you would assume that more attention would be given to defending against automated attacks. But as we’ll see, that assumption is dangerously wrong. In this talk, we will disprove this assumption by exploring examples based on data from our customers (anonymized, of course). With real world data we will show how automated attacks are used to access the accounts and from there the funds, and subsequently siphon them away. We will also go through the entire process, targeting the demo mobile application. Starting from reversing the APK up to running the automated fraud. We will also cover some approaches to protect both the business and the consumer from such attacks.
Amir Shaked
The Effect of Constraints on the Number of Viable Permutations of Passwords
Typically the impact of constraints on the maximum number of permutations for a password is not considered, much less quantified. Password policies that require a minimum character length and mandate the use of lowercase letters, uppercase letters, numbers and symbols may reduce the number of viable passwords by more than 60% of the unconstrained character set. Mandating 12 character password length immediately eliminates 95^11 potential passwords. Every combination of character constraints reduces the number of viable passwords even further. Websites with maximum character lengths and character set constraints can easily eliminate over 50% of the viable eight character passwords for the allowed and required character sets. In this paper we will quantify the effects of multiple combinations of constraints on 8, 12, and 16 character passwords, and provide the Python script used in our calculations and as a starting point for further analysis by others.
Randy Abrams, Briana Butler
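The counting behind those percentages, as an added Python example that is not the authors' script (which is not on this page). It assumes the 95 printable ASCII characters split into the four classes the abstract names (26 lowercase, 26 uppercase, 10 digits, 33 symbols) and counts, by inclusion-exclusion, how many strings of a given length still contain at least one character from every required class; it also sums over a minimum-to-maximum length window, since a site's maximum length is a constraint too.

```python
"""Count how many passwords survive a composition policy.

Added example, not the authors' script.  Assumes the 95 printable ASCII
characters split into the four classes the abstract names.
"""
from itertools import combinations

CLASSES = {"lower": 26, "upper": 26, "digit": 10, "symbol": 33}
ALPHABET = sum(CLASSES.values())  # 95 printable ASCII characters


def count_viable(length, required=(), alphabet=ALPHABET, classes=CLASSES):
    """Strings of exactly `length` characters that contain at least one
    character from every class in `required`.

    Inclusion-exclusion over the set of required classes that are *missing*:
    strings avoiding a set S of classes number (alphabet - |S chars|)**length,
    and alternating signs over all S give the strings avoiding none of them.
    """
    total = 0
    for k in range(len(required) + 1):
        for left_out in combinations(required, k):
            missing = sum(classes[c] for c in left_out)
            total += (-1) ** k * (alphabet - missing) ** length
    return total


def count_viable_range(min_len, max_len, required=()):
    """Same count summed over every length the site allows."""
    return sum(count_viable(n, required) for n in range(min_len, max_len + 1))


def fraction_eliminated(length, required):
    """Share of the unconstrained keyspace of that length the policy forbids."""
    return 1 - count_viable(length, required) / count_viable(length)


if __name__ == "__main__":
    for n in (8, 12, 16):
        for req in (("digit",), ("lower", "upper", "digit"), tuple(CLASSES)):
            print(f"{n} chars, require {req}: {fraction_eliminated(n, req):.1%} eliminated")
```

For eight-character passwords, requiring all four classes leaves 3,025,989,069,143,040 of the 95^8 = 6,634,204,312,890,625 unconstrained strings, so the policy forbids about 54% of the keyspace, which is the "over 50%" figure in the abstract; the fraction shrinks as length grows, because long random strings almost always contain every class anyway.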
From CTF to CVE: How Application of Concepts and Persistence led to a Vulnerability Disclosure
As an industry, we are always looking for ways to sharpen our skills. We have education, certifications, and mentorship programs. A staple at Defcon as well as most other conferences is the Capture the Flag (CTF) competitions. As a blue teamer, in an effort to sharpen my skills, I started downloading CTF VMs and working through them. For more applicability, I started applying these concepts to things outside the CTF for bug bounties, but to no avail. As luck would have it, I left Burp on and logged in to configure my lab wireless router to use for testing and learning wireless hacking. While the antennae that I bought to attack wireless were being used, they weren’t being used in the same sense of attack. I logged into the router and noticed several vulnerabilities in the router’s authentication scheme. This presentation breaks down the concepts of the CTF and how I applied them through the research and responsible disclosure process.
Joe Gray
Who Watches the Watchers?: Understanding the Internet's Background Noise
The instant a device is connected to the internet, it gets scanned and interrogated for open ports, software versions, and default passwords. Who conducts these scans? Why? What kind of attacks will you see? The days of mass exploitation are upon us. When every device is connected, a new paradigm for mass exploitation emerges. Vulnerabilities, specifically in core computing components, linger for decades. Many White Hat organizations scan IPv4 constantly to assess the potential impact of a vulnerability, or to understand the shifting technology landscape while less reputable actors scan for more nefarious purposes. We will explore the economics of simple port scans at scale and the associated costs for enthusiasts and enterprises. There are a number of insights you can gain into the systems and tools being used to conduct these scans. From Masscan to Zgrab to AutoSploit, internet scanning tools are prevalent and can reveal patterns of threat behaviors. Anyone in cybersecurity should be aware of how these tools work, what they reveal, and what threats they can uncover. To visualize internet scans, a demonstration of “Internet Radio” will show scans converted into music. This allows visitors to “hear” the background noise of the internet in real time.
Curt Barnard
Lessons Learned by the WordPress Security Team
Managing security for the WordPress project is a challenge to say the least. The sheer volume of reports, the resulting noise, securing an aging codebase, handling disclosure – all difficult to handle, but just the tip of the iceberg. How do you motivate and organize a volunteer team? How do you keep sites and users secure with so much third-party code? How do you educate users? When is it okay to break things to fix security issues and how do you manage reputation when you do? Should you backport? How far? They may not have it all figured out, but over the years they’ve learned a lot – often the hard way. Aaron has led the WordPress Security Team since the end of 2016 and been a part of it for over five years. He’ll share what he’s learned along the way, how things have improved, what changes didn’t help (even when they were sure they would), and what things they still struggle with. He’ll also share an overview of the tools they use and processes they follow, in hopes that no one else has to learn the hard way.
Aaron D Campbell
Hillbilly Storytime - Pentest Fails
Whether or not you are just starting in InfoSec, it is always important to remember that mistakes happen, even to the best and most seasoned of analysts. The key is to learn from your mistakes and keep going. So, if you have a few minutes and want to take a load off for a bit, come and join in as a hillbilly spins a yarn about a group of unfortunate pentesters and their misadventures. All stories and events are true (but the names have been changed to prevent embarrassment).
Adam Compton
Get on the Eye Level: Tailoring the Security Talk
Talking outside the community about security basics and teaching security awareness without resorting to FUD-tactics can be both challenging and satisfying. Challenging because you don’t want to be accused of being too shrill or dogmatic. Satisfying because when someone hears you about why security is important, you know you are making a difference. Over the past year, I spoke about security awareness to local community groups, professional organizations, and schools. Along the way, I learned that one way to avoid sounding shrill is to tailor the conversation to the audience’s age and perspective. This is partly finding the right examples, but also picking topics that are relevant to how the audience interacts with technology. Less “parental tech support,” and more like a “community awareness training” event. This talk will help adjust conversations so that the group “Gets” why the security topic is important. The audience will walk away with concrete ideas on how they can reach out to their own communities. There will also be a checklist of things that worked, and things to avoid doing again. The goal is to improve security and encourage people to go into their communities and help more people become security-conscious.
Fahmida Y Rashid
101 ways to fail at getting value out of your investments in security analytics, and how not to do that
The value promised and expected by investing in data analytics simply can’t be delivered unless you can GET the data and get THE data. This case study will detail how a global energy company is building out its Security Data Operations program to lay down the fundamental building blocks of an effective data pipeline, that ships the right data to the right platform for the right users. It will also detail ‘the snag list’ of things that can go wrong when trying to get valuable insight out of data, so you can avoid that happening in your organization.
Jon Hawes
An Introduction to Machine Learning and Deep Learning
Machine learning is the science of developing programs that can automatically learn from data. First, this talk will give some simple examples of machine learning. Next, we’ll delve into deep learning: a popular, modern subset of machine learning used for things like image recognition, self-driving cars, and malware detection. We’ll walk through exactly how deep learning programs (neural networks) work. This will allow us to touch on why deep learning is such a good tool for detecting never-before-seen cyber threats. Finally, we’ll walk through a demo of a deep learning program developed at Sophos.
Hillary Sanders
Stop and Step Away from the Data: Rapid Anomaly Detection via Ransom Note File Classification
The proliferation of ransomware has become a widespread problem culminating in numerous incidents that have affected users worldwide. Current ransomware detection approaches are limited in that they either take too long to determine if a process is truly malicious or tend to miss certain processes due to focusing solely on static analysis of executables. To address these shortcomings, we developed a machine learning model to classify forensic artifacts common to ransomware infections: ransom notes. Leveraging this model, we built a ransomware detection capability that is more efficient and effective than the status quo. I will highlight the limitations to current ransomware detection technologies and how that instigated our new approach, including our research design, data collection, high value features, and how we performed testing to ensure acceptable detection rates while being resilient to false positives. I will also be conducting a live demonstration with ransomware samples to demonstrate our technology’s effectiveness. Additionally, we will be releasing all related source code and our model to the public, which will enable users to generate and test their own models, as we hope to further push innovative research on effective ransomware detection capabilities.
Mark Mager
Sight beyond sight: Detecting phishing with computer vision.
Deep learning architectures have been used with great success to mimic or exceed human visual perception in well-scoped tasks ranging from identifying cats in YouTube videos to cars in self driving systems. Rarely have these techniques been applied to information security. Attacks that attempt to exploit visual perception, such as phishing documents that persuade humans to enable malicious macros and URL (e.g., www.rnicrosoft.com) and file-based (e.g., chr0me.exe) homoglyph attacks, are ripe for similar automated analysis. Our research introduces two methods – SpeedGrapher and Blazar – for leveraging artificial vision systems and features generated by image creation to detect phishing. SpeedGrapher analyzes the appearance of Microsoft (MS) Word documents and leverages an object detection network to identify relevant visual cues to classify samples. Blazar analyzes strings for possible domain or filename spoofing and uses a siamese convolutional neural network and a nearest neighbor index to compare visual similarity of spoofs to known domain or file names with a much greater accuracy than edit distance techniques.
Daniel Grant
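Why edit distance is the wrong yardstick for the abstract's two homoglyph examples, worked in Python as an added example that is not the SpeedGrapher or Blazar code (neither is on this page). Plain Levenshtein distance scores www.rnicrosoft.com as two edits from www.microsoft.com and chr0me.exe as one edit from chrome.exe, the same scores an innocent typo gets, while folding a small table of visual confusables before comparing makes both spoofs match their target exactly. The confusable table is my assumption and is a hand-written stand-in for the learned visual similarity the abstract describes, not a reconstruction of it.

```python
"""Levenshtein distance versus a confusable-folded comparison for the spoofs
named in the abstract.  Added example; the fold table is an assumption and a
crude stand-in for Blazar's learned visual similarity.
"""

# Multi-character confusables first, so "rn" folds before "r" or "n" are touched.
CONFUSABLES = [("rn", "m"), ("vv", "w"), ("cl", "d"), ("0", "o"), ("1", "l"),
               ("|", "l"), ("3", "e"), ("5", "s"), ("$", "s"), ("@", "a")]


def levenshtein(a, b):
    """Classic edit distance (insert / delete / substitute, each cost 1)."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def fold_confusables(s):
    """Lowercase and replace each confusable sequence by what it looks like."""
    s = s.lower()
    for spoof, real in CONFUSABLES:
        s = s.replace(spoof, real)
    return s


def spoof_report(candidate, known):
    """Raw and folded distances between a candidate and a known name, with a verdict."""
    raw = levenshtein(candidate.lower(), known.lower())
    folded = levenshtein(fold_confusables(candidate), fold_confusables(known))
    if raw == 0:
        verdict = "identical"
    elif folded == 0:
        verdict = "homoglyph spoof"        # looks identical, is not
    elif raw <= 2:
        verdict = "near miss (typo or typosquat)"
    else:
        verdict = "unrelated"
    return {"candidate": candidate, "known": known, "raw": raw,
            "folded": folded, "verdict": verdict}


if __name__ == "__main__":
    # The abstract's two spoofs plus a constructed plain typo for contrast.
    for cand, real in [("www.rnicrosoft.com", "www.microsoft.com"),
                       ("chr0me.exe", "chrome.exe"),
                       ("www.microsft.com", "www.microsoft.com")]:
        print(spoof_report(cand, real))
```

The gap this exposes is the one the abstract is about: raw distance ranks the typo and the spoof the same, and a fixed table only covers the confusables someone thought to list, which is the argument for learning visual similarity from rendered glyphs instead.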
Catch me, Yes we can! -Pwning Social Engineers using Natural Language Processing Techniques in real-time
Social engineering is a big problem but very little progress has been made in stopping it, aside from the detection of email phishing. We observe that any social engineering attack must either ask a question whose answer is private, or command the victim to perform a forbidden action. Our approach uses natural language processing (NLP) techniques to detect questions and commands in the messages and determine whether or not they are malicious. Question answering approaches, a hot topic in information extraction, attempt to provide answers to factoid questions. Although the current state-of-the-art in question answering is imperfect, we have found that even approximate answers are sufficient to determine the privacy of an answer. We have tested this approach with over 187,000 phishing and non-phishing emails. We discuss the false positives and false negatives and why this is not an issue in a system deployed for detecting non-email attacks. In the talk, demos will be shown and tools will be released so that attendees can explore our approach for themselves.
Ian G. Harris
Lesley Carhart Kicks Off Hire Ground
To kick off Hire Ground, Lesley Carhart will share how best to leverage your time at BSidesLV and in Hire Ground to help your career. You may be either just starting out or a seasoned professional, but we all need to know tips and strategies to help move along our career paths. Lesley will share her advice just as she does on Twitter, her vlog and at other cons.
Resume Review & Career Coaching
From Hacker to Serial Entrepreneur
Matt DeVost has been hacking for over 25 years and has become one of the leading experts on cyber and security domains. One of Matt’s key phrases is HACKthink – applying the hacker mindset to analyze and dissect complex problems and develop innovative solutions. Matt will share how he has used this mindset to create his career path, and launch several companies.
You're Good and You Should Feel Good
Everyone knows that security talent is scarce. When interviewing for a position, it is important to fully appreciate what that means. As an interviewee, you have the opportunity to be choosy about where you spend your time and energy. Make sure that the company is just as worthy of that time and energy as you are worthy of theirs. This doesn’t give a potential candidate a license to be rude or snobby but rather levels the playing field in a way that not many other careers have. Ensuring that the company and the candidate are the best fit for each other is a dual responsibility. However, before any of this can matter, a candidate must first know themselves. What motivates you? What tempo are you looking for in a work environment now – what about in three years? This talk will cover the many different aspects of an organization that can impact your enjoyment of the work you’ll be doing in the short-term, and help set you up for success, happiness, and fulfillment in the long-term.
Victor Wieczorek
The Long Way Around – from Software Engineering to Cyber Security (How Choosing Wrong Turned out to be Right)
A career in Cyber Security does not always follow a linear path. In some cases, a successful career in cyber security can result from breadth of experience in seemingly unrelated disciplines and roles, with security implications woven throughout. I will share how my varied roles and experiences over 15 years have ultimately led to a career in cyber security.
Margaret White
Redefining the Hacker
Many women and underrepresented groups have faced adversity and lack of inclusion in their careers in Security. We have been able to rise above and “hack” through the obstacles. This talk is about how overcoming the adversity we face (as Black, Asian, Latina, Indian, Women, self-made students, economically disadvantaged and culturally repressed groups) is a form of hacking in itself. We have been able to rise above the obstacles and elevate our privileges to be active members of the cyber security community.
Manju Mude
What Did We Learn from Today? (Recruiter Panel)
Panelists of recruiters debate and expand upon the major points brought up in today’s sessions. And every question you wanted to ask a recruiter, you can do so now!
Paula Ewanich, Scott Handley, Briana Fernandez, Kris Rides
Engaging the Media: Know Your Target
Cybersecurity needs more and better ambassadors, particularly on topics that relate to cybersafety, where creating positive social change is more time-sensitive to avoid public harm. A significant part of this is learning how to work with the many media outlets and publications that regularly cover cybersecurity stories. Unfortunately, security coverage can often be sensationalist and counter-productive. It falls to us to provide reporters with the right information to cover complex and sensitive cybersafety topics appropriately. To help attendees learn how best to work with reporters, the I Am The Cavalry Track will have two complementary back-to-back sessions on “Engaging the Media.” Come for one or stay for both.
In “Know Your Target,” four highly respected reporters that regularly cover cybersecurity will share their war stories of working with the security community. They will give you insight into the potential pitfalls of both intentional and unintentional media engagement, and will help you understand how best to build productive relationships with cybersecurity writers. They will also highlight tips and tricks for successful media briefings. This session is an informal panel discussion.
Steve Ragan, Joe Cox, Sean Gallagher, Jen Ellis, Paul Wagenseil
Engaging the Media: Telling Your Story
“Telling your story” is a short interactive workshop, during which three of our expert reporters will walk attendees through tips and tricks for building compelling and credible cybersecurity stories. The session leads will take you through what makes a story “newsworthy”, how to create “hooks” to grab a reporter’s attention, and how best to get your message across. They will also explain how you can pitch your story to other reporters like them, and you may get a chance to get them interested in your story right then and there. This session will include opportunities for brave audience members to engage in live practice with the reporters, but participation is not mandatory.
Steve Ragan, Sean Gallagher, Paul Wagenseil, Iain Thomson
A Good Day to Die? IoT End of Life
IoT security is a known hard problem. A number of efforts are devoted to addressing risks in new devices by codifying and standardizing better security and development practices. The broader challenge will be to understand how these technical and policy efforts overlap – and where they don’t. Moreover, things that were built with better security when new can emerge as risks as they – and the underlying code – age and more vulnerabilities are discovered. This panel will explore the dynamics of three different IoT security proposals, focusing on coordination around the underlying standards, components, and end-of-life decisions.
We will first share work that picks up where the National Telecommunications and Information Administration’s IoT working groups left off, mapping overlapping security controls in existing IoT standards. Amongst this blooming buzzing confusion, and despite unique sectoral attributes, these IoT security standards face similar challenges with respect to patching, cryptography, and supply chain security. By initiating conversations across sector and technical layer we hope to accelerate learning, and improve on current best practices.
We’ll then highlight a new NTIA initiative on transparency around third party software components, sometimes referred to as a “software bill of materials.” We’ll review that initiative, and highlight a sometimes overlooked feature of an SBOM–helping vendors and customers make better end-of-life decisions for connected products.
Lastly, we’ll explore a topic that some have suggested to help navigate the complexity and information asymmetries of the IoT space: a device registration database. In our vision, under a hierarchical governance model, device registration with a trusted entity could allow new nodes to be securely authenticated, creating a network of trusted devices. Registration allows the cross-referencing of known threats to preexisting IoT networks, and, upon discovery of a security problem after the fact, allows the identification and sunsetting of compromised devices. Yet, an IoT registry – whether mandated through government regulations or an industry-based initiative – requires a trusted anchor to seed the system, a serious security drawback. Certain registration schemes could also have lasting implications for privacy, censorship, and permissionless innovation.
Jessica Wilkerson, Allan Friedman, Karl Grindal
Cyber Safety Disclosure
Vulnerability disclosures for safety-critical systems are f’n hard. Even when the finder/reporter and receiver/manufacturer are working closely in good faith, things get weird AF. When there’s low levels of trust, the weird go pro and things quickly break down. But no matter how frustrated we get with each other, we can and must find common ground around the desire to protect patients. Time to put the hard problems on the table and fight together to address them, rather than keeping on fighting each other.
This discussion will cover ways to overcome some of the hard problems from vulnerability disclosure in safety-critical systems, through a lens of healthcare and medical device disclosures. This session will cover:
- The problem with understanding severity and criticality. CVE, CVSS, etc. – CVE and CVSS have issues (see also, our BSidesLV talk), but even when we agree they work well, it’s not generally for safety-critical industries.
- Communications – Reporter, manufacturer, FDA, DHS, AHA, NH-ISAC, and others all put out information on the same issue, often in conflict. Where is the single source of truth? Who does a doctor/patient listen to? How do you drive alignment?
- Timelines – Comms takes time. Fixes take time. Often these are staggered, not in parallel. Often they rely on outdated methods like newspaper notices, snail mail, etc.
- Relay Race – Write the bug -> find the bug -> fix the bug -> test the fix -> publish the fix -> apply the fix. And if you skip a step, or someone doesn’t do their job, patients may be at risk from going public.
- Year-0 for Healthcare – Medical device makers don’t have 20+ years experience with disclosures like in software/internet. Sometimes they think they don’t MAKE mistakes, or they’re sufficiently bounded to prevent harm from vulnerabilities.
- Technical Event Horizon – Even when you can show a hack is possible, it may not cause physical effects; even when it does there may be non-technical mitigations already in place; even when there aren’t, the harm may be detectable before it becomes truly harmful. Researchers can’t see that from their vantage point.
Social engineering at scale, for fun
I’ve spoken elsewhere about the tech and social ecosystems surrounding massive social engineering using misinformation and other forms of “fake news”. Now it’s time to talk about the practicals of doing this yourself, at scales ranging from personal attacks to nation-state.
Sara-Jayne Terp
Implementing the Three Cs of Courtesy, Clarity, and Comprehension to Optimize End User Engagement
User interaction is fundamental to successful IT operations within an organization. A disconnect between the end user point of view and the IT professional is growing. For many IT professionals, the so-called “soft skills” required to have successful interactions with end users are non-existent. Users become dissatisfied and unwilling to adopt change, while the IT professional struggles to maintain policy. The solution to help bolster these trying interactions is by emphasizing the use of the three Cs: courtesy, clarity, and comprehension. It has been observed that when engaged, user satisfaction and willingness to comply increases greatly and allows success for the IT professional to accomplish their goals. This talk takes a deeper dive into these meanings and provides useful, applicable tips on how an IT professional can apply them.
Courtney K
Building A Teaching / Improvement Focused SOC
Effective security monitoring is an ongoing process. How do you get everyone participating? How do you on-board junior colleagues to continuous improvement? The purpose of this presentation is to show methods for encouraging participation from all members of the security monitoring team as well as tactics for communicating effectively with the organization. This presentation will cover the methods I’ve employed for a teaching / improvement focused SOC. Our practice has been focused around partnering analysts with business units to demonstrate our value as well as identify opportunities for our improvement.
Andrew Gish-Johnson
Modern Political Warfare: A Look at Strategy and TTPs
Political warfare is back. Political warfare or political war is the “use of political means to compel an opponent to do one’s will, political being understood to describe purposeful intercourse between peoples and government affecting national survival and relative advantage.” Political warfare among nation-states is practiced with hostile intent and is by definition an offensive art. Political warfare has been reintroduced to the threat environment because as a strategy it can be implemented cheaply, possesses a high reproducibility, can be automated, waged largely through technical means and has a good rate of return. This presentation seeks to define political warfare as a strategy and then walk through common TTPs.
Sina Kashefipour
Legendary Defender - The Voltron Analogy
As a practicing Information Security consultant, I’ve seen many organizations fail at implementing effective security programs, not as a result of having incorrect technology, and not even the result of having the wrong people within the organization. However, it’s different individuals and groups (“The Paladins”) within IT each acting as their own “lion”, with different priorities and goals. Only when they come together and act as one (“Voltron”), can the enemies of the organization be defeated. This is not a technical talk, rather a “from the trenches” style presentation.
Brian Carey
Not your Grandpa's Password Policy
This talk will describe the password policy at Pure Storage, which involves the security team actively attempting to crack employee passwords, forcing a change when discovered, and allowing them to keep the password. Nearly two years into this program, I will review our mature implementation and present an analysis of the collected password data demonstrating how this approach has markedly raised security awareness of our employees and improved the strength of their passwords. Day-to-day blue team security is hard and draining; this approach gives the defense team members a chance to play the role of attacker with a fun task quite different from their day-to-day.
Kevin T Neely
Vulnerability Management 101: Practical Experience and Recommendations
Vulnerability management, in the context of information security, is a critical, but often overlooked aspect in a comprehensive security posture. Many organizations are limited by time and resources to simply fighting fires and operating in a reactive methodology. Without a clear, defined, and management-supported vulnerability management effort, an organization may continue to operate indefinitely with a reactive methodology. There are three overarching components of vulnerability management that are to be considered in this process:
- Vulnerability discovery – how does an organization become aware of existing or newly published vulnerabilities?
- Vulnerability notification – how does an organization communicate discovered vulnerabilities to those responsible for the affected system(s)?
- Remediation verification – how does an organization validate the remediation/justification responses of those responsible for remediation?
In considering these three factors, I intend to communicate successful examples of vulnerability management from discovery to notification, remediation, and, finally, verification. Recommendations for organizations new to vulnerability management are also included.
Eric Bryan
What is Agile and how can I use it well?
Are you a person who works with Agile developers? Are they driving you nuts? This presentation will explain the core tenets of Agile and how they apply to you, the security wonk. What you may not realize is that at its core Agile is about delivering a product, fast. Agile teams are focused on delivering a minimal viable product, getting feedback, and improving both the product and the process through iterative and continuous improvement. With a keen understanding of Agile forged in the trenches of large deployments, this presentation shows you how to effectively scale your team in order to have security be an integrated part of the Agile iterations.
Nicole Schwartz
Advanced Wireless Attacks Against Enterprise Networks
This workshop will instruct attendees on how to carry out sophisticated wireless attacks against corporate infrastructure. Attendees will learn how to attack and gain access to WPA2-Enterprise networks, bypass network access controls, and perform replay attacks to gain administrative control over an Active Directory environment. External wireless adapters and networking hardware will be provided to all workshop attendees, and material learned in the lectures will be practiced within a realistic lab environment. Areas of focus include:
- Wireless reconnaissance and target identification within a red team environment
- Attacking and gaining entry to WPA2-EAP wireless networks
- LLMNR/NBT-NS Poisoning
- Firewall and NAC Evasion Using Indirect Wireless Pivots
- MITM and SMB Relay Attacks
- Downgrading modern SSL/TLS implementations using partial HSTS bypasses
Gabriel Ryan, Justin Whitehead
Intro to Industrial Control System Network Analysis
Industrial Control Systems (ICS) are the silent machines that control the world all around us. ICS systems are used to control elevators, subways, building HVAC systems and the electricity we use. The convergence of information technology (IT) and operational technology (OT) in the ICS marketplace has been taking place over the last 20 years. This convergence, while increasing ICS operational efficiency, is also increasing cyber risk. In this full day course, you will learn how to identify the protocols being used in OT networks, how to decode them and the tools and procedures to perform network assessments on these networks.
Dennis Murphy
Windows Internals and Local Attack Surface Analysis using Powershell
Inspecting the internals of Microsoft Windows and discovering interesting attack surface for local privilege escalation can be a dark art. Outside of trivial enumeration and fuzzing of drivers there’s little documentation about how you’d find interesting privileged attack surfaces such as brokers, internal RPC/DCOM services and badly configured applications to escape sandboxes and get administrator privileges. In this workshop we’ll go through how to use a number of PowerShell tools such as NtObjectManager (https://www.powershellgallery.com/packages/NtObjectManager) that I’ve written to help identify interesting attack surfaces and from that extracting information through reverse engineering to discover how they can be exploited. The workshop will also contain an overview of important areas of Windows internals as they relate to privilege escalation and how PowerShell can give you a better understanding of how these internal features work together.
James Forshaw
Introduction to Cryptographic Attacks
Using cryptography is often a subtle practice and mistakes can result in significant vulnerabilities. This workshop will cover many of these vulnerabilities which have shown up in the real world. This will be a hands-on workshop where you will implement the attacks after each one is explained. I will provide a VM with Python dependencies and skeleton code included so you can focus on implementing the attack. A good way to determine if this workshop is for you is to look at the challenges at cryptopals.com and see if those look interesting, but you could use in-person help understanding the attacks. While not a strict subset of those challenges, there is significant overlap.
Matt Cheung
Mobile Application Hacking - Master Class
Mobile Application Hacking is a hands-on class designed to teach participants techniques and tools for mobile application (both iOS and Android) penetration testing. The class covers a wealth of techniques to identify, analyze and exploit vulnerabilities in mobile apps. The class also covers inbuilt security schemes in both iOS and Android platforms and teaches how to bypass those security models on both the platforms. The class is equipped with labs that contain intentionally crafted real-world vulnerable Android and iOS apps by the author and enables participants to learn the art of finding and exploiting flaws in mobile applications. The class also has a CTF in the end which gives the participants the opportunity to test the skills which they will learn in the class. The platform used for the training will be iOS 10 and Android 8. Note: This is a major upgrade of the previous class by the author, “Mobile App Attack”, which was delivered around the world at conferences such as OWASP AppSec USA, DeepSec, DEFCON, NullCon and BSides LV.
Sneha N Rajguru
Attack & Defense in AWS Environments
AWS is the most widely used cloud environment today and almost every security professional has to encounter this environment whether you are attacking an organization or defending it. In this fast-paced workshop we will teach participants some neat tools, techniques and procedures to attack the most widely used AWS services as well as to defend them.
– Recon / Information Gathering on AWS Services
– Attacking S3 buckets
– Exploiting web application flaws to compromise AWS services (IAM/KMS)
– Attacking Serverless applications
– Disrupting AWS Logging
– Attacking Misconfigured Cloud SDN
Takeaways: Students will be able to understand and appreciate the delta in attack surface which gets added due to moving to cloud. And subsequently design architecture and develop applications to defend them.
Vaibhav Gupta, Sandeep Singh
Deep Dive into NMAP & Network Scanning
This will be an in-depth dive into network scanning with NMAP and the proper way to approach a target network. In this hands-on-the-keyboard training, you will learn recon, scanning, scripting and enumeration using NMAP. Scanning is one of the most important components of Pen Testing. This course will teach you some of the tricks of the trade to take your NMAP usage to the next level! You will also spend some time late in the afternoon with NMAP’s scripting engine to perform basic vulnerability scans, and by the end of the day come away with an amazing skill set. If you’ve ever wanted to really, truly learn NMAP, then you must attend! This is hands-on training. After a brief overview of the methodology, you will fire up Kali Linux and spend the rest of the day scanning our lab network. Students should have a basic understanding of Bash commands and be able to navigate around in Kali.
Michael Wylie
Snake Oil & The Security Industry
Every true disaster is a tangled mess of factors. The security industry is rife with hyperbole, faulty products and shameless pitchmen that would make even PT Barnum blush. How did our highly technical, quirky industry end up such a cesspool? This talk will explore the myriad failings and missteps that have led to the rise of the Snake Oil Strawman in security.
dave cole
A peek into the cyber security of the aviation Industry.
The aviation sector is not immune to the cyber security risks that have been critical issues for all the other industries. Aircraft like the Boeing 777 are very complex systems that rely on many transponders to communicate their position to air traffic control. It’s quite difficult to hack all systems at once, including the on-board radios and the Aircraft Communications Addressing and Reporting System (ACARS), used to send messages or information about the airplane rather than voice transmissions. Consequently, an attacker with a deep knowledge of the plane’s systems could intentionally cause serious problems with its normal operation. In this talk, we are going to take a look at the data communications of an aircraft, previous cases of the vulnerabilities that were exposed and the different threats and their corresponding attack vectors. Additionally, the talk describes how the current recommendation standards address the security needs in the industry and the way forward for a secure future.
Nitha Rachel Suresh
That Buzzword Bingo Rapid Debates Panel Thing
This session is designed to titillate, delight, and possibly even educate BSidesLV attendees. Come challenge our panel of Certified Cybersecurity Thought Leaders™ to debate the most pressing critical issues of the day, including tackling the hard questions like whether becoming a l337 hax0r makes you irresistible to potential partners, whether quantum cryptography adversely affects deep or backdoor access, and whether all we need to stop the rise of the machines is a decent next-gen firewall. YOU propose the topics for our panelists to debate, and after their two-minute arguments are made, YOU decide who was most convincing. And then the loser drinks. And all the while, you can play along, filling in your Buzzword Bingo cards to win (some likely quite lame) prizes.
Jen Ellis, Josh Corman, Chris Nickerson, Robert Graham
Your taxes are being leaked
80% of U.S. small business accounting data is entered and stored on one company’s software. Major professional CPA firms around the world use this company’s tax preparation software and trust the security controls are doing their job. During a Penetration Test, I discovered, and disclosed to the manufacturer, a critical unauthenticated information leak/man-in-the-middle vulnerability in the way the tax preparation software transfers customer data between client and server. This vulnerability exposes all customers’ names, addresses, phone numbers, email addresses, social security numbers, jobs, spouse information, and more.
Michael Wylie
iOS Runtime Hacking Crash Course
Over the past few years there have been a number of significant changes and trends in the iOS ecosystem that have complicated reverse engineering and exploiting iOS applications for penetration testing purposes. The introduction of Swift, the move to 64-bit only and the rise of cross platform frameworks such as Xamarin, Cordova and React Native have affected the techniques and tools traditionally used for these tasks. This talk will provide a crash course in exploiting iOS applications through the manipulation of the application runtime. The aim is to provide practical examples of how to observe and manipulate the inner workings of applications on iOS to defeat security protections including jailbreak prevention, anti-debugging and certificate pinning, obtain credentials and other sensitive information and subvert business logic.
Michael Gianarakis
Tuning The Warp Drive with Laforge: New Tool for Building Security Competitions
Security competitions such as the Collegiate Penetration Testing Competition have fundamentally changed the landscape for training the next generation of security professionals. The ability of competition organizers to build the competition infrastructure directly impacts the immersive experience of the competition. These events aren’t just for college students either. Companies are taking note and trying to use these same techniques to assess and train their staff. At this talk, the presenters will introduce a new tool called “laforge” for automating the deployment and creation of these competition environments. Using the latest technologies in cloud DevOps, the presenters have created one of the most feature rich and easy to use tools, allowing competition environments to be rapidly developed and deployed.
Alex Levinson, Dan Borges
Securing Robots at Scale
The International Federation of Robotics estimates that 2.6 million industrial robots will be installed in factories worldwide by 2019. Robots are not only in industrial environments, they also exist in homes and around us as toys, companions, assistants and serve various roles in our daily lives. In this talk we will talk about our journey to secure our robots at scale. This talk will help a spectrum of different audiences including developers, testers, consumers, manufacturers to understand the threats to their products and guide developers, product builders towards building security from the start. We will talk about software, applications, operating system, hardware and supply chain security challenges as well as our strategy to mitigate threats from the ground up. We will also talk about some emerging and upcoming threats as they pertain to complex sensors, and autonomous systems that make decisions based on ML / AI algorithms.
Talha Tariq
Pacu: Attack and Post-Exploitation in AWS
Cloud infrastructure security and configuration has been shown to be a difficult task to master. Sysadmins and developers with years of traditional IT experience are now being pushed to the cloud, where there is a whole new set of rules. This is what makes AWS environments particularly exciting to attack as a penetration tester. Best practices are often overlooked or ignored, which can leave gaps throughout an AWS environment that are ripe for exploitation. With an increasing number of breaches leaking AWS secret keys, companies are working to be proactive and are looking for red-team-like post exploitation penetration tests, so that they can be sure that their client data is as safe as possible post-breach. Due to this need and the lack of AWS specific attack tools, I wrote Pacu, an Amazon Web Services post exploitation attack tool created and used for Rhino Security Labs pentests. In this talk I will cover how red teamers can use Piranha to simulate real-world attack scenarios against AWS environments, starting from IAM enumeration and scanning through exploitation, privilege escalation, data exfiltration and even providing reporting documentation.
Spencer Gietzen
Overlooked tactics for attacking hardened Active Directory environment
Cyber-attackers have been very successful at rapidly gaining administrative access to Enterprise Active Directory environments. Microsoft Enhanced Security Administrative Environment (ESAE), known as “Red Forest”, has become a very popular architecture solution to enhance the security of Active Directory for the past few years. It is designed to limit exposure of administrative credentials via a hardened admin environment and credential partitioning. Can ESAE be used to completely prevent cyber attackers from compromising Active Directory and obtaining domain dominance? How do organizations better secure ESAE? In this talk, we will demonstrate multiple overlooked tactics, techniques and procedures (TTPs) that can be used to escalate privileges and move laterally within the hardened Active Directory environment, and conclude the presentation with strategic countermeasures. We want to use this talk to educate the industry and arm Enterprise defenders with the knowledge to enhance the security controls of Active Directory.
Hao Wang
Turning (Page) Tables - Bypassing advanced kernel mitigations using page tables manipulations
Over the past several years Microsoft introduced many new kernel exploit mitigation techniques to Windows 10, most notably: page table randomization, Kernel Control-Flow-Guard and VBS based protections such as KMCI (Kernel-Mode Code Integrity). All these protections make local privilege escalation vulnerabilities significantly harder to exploit. Moreover, most of the kernel exploitation techniques assume KMCI is disabled; in coming releases of Windows 10 this assumption will no longer be true as KMCI will be enabled by default. In this talk we will present a new novel exploitation technique based on page-table manipulations that allows an attacker to bypass all the above mitigations and achieve privilege escalation, even when KMCI is enabled. The concept behind this new technique is not limited to Windows and the ideas behind it can also be leveraged on other modern operating systems.
Omri Misgav, Udi Yavo
All Your Cloud Are Belong To Us - Hunting Compromise in Azure
MongoDB, Redis, Elastic, Hadoop, SMBv1, IIS6.0, Samba. What do they all have in common? Thousands of them were pwned. In Azure. In 2017. Attackers have shifted tactics, incorporated nation-state leaked tools and are leveraging ransomware to monetize their attacks. Cloud networks are prime targets; the DMZ is gone, the firewall doesn’t exist and customers may not realize they’ve exposed insecure services to the Internet until it’s too late. In this talk I’ll discuss hunting, finding and remediating compromised customer systems in Azure – a non-trivial task with 1.59 million exposed hosts and counting. Remediating system compromise is only the first stage so we’ll also cover how we applied the lessons learned to proactively secure Azure Marketplace. Finally, I will present research I’ve done into the default security configuration of Azure & AWS Marketplace images and present a call to action for teams working on Azure security offerings.
Nate Warfield
Security Awareness Training Refresh
What’s the first thing that comes to mind when you think of security awareness training? If it exists at all, it’s typically a painfully dry and boring user experience, and provides little to no context to employees. Instead of producing an interactive and educational experience for users, many organizations miss the mark, inevitably turning an incredibly valuable and critically important training into another checkbox on a questionnaire. Organizations should view security awareness training as an opportunity to disseminate relevant and timely information to the users who ultimately determine their level of risk. During this talk, Lauren Clausen, Security Governance Analyst at Rapid7, will discuss the current state of security awareness trainings, the ways in which organizations can create engaging content that conveys this important information, as well as the wins, losses, and lessons learned from Rapid7’s own security awareness training refresh.
Lauren Clausen
Where are the reinforcements?
The demand for information security skills has far outpaced the supply. The stories and surveys indicate a growing problem with shortages of trained professionals. The problem isn’t being addressed adequately by any entity. This discussion will propose that we, the information security community, must bridge the gap by training our own reinforcements. The vocational education system, such as community and technical colleges, is a great location to build a better platform for training the skills needed in our industry. We cannot sit by and wait for the government or academia to fill the employee void. Make your job and life better by building the system to train someone else to be on call for a change. An open discussion facilitated by a security guy turned academic about what we can do to help ourselves.
brady nielsen
Who Maed Dis; A beginners guide to malware provenance based on compiler type.
Malware Researchers must take into account a wide range of factors in order to effectively triage, reverse, and address the threat of modern malware. Provenance, or being able to infer the origins of a given sample, is an important but often overlooked characteristic of most malware that may not be apparent to those entering this field. With added knowledge, and new tooling we can make our lives easier. Being able to determine the compiler provenance of a sample is valuable to a reverse engineer as it can speed up the detection of anomalous or otherwise interesting sections of a given binary. I’ll discuss how different compilers and build systems produce different Windows (PE) binaries, where ‘interesting’ bits of code exist across different kinds of binaries, their expected behaviour and defining characteristics and most importantly how to leverage this information to make heuristic conclusions that will improve one’s reverse engineering efficiency. The talk also coincides with the public release of two things: 1. A package of Yara rules to fingerprint binaries by compiler type and 2. A tool which facilitates the analysis of a given binary by providing a graphic and diagnostic output that can denote malicious and benign segments.
Lucien Brule
LibreSSL - Moving the Ecosystem Forward
In response to the Heartbleed vulnerability disclosure of April 2014, the OpenBSD team created LibreSSL, a fork of OpenSSL focused on removing obsolete code and dangerous features, improving security, and simplifying the interfaces, while maintaining backward compatibility as much as possible. Since that time, OpenSSL has also had significant investments both in developers and money. But the principal forks of OpenSSL, BoringSSL and LibreSSL, continue to grow and find unique places in the TLS stack ecosystem. Four years later, has the ecosystem improved? Are there too many forks? Why not merge everything back into OpenSSL? This talk will discuss the impact of OpenSSL, BoringSSL, and LibreSSL on applications and operating systems, why forks still exist, and with TLS 1.3 right around the corner, where the projects are heading.
Brent Cook
Solving for Somebody Else's Problem: Hacking Devs for Better Security
Getting developers to take security findings seriously can feel like an uphill battle. Security can be seen as an outside function that is separate from engineering, and somebody else’s problem. Reported findings are frequently dismissed or ignored. Using the framework of social engineering, we’ll discuss techniques and strategies for bringing developers to the conclusion that they should fix their security bugs. From pretexts to recon, to recognizing people as emotional state machines, the tools of social engineering are usually used as part of the testing phase in security. In this talk we’ll cover how to bring developers over to your side and understand why security findings matter to them.
Sarah Gibson
Watch Out For That Bus! (Personal Disaster Recovery Planning)
You bank online. PDFs have replaced paper. Bills come via email and are paid automatically. Your thermostat even has an account online in some cloud! Your daily life heavily uses technology, and it’s great. As a good digital citizen, you may even use a password vault, two-factor authentication, full disk encryption, and cloud backups. But then you get hit by a bus. Or, less morbidly, your home burns down, floods, or is robbed. If you don’t have a tested personal disaster recovery plan, you and your family may find yourself struggling to return to normal life. You may lose access to your treasured pictures, important documents, online accounts, and digital currencies. Companies understand and mitigate this risk by (hopefully) revising, reviewing, and testing their plans, but individuals rarely even think about this risk, much less plan for it. But backups! And the cloud! They may turn out to be useless if you haven’t fully tested out a disaster recovery plan – mine were worthless because of a circular dependency. Come learn about how to make your own disaster recovery plan so you can sleep a little better at night and make a disaster a little less disastrous.
David Minch
Using Lockpicking to Teach Authentication Concepts
When we teach security, we often face challenges in conveying our knowledge to a non-security audience. Ideas such as authentication bypass, password uniqueness and complexity, and defense-in-depth are abstract and can be difficult to grasp for those who aren’t already well-versed in the language of security. We need novel approaches to teaching security that go beyond language. Driven by the educational theory of embodied cognition — using hands-on, concrete metaphors to build a better understanding of abstract concepts — I explore teaching lockpicking alongside teaching authentication and security concepts. As security professionals, we deal largely in abstractions, but experiencing physical representations of those abstractions helps solidify understanding of them, both for us and for end users.
Kat Sweet
How I Met Your Password
“How I Met Your Password” is an interactive talk and session around password cracking techniques. Passwords are still getting much notice in the world, especially with leaks constantly occurring. As such, people are interested in password cracking. However, this session is not a recap of simple wikis on how to crack passwords. It is an in-depth analysis of advanced cracking techniques, methods of cracking difficult and “impossible” passwords, as well as how to use the plethora of tools out there to be successful. The target audience is more intermediate than beginner, with attendees needing to already understand what “hashing” is, how some of the algorithms work, and also know their way around Linux and tools such as JTR and Hashcat. What we will do is fill the gaps between simple cracking techniques and how to elevate your cracking capabilities to return much higher hit-rates and better results.
Dimitri Fousekis
Abusing Password Reuse at Scale: Bcrypt and Beyond
In this talk we will cover a new attack methodology based on the concept of “offline credential stuffing”. This approach makes use of large amounts of correlated data and abuses the commonality of user password reuse to efficiently reduce the workload required to attack large lists of slow, salted hashes.
Sam Croley
Deploying WebAuthn at Dropbox Scale: Second Factor and Beyond
WebAuthn is a new standard for strong authentication on the web, giving users an easy to use, phishing-resistant way to authenticate. This talk will look at how the standard enables key use cases of second factor authentication (2FA) and primary login with WebAuthn capable devices and explore practical considerations for deploying it. I’ll talk about lessons learned adding WebAuthn 2FA support to Dropbox and discuss policy and usability questions around using WebAuthn for primary login. To get to a world where WebAuthn replaces passwords, we’ll need to figure out how to handle varying device capabilities and account recovery. Even before resolving these questions, WebAuthn offers clear benefits that encourage deployment.
Brad Girardeau
Guardians of GitHub
Over 10,000 AWS access keys are currently exposed on GitHub. Is one of them yours? GitHub is the world’s leading platform for software development. The problem is it’s insecure by default. Access is inherently difficult to manage, repos can be left inadvertently public, which could expose intellectual property, company passwords and keys to the internet, or could include vulnerable third-party libraries that may pull your company into the spotlight, as was seen with Equifax, Uber, and Tesla. With GitHub being increasingly used as an initial attack vector, the platform is finding itself as the root cause for some of the industry’s largest breaches. In the case of Uber and Apple, public repositories resulted in exposure of proprietary code and AWS credentials. The answer? GitHub Guardian. GitHub Guardian is a solution that utilizes GitHub’s REST APIs to ensure your accounts are safeguarded with multi-factor authentication and repository privacy control, and to ensure credentials are not present in code. As the threat landscape continues to evolve – what’s next? GitHub Guardian will evolve to cover use cases around federated identity and authentication management, API security, and credential encryption enforcement for repositories.
Joshua Danielson, Dileep Gurazada
Ransombile, yet another reason to ditch SMS
The general belief is that a mobile device that is locked, encrypted and protected with a PIN or biometrics is a secure device. Personal assistants on mobile devices such as Siri and OK Google are very popular. They can perform multiple tasks including calls, sending emails and reading SMS. How secure are they? Can we trust our personal assistants to keep our data safe? With the proliferation of cheap SDR hardware, DIY IMSI catchers, open source tools and still-supported broken GSM protocols, targeting mobile communications is easier than ever. But what are the real consequences? It is well known that SMS is not a secure channel, but the industry is still hesitant to move away from it. This presentation is yet another nail in the SMS coffin and aims to help push the industry away from supporting it. Ransombile is a tool that can be used in different scenarios to compromise someone’s digital life in less than 2 minutes. Email accounts, financial data, social networks… all gone. Have you ever left your phone on the desk unattended? Do you believe losing your phone only impacts your wallet? This presentation is for you.
Martin Vigo
Set during the Great Marshalling of Pickles Apocalypse; in the year 2015, the internet at large was made aware of a little-known kind of attack: Deserialization of Untrusted Data. Jenkins, JBoss, Oracle WebLogic, IBM WebSphere, Apache Struts and many more were destroyed by Remote Code Executions via complicated deserialization attacks. Gadget Chains smashed through WAFs and rooted systems. By the year 2017, OWASP declared deserialization attacks critical enough for its own OWASP Top 10 category.
SQL Injection? Passé. XSS? Weak. Code Injection? Improbable. Deserialization of Untrusted Data? HELL. YES. <explosion.gif>
Curious? Join this AppSec session to:
- Learn what (de)serialization is
- Discover how deserialization can be exploited
- Find out how unsafe deserialization can be mitigated
- Receive a full breakdown of the issues we’re currently facing, including live demos
Erez Yalon
Applied Quantitative Risk Analysis
My experiences with qualitative risk analysis have never been satisfying. The categories used to bin the risks seemed arbitrary. I couldn’t see how to consistently compare one risk to another. I couldn’t combine risk assessments from multiple sources. I wasn’t sure how many “Low” risks it took to overwhelm a “High” risk and I couldn’t easily defend my analyses. In 2016 Douglas Hubbard and Richard Siersen released the book “How to Measure Anything in Cybersecurity Risk” which covers the science of measurement, the Monte Carlo simulation technique, and their application to cybersecurity risk. I was instantly hooked. Here was a repeatable, consistent, statistically valid method to really get a grasp on my risks. But learning about something is easy; applying it is hard. This talk will go over the basics of quantitative risk analysis techniques and my experiences with applying them at my current job. Attendees will leave with guidelines for practical application of the techniques as well as a link to a GitHub repo where the tools I use are freely available.
Michael Rich
For defenders, PowerShell is a major challenge, while for attackers it is an opportunity (if it is enabled). This talk will open with a quick explanation and examples of PowerShell abuse by malware in the wild and why it is so common. Then, the main dish will be served: InvokeNoShell, a new framework for generating infected documents containing embedded PowerShell that is executed even if powershell.exe is disabled, without admin privileges, bypassing app whitelisting and AV solutions. The tool is fully automatic and capable of generating multiple variants of bypassing output to optimize the testing of solutions claiming to block PowerShell. It will be shown that using the InvokeNoShell framework enables easy automation of the payload generation process from scratch. This allows creating multiple similar payloads automatically, allowing an individual to poke advanced ML unicorn next-NG AV engines efficiently, generating dozens of payloads with a single command.
Gal Bitensky
Security and DevOps are really Best Friends
DevOps teams still think of Security as “the people who say no.” However, DevOps are Security’s best allies in getting basic security improvements in place. Using the framework of the CIS Critical Security Controls (chiefly the ones classified as Basic), we will explain the ways that Security teams can sell security improvements to the DevOps/SRE/Automation teams and help them get their priorities addressed. For example, while having an inventory of all hardware and/or cloud assets is critical to speedy investigation of incidents, it is also critical to keeping systems within SLAs for their lifecycle and ensuring that billing for resources is correct. Likewise, the other Basic Critical Security Controls line up directly with DevOps and Automation teams’ priorities, and Security teams can meet their goals of improving the security of the company at the same time.
Emily Gladstone Cole
Don't Bring Me Down: Are You Ready for Weaponized Botnets?
We’re seeing an evolution in botnets. The impact of Mirai bringing down a huge swath of the internet two years ago raised awareness, but the release of the Mirai code has raised a new army of botnets that are capable of more than just DDoS on basic systems. But Mirai isn’t the only botnet in town. There are some serious contenders with unexpected enhancements looking for new recruits to work in the bitcoin mines. Routers and cameras and toasters, oh my! The ongoing deluge of devices that connect to the Internet is an IoT nightmare, and an attacker’s dream. Default credentials and weak passwords are only the beginning, especially with a bevy of unpatched, vulnerable systems on which to unleash some substantial exploits. Persistence and lateral movement ftw! DDoS isn’t just child’s play when attacks are in the realm of terabytes. What happens when we move past outages, and into destructive payloads? And what happens when weaponization meets automation? In this talk, we’ll explore what may come next when nation states move into the turf once held by script kiddies, and build-a-bot gets leveled up in a very bad way.
Cheryl Biswas
Not your Mother's Honeypot - Another name for Threat Intel
Gathering Threat Intelligence is an art. Using it to your advantage is magic. Do you even know what your real security profile is and who/what is attacking you? Vulnerability scans are great, but are you really vulnerable? Using OSS across honeypots and even Raspberry Pis, none of which requires rocket-science technical skills to deploy, allows you to see the profile of those who might be attacking you. Gather real Threat Intel, in a live environment, directed at your systems, and use the data to be more secure! This live session will use a network of worldwide honeypots to show how “live” threat intel can be gathered and analyzed to more thoroughly understand your environment and the threats facing you.
Kat Fitzgerald
Another one bites the dust: Failed experiments in infrastructure security analytics and lessons learned from fixing them
In most academic and industry conferences, we get to learn about the success stories of security analytics systems, but we rarely explore what to do when these systems don’t work as intended. This talk addresses the gap: we share the lessons learned from deploying failed machine learning intrusion detection systems and, more importantly, how to fix them. Specifically, we will focus on the unsuccessful experiments when attempting to solve two important security problems: detecting lateral movement in the cloud environment and identifying geo login anomalies. This talk has three parts; in each section we first explain the security problem, present the approach that failed to produce the desired outcome, follow with a deep dive into why the system failed, and finally conclude with how we fixed the machine learning system. The goal of this lecture is to emphasize that it is important to recognize that security data science systems are imperfect, and to share different options to proceed when security analytics experiments don’t go as expected. This talk represents the work from Microsoft Research, Azure Security Data Science and Microsoft’s Cyber Defense Operations Center.
Ram Shankar Siva Kumar
PowerShell Classification: Life, Learning, and Self-Discovery
By now, many security practitioners know that PowerShell is a powerful scripting language used by administrators and adversaries alike. Many blue team professionals may also know that effective detective controls are very difficult to develop due to the flexibility of PowerShell. This presentation covers the journey where I try to develop effective detective mechanisms for malicious PowerShell, shortcomings of this attempt, my first attempt at developing a classifier, the problems I encountered, the lessons I learned, and the success in the end. I will cover the development of the initial prototype from start to finish but the greatest value is in the lessons that were learned during the journey.
Derek Thomas
Can data science deal with PAM?
PAM is climbing the security charts, coming in at no. 4 in the latest CIS controls, up from no. 5 in the previous version. It has also piqued the interest of ‘the Board’: the concept of a superuser and the potential impact on critical business systems is easy to grasp. Security teams now find themselves thrust into the spotlight, with the C-suite demanding answers while they grapple with this seemingly intractable problem. It’s uniquely challenging as some people need admin rights to do their job, so we can’t just lock everything down, but “who?”, “when?”, “how?”, “why?”. As one CISO put it, PAM is “at the intersection of human behaviour and technical controls and often brings IT and security into conflict”. There are many tools to administer privileged access, but installing a vault to manage PAM is only the beginning. Once you’ve identified how people should be accessing assets, how do you clean up the tangled web of permissions that exists in most big orgs, without hindering BAU? In this talk, we’ll reframe PAM as a data science problem and explore what insight you can glean from your data about where the problem lies and how to fix it.
Leila Powell
Tracking Malicious Logon: Visualize and Analyze Active Directory Event Logs
In the lateral movement phase of APT incidents, analysis of Windows Active Directory event logs is crucial since it is one of the few ways to identify compromised hosts. At the same time, examining the logs is usually a painful task because Windows Event Viewer is not the best tool. Analysts often end up exporting the entire logs into text format, then feeding them to other tools such as a SIEM. However, a SIEM is not a perfect solution for handling the increasing amount of logs either. In this presentation, we would like to introduce a more specialized event log analysis tool for incident responders. It visualizes event logs using network analysis and machine learning so as to show the correlation of accounts and hosts. It has been proven in our on-the-ground response experience and, most importantly, it is an open source tool.
Shusei Tomonaga, Tomoaki Tani
Decision Analysis Applications in Threat Analysis Frameworks
In the modern age, all organizations face threats from various types of cyber attacks. Although great strides have been made to consider human factors in cybersecurity and to become more proactive in threat analysis, security is still generally a reactive, technical field. This research seeks to develop a framework which adapts existing methods such as the cyber kill chain to look at attacks in a less linear, more human-centered framework that focuses on the capabilities and decisions of the threat actor. In addition, the framework approaches threat analysis from a binary assessment of success vs. failure in order to see the entire attack and consider the potential for a number of methods and attempts made in a single attack. A detailed methodology and sample charts are included for a reference and a starting point in developing one’s own personalized charts, and recommendations are made for ways to integrate this methodology into the risk management process.
Emily Shawgo
Looking for the perfect signature: an automatic YARA rules generation algorithm in the AI-era
Given the high pace at which new malware variants are generated, antivirus software struggles to keep its signature database up-to-date, and AV scanners suffer from a considerable quantity of false negatives. Creating a high-quality signature that is effective against new malware variants, while avoiding false positive detections, is a challenging task, and it requires a substantial portion of a human expert’s time. Artificial intelligence techniques can be applied to solve the malware signature generation problem. The ultimate goal is to develop an algorithm able to automatically create a generalized family signature, eventually reducing threat exposure and increasing the quality of the detection. The proposed technique automatically generates an optimal signature to identify a malware family with very high precision and good recall using heuristics, evolutionary and linear programming algorithms. In this talk I will present YaYaGen (Yet Another YARA Rule Generator), a tool to automatically generate Android malware signatures. Performance has been evaluated on a massive dataset of millions of applications available in the Koodous project, showing promising results: in a few minutes the algorithm is able to generate a precise ruleset able to catch 0-day malware, better than human-generated rules.
Andrea Marcelli
Hackademia: The 2018 Literature Review
Ever wonder how static analysis tools figure out not only what lines contribute to a buffer overflow, but by how much it can be overflown? Ever get the sense developers might get insecure solutions from StackOverflow, and wonder what can be done about it? Curious about what you might be able to do if only you could get your hands on some industrial robots, field forensic equipment, voting machines, or avionics? We discuss some of the latest developments in infosec coming from academia, what they’re likely to result in, and of course, where more work is needed.
Falcon Darkstar Momot, Brittany "Straithe" Postnikoff
Arbitrary Albatross: Neutral Names for Vulnerabilities at Volume
Vulnerability identification is critical defensive security infrastructure. We have CVE, which is improving scope and coverage, but CVE assigns numbers, and people like words. Phrases. Names. From Heartbleed to Efail, there’s a trend in security research to market disclosure events with catchy brand names. Some are annoyed by this trend. Is annoyance justified? Names imply importance. Is the claimed importance justified? It may be that a more human-oriented handle is beneficial. We explore the issues around named vulnerabilities and present a system to generate names separate from implied importance.
Art Manion
The Key to Managing High Performance Security Teams
For many early career managers, getting high performance from teams can seem like a magic art. While many of us find getting performance from technical projects to be easy, people seem to be harder. This talk will show you some of the challenges of getting security professionals to work together as a team and walk you through some of the more interesting parts of recruiting, managing, leading and retaining rock-star level talent in the hardest, most difficult industry.
Mike Murray
Increasing Retention Capacity
Why do organizations work so hard to recruit a talented workforce, but fall flat when it comes to retention? After all, rapid turnover negates investments in recruiting and training, stalls projects and innovation, and is often a gauge for the health of a company. Given the growing workforce deficit, it is essential to improve retention in security, especially among underrepresented groups. But what are those factors that improve and hinder retention in security? I conducted a survey and integrated existing social science research to identify those core factors. I will first describe the research design and the main findings. Next, and building upon existing social science research on social change and organizational structure, I will offer several concrete steps organizations can take to improve retention, including a nuanced approach to professional growth and addressing burnout, as well as key cultural factors within the workplace environment. This discussion also includes what the security industry writ large can do to help augment retention, especially when it comes to professional conferences, marketing, and some of the biases embedded in them.
Andrea Limbago
Resume Review & Career Coaching
Fast-track your Hacking Career – Why Take The Slow Lane?
Confused how to get into the security field? Unsure how to grow your skills, knowledge, and certifications? Uncertain where to find training that fits your budget? If you have any of these questions, then this presentation is for you!
With over 40 years in this field as a security practitioner, I have learned many tricks and tips, which I have shared to help others start and quickly advance in their careers. The goal of this presentation is to:
- Help you identify the starter roles which will best help you make it to your dream job
- Plot a path, which includes understanding credentials, skill sets, and salaries, associated with each role
- Understand how to level up from entry level, through mid-level, advanced-specialists to expert
- Have fun doing it!
If you are someone that is hiring, there are also a few tidbits for you.
Community Career Panel or How to Get More than a TShirt Working at a Con
Career development is typically seen as a progression of education, certification and job moves. However, to progress in our careers it is helpful to build both technical and non-technical skills in different environments to challenge us and give us the opportunity to learn. Community involvement strengthens not only the overall community but provides opportunities to stretch and learn new skills that support personal growth. We will review presenting, con management and competitions as ways to strengthen your career. We will hear from a recruiter involved in the community how they evaluate these experiences and recommendations on presenting this information in your job search. Finally, we will address burnout, exhaustion and how not to burn bridges.
Cindy Jones, Magen Wu, Kristen Renner, Kathleen Smith
Stupid Hacker Tricks: Bridging Airgaps and Breaking Data Diodes
The impossible is just what we haven’t done yet.
This light and fun talk (with demos) will examine how network “Air Gaps” and other physically based protection schemes for Industrial Control Systems and Critical Infrastructure are considered the best protection available. That is not always the case.
The world’s foremost cordless drill hacker/musician, and host of the totally-safe-for-work “Coke and Strippers” YouTube channel (https://www.youtube.com/playlist?list=PLrbk0Yr3eCh2N6v-OLlMYmHEs74ui2t_z), will discuss technologies old and new used to jump air gaps, including a brand new example of potentially compromising the technology that has been labeled unhackable, the Data Diode.
Once the impossible has been demonstrated, it becomes easy.
Monta Elkins
Building ambassadors to reduce friction, drive change, and get sh*t done
Whether your goal is to push a vulnerability through remediation, change user behavior, or secure funding for your dream project, you can get it done with the right ambassadors in your corner. We’ll review several case studies and discuss strategies that have worked – and strategies that haven’t – for getting buy-in and achieving your infosec #squadgoals
Katie Ledoux
Hacking the Public Policy API
Technology experts are all over the country except on Capitol Hill, where they are needed most. Of the 3500 legislative staff in Congress, there are exactly *seven* that have an actionable technology background (though dozens are getting very smart, very quickly). Policymakers, the security community, and technology users all benefit when we embed real tech expertise on the Hill to inform discussion on critical issues like privacy, cybersecurity, and digital rights. The CFAA, DMCA, FOSTA are all examples of short-sighted laws written by people who didn’t realize the unintended consequences until it was too late. Security experts can help bridge the gap between government and the technology community by tapping into the tech policy API to become a voice for informed change within the legislative process.
This session explores ways for security professionals to engage policymakers through the real world experiences of two types of experts in this area. Travis Moore and Maurice Turner will talk about the amazing impact Tech Congress fellows are having by taking on one year placements in Congressional offices. Then we’ll hear from the other side of the equation as House Energy and Commerce Committee staffer, Jessica Wilkerson, talks about how she leverages security and technology industry experts to help educate her Committee Members and drive a more productive and informed discussion around security issues.
Travis Moore, Maurice Turner, Jessica Wilkerson
CVE CVSS NVD OMGWTFBBQ
The Common Vulnerabilities and Exposures (CVE) list, the Common Vulnerability Scoring System (CVSS), and the U.S. National Vulnerability Database (NVD) are fundamental pillars of infosec, providing a common taxonomy for discussing vulnerabilities and their potential severity. Despite their critical role, and how much depends on these frameworks, there remain issues with each, especially when applied to human life and public safety impacts.
This panel will educate the audience on why so many acronyms are necessary in our collective attempt to grapple with the proliferation of security vulnerabilities in basically everything. We’ll talk about approaches that have tried and been somewhat successful; approaches that have tried and seem to have failed; and what we want to see change for the future, because your existence depends on good wi-fi now.
Each panelist (and the moderator, in a clear violation of the rules) will present an issue they believe is wrecking, or is about to wreck, modern civilization (in the scope of networked technology. Not in scope: ultraviolet rays, WMD proliferation, the greenhouse effect, or other non-digital things). After the panelist round-robin, we’ll go to open Q&A with the coalition of attendees, who are encouraged to be constructive. At the end, the mighty Casey will most likely strike out, but Sisyphus always has a shoulder to cry on.
Tom Millar, Katie Trimble, Art Manion, Margie Zuk, Josh Corman, Seth Carmody
Engaging Policymakers at the State Level
From federal data breaches to foreign governments phishing political campaigns to malware shutting down city services, our nation is under attack. You can help – starting right in your own community. We are using the election process as an example of how you can get involved in the policy of cybersecurity. The 2016 elections and last year’s DEF CON Voting Village showcased vulnerabilities in voting systems. Local and state officials are working to build a more resilient electoral process, but their capacity is limited. We need government leaders and civic-minded infosec professionals alike to start building bridges and combine their knowledge and talents. Join a conversation with policymakers to explore how they should be looking in their own communities to find individuals with security research or systems administration skills who are interested in acting as technical volunteers for Election Day and beyond.
Maurice Turner, Joe Hall, David Forscey
Transforming Industries for Fun and Safety
I Am The Cavalry presents two case studies on shifting mindsets of security researchers and a focus on cyber safety. The first outlines first positive steps in the aviation industry toward safer skies. The second looks at security research community contributions to US and UK government policy documents.
The aviation industry has long managed the risks of physical attacks, now it must also manage the risks of digital attacks. To do this will take a close collaborative effort between the aviation industry, government, industry bodies and security researchers. Yet those relationships are strained. This panel will discuss the current challenges and how we can help foster a collaborative relationship between all the key stakeholders so that we can keep the aviation industry as safe as it currently is.
For the past several years, ideas from the security research community have been quietly making their way into public policy positions. When the FDA, DHS, NHTSA, and UK government have put together new policies on IoT security, privacy, and safety, some have had an ace up their sleeve: direct contact with security researchers. This discussion will cover some of the relevant policies, how researchers have contributed, and what this looks like in the aggregate.
Pete Cooper, Jeff Troy, Beau Woods, David Rogers, John Sheehey
Cavalry is ALL OF US
“The cavalry isn’t coming; it falls to us,” were the words five years ago at BSidesLV that launched I Am The Cavalry. The cavalry still isn’t coming; it still falls to all of us to make the change we want to see in the world. This session will recap a number of highlights from the past five years, and will introduce several ways ALL OF US can walk out of the room and immediately contribute our experience and passion to transforming the world around us for the better. These will include:
- Rod Soto – CHIRON open source, home-based IoT security
- Travis Moore – Is a Congressional Fellowship in your future?
Cruising the MJ Freeway: Examining a large breach in legal Cannabis
Recently, a major Cannabis POS provider – with over 11 million in funding, 23 million pounds tracked to date, and operating in 30+ states & 4 countries – found itself on the business end of a “sophisticated digital attack” not once, not twice, but thrice. Or maybe four times; gross mismanagement of the situation and a lack of transparency made it hard to tell. Their story went from “our 3rd party security auditors verified that only an unsuccessful attempt was made”, to “no wait, make that a successful attempt, but with no loss of PII”, to “ok, all our source code and much of your patient data is on ThePirateBay and our systems will be down for the next month”. Through a combination of OSINT, (ethical) social engineering, and close examination of source code, I hope to shed light on what actually happened, and how a large portion of all dispensaries in the country can be forced to manually write down sales and government contracts can be lost without more outrage from the industry. All eyes are on the industry right now and, given its precarious federal legal status, the next moves made will be crucial.
Rex
Unifying the Kill Chain
To hunt attackers on their networks and raise resilience, enterprises can use various attack models such as Lockheed Martin’s Cyber Kill Chain© and MITRE’s ATT&CK™ framework. These models are individually valuable but limited in their scope of application. The modus operandi (MO) of APTs also does not necessarily coincide with these models, which limits their predictive value and leads to misaligned investments in defensive capabilities. In this presentation, Paul Pols will detail a “Unified Kill Chain” that overcomes these deficiencies and covers modern cyber-attacks end-to-end. The model was iteratively developed in a master’s thesis through literature research and case studies. The Unified Kill Chain can be used to defend against expected attacker behavior through layered defense strategies that adopt the assume breach and defend in depth principles. The Unified Kill Chain offers an improvement over the scope of the Cyber Kill Chain© and the time-agnostic nature of the ATT&CK™ model. The Unified Kill Chain has been used to analyze and compare the tactical MO of a red team and that of APT28 (Fancy Bear), to improve threat emulation and to raise resilience. The comparison shows the potential to improve the predictive value of red team assessments.
Paul Pols
Incorporating Human Intelligence (HUMINT) into An Information Security Team
At a time when new innovations and developments in IPS, detection, big data, anti-virus, and other automated solutions are offered on a seemingly daily basis, another equally important asset remains misunderstood, or simply under-appreciated – the human. This is not an offensive social engineering tutorial or proof of concept. Rather, this session will discuss the value of human intelligence (HUMINT) and collection efforts within the growing discipline of Cyber Intelligence, how HUMINT/collections contributes to, and supplements, an organization’s detection, prevention, and research solution alongside other cyber threat teams, and how this skillset can be leveraged to elicit information and context that tools and appliances simply cannot.
Aamil Karimi
Disabling Encryption to Access Confidential Data
For many years, remote access systems, medical records systems, SSL certificate generation and many other systems have relied on email for authentication. This presentation explains how well-known weaknesses in opportunistic email encryption can be used to:
Compromise accounts
Hijack computers
Generate fraudulent SSL certificates
Access confidential medical/financial records
Intercept, hijack, and modify HTTPS sessions
Capture bank credentials
Perform social engineering / fraud
Christopher Simon Hanlon
Bypassing Antivirus Engines using Open Sourced Malleable C2 Software, MSFVenom, Powershell and a bit of Guile
Abstract: There are a multitude of open-sourced C2 software packages that are readily available for a quick git clone and deployment during a red team engagement. These tools, though new and sometimes kind of buggy, can offer a unique way to bypass antivirus engines, allowing for undetected entry into a network and lateral movement that can allow you to move around undetected by many modern defenses. The usage of PowerShell scripting in Windows and MSFVenom payload generation in Kali make it all the easier to apply these methods for quick and easy wins. Using these methods and a bit of guile about delivering the payload will allow a Red Teamer to enter the network easily, bypass the perimeter defenses in play, and lead to exfiltration of data and ultimately the end goal of your assessment: get as much win as you can.
Full example located at: https://informersecurity.com/antivirus_bypass/
Michael Aguilar
Firmware Security 101
More often than not, firmware is seen as an intriguing no man’s land – neither software nor hardware exclusively. However, increasing interest in firmware binaries is challenging their security, which has depended on obscurity for decades. As attackers focus more on them, understanding the fundamentals of firmware becomes more relevant to being able to defend ourselves better. This talk is derived from my personal experiences of tinkering with firmware without any formal learning in it. It is intended as an introduction for anyone who is interested in firmware security but doesn’t know where to start from.
I will talk about:
(1) System architecture.
(2) Firmware flavors – BIOS and UEFI.
(3) Attack vectors.
(4) Defensive approaches.
(5) Open source firmware tools.
Hopefully, by the end of this talk, the audience will have a big picture of firmware architecture and security measures.
Arpita Biswas
The current state of adversarial machine learning
Machine learning is quickly becoming a ubiquitous technology in the computer security space, but how secure is it exactly? This talk covers the research occurring in adversarial machine learning and includes a discussion of machine learning blind spots, adversarial examples and how they are generated, and current blackbox testing techniques.
Heather Lawrence
Treble or Trouble: Where Android's latest security enhancements help, and where they fail
In today’s security world it is well understood that it is impossible to eliminate all bugs. This is why, in order to limit vulnerabilities, security enhancements are introduced as an extra line of defence. Attack surfaces are being narrowed and mitigations are added to make exploitation harder. This is an approach that is well used by Google in Android. They add more security enhancements in each major Android version, including Project Treble, recently added in Android 8.
We decided to look deeper into Project Treble and examine how beneficial to security it really is. During our research, we found a very dangerous vulnerability in areas related to Project Treble. Not only did Project Treble do nothing to prevent this vulnerability, it was actually the reason it was introduced.
In this talk we will review the inner workings of Project Treble. We will look at the refactoring that Android services went through and point out multiple issues with it. We will also cover the details of the vulnerability we found, and its impact. We found that while Google were keen to announce a new enhancement with a flashy name, its implementation was somewhat neglected.
Tamir Zahavi-Brunner
Advanced APT Hunting with Splunk
You wanna learn how to hunt the APTs? This is the workshop for you. Using a real-world* dataset we hunt through the APT group Taedonggang. We discuss the Diamond Model, hypothesis building, the LM Kill Chain, and the MITRE ATT&CK framework, and how these concepts can frame your hunting. Then we look deep in the data using Splunk and OSINT to find the APTs riddling a small startup’s network. We walk you through detecting lateral movement, the P of APT, and even PowerShell Empire. Then at the end, we give you a similar dataset and tools to take home and try yourself.
Ryan Kovar, Dave Herrald, John Stoner
Ham Crams and Exams
Drop-in ham radio operator exams. First come, first served.
Falcon Darkstar Momot
Evil Mainframe Hacking Mini
Come live your cyberpunk dreams! Mainframes are the workhorse behind almost every Fortune 500. It’s probably time you learned how to hack one. This workshop provides a one-of-a-kind experience, allowing you to get hands-on mainframe hacking experience with multiple labs. This workshop lays the groundwork for mainframe penetration testing, walking you through techniques for gaining system access, performing end-to-end penetration tests, and teaching you to “own” the mainframe. After a brief overview of how z/OS works and how to translate from Windows/Linux to “z/OS”, the instructors will lead students through multiple real-world scenarios and labs against a real live target mainframe brought on site for the workshop. The areas explored include VTAM, CICS, TSO, and Unix. Students will be given access to a mainframe environment for the duration of the course where they will learn to navigate the operating system, learn some easy wins, and privilege escalation techniques. They will get introduced to the open source tools and libraries available for all the steps of a penetration test including Nmap, Python, Kali, and Metasploit, as well as being able to write their own tools on the mainframe using REXX and JCL.
Soldier of FORTRAN
Network Security Monitoring
Hands-on network security monitoring training with Bro. Students will ssh into a live training environment and analyze PCAPs for common types of attacks – brute forcing, SMB-related attacks and more.
Liam Randall
Smart Contracts: Hello World
This half-day workshop will be a hands-on introduction to Ethereum smart contracts. We will cover the tools necessary to create, deploy and interact with smart contracts on an Ethereum blockchain. We will explore and interact with high-profile bugs that have caused millions of dollars in losses. There will be a cryptocurrency CTF at the end of the workshop.
John Amirrezvani
Endpoint Monitoring with Osquery and Kolide Fleet
Deep down we all know that perimeter defenses aren’t enough to keep the bad guys from your assets. As soon as an outsider compromises one endpoint, they effectively become an insider. Having a power-tool to monitor endpoints is key for incident detection and an organization’s overall security posture.
But how should you query and monitor your infrastructure? How should you deal with so many different operating systems and environments? To help meet this challenge, the Facebook Security team created Osquery, which is under active development by Facebook and the open source community. Osquery is actively used by many companies to collect data from hosts and proactively hunt for abnormalities.
Osquery makes it easy to ask targeted or broad questions about a heterogeneous infrastructure. Besides being open source, osquery is multi-platform (Windows, Linux, Mac, and FreeBSD), powerful and provides countless query possibilities with hundreds of tables with thousands of fields in a simple SQL query syntax.
In this training you will learn about osquery internals, how to understand queries, how to deploy an interface to manage and gain visibility to improve detection and threat hunting, and more.
Rodrigo "Sp0oKeR" Montoro, Felipe "Pr0teus" Espósito
How A Fortune 500 Company Suppressed Our Research Through Legal Threats
ABSTRACT: When we took on a consulting project to audit an alcohol breath testing machine for a group of DUI attorneys, we never expected that a Fortune 500 company would threaten legal action to suppress our results. We also didn’t expect that the attorneys who engaged us would run for cover, and that we’d be left entirely on our own. However, that’s exactly what happened, and it effectively put our company out of business. Through this experience, we learned first-hand that what happens in the legal system often has little to do with justice, and also that the legal system can be an effective weapon against the public interest.
Of course, we also learned a lot about the inner workings of alcohol breath testing machines, some of which we absolutely can’t talk about, but a lot of which is public. We hope to inspire hackers to build on this foundation of public data and shed more light on what is known about machines that can–in a very real sense–control your life.
T Prophet, Falcon Momot
Why Can't We Be Friends? (Get Spotted With A Fed)
Do you dance madly on the lip of the volcano regarding your security research? Or would you like to research a particular topic that you feel might have a non-desirable personal outcome? Do you know someone who does these things? If so, you should come to this session and learn about some processes and relationships where more people can benefit than before.
Russell Handorf
Ask The EFF
“Ask the EFF” will be a panel presentation and unrecorded question-and-answer session with several staff members of the Electronic Frontier Foundation, the nation’s premier nonprofit digital civil liberties group. Each staffer will discuss a particular issue that has been in the news or on EFF’s docket this year.
Nate Cardozo, Kurt Opsahl, Nash Sheard, Eva Galparin