09:30 - 09:55
Opening Remarks

This is the 10 year anniversary of BSides LV. A lot has changed and even improved over the past decade, but some persistent challenges remain. We’ve seen high-profile attacks, the rise of nation-state attacks, and many other changes in the threat landscape. More recently we’ve seen some attackers favoring disinformation and hybrid attacks. We’ve also seen some products inching towards a “secure by design” model. Bob has had a front row seat to some of these events and transformations. He’ll share some of his observations and a few key reasons to be optimistic about the future, and ways you can help.

Bob Lord
11:30 - 12:25
BEEMKA / Electron Post-Exploitation When The Land Is Dry

Now that you have a shell, you need to establish persistence. How about this time, you use slack.exe without modifying its signature? Or Skype, WhatsApp, or even Visual Studio Code?

An architecture decision makes backdooring legitimate applications easy, and enables attackers to egress data from both within the application (your stored passwords / application session etc) and from the operating system. And as ElectronJS is cross-platform, the sky’s the limit! Batteries included – yes, there’s a tool for that!

Pavel Tsakalidis

We are hackers, we won’t do as you expect or play by your rules, and we certainly don’t trust you. JAR files are really ZIPs…unzip them! So are DOCX, XLSX, PPTX, etc. Open them up! macOS applications (.app “files”) are really browsable directories?! Sweet, let’s do that.

Less well known but similarly prevalent are Flat Package Mac OS X Installer (.pkg) files. These are actually XAR archives containing many plaintext files (including scripts) with plenty to examine without installing.

In this presentation I’ll walk through extracting the contents of these installer packages, understanding their structure, and how they work while highlighting where security issues can come up. To drive the point home of what can go wrong, I’ll include examples of security issues I’ve seen in the wild and show how they can be exploited to elevate privileges and gain code/command execution.

After this talk, .pkg files will no longer be opaque blobs to you. You’ll walk away knowing tools and techniques to examine, understand what they’re really doing, and a methodology for finding bugs in them. As a final bonus, I’ll include a subtle trick or two that can be used on red teams.

Andy Grant
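As an added illustration of the .pkg talk above (this is not the speaker's tooling, and it is not code from the original page), the block below does two things in Python with only the standard library: it lists and triages the members of an Office-style ZIP, and it builds and then parses a minimal XAR-style container of the kind a flat .pkg is, pulling the installer scripts out of the heap without running the installer. The Office ZIP and the XAR archive are both constructed in memory; the XAR table of contents here is deliberately simplified (flat file list, no checksums), so real installer packages carry more metadata and nesting than this reader handles.

```python
import io
import struct
import xml.etree.ElementTree as ET
import zipfile
import zlib

# --- JAR / DOCX / XLSX / PPTX are plain ZIP archives ----------------------

def build_sample_office_zip() -> bytes:
    """Constructed Office-style ZIP (not a real document) with a macro blob to find."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("[Content_Types].xml", "<Types/>")
        zf.writestr("word/document.xml", "<w:document/>")
        zf.writestr("word/vbaProject.bin", b"constructed-macro-blob")
    return buf.getvalue()

def list_zip_members(data: bytes) -> list:
    """Any JAR/DOCX/XLSX/PPTX can be listed like this before its application ever opens it."""
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        return zf.namelist()

def suspicious_zip_members(data: bytes) -> list:
    """Members that deserve a closer look: VBA projects and executable payloads inside a 'document'."""
    risky = (".exe", ".dll", ".js", ".vbs", ".jar")
    return [n for n in list_zip_members(data)
            if "vbaproject" in n.lower() or n.lower().endswith(risky)]

# --- Flat .pkg is a XAR archive: header, zlib-compressed XML TOC, then the heap ---

XAR_MAGIC = b"xar!"
# magic, header size, version, TOC length (compressed), TOC length (uncompressed), checksum algorithm
XAR_HEADER = ">4sHHQQI"

def build_sample_xar(files: dict) -> bytes:
    """Constructed minimal XAR container; real installer TOCs carry more metadata and nesting."""
    heap, entries = b"", []
    for fid, (name, body) in enumerate(files.items(), start=1):
        entries.append(
            f'<file id="{fid}"><name>{name}</name><type>file</type><data>'
            f'<offset>{len(heap)}</offset><length>{len(body)}</length><size>{len(body)}</size>'
            f'<encoding style="application/octet-stream"/></data></file>')
        heap += body
    toc = ("<xar><toc>" + "".join(entries) + "</toc></xar>").encode()
    ctoc = zlib.compress(toc)
    header = struct.pack(XAR_HEADER, XAR_MAGIC, struct.calcsize(XAR_HEADER), 1,
                         len(ctoc), len(toc), 1)
    return header + ctoc + heap

def read_xar(data: bytes) -> dict:
    """Parse the header, inflate the TOC and slice each file out of the heap: nothing gets installed."""
    hdr_len = struct.calcsize(XAR_HEADER)
    magic, header_size, _version, ctoc_len, toc_len, _alg = struct.unpack(XAR_HEADER, data[:hdr_len])
    if magic != XAR_MAGIC:
        raise ValueError("not a XAR archive")
    toc = zlib.decompress(data[header_size:header_size + ctoc_len])
    if len(toc) != toc_len:
        raise ValueError("TOC length mismatch")
    heap_start = header_size + ctoc_len  # heap offsets are relative to the end of the compressed TOC
    members = {}
    for f in ET.fromstring(toc).iter("file"):
        d = f.find("data")
        if d is None:
            continue
        off, ln = int(d.findtext("offset")), int(d.findtext("length"))
        members[f.findtext("name")] = data[heap_start + off:heap_start + off + ln]
    return members

def package_scripts(data: bytes) -> dict:
    """preinstall/postinstall scripts run with the installer's (root) privileges: read them first."""
    return {n: b.decode() for n, b in read_xar(data).items() if n.startswith("Scripts/")}

def risky_script_lines(script: str) -> list:
    """Flag lines that leave world-writable paths behind, a common root cause of installer privilege bugs."""
    return [ln for ln in script.splitlines() if "chmod 777" in ln or "chmod -R 777" in ln]
```

The same header-then-TOC-then-heap walk is what `xar -t` and `pkgutil --expand` do for you; doing it by hand makes clear that every script and plist is plaintext sitting in the heap, which is why a package can be fully audited before it is ever installed.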

Imagine yourself looking through a myriad of crash dumps trying to find that one exploitable bug that has escaped you for days!

And if that wasn’t difficult enough, the defenders know that they can make us chase ghosts and red herrings, making our lives waaaay more difficult (Chaff Bugs: Deterring Attackers by Making Software Buggier, https://arxiv.org/pdf/1808.00659.pdf).

Offensive research is a great field to apply Machine Learning (ML), where pattern matching and insight are often needed at scale. We can leverage ML to accelerate the work of the offensive researcher looking for fuzzing->crashes->exploit chains.

Current techniques are built using sets of heuristics. We hypothesized that we can train an ML system to do as well as these heuristics, faster and more accurately.

Machine Learning is not the panacea for every problem, but an exploitable crash has multiple data points (features) that can help us determine its exploitability. The presence of certain primitives on the call stack or the output of libraries and compile-time options like libdislocator, address sanitizer among others, can be indicators of “exploitability”, offering us a path to a greater, more generalized insight.

A demo will be shown live on stage (and if the gods permit, a tool released)!

Guy Barnhart-Magen, Ezra Caltum

Following the reveal of speculative execution vulnerabilities, Meltdown was mitigated in software by separating the address space to ring0 and ring3 views. Though it sounds simple, it changed the memory management in all major operating systems drastically and introduced a new hidden area between user-mode and the kernel where code can execute.

In this talk we cover the fundamental details of Meltdown, dive deep into KVA Shadow internals and show how we used it to bypass PatchGuard and HyperGuard.

Moreover, as the mitigation was implemented in all the major operating systems and on some it was even backported to all supported versions, we’ll discuss the security issues it presents, new avenues it opens for rootkits and what countermeasures should be taken in light of them.

Omri Misgav, Udi Yavo

Direct brain-machine interface (BMI) has moved from science fiction to daily fact, and a new frontier of Infosec is emerging: neurosecurity. Invasive and non-invasive BMIs now augment operators in many walks of life. Neuroimplants treat a range of neurological and psychiatric conditions: traditionally chronic pain, depression, Parkinson’s, and recently obesity and drug addiction. Advances in neural and neuronal interface now allow direct connections to machinery (computers, robotics, cars, artificial limbs, etc.) providing either human control of the machine, or introduction of machine data into the human. Apple iOS devices are two years into being the largest digital ecosystem to directly support information feeds to brain-connected implants. A patent search reveals that over 3800 patents were filed for BMI technology in 2018 alone. Entirely new attack surfaces are therefore available to be exploited by malicious cyber-criminals, making the security of these devices of paramount importance, and not a consideration to be ignored until these attacks have already occurred. This presentation will chronicle and categorize present and near-future threats, known and potential countermeasures, and cut through hyperbole and sensationalism to expose and discuss the reality of the emerging neurosecurity landscape.

Ben D Sawyer, Matt Canham
09:00 - 09:25
Opening Remarks
09:30 - 10:25
Board Communications
11:00 - 11:55
Zero Trust
13:00 - 13:55
Supply Chain Security
14:30 - 15:25
AppSec/SDLC/DevSecOps
15:30 - 16:25
Crisis Communication & Brand Monitoring
16:30 - 17:25
CISO Unconference
17:30 - 17:55
Closing Remarks
11:30 - 12:25
DLP Sucks and Why You Should Use It

Everyone hates DLP. It’s hard to implement, never lives up to its promises, users hate getting block messages, and admins get buried in alerts. Unfortunately, organizations often need to meet regulatory or audit requirements and DLP is the only viable solution. In this presentation, participants will hear how one company grudgingly adopted DLP and turned it into a value-added service.

John Orleans

Hacktivists. Disgruntled employees. Terrorists. Countries or people that just hate each other. We all know about the increasing frequency of attacks, but the majority of malicious actors are driven by a clear profit motive. Where are the damaging but not financially-motivated attacks, the folks that just want to mess things up? Think of it like Drake’s famous equation on the probability of extraterrestrial life: a small percent with the means and a small percent with the motive still means a non-zero probability of overlap. If a criminal gang can take down an organization for money, why haven’t more people done it for petty vengeance, politics, or just the lulz? We tackle these weighty questions at the intersection of geopolitics, public safety and infosec in the format with the most gravitas: a game show. Our panel of experts will try to win points, predict the future, and avoid overly obvious innuendo.

Allan Friedman, Chris Kubecka, Bryson Bort

IT and Security Teams collect data from as many sources as possible with the mindset of detecting malicious activities, anomalies, performance monitoring or troubleshooting.
Data can tell more than just what the log shows.
The contemplator approach is about understanding your data and what else it can tell through enrichment, even if it is not related to the primary purpose of the log. For this approach, data enrichment is classified in 5 categories: format, geospatial, categorical, intelligence and labeling. Each category helps in understanding what type of enrichment can be applied to given fields in a log.
Data enrichment increases the context, opening human and machine learning eyes to a wider picture of happenings.
Happenings can be used for security monitoring, security reporting or business intelligence.
Data enrichment can be used to detect licensed software downloaded from an embargoed country, acquisitions involving competitors, network scans and DDoS orchestrated using a given network carrier, scam calls, pricing espionage in ecommerce websites, companies looking at your website content, and more.
You only see what your logs want you to see. What else can you see?

Rodrigo Brenes, Pedro Rodriguez
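The five enrichment categories described in the talk above (format, geospatial, categorical, intelligence, labeling) applied to a few constructed web-server access-log lines, as an added example that is not the speakers' code. The log lines use documentation IP ranges, and the GeoIP, carrier/ASN, embargo and threat-intel tables are small inline stand-ins for the feeds a real pipeline would join against; the country code "ZZ" and the competitor organisation are fictional placeholders.

```python
import ipaddress
import re
from datetime import datetime, timezone

# Constructed access-log lines (documentation IP ranges, fictional paths)
RAW_LOGS = [
    '203.0.113.7 - - [10/Aug/2019:09:31:02 +0000] "GET /downloads/product-v2.zip HTTP/1.1" 200 5120',
    '198.51.100.23 - - [10/Aug/2019:09:31:05 +0000] "GET /pricing HTTP/1.1" 200 3310',
    '192.0.2.9 - - [10/Aug/2019:09:31:09 +0000] "GET /admin HTTP/1.1" 404 210',
    '192.0.2.9 - - [10/Aug/2019:09:31:10 +0000] "GET /.env HTTP/1.1" 404 210',
]

LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
                    r'"(?P<method>\S+) (?P<path>\S+) \S+" (?P<status>\d{3}) (?P<bytes>\d+)$')

# Constructed lookup tables standing in for GeoIP, ASN/carrier and threat-intel feeds
GEO = {ipaddress.ip_network("203.0.113.0/24"): "ZZ",   # "ZZ": fictional embargoed country
       ipaddress.ip_network("198.51.100.0/24"): "US",
       ipaddress.ip_network("192.0.2.0/24"): "US"}
CARRIER = {ipaddress.ip_network("198.51.100.0/24"): "ExampleCompetitor Inc (AS64500)"}  # private-use ASN
EMBARGOED = {"ZZ"}
COMPETITOR_ORGS = {"ExampleCompetitor Inc (AS64500)"}
INTEL_BAD_IPS = {"192.0.2.9": "mass-scanner"}

def enrich_format(line: str) -> dict:
    """Format: turn free text into typed fields (timestamp -> UTC datetime, status/bytes -> int)."""
    m = LOG_RE.match(line)
    if not m:
        raise ValueError(f"unparsed line: {line!r}")
    e = m.groupdict()
    e["ts"] = datetime.strptime(e["ts"], "%d/%b/%Y:%H:%M:%S %z").astimezone(timezone.utc)
    e["status"], e["bytes"] = int(e["status"]), int(e["bytes"])
    return e

def _lookup(table: dict, ip: str):
    addr = ipaddress.ip_address(ip)
    return next((v for net, v in table.items() if addr in net), None)

def enrich_geospatial(e: dict) -> dict:
    """Geospatial: where does the client sit?"""
    e["country"] = _lookup(GEO, e["ip"])
    return e

def enrich_categorical(e: dict) -> dict:
    """Categorical: bucket free-form values so they can be counted and compared."""
    first = e["path"].split("/")[1] if "/" in e["path"] else ""
    e["resource_class"] = {"downloads": "download", "pricing": "pricing", "admin": "admin"}.get(first, "other")
    e["status_class"] = f"{e['status'] // 100}xx"
    return e

def enrich_intelligence(e: dict) -> dict:
    """Intelligence: join against external knowledge (carrier/ASN, threat feeds)."""
    e["carrier"] = _lookup(CARRIER, e["ip"])
    e["intel"] = INTEL_BAD_IPS.get(e["ip"])
    return e

def enrich_labeling(e: dict) -> dict:
    """Labeling: derived verdicts that security monitoring, reporting or BI can filter on directly."""
    labels = []
    if e["resource_class"] == "download" and e["country"] in EMBARGOED:
        labels.append("embargoed-download")
    if e["resource_class"] == "pricing" and e["carrier"] in COMPETITOR_ORGS:
        labels.append("competitor-pricing-view")
    if e["intel"]:
        labels.append(f"intel:{e['intel']}")
    if e["status_class"] == "4xx" and e["resource_class"] in ("admin", "other"):
        labels.append("probe")
    e["labels"] = labels
    return e

def enrich(line: str) -> dict:
    e = enrich_format(line)
    for step in (enrich_geospatial, enrich_categorical, enrich_intelligence, enrich_labeling):
        e = step(e)
    return e

def enrich_all(lines=RAW_LOGS) -> list:
    return [enrich(ln) for ln in lines]
```

Each stage only adds fields, so the raw line is never lost and the labels stay explainable: an analyst can see that "embargoed-download" came from the country lookup plus the resource class, not from an opaque score. The same enriched records serve the business-intelligence questions the abstract lists (who is viewing pricing) and the security ones (who is probing for .env files).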

Information security has a diversity problem; study after study has shown this to be true. Women, People of Color and other groups are sorely under-represented and there are few signs of any tangible improvement. Why should we care? Why don’t typical diversity efforts work? What can we do to make information security more inclusive and attract members of these under-represented groups? This interactive, moderator-led panel discussion will dig into the issues and talk about actionable steps that individuals and organizations can take to improve inclusion and diversity in security. As part of the session, the panel will invite attendees to share their experiences for further discussion. This will be a chance to join a casual, safe, and productive conversation focused on idea sharing and problem-solving. Working together, we can help the security community do better and be better.

Alyssa Miller, Chloe Messdaghi, Stephanie Ihezukwu
A panel of four CISOs from our CISO track & Ian Amit as moderator
11:30 - 12:25
SSO Wars: The Token Menace

It is the year 2019. Humanity has almost won its long-standing war against Single-Sign On (SSO) bugs. The last of them were discovered and eradicated some time ago and the world is now living in an era of prosperity while the Auth Federation enjoys peaceful CVE-free times. However, while things seem to be running smoothly, new bugs are brewing at the core of major implementation libraries. This is probably the last chance for the evil empire to launch a world scale attack against the Auth Federation.

In this talk, we will present two new techniques:
1) A new breed of SAML implementation flaws that break XML signature validation and enable arbitrary modification of the SAML assertion, which enables attackers to authenticate as arbitrary users or grant themselves arbitrary authorization claims. Although any implementation may be affected by this flaw, we will show how it affects Microsoft Windows Identity Framework (WIF) applications, Windows Communication Foundation (WCF) web services, and flagship products such as SharePoint and Exchange Servers.
2) A bug in the .NET crypto library, which may allow attackers to gain Remote Code Execution (RCE) or Denial of Service (DoS) depending on the availability of code gadgets in the target server.

Alvaro Munoz, Oleksandr Mirosh

Many solutions offer a variety of features that help combat credential-stealing malware, but tools like BloodHound often fall under the radar. When nearly 40% of organizations do not actively discover their privileged accounts, a new approach to the problem is needed to protect against more advanced threats. In this talk I will cover the following:

Techniques – How attackers exploit privileged access gaps
Discover – How to gain insights into privileged accounts and their activities
Enforce – Ideas for auto-remediation and innovative approach to mitigate advanced threats

Nir Yosha

If identity is the new perimeter, it is also the new battleground. Each new breach of credential data leads to a ripple effect of identity theft and fraud across enterprises, regardless of industry. A single leaked password from an obscure forum can result in the full compromise of enterprises today. Every week brings a new dump of passwords to add to the conveniently packaged and widely distributed combolists that feed wide-scale credential-based attacks.

We need to start thinking of data breaches, particularly those of identity-related data, as a systemic problem—not something that only impacts the breached organization.

This talk will detail not only how and why breached credentials affect every organization—including a look at some of the methods and tools used by attackers—but also introduce new best-practices and an open source tool for defending against these threats.

Robert Paul

We’re moving from pets to cattle when it comes to infrastructure. How has the adversary adapted? Given that servers are ephemeral, stateless and usually well secured, is brute-forcing still a top priority? This talk will identify brute-forcing patterns and timing metrics on fully-patched SSH servers in public clouds. It also comes with a twist: what happens when we give them a hint. Are reconnaissance and attack tools so automated that they ignore useful information?

John Brunn

User authentication is hard. It’s a constant struggle between ease of use and effectiveness. Passwords are still the default choice, but password problems continue to grow in occurrence and complexity. User education about ‘good passwords’ and phishing has not been sufficient. We need something better.

Fortunately, better options already exist. U2F has proven effective over the years, and its successor, WebAuthn, is even better.

This talk will discuss how WebAuthn provides strong authentication, where FIDO security keys are already supported, and how to add support to your own stuff.

Jen Tong
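The relying-party side of the WebAuthn assertion ceremony the talk above refers to, as an added example that is not the speaker's code: it parses the authenticatorData structure (rpIdHash, flags, signature counter), checks clientDataJSON against the challenge and origin the server issued, and applies the scoping and clone-detection checks that make a FIDO key phishing-resistant. The authenticator output is constructed inline; the final step, verifying the credential's public-key signature over authenticatorData || SHA-256(clientDataJSON), needs a crypto library and is left out, but the function returns exactly the bytes that signature must cover.

```python
import base64
import hashlib
import json
import struct

# Flag bits in authenticatorData (WebAuthn spec): user present, user verified, attested cred data, extensions
FLAG_UP, FLAG_UV, FLAG_AT, FLAG_ED = 0x01, 0x04, 0x40, 0x80

def b64url(data: bytes) -> str:
    """Base64url without padding, as used for the challenge inside clientDataJSON."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def parse_authenticator_data(auth_data: bytes) -> dict:
    """authenticatorData = rpIdHash(32) | flags(1) | signCount(4, big-endian) | optional fields."""
    if len(auth_data) < 37:
        raise ValueError("authenticatorData too short")
    rp_id_hash, flags = auth_data[:32], auth_data[32]
    (sign_count,) = struct.unpack(">I", auth_data[33:37])
    return {"rp_id_hash": rp_id_hash, "user_present": bool(flags & FLAG_UP),
            "user_verified": bool(flags & FLAG_UV), "attested": bool(flags & FLAG_AT),
            "extensions": bool(flags & FLAG_ED), "sign_count": sign_count}

def verify_assertion(rp_id, origin, expected_challenge, client_data_json, auth_data,
                     stored_sign_count, require_uv=False):
    """Relying-party checks that come before signature verification.
    Returns (ok, reason, signed_payload); signed_payload is what the credential's public key
    must have signed, to be checked with a crypto library (not done here)."""
    cd = json.loads(client_data_json)
    if cd.get("type") != "webauthn.get":
        return False, "wrong ceremony type", None
    if cd.get("challenge") != b64url(expected_challenge):
        return False, "challenge mismatch: stale or replayed response", None
    if cd.get("origin") != origin:
        return False, "origin mismatch: response was produced for another site", None
    ad = parse_authenticator_data(auth_data)
    # The key is scoped to the RP ID: a credential registered elsewhere cannot answer for us.
    if ad["rp_id_hash"] != hashlib.sha256(rp_id.encode()).digest():
        return False, "rpIdHash mismatch: credential scoped to another site", None
    if not ad["user_present"]:
        return False, "user presence not asserted", None
    if require_uv and not ad["user_verified"]:
        return False, "user verification required but absent", None
    # Counter must strictly increase (when either side uses one); a regression suggests a cloned key.
    if (ad["sign_count"] or stored_sign_count) and ad["sign_count"] <= stored_sign_count:
        return False, "signature counter did not increase: possible cloned authenticator", None
    signed = auth_data + hashlib.sha256(client_data_json).digest()
    return True, "ok", signed

def build_sample_assertion(rp_id, origin, challenge, sign_count, flags=FLAG_UP | FLAG_UV):
    """Constructed clientDataJSON and authenticatorData (no real authenticator involved)."""
    auth_data = hashlib.sha256(rp_id.encode()).digest() + bytes([flags]) + struct.pack(">I", sign_count)
    client_data = json.dumps({"type": "webauthn.get", "challenge": b64url(challenge),
                              "origin": origin}).encode()
    return client_data, auth_data
```

The origin and rpIdHash checks are where the phishing resistance lives: the browser, not the user, fills in the origin, and the authenticator hashes the RP ID into the signed data, so a response obtained on a look-alike domain fails verification on the real one. On success, persist the new sign_count for that credential before accepting the login.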
11:30 - 12:25
Applying Information Security Paradigms to Misinformation Campaigns: A Multidisciplinary Approach

A misinformation attack is the deliberate promotion of false, misleading, or mis-attributed information, often designed to change the beliefs of large numbers of people. Misinformation is an information security problem in part because information technology and the internet are how misinformation messages are generated, transmitted and received. Historically, large-scale misinformation (propaganda) has been the domain of nation-states, but the Internet has also enabled non-state actors to have effects formerly only available to nation-states. Additionally, the Internet has enabled nation-states to conduct influence campaigns in a new manner that is less attributable and can therefore be conducted without substantial risk of starting a war.

Power-motivated misinformation has been studied as an information security problem, an information operations problem, a form of conflict, a social problem and a news-source pollution. Each of these studies uses a different framing and ontology; we cover the adaptation of existing information security frameworks and principles into a framework and common ontology for these communities to share information about misinformation campaign incidents and conduct component-wise response to them. We also describe the links between information operations, artefact-based data science and narrative analysis of misinformation campaigns.

Pablo Breuer, SJ Terp

The majority of security teams are stuck between a rock (almost static risk registers, updated quarterly from hand-curated spreadsheets), and a hard place (a SIEM – or several! – aggregating 1000s of alerts). But neither of these create, deliver, nor easily link inputs and outputs and reasoning to business context.

If you forgot the status quo existed, and imagined nirvana, what might that look like?

For the Photobox Group Security team, the answer was: “A continuously updating knowledge graph, that automatically links security and business data to create relevant relationships between all the parts of our enterprise ecosystem, and which enables us to input, query, visualize, share, update and distribute information. In seconds.”

This talk demos the technology stack we’ve built to achieve that, using commercially available SaaS-based components including JIRA, Slack and ELK. We’ll open-source the code to run the robot army and give you an introductory handbook for how to adopt a graph-based approach to security in your own organisation (starting with data you already have!).

Jon Hawes

Historically, detection has been performed on point anomalies – a log comes in, the log is analyzed, and a decision is made to alert based on that analysis. Similarly, investigations are based on searches over isolated events – an alert fires and you manually try to find related events based on ad-hoc queries.

Grapl aims to move beyond individual events as the fundamental abstraction and focus instead on relationships. Logs are parsed into graph representations and merged into a master graph representing all actions occurring across your environments. This approach allows for relationship-based detections and more efficient, ergonomic investigations.

Grapl handles the work of turning logs into subgraphs, orchestrating signatures executing across the graph, and automatically scoping investigations through expansion of the graph.

Colin OBrien

The fields of business intelligence, marketing, and user behavior research all make use of user segmentation to help organizations develop a better understanding of their userbase. Oftentimes users are segmented based on attributes such as demographics, geography, or purchase and usage behavior. When based on data around user account security practices, this methodology can also be applied to understanding the security of a userbase. This talk will explore the application of various segmentation techniques to security-related attributes of user accounts, such as 2FA adoption, unusual sign in notifications, and more. We’ll also cover how results from this research can be directly applied to help protect your users. No previous machine learning or data analysis experience is necessary; this talk will be introductory in nature.

Emily Austin

A SOC requires trust in the alert process, especially for machine learning models; alerts which cannot be mapped back to system logs or seem like obvious false positives to an analyst endanger that trust. Rule-based whitelists are one attempt at circumventing these issues, but they can cause detection teams to miss legitimate attacks. For example, preventing alerts from being generated when both the source and destination of a network flow are inside the network boundary will obscure attackers proxying through internal hosts.

We demonstrate how modeling improves upon whitelists to solve the problem of inactionable alerts. For our detection models, we stack a new model answering the question, “How likely is this event to be characterized as inactionable?” in a policy layer. This serves two purposes: it deprioritizes alerts that are unable to be investigated because of detectable data correlation loss, and it acts as a blanket policy to suppress results which investigators will see and throw away as obvious false positives. We show how doing so drastically decreases our false positive rates while continuing to alert on truly suspicious events.

John Seymour

Recent research has shown that many machine learning algorithms are susceptible to misclassification via the construction of adversarial examples. These cleverly crafted inputs are designed to toe the line of classifier decision boundaries, and are typically constructed by slightly perturbing correctly classified samples until the classifier misclassifies it, even though the sample is largely the same. Researchers have published ways to construct these examples with full, some, or no knowledge of the target classifier, and have furthermore shown their applicability to a variety of domains, including in security.

In this talk, we’ll discuss several experiments where we attempted to make Meterpreter – a well-known and well-signatured RAT – into an adversarial example. To do this, we leveraged the open-source gym-malware package, which treats the classifier as a black box and uses reinforcement learning to train an agent to apply perturbations that result in evasive malware. Deviating from existing work, our approach trained the agent on differently-compiled versions of Meterpreter, as opposed to a large corpus of unrelated malware samples. The results of our experiments were underwhelming, showing little difference between our trained agent and random perturbations. However, further analysis of the results highlights interesting trends and areas for future research.

Andy Applebaum

Over the past year several researchers gave talks proposing the use of embedding models for measuring code similarity. At least four different embedding models are currently available, however there has not been an evaluation of these methods. In this talk I will provide an overview of the four methods, as well as a comparison of their computational complexity. I will also attempt to measure how well these embeddings encode interesting information by comparing the similarity of the embeddings generated between systems.

Rob Brandon
11:30 - 11:55
Now that you hacked the plane, what are you going to do about your career?

We all know how to do the really cool hacking stuff, but what do we really want to do about our careers? We can hack, pentest and reverse code all day long, but does that mean we are really enjoying ourselves in our career? Chris will share some insights from his career and his thoughts on what participants need to take full advantage of while at BSidesLV for their career development.

Chris Roberts

Sarah has worked in tech for about a decade now, but she had a not-so standard start into the IT industry, and eventually found her way into security.

Many professionals entering the information security work force start out by doing a computer science degree or diploma or some kind of tertiary qualification. Sarah is the proud owner of an Arts degree and only ever did a bit of IT on the side at school. Information Security needs people to perform all types of roles, not just penetration testers. We need educators, mentors, blue teamers, compliance teams, etc. etc.

This talk will show how, no matter your background, this industry is changing and needs professionals from all areas. During this talk I will discuss my research into people who have worked in tech for a few years or a long time and who have non-linear paths into IT, and how their contribution is making a difference to the industry. My research shows statistically how diverse educational backgrounds are benefiting the industry, in terms of both technical capability and even culturally.

Sarah Young

I will discuss my personal journey into cybersecurity, how to identify needs, and creating your own educational path to support your goals. Fill in the gaps in cybersecurity by creating your own path and finding your sense of purpose. Cybersecurity is a new field and in a way, we are the pioneers of this field. There is no “right way” to get into cybersecurity, and the opportunities are endless.

Cherie Burgett

Our field is full of extremely creative people who have a lot to offer the industry. But often we lose focus because we are working for a company that has their own goals and competing priorities. This leads to long hours of work, a declining quality of life, and various other troubles. In this talk I focus on the tidal wave of DOD-related opportunities that exist to fund novel research and cutting edge technology, all while allowing autonomy of the individual. I’ve personally used these sources to transition to running my own company and have helped a lot of folks in the industry do the same. I’ll discuss why people should consider this as a career path, where to find these resources, and walk through exactly how to apply.

John Grigg

“You need to fail in order to succeed. – Roy” A successful career path in information security comes from a wide variety of different opportunities, experiences, networks, roles, failures and having good luck.

I will share how my unique roles and experiences over 20+ years have ultimately translated to a career in information security. I will also additionally share my experiences of how I FAILED to become the healthcare information security professional, faculty member and community builder that I am today.

Roy Wattanasin

A common saying is that it is a full-time job finding a job, but who really has the time? According to the Department of Labor, most professionals will have at least 15 jobs in their lifetime, and in our community, that number is almost double. What are the tools and strategies to always have on hand so that you can navigate your career search? A frank discussion with a panel of recruiters about career strategies and fails.

Matt Duren, Richard Cho, Kris Rides, Megan Calidonna, Erica Schneider
11:30 - 11:55
I Am The Cavalry Track Welcome and Overview

Our dependence on connected technology is STILL growing faster than our ability to safeguard ourselves – security failures impact human life and public safety. This talk gives an overview of what’s changed in the past year, introduces I Am The Cavalry to those unfamiliar with the initiative, and sets up the next two days of talks in this track and in Public Ground.

Joshua Corman, Beau Woods

“Hackers of the world – unite?”
We are taught there is strength in coming together, but must we all speak the same language? Do the same things to achieve impact? I think not. This talk will be an international point of view about the global and different state of hacker communities, and the meaning of the word hacker – past, present and future.

Keren Elazari

This discussion would be a reflection of past public, good and bad, disclosures based on past experiences and data collected by CISA. It would also attempt to highlight vendor disclosure policies, software development lifecycles and describe common asset owner patching cycles from the industrial control system perspective in comparison to researcher disclosure policies.

Jay Angus

Bladerunner was supposed to be science fiction. And yet here we are today with bots running loose beyond their intended expiration and with companies trying to hire security people to terminate them. This is 2019 and we have several well-documented cases of software flaws in automation systems causing human fatalities. Emergent human safety risks are no joke and we are fast approaching an industry where bots are capable of pivoting and transforming to perpetuate themselves (availability) with little to no accountability when it comes to human aspirations of not being killed (let alone confidentiality and integrity).

This talk will frame the issues for discussion in the Public Ground track later. Perhaps you are interested in building a framework to keep bot development pointed in the right direction (creating benefits) and making AI less prone to being a hazard to everyone around? Welcome to 2019 where we are tempted to reply “you got the wrong guy, pal” to an unexpected tap on the shoulder …before we end up on some random roof in a rainstorm with a robot trying to kill us all.

Davi Ottenheimer

A “software bill of materials” (SBOM) that lists third party components can help the open source community, developers, software vendors, and enterprise customers address security risks, vulnerabilities, and supply chain concerns. Visibility into the underlying third party components that undergird software can help those across the supply chain make better security decisions about a range of risks. To date, however, there has not been a widely accepted practice on how to assemble and communicate this data between those developing software and those securing it or using it. Without visibility into third party components, developing organizations cannot understand the deeper security risks in what they assemble, organizations lack insight into security risks from outdated or insecurely sourced open components in what they are building or buying, and security teams cannot easily and efficiently determine whether their systems are potentially at risk from newly discovered vulnerabilities.

What was once heresy is becoming a reality! This talk will present on progress made in a recent cross-sector effort convened by NTIA, and give an overview on the whats, the whys, and the hows of SBOM and software component transparency.

Allan Friedman

While the hacker community has sounded the alarm on IoT security issues in the past several years, the companies producing these vulnerable devices often lack the security skills and funds to deal with the problems. What we don’t need is another expensive commercial security product. We need Free Software tools. In this talk, we introduce ByteSweep: a Free Software IoT security analysis platform. This platform will allow IoT device makers, large and small, to conduct fully automated security checks before they ship firmware. First, we will walk through our process for firmware extraction, file data enrichment, key and password hash identification, unsafe function use detection, 3rd party component identification and CVE correlation. Then we will demonstrate the ByteSweep platform using the firmware from a couple of wireless security cameras.

Matt Brown

Loss of the flying public’s trust in reliable, safe, & trustworthy air travel could impact national security. While the US government & the aviation industry are working hard, individually and cooperatively, hackers are trying to get their attention and contribute, too. Understanding government work is a daunting effort that often leads to confusion, concern, and ultimately frustration that results in great work going unnoticed or unused. By providing insight into how the government makes decisions, hackers can better understand what is going on behind the scenes in aviation cybersecurity, hopefully, leading to increased trust and willingness to contribute in bolstering the cybersecurity of air travel.

Steve Luczynski
11:30 - 11:55
Bestsellers in the Underground Economy - Measuring Malware Popularity by Forum

While you can patch against malware that has been infecting your tech stack or targeting your competitors, what about malware that hasn’t been in the news? This presentation will cover what malware and tools are popular among underground criminal forums based on prevalence in forum advertisements, how they differ between forums, and why understanding that difference matters.

Winnona DeSombre

In July 2018, over a decade after the DES encryption algorithm was retired, 3DES was also officially deprecated. While previous work suggests a successful deprecation of DES, with less than 1% of observed SSL/TLS handshakes using some form of DES up until 2018, such work tends to be limited in scope and does not necessarily capture the true persistence of DES across the entire TLS ecosystem. We actively investigate online support for DES and DES-derivative ciphers by querying IP addresses responsive to port 443 connection attempts. To achieve this, we design and implement our own Internet scanning tool built upon ZMap and attempt to negotiate handshakes exclusively using DES ciphers. In total, we have scanned over 24 million unique IP addresses and found that nearly half of them can still successfully establish an HTTPS connection using at least one DES cipher. Moreover, we also find that many servers still support DES40 (which can be broken in seconds) and anon ciphers (which offer no certificate verification and are vulnerable to man-in-the-middle attacks). Our investigation demonstrates the biases and misunderstandings in previous weak cipher studies within the TLS ecosystem, and discloses the severity of this problem by targeting DES-based cipher suites.

Vanessa Frost
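The defender-side counterpart to the DES scan described above, as an added example that is neither the speaker's scanner nor code from the original page: a classifier that explains why each cipher-suite name in a scan result is weak (single DES, DES40/export grade, 3DES, anonymous key exchange, NULL, RC4), plus a check that resolves an OpenSSL cipher string the way a server configuration would and reports which weak suites survive. The scan-result list is constructed; the `HARDENED` string is one reasonable modern configuration, not a recommendation taken from the page.

```python
import ssl

# Constructed cipher-suite names, in the OpenSSL naming a scanner or `openssl ciphers -v` reports
SCAN_RESULT = [
    "ECDHE-RSA-AES128-GCM-SHA256",  # fine
    "DES-CBC3-SHA",                 # 3DES, deprecated in 2018
    "DES-CBC-SHA",                  # single DES
    "EXP-DES-CBC-SHA",              # DES40 export grade
    "ADH-DES-CBC3-SHA",             # anonymous DH plus 3DES
    "AECDH-AES128-SHA",             # anonymous ECDH: no certificate at all
    "NULL-SHA256",                  # integrity only, no encryption
    "RC4-SHA",
]

def classify_suite(name: str) -> list:
    """Return the reasons a cipher-suite name is weak; an empty list means nothing was flagged."""
    n = name.upper()
    reasons = []
    if n.startswith(("EXP", "EXPORT")) or "DES40" in n or "RC2-CBC-40" in n or "RC4-40" in n:
        reasons.append("export grade: 40-bit key, brute-forced in seconds")
    if "3DES" in n or "DES-CBC3" in n:
        reasons.append("3DES: deprecated 2018, 64-bit block (Sweet32)")
    elif "DES" in n:
        reasons.append("single DES: 56-bit key")
    if n.startswith(("ADH", "AECDH", "TLS_DH_ANON", "TLS_ECDH_ANON")) or "ANON" in n:
        reasons.append("anonymous key exchange: no certificate, so no protection against MITM")
    if "NULL" in n:
        reasons.append("no encryption")
    if "RC4" in n:
        reasons.append("RC4: biased keystream")
    return reasons

def weak_suites(names) -> dict:
    """Map each weak suite name to its reasons; strong suites are omitted."""
    out = {}
    for n in names:
        reasons = classify_suite(n)
        if reasons:
            out[n] = reasons
    return out

def audit_cipher_string(cipher_string: str) -> dict:
    """Resolve an OpenSSL cipher string as a server config would and report the weak suites that survive."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    ctx.set_ciphers(cipher_string)  # raises ssl.SSLError if nothing matches
    return weak_suites(c["name"] for c in ctx.get_ciphers())

# One modern configuration (assumption, not from the page): AEAD suites with ephemeral ECDH only
HARDENED = ("ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:"
            "ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305")
```

Run `audit_cipher_string` against the exact cipher string from your own server configuration; a non-empty result is the condition the scan in the abstract found on roughly half of the hosts it reached, and it is far cheaper to find it in your config than to wait for someone else's scanner to report it.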

Over the years, Salesforce has grown and evolved exponentially. Companies are leveraging Salesforce in many ways, adding even more sensitive customer data to the platform. While Salesforce is very secure, it’s still a platform that can be implemented in a way that puts your org at risk.

So how do you know Salesforce is implemented in a way that meets your compliance needs? And how do you actually align your Salesforce implementation to your Security Posture?

It all starts with Data Governance, the foundation for Salesforce security. Data Governance provides the ability to effectively manage data using appropriate controls throughout the information lifecycle process to meet various internal and external requirements.

We’ll explain the basics and then dive into the more complex topics on how Salesforce, the lifecycle of customer data, and regulatory compliance can all effectively co-exist. We will explain the capabilities available to implement the 4 pillars of Data Governance (Data Inventory, Data Security, Data Privacy and Data Compliance).

You’ll walk away with tangible next steps for governing Salesforce, like data classification, access management, encryption at rest, user access management, compliance reporting and more.

Pete Thurston

The number of phishing websites on the world wide web is steadily increasing as a popular attack vector towards potential victims. Phishing websites can be differentiated from legit websites using a select set of identifiers like content, URL and the use of SSL certificates. In this research, two websites with visual similarity are built: one resembles a legit website, the other one contains specific characteristics of a phishing website (and thus resembles a phishing version of the earlier mentioned website). With a custom built API, mouse movements, mouse clicks and key presses were captured on both websites to record user behaviour. With this captured data, which resulted in more than 100,000 records, data science models were applied to find statistical relevance. And the results? Attend This Session And You Will Be Surprised!

Sanne Maasakkers

I will discuss applying InfoSec principles and also forensic principles to assisting domestic abuse victims cutting the electronic cord to their abuser.

The very same Internet of Things which are installed for convenience can form a gilded, velvet lined cage with an Alexa or Siri voice.

I will discuss applying the counterintelligence mindset to the domestic situation: what can be gathered, what sources and methods can be used against a person in their own house, and how to detect the threat.

The talk will discuss the use of social media to detect physical surveillance, technical countermeasures for surveillance devices, lessons learned with forensics…and the ways to protect oneself against leaving data behind.

Will Baggett

Hacking and Security is becoming a lot less about Computer Science and more about Human Behavioral Science.

First, I will be discussing principles to better understand the Human API, beginning with the two most fundamental elements of lived experience. I will talk about how these two different modes of looking at the world are necessary for survival and how we come with pre-programmed features to reconcile the two for the maximal desired outcome.

Next, I will discuss the first dichotomy of Security and Business. If Security is neglected then a business is chaotically vulnerable. If Security is so stringent that business is rendered inoperable then security is drawing up excessive order and has exceeded its utility. I will be discussing how to find the sweet spot in the dichotomy by leaning on the principles we discussed in the previous two topics.

The final dichotomy will be IT and End Users. Using real world examples of Security Professionals, we will go over the best ways to grow from viewing our End Users as authorized adversaries on our networks to becoming our best line of defense.

Ty Atkin

During large scale engagements against multiple applications, teams often split the workload across many testers. Currently, sharing Burpsuite sessions requires exporting large files that cannot be merged with a running state, restricting the ability for teams to collaborate on an application. With this new plugin, coupled with a lightweight server, multiple testers can share traffic in real time across multiple applications, allowing for quick collaboration! Have a repeater payload your team needs to see? Simply right click the request and select share to populate their repeater tabs! Come listen and see how this plugin can help your teams hack collaboratively!

Tanner Barnes

Canary tokens are not a new idea, but are woefully underused. In this talk I will outline particular use cases and techniques to get more mileage out of the base concept. Rather than just a simple tripwire with limited environments it can be set in, we’ll cover how you can bait these canaries to provide additional context, such as the attacker’s IP or user agent, which victims visit a phishing page, or the accounts used in exfiltration. Depending on the context, you could even replace creds attackers are trying to phish for without the attackers’ knowledge, or expand the beacon into something more C&C.

The implementations I will cover include a stealthy JS-based payload designed to trigger when run outside its normal domain, a G Suite payload, as well as PDF/DOCX bait files. Additionally, I will explain how you can use various communication channels such as DNS to expand the reliability and stealthiness. For the DNS channels, a quick coverage of the necessary constraints you need to be aware of will be included, such as allowable character sets, subdomain lengths, number of subdomains, and multipacket stitching for longer messages.

Gregory Caswell

Have you ever wondered if the file permissions on a directory were correct? Have you worried that you were allowing too much access or too little? You’re not alone. File permissions are both difficult for humans to reason about and important to cybersecurity practitioners.

File permission errors can reveal sensitive information, including private education, medical and defense data. We present XRAY, a system to find errors in systems with Unix style file permissions.

XRAY uses a constraint based approach coupled with an expressive domain specific language to find file permission errors. XRAY represents permissions as a set of constraints allowing an action at a location in the file system. This representation allows efficient answers to questions about who can perform an action and where they can do so across an entire file system. XRAY provides the user with an expressive domain specific language for stating security properties of a file system, in part or as a whole. XRAY finds examples where properties hold and counterexamples showing violations on real world scale datasets. We present the results of three case studies employing XRAY for finding file permission errors and detail the future work for this system.

Jared Chandler

Over the years we have been increasingly surrounded by technology. Some of us, particularly my generation and gen z, have almost been raised by it. This means that things like “Don’t click likes from people you don’t know.” have now become the new “Don’t take candy from strangers.”, making it harder for us to perform old tricks like redirecting users to pages with malicious scripts.

But what if I told you that could change with a small injection and a little social engineering? With a small chip in your hand, you could convince your target to let you wreak havoc on their device, and have them be none the wiser.

This presentation covers the offensive uses of NFC implants and how you can use this new technology to your advantage, as well as its limitations out in the field.

James Dietle

How to leverage the Mitre ATT&CK Framework to improve your organization’s security posture and bring your SOC/BlueTeam up to speed with the current Tactics, Techniques and Procedures (TTP) that modern Threat Actors use. Our goal is to answer a few questions we often see or hear: “ATT&CK is nice and all, but how do I (we) get started?”, “How can I (we) detect those TTP?”, “Why use the ATT&CK Framework?”

Mathieu Saulnier
8:00 - 9:55
Professionalization - Possibilities and Potholes

The question of some form of professionalization has long been a topic of conversation (third rail?) in security. This workshop will introduce various different models of professionalization from professions outside of security, identifying each model’s key features and limitations. It will also explain the relationship that the law creates among self-imposed ethical codes, licensing, and malpractice liability across various professions.

Andrea Matwyshyn

“Breakup up big tech” or “Secure the elections” are national news headlines. Privacy, cybersecurity, and digital rights are critical issues being discussed by lawmakers. Technologies like facial recognition, machine learning, and cloud computing are at the core of almost every one of these issues, however Congress lacks the in-house technical expertise it needs to help inform the discussions leading to new policies and laws. Of the 3500 legislative staff in Congress, there are exactly *seven* that have an actionable technology background. IT professionals and security researchers can help bridge the gap between government and the technology community by tapping into the tech policy API to become a voice for informed change within the legislative process to help prevent unintended consequences before it’s too late.

Maurice Turner, Katherine Pratt

This is an interactive listening session. The idea here is that each person that would like to provide CONSTRUCTIVE feedback, both positive and negative, about DHS’ Role in Vulnerability Disclosure can step up to the mic and have 45 seconds… Like speed dating but with your thoughts. There will be a loud outlandish buzzer to count the time. The DHS lead for Vuln Management will listen to the feedback provided and will not respond. The DHS Lead will only be allowed to respond “Thank you for your feedback.” This is a listening session. The DHS Lead will make the public commitment to each participant that if they provide their contact information the DHS Lead will personally contact each participant for a follow up conversation.

Katie Trimble

Bladerunner was supposed to be science fiction. And yet here we are today with bots running loose beyond their intended expiration and with companies trying to hire security people to terminate them. This is 2019 and we have several well-documented cases of software flaws in automation systems causing human fatalities. Emergent human safety risks are no joke and we are fast approaching an industry where bots are capable of pivoting and transforming to perpetuate themselves (availability) with little to no accountability when it comes to human aspirations of being not killed (let alone confidentiality and integrity).

Are you ready to discuss very real and discrete risks for global survival, to help leaders see what they’re missing and make a terminal change to a bot’s existence? Perhaps you are interested in building a framework to keep bot development pointed in the right direction (creating benefits) and making AI less prone to being a hazard to everyone around? Welcome to 2019 where we are tempted to reply “you got the wrong guy, pal” to an unexpected tap on the shoulder… before we end up on some random roof in a rainstorm with a robot trying to kill us all.

Davi Ottenheimer
08:00 - 17:55
Malware Traffic Analysis Workshop

This training is a one day workshop that provides a foundation for investigating packet captures (pcaps) of malicious network traffic. The workshop begins with basic investigation concepts, setting up Wireshark, and identifying hosts or users in network traffic. Participants then learn characteristics of malware infections and other suspicious network traffic. The workshop covers techniques to determine the root cause of an infection and determining false positive alerts. This training concludes with an evaluation designed to give participants experience in writing an incident report.

Bradley Duncan

This course covers tools, techniques and procedures to break out of execution restricted environments, escalate privileges from a low-level user and gain SYSTEM privileges on modern Windows systems. Previously delivered at conferences such as DEF CON and BruCon, the course is updated with new techniques every year.

High-level Summary:
• Circumventing Windows system lock-downs implemented via AppLocker, Software Restriction Policy (SRP) and Group Policies in environments such as Microsoft’s Terminal Services, Citrix’s Virtual Apps or CyberArk’s PSM.
• Elevating privileges on Windows systems via discovery and exploitation of insecure configurations, permissions and system defaults.
• Understanding Windows remote administration techniques and establishing persistence.

Automated tools aid in the post-exploitation process; however, a focus on manual identification, analysis and exploitation is critical to attacking real-world systems successfully. This course leverages practical case studies to provide reliable vulnerability identification and exploitation skills.

The requisite techniques for this course will be demonstrated on a modern 64-bit Windows 10 Enterprise platform.

Rohan Durve

Practice finding flaws in real Android apps in this fun, CTF-style hands-on workshop, and you will be ready to avoid making security errors in your own apps.

Android apps are very easy to unpack, analyze, modify, and repack; partly because of the open nature of the system, and partly because most companies neglect basic security measures. In this workshop, participants will hack apps from Wells Fargo, Microsoft, Lyft, WhatsApp, Whole Foods, IBM, Harvard, Progressive, the Indian government, and other large organizations. We will find insecure network transmissions, broken cryptography, improper logging, and pervasive lack of binary protections.

We will analyze Android internals in detail, using the Drozer attack framework.

All class materials are freely available on the Web, and will remain available after the workshop. All vulnerabilities were reported to the affected companies long ago, where appropriate.

Equipment: participants must bring a laptop that can run VirtualBox machines. The host system can use Mac OS (best), Linux (OK) or Windows (usable but limited). We will use free Android emulators and a Kali virtual machine. They will be available as free downloads, and also locally on USB sticks.

Sam Bowne, Elizabeth Biddlecome

As networks become increasingly complex, the ability to break an unknown protocol down and understand its base components and how they interact is a critical element of network security.

Protocol reverse engineering allows security analysts to understand not just how the protocol works, but the ways it can leave your enterprise vulnerable. This is especially true at the application level, where insecure or poorly managed applications can leak sensitive data.

In this workshop, attendees will learn how to reverse engineer real application-layer protocols via a deep technical dive into the network traffic of a common remote access application. The workshop will culminate with an example of identifying connections between attacker traffic in the real world.

David Pearson

This session will teach participants how to use the open source CALDERA tool to automate post-compromise adversary emulation exercises. CALDERA was originally released in 2017 as an R&D-heavy tool designed to run fully automated end-to-end adversary emulation exercises aligned with the MITRE ATT&CK framework. In 2019, the team pushed out a major update featuring a completely redesigned core architecture – now letting users create “plugins” to extend functionality – as well as a new operating mode (“chain”) that allows users to leverage CALDERA to orchestrate atomic unit tests without the overhead needed in the original release.

In this course, we’ll teach participants the basics of CALDERA – focusing on chain mode – including how it works, its core design, and some of the ways it can be used. Then, we’ll switch to hands-on mode where we’ll guide attendees on how to use CALDERA, walking through its UIs and setting up and running built-in adversaries. Once attendees are familiar with the core concepts behind CALDERA, we’ll run through exercises showing how it can be extended, including building new adversary profiles, adding techniques, and, time allowing, how to develop new plugins. Attendees should be familiar with the terminal and bring a laptop.

David Hunt, Alexander Manners

(Spoiler alert) During a cyber-attack, the Active Directory is one of the favourite targets in every firm. Very, very (very) often, to not say always, the Active Directory is compromised… Sadly, pentesters or attackers often exploit the same obvious vulnerabilities to bounce and perform a privilege escalation. Come learn how to exploit and mitigate them. With something a little different, we are convinced that most common attacks against Active Directory could be prevented.

Remi Escourrou, Nicolas Daubresse
11:30 - 12:25
Duck and (Re)Cover - The missing link in the security evolution

I talk about the disturbing NotPetya outbreak that hit and crippled (almost) all of the conglomerate A.P. Moller-Maersk. I will address the many challenges and lessons learned encountered from both the business perspective and its information technology.

Then I transition over to my 20+ year infosec journey, using the Maersk war story as my base to go to a bird’s-eye view and, through those optics, explain how and why I see us as having failed as an information security community and industry.

“Are you a security hobbyist or a security professional?” My opinion is most are security hobbyists, and in my opinion therein lies the problem, but also parts of the solution. As a collective we very rarely venture outside our information security silo.

I will show how we can change from being self-indulgent and a tiny bit narcissistic to making us succeed in the business arena. We speak security and risk with very little or no business accent. We must learn to speak business with little or no IT accent. We must stop taking certifications and instead get business degrees. We must take the fight to the business and fight the battle on a business playing field.

Peter Lidell

What if I told you that there was an alarming number of security flaws in most major cities’ mass transit apps? And what if I told you I could demonstrate the successful exploitation of these apps? In this talk, I will do precisely that. The results of successful exploitation can range from the relatively harmless “stealing” (or forging) of e-tickets to the critical exposure of customer PII information and account takeovers.

Often, mobile apps are synonymous with thick clients – meaning they run locally and cannot trust their runtime, and come with the same vulnerabilities as their ancestors. As such, I will explore dynamic instrumentation using Frida and demonstrate practical use-cases to bypass security.

During my presentation, you’ll learn about the analysis of client-side obfuscation measures such as encrypted HTTP body and encrypted application storage (flat files/SQliteDb/Custom mobile SDK-based encryption) in mobile applications, which can be instrumental in uncovering security vulnerabilities.

Priyank Nigam

Deep and Dark Web “card shops” are the primary means through which criminals obtain card data. Card shops lower the barriers to entry for less-skilled criminals to facilitate card not present (CNP) fraud for online transactions. Rather than stealing the data themselves, all the criminals need to do is buy the card data from a card shop. The rise of Joker’s Stash (2014) seems to correspond with the timeline of the rise of EMV in the U.S. As the EMV Chip (and thus the decreased use of magnetic stripe) makes what were once tried-and-true tactics for in-store carding, i.e. skimmers & POS malware, much less feasible, criminals shifted towards CNP fraud, which is easier, cheaper, and less resource intensive. We will analyze the data that is currently available on credit card shops, including sources of card data, card information, price, and geographic heat maps of the carded information. Fighting CNP fraud is much more difficult than fighting in-store fraud. We will use this information to better understand targets of carders and carding shops, like Joker’s Stash, and how to fight this growing form of fraud.

Ian Gray, Maxwell Aliapoulios

Chinese underground cybercrime profits exceeded US$15.1 billion in 2017, while causing more than $13.3 billion worth of damage relating to data loss, identity theft and fraud. Over the years, Chinese non-state threat actor groups have gradually transformed from small local networks targeting mostly Chinese businesses or citizens to larger and well-organized criminal groups capable of hacking international organizations. The development of commercial-scale exploit toolkits and criminal networks that focus on monetization of malware have amplified the growing risks of cybercrime in the region to include a DDoS attack against the People’s Bank of China in December 2013, $1 billion SWIFT hack against Bangladesh Bank in February 2016, $14 million theft from Far Eastern International Bank in Taiwan in October 2017, to name just a few. How do the increased complexity and scope of attacks by Chinese non-state threat actors signal a new level of cyber threats emanating from China? How do Chinese cybercriminals compare to their Russian counterparts, and are they using a similar playbook? What is the impact on businesses in the Asia Pacific region and around the world? What new challenges do these developments pose against law enforcement agencies as they strive to detect, prevent, and mitigate cyberthreats?

Anne An

“Ask the EFF” will be a panel presentation and question-and-answer session with the Electronic Frontier Foundation, featuring Kurt Opsahl, Deputy Executive Director and General Counsel; Eva Galperin, Director of Cyber Security; Nathan ‘nash’ Sheard, Grassroots Advocacy Organizer and India McKinney, Legislative Analyst. Half the session will be given over to question-and-answer, so it’s your chance to ask EFF questions about the law and technology issues that are important to you.

Kurt Opsahl, Eva Galperin, Nathan Sheard, India McKinney
10:00 - 10:55
Loki: Add a little chaos to your USB drive

If you’ve never thought USB devices could become even less trustworthy, then this is the talk for you. We already know USB devices might try to automatically run code when connected, or act like a hyperactive keyboard and mouse, or attempt to physically destroy the host, or masquerade as an innocent charging/data cable. But it can, actually, get worse. Say hello to the Loki Drive, a USB drive with just a little too much chaotic energy. I’ll demonstrate how a USB mass storage device can change the storage it presents to the host computer based on a set of user-defined conditions. On the offensive side this can be used to circumvent USB scanning procedures and on the defensive side this can be used to store private files that will be undetectable without time-consuming analysis. Attendees will learn the steps I took to build the POC, see what it can do, and discover, anew, just how much they fear USB devices.

Michael Rich

Exploit Kits haven’t disappeared, they’ve simply moved to Microsoft Office. Traditional Exploit Kits (EKs) have the ability to fingerprint and compromise web browser environments, but with the advent of sandboxing and advanced security measures, there has been a shift toward using the Microsoft Office environment as a primary attack surface. Document Exploit Kits (DEKs) leverage DCOM, ActiveX controls, and logic bugs to compromise machines by packing multiple exploits into a single file.

This talk will provide an in-depth overview of the vulnerabilities and exploitation techniques used by the ThreadKit and VenomKit documents to spread well known malware families, and how they are being used in targeted attacks.

Joshua Reynolds

Email addresses are one of our most public pieces of PII. We are comfortable sharing them with strangers and publishing them on the internet, and they are generally our public way of communicating.

However, when it comes to phone numbers things change. We are more selective with who we share it with, mostly because receiving unsolicited phone calls is much more invasive. There are also security implications when making your phone number publicly available. SS7 attacks, SIM swapping, phishing and scam calls are just a few of the threats that originate from the target’s phone number.

What if it were possible to obtain someone’s phone number by only knowing their email address? Beyond the criminal advantage, it could be very useful to investigators, red teams and OSINT lovers.

In this talk, I will discuss techniques which when combined will let you discover someone’s phone number via their email address. I will also demo and release a tool that helps automate the process.

Martin Vigo

Efficient, reliable trapping of execution in a program at the desired location is a linchpin technique for dynamic malware analysis. The progression of debuggers and malware is akin to a game of cat and mouse – each is constantly in a state of trying to thwart the other. At the core of most efficient debuggers today is a combination of virtual machines and traditional binary modification breakpoints (int3). In this paper, we present a design for Virtual Breakpoints — a modification to the x86 MMU which brings breakpoint management into hardware alongside page tables. In this paper we demonstrate the fundamental abstraction failures of current trapping methods, and rebuild the mechanism from the ground up. Our design incorporates the lessons learned from 40 years of virtualization and debugger design to deliver fast, reliable trapping without the pitfalls of traditional binary modification.

Gregory Price

While a Turing-complete set of ROP gadgets can easily be found in libc, many existing ROP compilers are not Turing-complete or do not include essential programming language constructs, such as subroutine calls.

ROPC is a proof-of-concept ROP compiler for 64-bit x86_64 architectures that achieves Turing-completeness by maintaining a second, shellcode-accessible stack, which most notably makes possible subroutine calls within the exploit itself. Turing-completeness allows shellcode to avoid suspicious behavior such as calling system(3) and to return control to the target process.

As input, ROPC accepts (i) source files written in so-called ROPC-IR, (ii) rules for translating ROPC-IR instructions to sequences of gadget addresses, and (iii) static configuration parameters about the victim process. As output, it produces a two-stage shellcode (a sequence of gadget return addresses) that can be injected onto the target process’ stack.

The distinguishing features of ROPC are its emulation of a second stack available to the ROP shellcode and its consequent support for nondestructive invocation of library and system calls (with variable parameters) as well as shellcode subroutine calls.

Nicholas Mosier

The Service Workers API is a modern web API that grants web developers advanced capabilities, such as acting as a proxy server, intercepting network requests and improving offline experience as a background service.

At Akamai, we have unique visibility into world wide web traffic. We have witnessed a dramatic increase in usage of legitimate service workers in our customers’ web applications in the past year. We believe this trend also applies to malicious service workers.

In this talk we will cover new and emerging web based attacks that (ab)use the Service Worker web API. We will cover and demonstrate the attack flow where a potential attacker can amplify and persist his foothold on the client and exfiltrate sensitive information by abusing the service worker API.

Along with showcasing those kinds of attacks, we will also discuss and explain how to find those attacks and methods to mitigate and prevent them.

Daniel Abeles, Shay Shavit

Do you want to know how you can exploit DNS rebinding 10x faster, bypass prevention mechanisms, interactively browse the victim’s internal network, and automate the whole process during your next red team exercise?

This talk will teach you how and give you an easy-to-use tool to do it.

First, we will cover in detail the subtleties that make DNS rebinding attacks more effective in practice, including techniques and operational conditions that make it faster and more reliable. We’ll also explain how to bypass commonly recommended security controls, dispelling attack and defense misconceptions that have been disseminated in blogs and social media posts.

This talk will include a number of demos using Singularity, our open source DNS rebinding attack framework that includes all the parts you need to get started pwning today, including:
– Remote code execution and exfiltration payloads for common dev tools and software
– Practical scanning and automation techniques to maximize the chance of controlling targeted services

We’ll also show an interesting post-exploitation technique that allows browsing a victim browser network environment without the use of HTTP proxies.

Gerald Doussot, Roger Meyer
10:00 - 10:55
The Road to Hell is Paved with Bad Passwords

Ever wonder what incident management is like when an embassy gets hacked by ISIS? Come on a journey that includes international threat actors, a state sponsored intelligence agency, and a foreign sovereign embassy. This journey includes a walk through a series of cyber challenges that includes surprisingly weak security, insider threats, a 50 million dollar extortion attempt, diplomatic immunity, and a city wide security lock down, all while >400 dignitaries’ lives dangle in the negotiation crossfire. Join Chris, the lead investigator and resolver, as she takes you along on a super-secret squirrel mission that includes high adventure, nation state cyber threat actors, and cyber terrorism. Solve the crime and save lives, all in a day’s work for cybersecurity professionals; who said STEM was boring? In this talk, you will discover the key takeaways and gain insight on how to protect yourself from the investigation and response to a real-life cyber terrorism incident. No classified information will be shared; some terrorists were harmed in the making of this talk.

Chris Kubecka

In the 1968 television series The Prisoner, a former British intelligence agent is imprisoned on an island, called “the Village”, with other former spies. This pretty prison is a retirement home for those like him who “know too much”.
On the island (called “The Village”) prisoners are only referred to by their numbers, with our prisoner being Number 6.

In this session, we play a game in which we are Prisoner Number 6, a containerized application that “knows too much”, and our Village is a “privileged” Docker container, which “imprisons” us.
During the game we constantly try to escape the Village and return home to the mainland.
Do we succeed in escaping the Village? Join our session to find out.

During this session we will show how we attempt to escape the privileged container to reach the underlying host, using a number of different methods, such as loading a Linux kernel module into the underlying kernel, exploiting devices present inside the container to read and write the host’s files, and more.

At the end of the session we will attempt a real live escape from a Docker training website to remotely run code on the host.

Nimrod Stoler, Lavi Lazarovitz

It’s almost 2020 and it’s time to reset how we think about the traditional “phases of hacking” and responding to modern intrusions.

The Classic attack paradigm: traditionally Windows focused, Active Directory/Domain Admin emphasis, port scanning, privilege escalation, stealing hashes, exploiting vulnerabilities.
The here and now: hybrid MacOS environments, cloud emphasis, SSO/SAML, 2FA, 3rd party SaaS, zero exploit code.

As companies adapt their businesses to new technologies, attackers change with them, and so should incident responders. In this talk I will discuss how my security team and I respond to modern intrusions from Red Team engagements and “IRL” threats that no longer follow the “Classic” methodologies of attack. If you’re a defender who’s tired of hearing about PowerShell, sysmon, mimikatz, and “Red Teaming 101”, this may be for you. This talk is primarily targeted at incident responders working in complex, modern environments and aims to provide practical guidance on improving your team’s capability to detect bad actors and respond to intrusions in 2019 and beyond.

Jeremy Galloway

Effective third-party security risk management requires collecting a significant amount of information from vendors. That information gathering process often starts with the customer sending the vendor a lengthy infosec questionnaire.
Katie’s team was on the receiving end of those questionnaires, and the significant time and effort required to complete them interfered with progress on imperative security projects. To address this problem, the team created documentation and a new process that lessened their workload, reduced sales cycle friction, and gave customers increased visibility into Rapid7’s security program. Katie will share her approach, the lessons she learned along the way, and the metrics she used to measure success, ensuring you leave this session ready to apply these strategies at your organization.

Katie Ledoux

Organizations are routinely required to present their risk and security posture to customers, management, and auditors. There are a myriad of vulnerability datasets and online risk scoring tools available, but how can you use them to your advantage? This talk will focus on not only getting those troublesome scores and online databases to cooperate, but also setting them up to do your work for you. We will review current standard data sources and scoring models; various ways common environmental factors mitigate risk and how they apply in CVSS scoring calculations; and how to aggregate and use the results to inform security decisions within your organization.

Matthew Hahn, Luke Szczutowski

In June 2019, the open-source drand project will be jointly announced by its developer, Nicolas, and its current members, EPFL, Cloudflare, NIST and Kudelski Security.
Its goal? Providing a trusted source of distributed randomness that would enable new applications and could be a way to allow blockchains to provide actual randomness to smart contracts in the future.
This talk is about what distributed randomness is, what it means for developers, and why you’d want to use it. I will also present to you drand, a Go application implementing distributed randomness that was developed at EPFL.

Don’t worry though: we will first discuss an overview of how it works without diving too deep into the gory cryptographic details. In addition, I’ll demo how this cool new open-source tool works and explain how you can use it in your own applications.

Disclaimer: this is NOT a blockchain talk, but rather a distributed system one.

Yolan Romailler

When a company moves to the Cloud, the Security team will need to figure out how to adjust how they go about day-to-day operations for Cloud environments. We will go over how to accomplish different requirements that a SOC would have, including war stories of when I’ve implemented solutions that worked very well, and solutions that blew up in my face. From native services, to open-sauce tools, and then some commercial tools (no, this isn’t an advertisement). We will go over the pros and cons, so you can accelerate your decisions in how you secure your cloud.

Kyle Dickinson

Join us in the studio for rousing commentary, insightful observations, and witty banter as we walk through breaking reports on vulnerability disclosures from around the world. Our three experts will discuss, debate, and dissect the dos and don’ts of vulnerability disclosure. In talk show format, our irrepressible, opinionated, and occasionally controversial pundits will offer legal, researcher, and vendor perspectives on this week’s news in vulnerability disclosure. We’ll provide candid reactions to how various tales of vulnerability disclosures unfolded – highlighting what works, what doesn’t, and what’s likely to get you punched or arrested. Or both. We may not be Emmy-nominated (yet), but we’ll bring you the hottest news and informed reactions from across the coordinated disclosure landscape.

Jen Ellis, Leonard Bailey, Colin Morgan, Tod Beardsley
10:00 - 10:55
Breaking Smart [Bank] Statement

In Mexico it’s possible to send bank statements via standard email; however, the law requires that certain security mechanisms are in place so that any unauthorized party is unable to read them. The user must provide a password in order to read the bank statement.

Most banks in Mexico use a password protected ZIP file or a password protected PDF in order to obey the law. One particular bank took a different approach and used an HTML file to achieve the same job. In this presentation, I analyze, from a security standpoint, the behaviour of such a new bank statement and a vulnerability that I found (which has since been fixed), and I end the presentation with an explanation and a demo of how this vulnerability could be exploited to view a bank statement without knowledge of the password.

Manuel Nader

There have been several studies on country based passwords by authors, but there has been a lack of focused study on the type of passwords that are being created in Africa and whether there are benefits in creating passwords in an African language. For this research, password databases containing LAN Manager and NT LAN Manager hashes extracted from South African organisations were obtained to gain an understanding of user behaviour in creating passwords. Analysis of the passwords obtained from these hashes showed that many organisational passwords are based on the English language. This is understandable considering that the business language in South Africa is English even though South Africa has 11 official languages. African language based passwords were derived from known English weak passwords, and some of the passwords were appended with numbers and special characters. The African based passwords were then uploaded to the Internet to test the security around using passwords based on African languages. Most of the passwords were cracked by third-party researchers; we conclude that a password derived from known weak English words shows no improvement in security when written in an African language, especially the more widely spoken languages.

Sibusiso Sishi

Most databases worth mentioning include authentication and authorization capabilities.
However, devils emerge in the details when edge cases of these capabilities are investigated.
We’ll see that popular databases (e.g. MySQL, PostgreSQL, Cassandra, MongoDB …) can have unexpected and sometimes unintended auth behavior.
This includes a fresh authentication vulnerability.
Ideal auth behaviors, with regard to security, will be reviewed.
Then we’ll demo how popular databases stack up against them.
Attendees will walk away knowing which auth properties to look for when including a database in their tech stack.

Mitch Wasson

In today’s ecosystem, verification of identity no longer applies just to the user; it extends to microservices, cloud providers, IoT devices and many other emerging systems as well. 81% of discovered breaches are due to broken authentication, indicating it is a prevalent issue. Developers are generally aware of the different authentication methods used for secure interaction between these entities, but most often lose context on best practices.

In this context, we talk about popular authentication schemes like SAML, OAuth, tokens and magic links adopted by developers today, and emerging ones like WebAuthN. We will present incorrectly coded authentication patterns observed in disclosed reports related to these schemes. Finally, we will conclude with actionable solutions to correct these flaws, realized in the form of practical guidelines. These would be security design patterns that developers or designers could refer to in their daily tasks.

Lakshmi Sudheer, Dhivya Chandramouleeswaran

In this talk, Group Policy expert Darren Mar-Elia (a.k.a. the GPOGUY) looks at Active Directory Group Policy from an attacker’s perspective, illustrating techniques that can be leveraged to gain insight into an organization’s Windows security posture, privileged use and opportunities for compromise. He’ll start by explaining how GP works under the covers, then dig into tools and techniques you can use to take advantage of GP’s “readability” to map out how an organization has deployed security hardening and privileged access, including how you can specifically identify admin tiering and work around it. Then Darren will dig deep into the bowels of GP to show several approaches to exploiting Group Policy, including linking exploits, write-permission/settings abuse, GPT redirection, external paths abuse and some newly documented ideas for abusing GP processing at the client to run arbitrary code. He’ll finish up by presenting some defensive techniques that can be used to harden GP against this kind of abuse.

Darren Mar-Elia

Do you dance madly on the lip of the volcano regarding your own research, or would you like to research a particular topic that you feel might have an undesirable personal outcome?

Do you know someone who does these things?

If so, you should come to this session and learn about some new processes and relationships where more people can benefit than before.

NOW, FOR THE FIRST TIME EVER- NOT IN UNDERGROUND!
Welcome to the new age of Glasnost and the end of an era.

Russell Handorf, Kurt Opsahl
10:00 - 10:55
Security data science -- Getting the fundamentals right

A data science team is now table stakes for most security operations; however, data science for security poses unique challenges that are different from both traditional data science and traditional security. Rather than clean data sets with reliable ground truth labels, obvious metrics, and clear featurization strategies, security data sets tend to be messy, ambiguous, and noisy, with metrics that can be difficult to operationalize, and they require significant expert knowledge to build good features.

In this self-contained and broadly accessible talk, drawing from real-world experience leading basic research in a global anti-malware/security company, we’ll cover everything *but* the modeling bit of security data science, and give attendees a roadmap for how to maximize their effectiveness when starting their own security data science teams and/or projects. From how to collect, clean, and label security-relevant data, how to approach feature construction and extraction, organizing and managing reproducible experiments, to finally addressing how to manage evaluation both for head-to-head comparison of candidate models as well as mapping model metrics to business outcomes, we’ll cover the major pitfalls in both doing security data science with an experienced team as well as the areas that ‘traditional’ data scientists often have trouble with.

Richard Harang

Sometimes, the link you click on is harmless like a Magikarp using Splash. However, sometimes the link you click on might be a Gyarados using Hyper Beam to misuse PHP and steal your credit card credentials.

Phishing campaigns remain one of the most timeless and prevalent attacks against a corporation. However, the phishing detection and prevention used today are still rooted in archaic methodologies of producing, obtaining, and maintaining blacklists. As an alternative, research into implementing a heuristic-based approach, rooted in fundamental machine learning algorithms, for phishing prevention is becoming more common. This talk will include a discussion of the heuristic approach of extracting features from a website and assessing whether they are malicious or not, exploring how to effectively use various models for classification on the features of a website, and the stages to build out a repository for phishing research.

Veronica Weiss

Machine Learning models ostensibly offer excellent detection rates at low false positive rates for detecting malware statically at the pre-execution stage. Importantly, they generalize well to new malware samples, evolving families and polymorphic strains. However, often neglected is the fact that “old-school” signatures actually perform *better* at the narrow role for which they were designed: signatures detect *known* and well-behaved malware families at detection rates approaching 100% and false positive rates approaching 0%. Should these not be a powerful complement to static malware detection using machine learning?

I present automatic malware signature generation via n-grams, but with one significant upgrade: I consider ludicrously large n-grams for n up to 1024 using “KiloGrams”, an approach co-developed by government, academic and industry partners. Since memory burden using straightforward approaches grows exponentially with n, previous research for n>6 is exceedingly rare, and to our knowledge has never been attempted for n>8. But more than 1 in 50 observed x86 instructions exceed 6 bytes, so that a byte 6-gram is insufficient for capturing telling sequences. KiloGrams discovers the K dominant n-grams (for very large n) with very modest memory requirements, and the resulting signatures provide both impressive predictive performance, and intrinsic interpretability.

Hyrum Anderson

This talk comprises two parts: how to reduce alert fatigue in security analysts by automatically fusing alerts from disparate log sources; and how to reuse/recycle ML models from one security domain to another. Both systems are in production in Azure Sentinel, Microsoft’s Cloud SIEM. Attendees will take away three core concepts: how to encode uncertainties in attacks using probabilistic kill chains; compressing ML models using high capacity LSTMs; and finally the trials and tribulations of building large scale ML systems for security.

Ram Shankar Siva Kumar

Machine learning has already proven itself an extremely useful tool for blue teams and defensive products. Organizations and their vendors have access to millions of endpoints, logs, and events. Extending talks and research given at previous DefCon events, this presentation will discuss research into integrating operationally relevant machine learning techniques into offensive operations. Through a few practical examples, we’ll explore basic statistics for operator efficacy, detecting a sandbox for payload security using a simple neural network, analyzing command sequences from previous operations to provide command recommendations for current operations, and using reinforcement learning to teach malware to pivot across a network. PhD NOT required!

Will Pearce, Nick Landers

Just looking at your logs is extremely unappealing for many security analysts. This leaves specialized tools and scripts to do the analysis before anything is investigated. This leaves any threat actor with access to the tools at an advantage and you with tunnel vision. With the math presented here we show the odds of finding something are quite high for hunting, and the effectiveness of $CYBER_ML_PRODUCT might be closer to a list of your assets picked at random.

Jack Burgess

Browser (Chrome) extensions can often be overlooked in an enterprise environment. They offer would-be attackers access to all sorts of potentially sensitive information. In order to find interesting ones there are a number of tools and data analysis techniques available. Some of these tools and techniques will be covered so you can hunt through your organization’s Chrome extensions in a meaningful way, and understand the risk they pose.

Mike Sconzo

With myriad threats facing organizations, eliminating all avenues for attack is impossible. Accepting this reality means organizations need to focus resources where they are most likely to be impactful. But this begs many questions: What types of hosts are most likely to have vulnerabilities? Are those same hosts critical parts of the business? What about cloud infrastructure that isn’t fully controlled? Are hosts on foreign soil in compliance with local laws?

We could tap into prevailing FUD and personal opinions to answer these questions, but haven’t we all had enough of that? We’d prefer to know what the data says. In this talk we introduce the concept of risk surface and explore its shape by tapping into a fascinating data set spanning millions of internet-facing hosts from tens of thousands of firms and major hosting providers around the world. We find that for most organizations risk is global with more than half locating infrastructure in multiple countries. Not only are hosts spread far and wide, but vulnerabilities are too: more than half of organizations have high or critical vulnerabilities on external infrastructure. Armed with this new perspective, we can make recommendations to organizations on where their resources are best deployed.

Benjamin Edwards, Wade Baker
10:00 - 10:55
CTFs for Fun and Profit: Playing Games to Build your Skills

Capture the Flag competitions (CTFs) have become quite popular among hackers and those in the security community, but it remains unclear whether these are fun pastimes or genuine learning opportunities. I’ll examine the skills learned through playing CTFs and compare those to the skills needed for a career as a security engineer. Additionally, I’ll examine the different styles of CTFs available and compare them to the necessary skills.

David Tomaschik

Infiltrating internal networks by luring people into visiting malicious websites is still being used by attackers. However, as modern browsers are automatically patched and endpoint protection improves, depending on either a browser 0day or on the victim to click and deploy malware on their machine narrows down the attacker’s opportunities. But did you ever wonder how someone could obtain access to an internal network by only relying on the victim’s browser as the main weapon?

In this talk, we will propose an attack concept that brings a whole new attack surface to infiltrate internal networks. The attack will work even on the latest patched browsers and without deploying any malware. By combining and advancing existing concepts of JavaScript reconnaissance techniques and DNS rebinding attacks, internal applications could now be exposed to the outside world while going unnoticed.

We will explain how going from theory to practice requires overcoming several limitations of the current DNS rebinding attack. We will go through the steps of evolving the current possibilities into establishing a full tunnel to internal network applications. We will tackle the challenges with handling all HTTP methods, proxying authentication and downloading binaries via the tunnel.

Nimrod Levy, Nicholas Mosier

DNS Tunnels are fun for bypassing Wi-Fi restrictions and breaking out of networks. Today there are many defence options in place to detect or block DNS Tunnels. However, exfiltration of data via DNS is still very possible and continues to plague corporate environments. We will look at some unique and new ways to exfiltrate data via DNS. We’re not looking to get free internet here, we’re looking at how attackers can send sensitive data out of a company without being detected by the usual DNS tunnel detection mechanisms.

Dimitri Fousekis

Microsoft has added a significant number of features to Windows 10 that affect the types of evidence that can be found both on disk and in memory during digital forensic and incident response investigations. These features include new event logging sources, new artifacts of program execution and file access, compression of in-memory data stores, native support for Linux virtual machines, and much more. The inclusion of these features necessitates that blue team members update a significant portion of their workflow to fully capture events that previously occurred on the system. These features also force red team members to update their workflows if they wish to operate in a stealthy manner. During this presentation, the full range of these new features will be presented along with how they can be accessed, analyzed, and understood. This will include discussion of open source tools along with analysis methodologies. By the end of the presentation, attendees who work in a wide variety of information security roles will understand how Windows 10 changes their daily workflow and how to best take advantage of the new features. With Windows 7 reaching its official end-of-life in January 2020, now is the time to learn these new skills.

Andrew Case

Many organizations struggle with keeping up with the flood of information regarding threat actor groups, malware, and other security vulnerabilities being released each day. Although many people understand the importance of keeping up to date with this information, it can often become a lower priority than other defensive security operations functions.

This talk will cover how to take various forms of cyber threat intelligence and operationalize that information into behaviors that can create actual detections relevant to the organization. We will walk through the process of identifying said behaviors, how to create detections, and how to actually test those detections using open source tools.

Jamie Williams, Sarah Yoder

This briefing quickly introduces the DoD Cyber Crime Center (DC3) and then goes into a discussion about what cyber threat intel is and the cyber kill chain (using movie gifs), and ends with a brief intro to some APTs. The talk is geared at an introductory level for people who don’t specialize in or would like to learn more about CTI and APTs.

John Stoner, Ronnie Obenhaus

Picture it: Sicily, 1922. I’m reporting to a great CISO who gets an opportunity to lead security for a global law firm. A few minutes later I’m in the hallway with the CIO and accepting the role of interim CISO. Fast forward a few years, I’m in a place that I never expected and doing things I wasn’t sure I knew how to do. The purpose of this talk is to share lessons I’ve learned going from a practitioner to the guy in charge and how practitioners at any level can lead and inspire change within the community.

Brian Markham
10:30 - 11:25
The Importance of Culture in Security

Culture is a hot topic in today’s business climate. Many books have been written on building a high performance culture, but few of them take into account the special nature of security organizations. Building on 20 years of experience managing high performing security teams, Mike will examine the nuances of building a culture that enables you to recruit and retain talent within security. Additionally, he’ll focus on how to identify what kind of culture you’re in, ways to impact culture even if you’re not formally in a management role, and tactics for how to make the kind of culture that makes you and your team excited to come to work every day.

Mike Murray

Bad management is regularly one of the reasons cited for why people change jobs. Plenty of books exist on the topic of how to manage and lead people, but there often isn’t a good vision for how people with strong technical skills can transition into leadership roles. Some of the pitfalls and issues that come with these transitions can be tricky to navigate, but the potential reward can be very high.

Joey Maresca

The security industry complains about a lack of talented people, but most of our jobs require Senior Engineers with 8 years’ experience. New grads and non-grads struggle to get a foot in the door, so they never get those 8 years of experience. Google has made progress towards solving that problem. We created a team that hires people at entry level and grows them until they can take more senior jobs. The team manages operational security work, like exception requests, that senior engineers find boring but new engineers find interesting and educational. The team also writes code to automate away as much work as possible.

We’ve also created a feeder program to train non-security people up to entry level in security, and we’ve created a rotation program to transition software engineers into security. Together, these programs have resulted in many hires and promotions and multiple rising stars. Additionally, the team is substantially more diverse than average.

After attending this talk, you’ll understand how we achieved these results and how you can create a similar program in your own organization.

David Seidman

Are you working in a mature enterprise security team, but have been exploring the idea of transitioning into a security leadership role in a startup or smaller, less mature organization? Tech debt is a real issue in any role, but perhaps instead of moving into a new role in a new organization where the perception is that the grass is greener, you want to truly try your hand at an evergreen environment where you build the program from scratch at a startup. Specifically, are you thinking about making a career change from being a security specific domain expert to moving into a startup role where you may develop domains within InfoSec, Compliance, Privacy, and more? While it may be intimidating, it’s not impossible; come learn about specific examples of how to apply enterprise security lessons to build a security program at a tech startup.

Ty Sbano
10:00 - 10:55
How to Treat Your Hacker (and Responsible Vulnerability Disclosure)

Imagine:
Someone just called your organization’s switchboard (the only phone number they could find) and declared they had discovered what they think is a serious security problem in your product or service. They said they are planning to publish the information soon, but wanted to call you first.

What would your organization do with such advance notice?

Monta Elkins

Three years ago, a team of nerds at the Pentagon brought in hackers and launched the federal government’s first bug bounty and coordinated disclosure programs. Today, the Defense Digital Service’s (DDS) ‘Hack the Pentagon’ program has run nearly twenty bug bounties across the Department of Defense, engaged thousands of ethical hackers, and uncovered thousands of vulnerabilities. The program has been replicated at agencies across government and is helping feds to rethink many of the government’s security approaches. While these programs are what DDS is best known for, the military also manages thousands of vehicles, ICS systems, and medical devices, in some of the most unique and challenging circumstances of any organization. Hear from DDS Director and noted data scientist Brett Goldstein about going beyond checklists and attested security, shifting culture in the world’s largest bureaucracy, and working to incorporate diverse perspectives and talent to contribute to our country. Under Brett, the DDS team is helping to push better security norms and best practices – recognizing that talent, diverse perspectives, and creativity are critical to remaining a step ahead of our adversaries. You’ll learn how this passionate group of citizens has been effective and how they’re inviting BSidesLV participants to get involved.

Brett Goldstein

Nowhere is the interconnected relationship between technology and the home more evident than the rapidly growing world of IoT.

What we see time and time again is that consumers care about security within their products, but most assume that a product is safe simply because it is for sale. We recognise it is not reasonable to expect everyone to become a cyber security expert, so we need to shift the burden off end users, support manufacturers of all sizes to embed strong cyber security principles, champion those that already do, and regulate to protect citizens from manufacturers that don’t take security seriously.

The talk will outline the work we have done to date and our approach to protecting consumers. In the past twelve months, we have published the Code of Practice for Consumer IoT Security, have worked to develop the first globally applicable standard for consumer IoT, ETSI 103 645, and have been supporting organisations at all scales to implement these standards as manufacturers and buyers of IoT. It is clear that action is needed, and we published our ambition to regulate in May 2019, outlining possible options for consultation, as well as a proposed labelling option.

Richard Manning

Ransomware attacks and confidentiality breaches tend to make the news as it relates to healthcare security challenges. But what about attacks directly on a patient?

During this session, we’ll look at some of the common security issues pervasive throughout the Internet of Things, and tie them directly to real-world attack scenarios using connected medical devices. We’ll discuss the anatomy and risks of an attack against a patient in a hospital, review common mechanisms and tools used for these attacks, and identify effective solutions to evaluate and better understand the inherent risks of the connected healthcare ecosystem.

Paul Dant

The press must translate complex digital security issues for the public, bringing a sense of urgency to the subject without scaring people into inaction. To do this job right, we need to talk to hackers. An open and earnest dialogue on how reporters navigate these challenges is in everyone’s interest – unless, of course, you have something to hide.

This panel will feature a frank discussion about what works and what doesn’t in uncovering some of the most important infosec storylines of the day. Discussion topics will include how companies and agencies disclose data breaches; how reporters are involved in the flawed and difficult process of vulnerability disclosure; the responsibilities of more “mainstream” outlets in explaining cybersecurity issues to readers; and what to do when policymakers draw the wrong conclusions from your reporting.

Journalists to include Sean Lyngaas from CyberScoop, Joseph Cox of Motherboard, Lily Hay Newman from Wired, and freelance journalist Kim Zetter.

Sean Lyngaas, Kim Zetter, Joseph Cox, Lily Hay Newman

Most US federal agencies lack a formal mechanism to receive information from third-parties about potential security vulnerabilities. Many agencies have no defined strategy for triaging reports about flaws reported by outside parties. Only a few agencies have clearly stated that those who disclose vulnerabilities in good faith will not be subject to legal action by the government.

These circumstances create an environment that discourages people from reporting potential information security problems to the government, which delays or prevents the discovery, prioritization, and remediation of these issues.

Representatives from the Office of the Federal CIO and the Cyber & Infrastructure Security Agency will talk about potential approaches and solicit feedback on addressing these concerns in the enterprise of enterprises that is the US Government.

Cameron Dixon, Matthew Cornelius

Mass Attack Campaign with Hands-on Webcam Exercise will teach participants about the IoT threat landscape (what have we seen) and common oversights made in the development, configuration, and deployment of IoT devices. And, while IoT may not be interesting itself as an end target, it’s easy to build an automated campaign at scale which can access operational systems and sensitive data. I’ll do a hacking demonstration to show the stages of an IoT campaign from OSINT/recon to exploitation to lateral movement to steal interesting things.

Bryson Bort

Over the past five years, I Am The Cavalry has helped shape public policy and industry practice toward better outcomes, as well as introduced security researchers into significant industry and government conversations. This talk will cover some of those achievements, the methods used, and show the audience what they can do to help make the world safer, sooner, together.

Beau Woods
10:00 - 10:25
Making your website vulnerable for fun and security awareness

What if you could understand the consequence of a vulnerability in your web application before it is introduced? As part of our security awareness month, our company website was cloned and several vulnerabilities were intentionally introduced. We then let a selection of our developers attack our website in order to have them see our website from the attacker’s point of view. This presentation will demonstrate the methodology used, how the methodology was applied, as well as the advantages of running a capture the flag event in the context of your company’s own website.

Kenny Jansson

Over the years we have increasingly been surrounded by technology. Some of us, particularly my generation and Gen Z, have almost been raised by it. This means that “Don’t click links from people you don’t know” has now become the new “Don’t take candy from strangers,” making it harder for us to perform old tricks like redirecting users to pages with malicious scripts.

But what if I told you that could change with a small injection and a little social engineering? With a small chip in your hand, you could convince your target to let you wreak havoc on their device, and they would be none the wiser.

This presentation covers the offensive uses of NFC implants and how you can use this new technology to your advantage, as well as its limitations out in the field.

Nick Koch

I want to talk about the struggles of teaching teammates how to learn Python. Specifically I want to talk about how to motivate or keep people working towards the goal without using financial incentives, and creating the correct culture around learning. I’ve been working with my team to have each one learn. All of them come from very different starting points. Some of the struggles have been finding the right projects to work on, and I will cover what resources I used and which ones worked well and which ones did not.

Joe O'Connell

As one of Humanity’s global commons, the frontier of space is the responsibility of the international community. Satellites are the most important space asset for the daily life of both civilians and militaries on Earth. They are used by billions of people, often without actively thinking about their use. Space services have become analogous to electrical service – utilities that people take for granted until they have an outage. This talk will first delve into a basic description of satellite infrastructure in order to establish a baseline of understanding for the range of vulnerabilities present in the satellite ecosystem.

Elizabeth Wilson

Game Theory is a wide ranging subject with practical applications that we are beginning to apply to information security. Many are familiar with the Prisoner’s Dilemma, but there are many other games that also illustrate strategic advantage. In this presentation, two games will be discussed in the context of infosec and identifying practical strategic applications: Col Blotto and FlipIt. Col Blotto games use a militaristic example of identifying where to put troops on a battlefield to best defend a territory. FlipIt games cover what to do when you have incomplete information, including situations in which you don’t see your opponent’s moves. This presentation aims to use these games to demonstrate a dynamic methodology in network hardening as well as a plan in an assumed compromise scenario.

Vanessa Redman

The terms “Threat Hunter” and “Threat Researcher” seem to be buzzing around these days. But what do they mean? What do those people do? Where do they fall in?
I’m going to tell you my thoughts on what the skills and abilities of a seasoned hunter might look like and how having one could help an organization.
I will talk a little about the common types of hunters, but I will talk more about my passion that is also my job.
My goal is to help clear a couple of things up and maybe spark some interest in this field that I love.

Yasmine Johnston-Ison

What do the front line protectors of this world need to be aware of when adversaries turn tech on them? No longer is it just a matter of catching bullets. Physical security teams now have more to consider. We give an insight into the world of close protection, the threat landscape and how they could be attacked.

Chrissy Morgan

There is a lot of swirl (and some crappy documents online) about how to CYA when you’re an independent consultant or a third party vendor doing pen testing / red team work for a client.

But what do you really need to know? And where do you draw the line/ walk away from a client? We’re going to talk about how you don’t end up on the hook for damages or screwed in a lawsuit by getting the paperwork right on the front end.

I’ll bring the information (and some docs you can adjust for your needs), and you bring the questions!

Suchi Pahi

Many cybersecurity textbooks dictate that we disconnect from the network when a compromised PC is detected. In the case of sophisticated attacks like an APT, however, we can benefit significantly if we can observe how the adversary performed their attack and understand their TTPs and eventually their purposes and intentions. To realize these benefits, the observation needs to be conducted safely and covertly so that the adversary continues the attack.
We propose a new technique that transfers the attack to a safe observation environment without alerting the adversary so that we can keep observing their activity in real time. We propose first to prepare the Deception Network (D-Net) configured identically to the Operational Network (O-Net).
After a compromise is detected, the relevant network packets are modified so that communications between the compromised PC and the O-Net are seamlessly redirected into the D-Net, minimizing any further compromise of operational data and assets. In order to not let the adversary know that their attack was transferred from the O-Net to the D-Net, we employ a sophisticated and unique packet rewriting technique using Software Defined Networking technology.

Toru Shimanaka
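The abstract above describes the data-plane step of the handover: once a host is flagged as compromised, its packets toward operational assets are rewritten to land on identically configured deception twins, and the twins’ replies are rewritten back so the attacker keeps seeing O-Net addresses. The following Python model is an added example written for this page, not the speaker’s SDN implementation (which the talk says is done with SDN rules rather than a userspace rewriter). It shows the part any such rewrite must get right: swapping IPv4 addresses on both directions of a flow and recomputing the IP and TCP checksums so the rewritten packets are accepted. The O-Net/D-Net mapping, the compromised host, and the packets themselves are constructed from RFC 5737 documentation ranges.

```python
"""Address rewriting for an O-Net -> D-Net handover (added illustration)."""
import struct

# Constructed mapping: operational asset -> its deception twin (same role, same config).
ONET_TO_DNET = {
    "192.0.2.10": "198.51.100.10",   # file server twin
    "192.0.2.20": "198.51.100.20",   # domain controller twin
}
DNET_TO_ONET = {v: k for k, v in ONET_TO_DNET.items()}
ONET_PREFIX = "192.0.2."             # constructed operational range


def ip_to_bytes(a):
    return bytes(int(x) for x in a.split("."))


def bytes_to_ip(b):
    return ".".join(str(x) for x in b)


def ones_complement_sum(data: bytes) -> int:
    """RFC 1071 checksum over 16-bit words, zero-padded to an even length."""
    if len(data) % 2:
        data += b"\x00"
    s = sum(struct.unpack(">%dH" % (len(data) // 2), data))
    while s >> 16:
        s = (s & 0xFFFF) + (s >> 16)
    return (~s) & 0xFFFF


def tcp_checksum(src4: bytes, dst4: bytes, tcp: bytes) -> int:
    """TCP checksum over the IPv4 pseudo-header plus the segment with its checksum field zeroed."""
    pseudo = src4 + dst4 + struct.pack(">BBH", 0, 6, len(tcp))
    return ones_complement_sum(pseudo + tcp[:16] + b"\x00\x00" + tcp[18:])


def build_tcp_packet(src, dst, sport, dport, payload=b"") -> bytes:
    """Minimal IPv4 + TCP (no options) packet with valid checksums, used as constructed input."""
    tcp = struct.pack(">HHIIBBHHH", sport, dport, 1, 0, 5 << 4, 0x18, 65535, 0, 0) + payload
    tcp = tcp[:16] + struct.pack(">H", tcp_checksum(ip_to_bytes(src), ip_to_bytes(dst), tcp)) + tcp[18:]
    ip = struct.pack(">BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp), 0, 0x4000, 64, 6, 0,
                     ip_to_bytes(src), ip_to_bytes(dst))
    ip = ip[:10] + struct.pack(">H", ones_complement_sum(ip)) + ip[12:]
    return ip + tcp


def checksums_ok(packet: bytes) -> bool:
    """Both checksums verify when the folded sum over header + checksum field is zero."""
    ihl = (packet[0] & 0x0F) * 4
    ip, tcp = packet[:ihl], packet[ihl:]
    pseudo = ip[12:16] + ip[16:20] + struct.pack(">BBH", 0, 6, len(tcp))
    return ones_complement_sum(ip) == 0 and ones_complement_sum(pseudo + tcp) == 0


def rewrite(packet: bytes, compromised: set):
    """Rewrite one IPv4/TCP packet for the handover.

    Returns the rewritten packet, the unchanged packet when no rule applies, or
    None to drop a compromised host's packet to an O-Net asset that has no twin
    (dropping keeps it away from operational data rather than leaking it).
    """
    if len(packet) < 40 or packet[0] >> 4 != 4 or packet[9] != 6:
        return packet                                  # not IPv4/TCP: untouched
    ihl = (packet[0] & 0x0F) * 4
    src, dst = bytes_to_ip(packet[12:16]), bytes_to_ip(packet[16:20])
    if src in compromised and dst in ONET_TO_DNET:
        new_src, new_dst = src, ONET_TO_DNET[dst]      # attacker -> twin
    elif src in DNET_TO_ONET and dst in compromised:
        new_src, new_dst = DNET_TO_ONET[src], dst      # twin -> attacker, masked as O-Net
    elif src in compromised and dst.startswith(ONET_PREFIX):
        return None                                    # no twin available: drop
    else:
        return packet                                  # unrelated traffic passes through
    ip, tcp = bytearray(packet[:ihl]), bytearray(packet[ihl:])
    ip[12:16], ip[16:20] = ip_to_bytes(new_src), ip_to_bytes(new_dst)
    ip[10:12] = b"\x00\x00"
    ip[10:12] = struct.pack(">H", ones_complement_sum(bytes(ip)))
    tcp[16:18] = struct.pack(">H", tcp_checksum(bytes(ip[12:16]), bytes(ip[16:20]), bytes(tcp)))
    return bytes(ip) + bytes(tcp)


def demo():
    """Constructed flow: flagged workstation talks to the file server, reply comes from the twin."""
    compromised = {"203.0.113.5"}
    out = rewrite(build_tcp_packet("203.0.113.5", "192.0.2.10", 49152, 445, b"SMB"), compromised)
    back = rewrite(build_tcp_packet("198.51.100.10", "203.0.113.5", 445, 49152, b"ok"), compromised)
    return bytes_to_ip(out[16:20]), bytes_to_ip(back[12:16]), checksums_ok(out) and checksums_ok(back)


if __name__ == "__main__":
    print(demo())
```

The covertness requirement is what forces the second rule: the twin’s replies must be re-sourced to the O-Net address, otherwise the attacker’s tools see an address they never connected to. A real deployment also has to carry the same mapping for MAC addresses, existing TCP state (sequence numbers are untouched here because the twin starts new connections), and any higher-layer protocol that embeds addresses in payloads, which a header-only rewrite cannot fix.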

Deepfakes, or videos that utilize AI-based technology to create or alter content to misrepresent reality, are becoming more indistinguishable from reality. These videos frequently utilize face-swapping to falsify statements or actions of others. Threat actors could utilize this technology to create content that would cause significant market disruption, for example, a high ranking finance executive declaring their firm is no longer liquid, or the Chairman of the Fed stating that the US is unable to pay debt requirements. Proliferation of the content via social media has the potential to cause immediate impact to global economies, plausibly causing potential losses in the billions. Previous actions by threat groups have demonstrated this threat is not out of reach, as the necessary technology is low cost or free and technical barriers to entry are minimal. Financial institutions must be prepared to react accordingly.

Anna Skelton

Mental health issues such as depression, substance abuse, and burnout are huge issues in the world of cybersecurity. Acknowledging that we have a problem, what can we, as individuals, do about it? Are we just powerless victims in the face of relentless attacks on our sanity and constant personal and professional pressures? What can we do to help ourselves and those around us?

Serenity Smile

Are you looking for a way to continuously check the security of your Web/Mobile application before pushing new code to production?

The talk explains how to design and create a Disposable, Agile, and Scalable security automation tool set according to your security business requirements. The idea is to convert security tooling into micro services, and deploy them into a Kubernetes cluster.

This talk also covers some pitfalls to avoid in your journey to build a secure software supply chain.

Abdessamad Temmar

Malware authors are always looking for new ways to achieve code injection. By using such techniques, a malware can run itself as another legitimate process on the system.
This is done for a few reasons which include:
• To hide the malware presence in the operating system
• To use another process’s context (for example, to bypass an application firewall)
• To mine data from the process (for example, form grabbing in browsers)
In general, by using such techniques, the malware writes part of its code in a remote process memory, and then causes the remote process to execute the injected malicious code.

Achieving code injection is becoming more and more challenging as traditional techniques are now widely detected by various security solutions. I found a new injection-less method to inject code to a remote process.
In this method I don’t use any of the known methods to inject code. To achieve the injection-less injection the remote process is made to read data from the injecting process by calling ReadProcessMemory. This code injection works only on x86_64 architecture.
In addition to this method, I found another way to copy data in the remote process. By copying data inside the remote process, I can recreate a shellcode from the injecting process. The second method should work on x86 and x86_64 architectures.

Alon Weinberg
8:00 - 9:55
Free and Fair Elections in an Internet Era

From blockchain to ballot selfies, new technologies hold the promise of making voting easier and better. Unfortunately, sometimes that promise falls short in unexpected ways. In this workshop we will review the impact of new technologies on voting in America. We will examine the intended and unintended consequences of new technologies introduced to address specific problems, explore the friction caused between new technologies and old policies, and work together to develop a framework that can be used to assess potential solutions that aim to avoid creating new problems.

Maurice Turner, Andre McGregor

Do you ever wonder how you can influence the Department of Justice’s cybersecurity and law enforcement efforts? Over the last 5 years, the Computer Crime & Intellectual Property Section (CCIPS) has undertaken projects intended to improve cybersecurity by supporting the computer security researcher community. CCIPS, which is responsible for implementing DOJ’s national strategies for combating computer and intellectual property crimes worldwide, has helped DoD implement its “Hack-the-Pentagon” Program, published a vulnerability disclosure framework to help organizations adopt vulnerability disclosure policies, and advocated for the expansion of a researcher exception under the Digital Millennium Copyright Act’s Triennial Section 1201 Proceeding. Come listen to a status report from CCIPS, hear about DOJ’s upcoming plans, and tell them what you think DOJ should do next to help researchers.

Leonard Bailey

Nowhere is the interconnected relationship between technology and the home more evident than the rapidly growing world of IoT.

What we see time and time again is that consumers care about security within their products, but most assume that a product is safe simply because it is for sale. We recognise it is not reasonable to expect everyone to become a cyber security expert, so we need to shift the burden off end users, support manufacturers of all sizes to embed strong cyber security principles, champion those that already do, and regulate to protect citizens from manufacturers that don’t take security seriously.

In the workshop, I will seek feedback on how effective legislation can be implemented, and how to ensure a system is set up to continue to protect citizens and the wider economy. Among this, I would like to explore the following questions…
– How can we ensure all manufacturers act responsibly and meet the baseline?
– How can we ensure the ‘floor’ doesn’t become the ‘ceiling’: ensuring transparency is built in above the baseline?

Richard Manning

The more connected our world becomes, the more vigilant we should be. We have a shared global responsibility to prevent the Internet from becoming “weaponized” by increasing attacks by criminal groups and state actors alike. We already have global organizations to tackle physical emergencies and now we need new ones to help with their counterparts in cyberspace. They should assist those in need following a large-scale systemic cyber attack and they should bring the international cybersecurity community together to prevent new attacks.

A CyberPeace Institute, an independent non-profit organization, should be created to convene and fill three critical gaps in the current cyber policy ecosystem: (1) investigating attacks against civilians and civilian infrastructure that cause widespread harm and publishing peer-reviewed analysis of such attacks; (2) assessing the harm caused by attacks and how those attacks transgress international norms of responsible behavior in cyberspace; and, (3) providing security tools and assistance to affected organizations and individuals to help them recover and be resilient. The Institute would rely on a robust array of partnerships with leading civil society, academic, private sector, and other interested parties to carry out its tripartite mission.

Eli Sugarman
8:00 - 17:55
Using Wireshark for Incident Response and Threat Hunting

This workshop will take students’ Wireshark skills to the next level with a heavy emphasis on incident response, threat hunting, and malicious network traffic analysis. We will begin with a brief introduction to Wireshark and other Network Security Monitoring (NSM) tools/concepts. Placement, techniques, and collection of network traffic will be discussed in detail. Throughout the day, we’ll examine what different attacks look like in Wireshark, which can improve both Red Team and Blue Team skills. Students will then have hands-on time in the lab to search for Indicators of Compromise (IOCs) and a potential breach to the network.

Michael Wylie

Hacking with good tools is a blast.

Sign up for the Storm Ethical Hacking Workshop and you’ll learn how to hack using the EC Council Ethical Hacking toolkit (Kit). In the workshop you’ll use iLabs to practice hacking skills on a live range with apps, from nmap, to Metasploit, from Aircrack-ng, to OWASP ZAP. You’ll learn the hacking process using the Kit, in addition to upgrading, installing, integrating and adapting your kit for hacking.

You’ll also learn how to move through a “Capture The Flag” challenge, hacking a vulnerable machine step-by-step, using the Storm Ethical Hacking Toolkit.

Whether you are a Maker/Hacker who already has their own code and tools, or a system admin who is interested in hacking, the Storm Ethical Hacking workshop is for you.

Join us! Ride the storm into the Storm Ethical Hacking Workshop and let’s hack!

Justin Whitehead, Kevin King

Using cryptography is often a subtle practice and mistakes can result in significant vulnerabilities. This workshop will cover many of these vulnerabilities which have shown up in the real world. This will be a hands-on workshop where you will implement the attacks after each one is explained. I will provide a VM with Python dependencies and skeleton code included so you can focus on implementing the attack. A good way to determine if this workshop is for you is to look at the challenges at cryptopals.com and see if those look interesting, but you could use in person help understanding the attacks. While not a strict subset of those challenges, there is significant overlap.

Matt Cheung

You often hear that one of the first steps is to harden your servers and services – but how exactly do you do that?

In this workshop, we will go through the various stages of hardening a Linux environment (Ubuntu) against attackers. During this workshop, we will consider common attack vectors and their mitigations, deploying security “feelers” and properly configuring the operating system and services against attacks.

This is an introductory level workshop (2-6 hours), hands-on, that allows participants to practice basic security hardening steps and customize their journey from that launch point.

Guy Barnhart-Magen

Join Secure Code Warrior’s live tournament to prove your web application security knowledge of the OWASP Top 10, or simply to learn more about secure coding.
Players will be presented with a series of vulnerable code challenges that will ask them to identify the problem, locate the insecure code, and fix the vulnerability.
Watch as you climb to the top of the leaderboard and be crowned the Secure Code Warrior. Prizes will be provided to the top 3 winners.

Steve Allor, Jim Manico

Have you ever wanted to learn how attackers break into websites and mobile apps?

At this BSides workshop, we explore a purposefully vulnerable web application and show you 15 common ways that attackers try to cause harm.

The workshop includes hunting techniques, exploit techniques, self directed vulnerability hunting and team based vulnerability hunting.

Some of the vulnerabilities are simple to find while others are much more difficult.

This event is open to participants with all skill-sets including people with non-technical backgrounds, developers, DevOps admins, Quality Assurance professionals, pen-testers, and more.

Chris Hanlon

ICS cybersecurity has been a new subject for years now, especially since Stuxnet. Has the security level of ICS improved?
Well, we can probably say yes for network segmentation and patching. And it is mostly true for critical infrastructures that must comply with multiple laws. But what about the most critical components such as PLCs?

In this workshop, you will learn how to attack PLCs, by attacking ICS protocols: a legacy protocol, Modbus, and an open source protocol considered as the future of ICS communications, OPC-UA. To do so, what could be better than giving you hands-on experience on real devices by hacking our model train?

We will start by defining industrial control systems and their main components, and explaining the key risks and vulnerabilities that affect them. We will then focus on their key assets, Programmable Logic Controllers, and discover how they work, how they communicate, and how they can be programmed, to learn the methods and tools you can use to p*wn them.

Then we will move on to the real world by attacking real PLCs on a dedicated setup featuring robot arms and a model train! And to conclude, probably the most difficult part, let’s discuss how to secure ICS.

Alexandrine Torrents, Arnaud Soullie
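The workshop above attacks PLCs through Modbus, and the reason that works is visible in the wire format: a Modbus/TCP frame is a 7-byte MBAP header (transaction id, protocol id 0, length, unit id) followed by a function code and its data, with no authentication or integrity field anywhere. The following Python is an added example for this page, not the workshop’s material or tooling. It encodes the two requests an attacker reaches for first (Write Single Coil, Read Holding Registers), parses the replies including exception responses, and drives them against a small in-memory PLC model so the exchange can be run offline. The coil/register layout and the setpoint value are constructed; a real PLC listens on TCP/502 and would accept the same bytes from anyone who can route to it.

```python
"""Modbus/TCP framing plus a toy unauthenticated PLC (added illustration)."""
import struct

FC_READ_HOLDING_REGISTERS = 0x03
FC_WRITE_SINGLE_COIL = 0x05
EXC_ILLEGAL_FUNCTION = 0x01
EXC_ILLEGAL_DATA_ADDRESS = 0x02


def mbap(transaction_id: int, unit_id: int, pdu: bytes) -> bytes:
    """Prepend the MBAP header; 'length' counts the unit id byte plus the PDU."""
    return struct.pack(">HHHB", transaction_id, 0, len(pdu) + 1, unit_id) + pdu


def read_holding_registers(txn: int, unit: int, start: int, count: int) -> bytes:
    return mbap(txn, unit, struct.pack(">BHH", FC_READ_HOLDING_REGISTERS, start, count))


def write_single_coil(txn: int, unit: int, address: int, on: bool) -> bytes:
    # The spec encodes a coil value as 0xFF00 (ON) or 0x0000 (OFF); anything else is illegal.
    return mbap(txn, unit, struct.pack(">BHH", FC_WRITE_SINGLE_COIL, address, 0xFF00 if on else 0x0000))


def parse_frame(frame: bytes):
    """Split a frame into (txn, unit, function_code, data); raises on a malformed header."""
    if len(frame) < 8:
        raise ValueError("frame too short")
    txn, proto, length, unit = struct.unpack(">HHHB", frame[:7])
    if proto != 0 or length != len(frame) - 6:
        raise ValueError("bad MBAP header")
    return txn, unit, frame[7], frame[8:]


def parse_read_response(frame: bytes):
    """Return the register list from a Read Holding Registers reply; raise on an exception frame."""
    _, _, fc, data = parse_frame(frame)
    if fc & 0x80:
        raise RuntimeError("Modbus exception 0x%02x" % data[0])
    byte_count = data[0]
    return list(struct.unpack(">%dH" % (byte_count // 2), data[1:1 + byte_count]))


class ToyPLC:
    """Constructed PLC model: 16 coils and 8 holding registers, no access control (as in the protocol)."""

    def __init__(self):
        self.coils = [False] * 16
        self.holding = [0] * 8

    def handle(self, frame: bytes) -> bytes:
        txn, unit, fc, data = parse_frame(frame)
        if fc == FC_READ_HOLDING_REGISTERS:
            start, count = struct.unpack(">HH", data)
            if not 1 <= count <= 125 or start + count > len(self.holding):
                return self._exception(txn, unit, fc, EXC_ILLEGAL_DATA_ADDRESS)
            regs = self.holding[start:start + count]
            pdu = struct.pack(">BB", fc, 2 * count) + struct.pack(">%dH" % count, *regs)
            return mbap(txn, unit, pdu)
        if fc == FC_WRITE_SINGLE_COIL:
            addr, value = struct.unpack(">HH", data)
            if addr >= len(self.coils) or value not in (0x0000, 0xFF00):
                return self._exception(txn, unit, fc, EXC_ILLEGAL_DATA_ADDRESS)
            self.coils[addr] = value == 0xFF00
            return mbap(txn, unit, struct.pack(">BHH", fc, addr, value))   # echo means success
        return self._exception(txn, unit, fc, EXC_ILLEGAL_FUNCTION)

    @staticmethod
    def _exception(txn: int, unit: int, fc: int, code: int) -> bytes:
        # Exception replies set the high bit of the function code and carry a one-byte code.
        return mbap(txn, unit, struct.pack(">BB", fc | 0x80, code))


def demo_unauthenticated_write():
    """Flip coil 3 and read back register 0 with nothing but network reachability."""
    plc = ToyPLC()
    plc.holding[0] = 1500                                   # constructed setpoint
    before = plc.coils[3]
    plc.handle(write_single_coil(1, 1, 3, True))            # no credentials anywhere in the frame
    regs = parse_read_response(plc.handle(read_holding_registers(2, 1, 0, 1)))
    return before, plc.coils[3], regs


if __name__ == "__main__":
    print(demo_unauthenticated_write())
```

Because the only integrity check is the MBAP length field, the defensive levers are all outside the protocol: network segmentation between the engineering/SCADA zone and everything else, read-only firewall policies that permit function codes 0x01 to 0x04 but drop writes from hosts that have no business issuing them, and logging of every exception response, since a burst of illegal-address exceptions is what enumeration of a PLC’s memory map looks like.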

Find out how MITRE ATT&CK can be used as a baseline for threat hunting. Starting with data hygiene and ending with an example hunt, we’ll show you how the Elastic Stack can help you find bad actors in a standardized and auditable way. Learn how the Elastic Stack’s latest capabilities enable interactive exploration and automated analysis.

Matteo Rebeschini, Kent Brake

This page last updated July 7, 2019