Time | Speaking Day | Track | Order | Talk Title | Talk Description | Name(s) of speaker(s) | Twitter | Bio
9:00 - 9:50 | Friday | Keynote | 1 | How to influence security technology in kiwi underpants | TBA | Benjamin Delpy | @gentilkiwi | TBA
10:00 - 10:50 | Friday | Keynote | 2 | Panel Discussion - At a Glance: Information Security | Welcome to DerbyCon 8.0! This year we have panelists from a number of different areas around INFOSEC. We will be sharing our experiences, where we think INFOSEC is heading, as well as looking at the current state. We are super excited about our panelists for this keynote and look forward to engaging questions from the audience as well as the moderator. Our panelists will be sharing war stories, how they got started, where the industry is heading, and questions from the audience. This will be a free-form panel discussion and audience participation is expected! | Ed Skoudis, John Strand, Lesley Carhart. Moderated by: Dave Kennedy | @edskoudis, @strandjs, @hacks4pancakes | 
12:00 - 12:25 | Friday | Stable | 1 | Red Teaming gaps and musings | Red Teaming is currently the closest most companies get to adversary emulation. While Red Teaming can do a good job pointing out security gaps, blind spots, and human weaknesses within an organization, there are also limitations. Engagement SOWs, timelines, and laws impose limitations which can unwittingly push a Red Team engagement far from adversary emulation. Some thoughts on the current status quo, and ways to mix it up. | Samuel Sayen | | Sam has served in the State Department's Foreign Service as a security engineer who worked on threat hunting and red teaming. He is currently a proactive consultant for Mandiant.
12:30 - 12:55 | Friday | Stable | 2 | A Process is No One: Hunting for Token Manipulation | Does your organization want to start Threat Hunting, but you’re not sure how to begin? Most people start with collecting ALL THE DATA, but data means nothing if you’re not able to analyze it properly. This talk begins with the often overlooked first step of hunt hypothesis generation, which can help guide targeted collection and analysis of forensic artifacts. We will demonstrate how to use the MITRE ATT&CK Framework and our five-phase Hypothesis Generation Process to develop actionable hunt processes, narrowing the scope of your Hunt operation and avoiding “analysis paralysis.” We will then walk through a detailed case study of detecting access token impersonation/manipulation from concept to technical execution by way of the Hypothesis Generation Process. | Jared Atkinson, Robby Winchester | Jared - @jaredcatkinson, Robby - @robwinchester3 | Jared Atkinson is the Adversary Detection Technical Lead at SpecterOps who specializes in DFIR. Jared spent two years at Veris Group’s Adaptive Threat Division (ATD) and four years with the U.S. Air Force Hunt Team. Passionate about PowerShell and the open source community, Jared is the lead developer of the PowerForensics project, Uproot, and PSReflect Functions. Robby Winchester is an experienced threat hunter and penetration tester. Over the course of his career, he has developed and supervised penetration testing, physical security, and breach assessments for several private sector and government clients. Previously, Robby worked for the U.S. Air Force Information Aggressors, providing full-scope network and physical red team operational assessments, and worked to integrate information security operations within traditional military operations for the U.S. Air Force’s RED FLAG exercise.
1:00 - 1:25 | Friday | Stable | 3 | Fuzz your smartphone from 4G base station side | In this upcoming IoT world, more wireless transmission techniques are used for IoT devices, such as WiFi, Bluetooth, ZigBee, Z-Wave, and cellular networks (2G/3G/4G). We can fuzz the wireless transmission technique as well, but there are few fuzzing tools, especially for cellular networks. The most difficult part of fuzzing a cellular network is building the cellular network environment, not making the corresponding fuzzer. In our presentation, we will introduce how to build the 4G LTE environment yourself on a limited budget. Afterward, we rewrote the 4G LTE base station and sent malformed LTE messages to fuzz your smartphone. After our fuzz testing, we found a vulnerability which could cause your smartphone to stop working normally, and this vulnerability affects smartphones which use a specific Qualcomm CPU. | Tso-Jen Liu | N/A | The search researcher and technology service director of Onward Security. Familiar with web security and fuzzing techniques, he loves to find security vulnerabilities in different fields, such as web applications, cloud services, ICS/SCADA, mobile applications, automotive and IoT devices.
1:30 - 1:55 | Friday | Stable | 4 | Clippy for the Dark Web: Looks Like You’re Trying to Buy Some Dank Kush, Can I Help You With That? | The dark web’s inherent hostility to observation makes it the perfect place for whistleblowers, freethinkers… and criminals. This design, built with anonymity and fully private operations in mind, also makes it almost impossible to use. Is there a future where the dark web is both easy to use and still maintains the core functionality necessary to protect its users? Does making the dark web easier to use inherently open it up to unchecked monitoring by private companies and law enforcement? Will legal users of the dark web be swept up in efforts to crack down on illegal activity on the dark web? And if we do see a growth in ease-of-use tools, is someone finally going to make a Clippy for the dark web? This session will cover the underlying structure of the dark web and the “ease of use” tools developed for dark web users over time, specifically the tools that facilitate ecommerce for buyers in a diversified criminal market. This talk will also address the inherent tension between the dark web as a bastion of privacy and anti-authoritarian sentiment and the dark web as a usable, functional repository of institutional knowledge. If you’ve heard of the dark web before but your first thought is “I think I remember Silk Road was a thing,” this talk may be for you. | Emma Zaballos | | Emma Zaballos is an Analyst at Terbium Labs, working on evaluating and contextualizing threats to customer data. She specializes in visualizing trends in the sale and trade of stolen payment cards, reading forum drama on the dark web, and studying the many ways companies fail to secure user data. Terbium Labs provides proactive data monitoring solutions - beginning with the assumption that your critical data is always at risk - and specializes in systems designed to detect your sensitive information wherever it may appear on the dark web.
2:00 - 2:25 | Friday | Stable | 5 | Synfuzz: Building a Grammar Based Re-targetable Test Generation Framework | Fuzzers have played an important role in the discovery of reliability and security flaws in software for decades. They have allowed for test case generation at a rate impossible by hand and the creation of test cases humans may never conceive of. While there are many excellent fuzzers available, most are designed for mutating source files or input in random ways and attempting to discover edge cases in the handling of them. Some others are designed with structured input in mind and use grammars to more strategically generate and mutate possible inputs that adhere to the format defined. These specifically are the ones we care about for the goals of identifying differences between multiple implementations of a single language, finding bugs in parse tree generation/handling of tokens, and handling of the data at runtime once it has been successfully lexically and syntactically analyzed. We’ll look at some of the shortcomings of existing fuzzers and discuss the implementation of a new platform designed to make fuzzer creation easier, with the goal of being able to utilize grammars from the implementations of the languages themselves. | Joe Rozner | @jrozner | Joe is an engineer at Prevoty where he has built semantic analysis tools, language runtimes, generalized solutions to common vulnerability classes, and designed novel integration technology leveraging runtime memory patching and instrumentation. He has a passion for reverse engineering, exploitation, teaching, and sharing research with others.
2:30 - 2:55 | Friday | Stable | 6 | Esoteric Hashcat Attacks | Ever wonder how to get past the 70% password cracking barrier? EvilMog will talk about the Infinite Monkey Theory of Password Cracking, unique attack methods such as Raking, Purple Rain, Prinception and other high entropy attack techniques, including live demos. | EvilMog | | EvilMog is a Senior Managing Consultant for IBM X-Force Red, a Bishop in the Church of Wifi and a Member of Team Hashcat; he is also the self-proclaimed chief shenanigator of DerbyCon.
3:00 - 3:25 | Friday | Stable | 7 | NOOb OSINT in 30 Minutes or less! | OSINT is more than making a fake Facebook account and looking up your EX. We will cover the basic level skills and places to get a Noob on the correct path in 30 minutes or less. Social media, government sites, paid sites and free training sites will be demonstrated. | Greg Simo and Guest Speaker | | Speaker 1 has a degree in Information Security, advanced training from The National White Collar Crime Center in Social Media, and currently works as a contractor for several different agencies. Speaker 2 is a student in an Information Security college program and an intern in the Cyber Security Dept of a Fortune 250 company.
3:30 - 3:55 | Friday | Stable | 8 | RFID Luggage Tags, IATA vs Real Life | IATA and airlines have been testing RFID-equipped luggage tags since the early 2000s. Their RFID standard includes multiple PII fields and security information, but how are these tags actually used? With over a year of luggage tags donated by traveling hackers, I have compiled a survey of these tags as implemented by US carriers. | Daniel Lagos | @admford | Independent Security Researcher and member of the Chicago Burbsec community.
4:00 - 4:25 | Friday | Stable | 9 | #LOL They Placed Their DMZ in the Cloud: Easy Pwnage or Disruptive Protection | Uber Did It To Taxis, AirBnB Did It To Hotels, Could External Cloud DMZ Models do it to IT and InfoSec? The perimeter is open: Swiss cheese firewalls, compromised endpoints, vulnerable URLs, malware and ransomware... Things that make pentesting reasonably easy.... What if this all goes away in a new design model that truly limits movement based on simple principles: requiring two-factor authentication from everyone, only whitelisted application connections, and enabling "Drop All Other Inbound and Outbound Traffic" firewall rules? Sound like a Pentester's nightmare? Welcome to your future. | Carl Alexander | @DrHaxs | Carl is an eternal security soldier from another world who loves breaking stuff, watching systems burn to the ground, sampling aged Kentucky creek water, and laughing in the face of pain and stress. Teaching security is painful; we need to keep it simple, helping others to rise from the ashes more knowledgeable and secure. 10000 binary years in the security industry, reluctant CCSP/GSTRT.
4:30 - 4:55 | Friday | Stable | 10 | Maintaining post-exploitation opsec in a world with EDR | How a modern pentesting or red team can remain stealthy during post-exploitation activities. Will go in depth on various code execution and lateral movement techniques and indicate ways to improve upon these methods. | Michael Roberts, Martin Roberts | @TheWindowsTwin, @MartinR407 | Michael Roberts is currently a student at the University of Central Florida. He has competed in many offensive and defensive competitions including CCDC nationals, and interned at X-Force Red (IBM) in the summer of 2018. His focus is on Windows security and post-exploitation. Martin Roberts is currently a student at the University of Central Florida. He has competed in many offensive and defensive competitions including CCDC nationals, and interned at X-Force Red (IBM) in the summer of 2018. His focus is on Linux security and Linux pentesting.
5:00 - 5:25 | Friday | Stable | 11 | Hey! I found a vulnerability – now what? | You found a vulnerability in a product and decide to responsibly disclose the issue. Thank you! This should be an easy task to do - right? But what are the steps? This talk will cover what to consider in submitting a vulnerability report and how to submit a good vulnerability report. We will discuss why you should submit a report and will cover the pros and cons of supplying a disclosure date and what Coordinated Vulnerability Disclosure really means. You will also get a behind-the-scenes insight into what really goes on after the issue is disclosed. We will also touch on scenarios such as what if the issue affects more than one company, and who can help if you don’t feel like reporting the issue directly to a company. The talk will also cover some tips and choices you have for after the issue is disclosed/addressed. The ups and downs of your end goal – are you there to help protect yourself and other consumers, protect the company, or go for fame – or can you do it all? | Lisa Bradley, CRob | | Lisa Bradley - Dr. Lisa Bradley is currently the Senior Program Manager for NVIDIA’s Product Security Incident Response Team (PSIRT). Her responsibilities include the management and resolution of product security vulnerabilities involving all NVIDIA products. She has 5 years of experience leading PSIRT programs; she previously worked at IBM for 17 years. Lisa has served as a spokeswoman for many tech-related events including the 2016-2018 FIRST PSIRT Technical Colloquium, the 2017 FIRST Annual Conference and the Security Journey White Belt modules. Lisa received her BA degree in both Mathematics and Computer Science from SUNY Geneseo. She also has a Masters and PhD in Applied Mathematics from NC State University. Outside of her role with NVIDIA, Lisa has been an adjunct professor at local universities for the past 12 years. Lisa enjoys spending time with her three kids, James (10), Jesse (7) and Anna (5). CRob Bio - Christopher Robinson (aka CRob) is the Manager of the Red Hat Product Security Assurance Team. With 20 years of enterprise-class engineering, operational and leadership experience, Chris has worked at several Fortune 500 companies with experience in the Financial, Medical, Legal, and Manufacturing verticals. He is a contributor to the FIRST PSIRT Services Framework and other industry groups. CRob has been a featured speaker at Gartner’s Identity and Access Management Summit, RSA, Derbycon, the (ISC)2 World Congress, and was named a "Top Presenter" for the 2017 Red Hat Summit. CRob is the former President of the Cleveland (ISC)2 Chapter, and is also a children's Cybersecurity Educator with the (ISC)2 Safe-and-Secure program.
5:30 - 5:55 | Friday | Stable | 12 | Foxtrot C2: A Journey of Payload Delivery | Execution of an offensive payload may begin with safe delivery of the payload to the endpoint itself. When secure connections in the enterprise are inspected, reliance only on transmission-level security may not be enough to accomplish that goal. Foxtrot C2 serves one goal: safe last-mile delivery of payloads and commands between the external network and the internal point of presence, traversing intercepting proxies, with end-to-end application-level encryption. While the idea of end-to-end application encryption is certainly not new, the exact mechanism of Foxtrot's delivery implementation has advantages for Red Teams as it relies on a well-known third-party site, enjoying elevated ranking and above-average domain fronting features. Payload delivery involves several OpSec defenses: sensible protection from direct attribution, and active link expiration to evade consistent interception, inspection, tracking and replay activities by the defenders. Asymmetric communication channels will also be used. And if your standalone Foxtrot agent is caught, the delivery mechanism may live on: you could still manually bring the agent back into the environment via the browser. A concept tool built on these ideas will be presented and released. It will be used as the basis for our discussion. | Dimitry Snezhkov | | Dimitry Snezhkov, X-Force Red @IBM Corporation. Focused on offensive security testing, code hacking, and tool building.
12:00 - 12:50 | Friday | Track 1 | 1 | IRS, HR, Microsoft and your Grandma: What they all have in common | Vishing is quickly becoming one of the most dangerous vectors in the world of social engineering. With thousands of hours of vishing recorded, dozens of pretexts used and thousands of compromises under our belt, Chris will analyze some giant data sets to examine what these threats look like, and how to prepare for the future of vishing. He will delve deep into what we can learn from one of the largest recorded data sets of vishing calls in the world and what that means for the future of social engineering. | Christopher Hadnagy, Cat Murdock | @humanhacker @SocEngineerInc @catmurd0ck | Christopher Hadnagy is the founder and CEO of Social-Engineer, LLC. Chris possesses over 16 years’ experience as a practitioner and researcher in the security field. His efforts in training, education, and awareness have helped to expose social engineering as the top threat to the security of organizations today. Chris established the world’s first social engineering penetration testing framework at, providing an invaluable repository of information for security professionals and enthusiasts. That site grew into a dynamic web resource including a podcast and newsletter, which have become staples in the security industry and are referenced by large organizations around the world. Chris also created the first hands-on social engineering training course and certification, Advanced Practical Social Engineering, attended by law enforcement, military, and private sector professionals. Chris is also the best-selling author of three books: Social Engineering: The Art of Human Hacking, Unmasking the Social Engineer: The Human Element of Security and Phishing Dark Waters: The Offensive and Defensive Sides of Malicious Emails. Chris specializes in understanding how malicious attackers exploit human communication and trust to obtain access to information and resources through manipulation and deceit. His goal is to secure companies by educating them on the methods used by attackers, identifying vulnerabilities, and mitigating issues through appropriate levels of awareness and security.
12:00 - 12:50 | Friday | Track 2 | 1 | I Can Be Apple, and So Can You | Cryptographic verification of executables is a core security feature that many third-party developers and security personnel have learned to trust. During this talk, the speaker will cover the most recent Apple code signing bug that was found to affect everyone that uses Apple’s documented APIs for conducting code signing checks of signed applications. This will include the methodology for finding the issue, the reporting process, working with vendors, and a path forward for organizations that use Apple code signing as a measure of trust. | Josh Pitts | | Josh Pitts is a Staff Engineer at Okta with over 15 years’ experience conducting physical and IT security assessments, IT security operations support, penetration testing, malware analysis, reverse engineering and forensics. He also served in the Marines working in SIGINT during the last part of the 20th century. He likes to write low-level code and flip bits for fun. Sometimes this leads to the discovery of funny bugs and to Russians patching stuff over the Internet and code signing issues.
12:00 - 12:50 | Friday | Track 3 | 1 | Invoke-EmpireHound - Merging BloodHound & Empire for Enhanced Red Team Workflow | Empire & BloodHound are two great Post-Exploitation Tools. Since I am a PowerShell fanboy, I decided to glue them together, just to see what could happen... and so I created 3 modules: EmpireStrike - to control Empire Server(s). CypherDog - to interact with the BloodHound Database. EmpireDog - to automate CypherDog/EmpireStrike interactions. In this presentation I will demonstrate how to add the Empire infrastructure to the BloodHound Graph and control both BloodHound & multiple Empire servers from a single PowerShell prompt, with changes to Empire automatically reflected in the BloodHound Database and Graph. | Walter Legowski | | French guy living in the Netherlands. PowerShell Automation Engineer by day, n00bing around InfoSec by night. Likes Lego bricks, Tools-Tools-Tools, and PowerShell. Likes to build things to challenge himself and learn new stuff. Spoke at BSides Amsterdam, PSConfAsia & PSConfEurope. Won the photoshop face-swap contest last year and thus needed to find another way to come to Derby this year. Really would love to get Iced... so made a really cool tool.
12:00 - 12:50 | Friday | Track 4 | 1 | The History of the Future of Cyber-Education | When I think about what cybersecurity education in the future should look like, it almost immediately falls into place like a game of Asteroids: and another triad was born. I believe in threes. For all the reasons. The premise is that cybersecurity is often laser focused on an insanely complex specific subset of a set of threats and/or vulnerabilities; perhaps an IoT MQTT-SN protocol weakness. Where, though, do we teach in greater overarching strategic generalities? The following notional triad for the future of cybersecurity education is, I believe, synergistic – self-reinforcing – and would complement more traditional approaches, yet arrive at different, more efficacious results. They all tie together. Engineering. History. Humans… It’s a triad. | Winn Schwartau | | Can Send PDF if you need....
1:00 - 1:50 | Friday | Track 1 | 2 | #LOLBins - Nothing to LOL about! | You have probably heard the term LOLBin, LOLScript or LOLLib by now. Want to get more insights on that? Then this is the talk you want to attend. This talk will cover the Living Off The Land Binaries and Scripts (LOLBAS) project: what the project is, how it came about and how you can help this evolve into the future. The talk will also go over some of my favorite LOLBins that have come to light due to this project (at least that's what I like to think) and show you some cool stuff! I mean, everybody loves to see binaries misbehave. | Oddvar Moe | | Oddvar is a Cloud and Datacenter Management MVP, security researcher, blogger, trainer, penetration tester and speaker, and he works at Advania Norway as a Chief Technical Architect. He has more than 17 years of experience in the IT industry. He is passionate about Windows Security and he loves to share his knowledge with everyone. Oddvar has delivered top-notch sessions in the past at conferences such as IT Dev Connections, HackCon, Nordic Infrastructure Conference and Paranoia. Oddvar loves to work with both offensive and defensive security.
1:00 - 1:50 | Friday | Track 2 | 2 | From Workstation to Domain Admin: Why Secure Administration Isn't Secure and How to Fix It | Organizations have been forced to adapt to the new reality: Anyone can be targeted and many can be compromised. This has been the catalyst for many to tighten up operations and revamp ancient security practices. They bought boxes that blink and software that floods the SOC with alerts. Is it enough? The overwhelming answer is: No. The security controls that matter most are the ones that best protect those with the keys to the enterprise, the Active Directory administrators. With this access, an attacker can do anything they want in the environment: access all sensitive data, change access controls and security settings, embed to persist (for years), and often fully manage and control routers, switches, the virtualization platform (VMware or Microsoft Hyper-V), and increasingly, the cloud platform. Administrators are being dragged into a new paradigm where they have to more securely administer the environment. This involves protecting privileged credentials and limiting access. Again the question is: Are the new ways to securely administer Active Directory enough to protect against attackers? Join me in this session to find out. Some of the areas explored in this talk: * Explore how common methods of administration fail. * Demonstrate how attackers can exploit flaws in typical Active Directory administration. * Highlight common mistakes organizations make when administering Active Directory. * Discuss what's required to protect admins from modern attacks. * Provide the best methods to ensure secure administration and how to get executive, operations, and security team acceptance. | Sean Metcalf | @PyroTek3 | Sean Metcalf is founder and principal consultant at Trimarc ( a professional services company which focuses on improving enterprise security. He is one of about 100 people in the world who holds the Microsoft Certified Master Directory Services (MCM) certification, is a former Microsoft MVP, and has presented on Active Directory attack and defense at Black Hat, BSides, DEF CON, DerbyCon, Microsoft BlueHat, Shakacon and Walmart Sp4rkCon security conferences. He currently provides security consulting services to customers and regularly posts interesting Active Directory security information on his blog,
1:00 - 1:50 | Friday | Track 3 | 2 | When Macs Come Under ATT&CK | Macs are becoming commonplace in corporate environments as an alternative to Windows systems. Developers, security teams, and executives alike favor the ease of use and full administrative control Macs provide. However, their systems are often joined to an Active Directory domain and ripe for attackers to leverage for initial access and lateral movement. Mac malware is evolving as Mac computers continue to grow in popularity. As a result, there is a need for proactive detection of attacks targeting MacOS systems in an enterprise environment. Despite advancements in MacOS security tooling for a single user/endpoint, little is known and discussed regarding detection at an enterprise level. This talk will discuss common tactics, techniques and procedures used by attackers on MacOS systems, as well as methods to detect adversary activity. We will take a look at known malware, mapping the techniques utilized to the MITRE ATT&CK framework. Attendees will leave equipped to begin hunting for evil lurking within their MacOS fleet. | Richie Cyrus | @rrcyrus | Richie Cyrus is a Senior Threat Hunter at SpecterOps where he specializes in detection of advanced adversaries with a focus on MacOS and Linux environments. Richie has a background in incident response, forensics and security operations spanning Fortune 500 companies and the public sector, including Apple Inc. and CME Group Inc. He currently maintains a DFIR-focused blog at
1:00 - 1:50 | Friday | Track 4 | 2 | State of Win32k Security: Revisiting Insecure design | Win32k.sys, the driver managing the user and graphics subsystems, is infamous for being the prime target used by hackers for modern exploitation and browser/sandbox escapes on Windows. With its legacy spanning as far back as NT 4 (released in 1996), there are significant challenges with its security attestation. This talk, while touching a bit on Win32k history and its various design shifts at the expense of security, will mostly focus on how long-standing insecure designs were revisited and remediated. In hindsight, the talk will give a deeper analysis of various mitigations added in the latest Windows release (RS4), resulting in exploits getting more expensive, unreliable and in some cases impossible. | Vishal Chauhan | @axsdnied | Vishal Chauhan is a Security Engineering Lead in the Microsoft Security Response Center (MSRC) team. His background includes deep kernel security expertise, and he has driven and developed multiple security mitigation approaches in Windows kernel space, including but not limited to Win32k security.
2:00 - 2:50 | Friday | Track 1 | 3 | Everything Else I Learned About Security I Learned From Hip-Hop | Come along on a fantastic voyage and learn Hip Hop and how it relates to information security! When I was growing up there were two things that intrigued me, computers and rap music. Using examples from my favorite genre of music, we’ll explore some interesting facets of rap music, and discuss the lessons and parallels to security today. There will be no half steppin’. It will be dope as it allows us to dig into topics such as: Is security a fad? How do we differentiate a fad from something here to stay? Encouraging youth to become security engineers, a call-to-action for the community. Deviating from established norms and setting trends: few truly change the industry, and who will change the security industry in the near future? Remembering those who have passed on and learning from their work. How true experts practice their craft (and how to best utilize their skills and share the knowledge). Few things are truly original (and it’s okay, in most cases). Not all legends reach the same pinnacle of success: what separates the best from the rest? How experts make career pivots, and actually pull it off. New isn’t always better. We all have beefs (and better ways to resolve them. And no, we’re not going to dig into social media beefs). You can expect to learn a little about rap music, and the history of the rap genre, in this talk. We’ll focus on the security side by exploring industry trends and fads, tips on how to manage your career, and how to continue positive trends in the security community. Don’t be whack, attend this talk! This is a sequel to “Everything I Learned About Security I Learned From Kung Fu Movies”, and expectations should be set as such. I will share my favorite lists of rap artists, albums and tracks, and even a few Spotify playlists. | Paul Asadoorian | | Paul Asadoorian is the founder and CEO of Security Weekly, a security podcast network providing free security information to the community and security market validation to a wide array of security companies. Paul is the primary host of several shows, including Paul’s Security Weekly and Enterprise Security Weekly, providing the security community with valuable knowledge. Paul is also a founding member of Active Countermeasures, a startup dedicated to providing reliable sources of actionable intelligence. Previously Paul has held positions at Tenable Network Security, penetration testing firms, universities and other industries. Paul is an IANS faculty member and has presented at various security conferences including RSA, Derbycon, Brucon, SOURCE Conference and more. Paul loves Kung Fu movies, hacking, listening to old school rap and is currently training hard for being iced at Derbycon.
2:00 - 2:50 | Friday | Track 2 | 3 | MS17-010? | MS17-010 is the most important patch in operating system history. The ultimate high-profile and damaging attacks, such as WannaCry, NotPetya, and Olympic Destroyer, have taken advantage of the vulnerabilities patched in MS17-010. Created by Equation Group, and leaked by Shadow Brokers, the ETERNAL family of exploits provides the most reliable and creative ways for remote code execution on Windows ever performed. Unnoticed for 20+ years, the mechanisms behind these exploits have only been scratched at the surface by researchers, and remain an enigma for most. Take years of research into Windows internals and the SMB protocol and cram it into 45 minutes. You simply can't. But this talk will try. Descriptions of full reverse engineering of internal structures and all historical background info needed to understand how the exploit chains for ETERNALBLUE, ETERNALCHAMPION, ETERNALROMANCE, and ETERNALSYNERGY work will be provided. Get detailed information about the historical and technical context for these vulnerabilities that will haunt us still for years to come. | zerosum0x0 | | zerosum0x0 is the author of all MS17-010 ETERNAL Metasploit exploit modules and was the first to reverse engineer the DOUBLEPULSAR backdoor. He has taught workshops on Windows internals at DEF CON and to US government agencies.
2:00 - 2:50FridayTrack 33Abusing IoT Medical Devices For Your Precious Health Records
This talk discusses the risks of connected healthcare devices. It looks at the benefits of adopting IoT for medical devices, current exposure, common communication channels in use as well as interconnectivity approaches used with other critical components. Based off output from security assessments performed against medical devices widely deployed at various hospitals and medical institutions, we will present an in-depth analysis of the target medical device and elaborate on how we were able to compromise them to gain access to plethora of medical records from all the medical institutions they were deployed at and not just the one where our target devices were hosted.We will introduce the threat surface exposed by various medical devices and present some of the real-world attacks against some popular devices & their impact on humans as well as the overall ecosystem they are connected to. Some devices rely on proprietary hardware on licensed bands, which reduces the risk of interference from consumer connected devices, but doesn’t provide security as implied in marketing materials. Others rely on standard WiFi security measures for confidentiality and are prone to MitM attacks. Healthcare devices that implement IrDA could yield interesting results when interfaced with cheap $10 hardware.There are many consumer items that fall under the umbrella of IoT and while it may be hard to understand the impact of hacking a toaster, we can all agree that manipulation of a medical device could lead to rather serious consequences. Apart from putting a patient's life at risk, an attacker could compromise a healthcare device to steal patient data. This presentation will primarily focus on the latter with real-world examples and a case study. We will demonstrate the compromise of a healthcare device to steal medical records, which typically include PII, health insurance data, medical history, SSNs, prescriptions etc.
Saurabh Harit, Nick Delewski
Saurabh Harit - @0xsauby, Nick Delewski - @r4ndom_handle
Saurabh works at Spirent SecurityLabs as a Managing Security Consultant where he is primarily responsible for delivering penetration testing services to Spirent clients across the globe. During his industry experience of over 15 years, Saurabh has worked across diversified industry verticals such as Banking, Aerospace, building solutions, Process & Control Systems and has developed expertise in various aspects of Information security. Saurabh specializes in web application & network security, with a secret crush on binary reverse engineering. He has contributed towards proof-of-concept exploits and white papers in the infosec domain as well as delivered security trainings to various Fortune 500 clients globally and at reputed security conferences such as CanSecWest and Black Hat. Saurabh has presented his research at several security conferences including Derbycon, Toorcon, BSidesTO, Hack3rcon, Blackhat US & Europe Tools Arsenal, Blackhat Europe and is author of the open-source tool Yasuo ( Nick is an offensive-security focused professional with 11+ years of technology experience who leads project teams and functional teams in the assessment of complex systems and business processes. He has performed technical penetration tests and social engineering campaigns in a diverse set of industry verticals, organizational sizes, and regulatory environments. His practice is informed by years of exposure to information technology infrastructure and years of close collaboration with application development teams. As a Certified Information Systems Security Professional (CISSP) and GIAC Exploit Researcher and Advanced Penetration Tester (GXPN), Nick strives to advance the Information Security field by applying the latest in research and techniques to every project that he executes.
2:00 - 2:50 | Friday | Track 4 | 3 | Offensive Browser Extension Development
For the past few years, malware authors have abused the extension development functionality of Chrome and Firefox. More often than not, these extensions are abused for standard crimeware activities, such as ad click fraud, cryptocurrency mining, or stealing banking credentials. But this is only scratching the surface of what is possible if the appropriate browser APIs are abused. Extensions can act as a foothold into a target's internal network, provided a single user can be convinced to click two buttons. As a post-exploitation mechanism, extensions can be side-loaded with the ability to read and write files to disk. These actions will all be performed from the browser process(es) and likely go undetected by conventional endpoint protection solutions. This talk will discuss the creation, deployment, and usage of malicious browser extensions so that other red teamers can add this attack vector to their toolkit.
Michael Weber
Michael Weber is a senior security consultant with NCC Group. Michael loves making .NET do things that no sane human would ever expect it to perform, running amok on red team engagements, and taking apart antivirus products. Prior to NCC Group, Michael worked as a malware reverse engineer where he learned that 4 byte XOR is the ultimate way to circumvent all signatures.
3:00 - 3:50 | Friday | Track 1 | 4 | Hackers, Hugs, & Drugs: Mental Health in Infosec
The information security community is difficult to compare to any other. We are composed of intelligent, driven, passionate, opinionated individuals. When you combine the pressure and stress we put on ourselves in the form of research, learning, teaching, and creating it starts to build up. Not only do we put pressure on ourselves, but we also take it on from our bosses, co-workers, and family in many different forms. The majority of roles we fill cater to our drive and willingness to be behind a keyboard for hours on end. The end result is that many of us are broken. Broken in different ways, at different times, and for different reasons. We need to bring to light a topic that shouldn't be as faux pas as it is. I'll share my personal struggles, stories of friends and family, and hopefully help us come closer together as a community to help you or people around you.
Amanda Berlin | @infosystir
Amanda co-authored the best practices book called "Defensive Security Handbook: Best Practices for Securing Infrastructure” with Lee Brotherston through O'Reilly Media. She is a co-host on the Brakeing Down Security podcast and writes for several blogs. She has spent over a decade in different areas of technology and sectors providing infrastructure support, triage, and design. Amanda has been involved in implementing a secure Payment Card Industries (PCI) process and Health Insurance Portability and Accountability Act (HIPAA) compliance as well as building a comprehensive phishing and awards-based user education program. Amanda is an avid volunteer and has also presented at a large number of conventions, meetings and industry events. Some examples of these are: DerbyCon, O’Reilly Security, GrrCon, and DEFCON. While she doesn't have the credentials or notoriety that others might have, she hopes to make up for it with her wit, sense of humor, and knack for catching on quick to new technologies.
3:00 - 3:50 | Friday | Track 2 | 4 | The Unintended Risks of Trusting Active Directory
Your crown jewels are locked in a database, the system is patched, utilizes modern endpoint security software, and permissions are carefully controlled and locked down. Once this system is joined to Active Directory, however, does that static trust model remain the same? Or has the number of attack paths to your data increased by an order of magnitude? We’ve spent the last year exploring the access control model of Active Directory and recently broadened our focus to include security descriptor misconfigurations/backdoor opportunities at the host level. We soon realized that the post-exploitation “attack surface” of Windows hosts spans well beyond what we originally realized, and that host misconfigurations can sometimes have a profound effect on the security of every other host in the forest. This talk will explore a number of lesser-known Active Directory and host-based permission settings that can be abused in concert for remote access, privilege escalation, or persistence. We will show how targeted host modifications (or existing misconfigurations) can facilitate complex Active Directory attack chains with far-reaching effects on other systems and services in the forest, and can allow new AD attack paths to be built without modifying Active Directory itself.
Lee Christensen, Will Schroeder, Matt Nelson
Will Schroeder - @harmj0y, Matt Nelson - @enigma0x3, Lee Christensen - @tifkin_
Will Schroeder (@harmj0y) is an offensive engineer and red teamer at SpecterOps. He is a co-founder of Empire/Empyre, BloodHound, and the Veil-Framework, developed PowerView and PowerUp, is an active developer on the PowerSploit project, and is a Microsoft PowerShell MVP. He has presented at a number of conferences, including DEF CON, Black Hat, DerbyCon, Troopers, BlueHat Israel, and various Security BSides. Matt Nelson is an active red teamer and security researcher. He brings a passion for researching and pushing new offensive and defensive techniques into the security industry. He is the primary developer on the PowerSCCM toolkit, a co-developer on the Empire framework, and contributes to many other open source security projects. Matt has spoken at numerous security conferences, and has been recognized by Microsoft for his discovery of new offensive techniques and bypasses. He maintains his blog at Lee Christensen is a senior operator, threat hunter, and capability engineer for SpecterOps. He has performed red team and hunt engagements against Fortune 500 companies for several years, and has trained at events throughout the world. Lee enjoys researching and building tools to support offensive engagements and detection capabilities. He has contributed to several offensive/defensive tools and is the author of UnmanagedPowerShell (incorporated into the Metasploit, Empire, and Cobalt Strike toolsets) and KeeThief.
3:00 - 3:50 | Friday | Track 3 | 4 | Detecting WMI exploitation
Windows Management Instrumentation (WMI) is loved by the Red Team, Pentesters, and the criminals. There are a few exploitation tools available such as WMImplant, WMILM, and Metasploit. Utilizing WMI in attacks is popular since it does not log much, is very good for remote attacks, and includes a database to hide persistence and payloads. WMI has also been used in what is referred to as fileless malware, and can even include PowerShell. WMI attacks CAN be detected, and everyone should understand how to search for, detect, and all the Fu that goes along with WMI attacks. The reason? By default, Windows does not log much to detect WMI exploitation, so there is some work to do that you need to know about. This talk will show a few examples of WMI exploitation, what can be detected and why, what you need to configure to catch attacks, and what additional things you will need to hunt for WMI pwnage across your environment. Also discussed will be some examples of log management queries and tools you might use to capture malicious WMI activity.
Michael Gough
Michael is a Malware Archaeologist, Blue Team defender, Incident Responder and logoholic. Michael developed several Windows logging cheat sheets to help the security industry understand Windows logging, where to start and what to look for. Michael is co-developer of LOG-MD, a free tool that audits the settings, harvests and reports on malicious Windows log data and malicious system artifacts. Michael also blogs on on various InfoSec topics. Michael also is co-host of the “Brakeing Down Incident Response” BDIR Podcast to educate on Incident Response daily tasks. Michael also ran BSides Texas for five years for the Austin, San Antonio, Dallas and Houston cons.
3:00 - 3:50 | Friday | Track 4 | 4 | Protect Your Payloads: Modern Keying Techniques
Our payloads are at risk! Incident responders, threat hunters, and automated software solutions are eager to pick apart your new custom dropper and send you back to square one. One answer to this problem is encrypting your payload with key derivation functions ("keying") which leverages a variety of local and remote resources to build the decryption key. Throughout this talk I will present modern keying techniques and demo some tools to help along the way. I will start with showing how easy it is to discover attacker infrastructure or techniques in the payloads we commonly use every day. I will then quickly review how keying helps and the considerations when generating keyed payloads. Throughout the presentation many practical examples of keying techniques will be provided which can be used for typical pentests or full red team operations. Finally I will introduce KeyServer, a new piece to add to your red team infrastructure which handles advanced HTTP and DNS keying. Using unprotected payloads during ops should be a thing of the past. Let’s regain control of our malicious code and make it harder on defenders! This talk is based on the original research of environmental keying by Josh Pitts and Travis Morrow.
Leo Loobeek
Leo Loobeek is a senior consultant with Protiviti performing offensive security operations ranging from textbook whitebox pentests to stealth and red team exercises. With plenty of areas within offensive security, Leo finds his niche in command-and-control, novel execution techniques, and safeguarding precious new droppers with keying techniques. Leo knows enough to know he doesn’t know anything.
4:00 - 4:50 | Friday | Track 1 | 5 | Android App Penetration Testing 101
Join us for a fun journey through the steps we use as penetration testers to find vulnerabilities in Android applications. The talk will introduce the audience to testing environment creation, and demonstrate how to shorten the learning curve in order to obtain meaningful results when performing mobile application security assessments. As part of the talk, we will provide a free mobile application that will contain vulnerabilities from the OWASP Mobile Top 10 that can be used to practice vulnerability discovery.
Joff Thyer, Derek Banks
@joff_thyer, @0xderuke
Derek has over 20 years of experience in the IT industry as a systems administrator for multiple operating system platforms, and monitoring and defending those systems from potential intruders. He has worked in the aerospace, defense, banking, manufacturing, and software development industries. Derek has experience with creating custom host and network based monitoring solutions. Joff has 22+ years of experience in the IT industry in roles such as enterprise network architect and network security defender. He has experience with intrusion detection and prevention systems, penetration testing, engineering network infrastructure defense, and software development. Joff co-hosts the Security Weekly podcast, and teaches SANS SEC573 - Automating Information Security with Python.
4:00 - 4:50 | Friday | Track 2 | 5 | Lessons Learned by the WordPress Security Team
Managing security for the WordPress project is a challenge to say the least. The sheer volume of reports, the resulting noise, securing an aging codebase, handling disclosure – all difficult to handle, but just the tip of the iceberg. How do you motivate and organize a volunteer team? How do you keep sites and users secure with so much third-party code? How do you educate users? When is it okay to break things to fix security issues and how do you manage reputation when you do? Should you backport? How far? They may not have it all figured out, but over the years they’ve learned a lot – often the hard way. Aaron has led the WordPress Security Team since the end of 2016 and been a part of it for over five years. He’ll share what he’s learned along the way, how things have improved, what changes didn’t help (even when they were sure they would), and what things they still struggle with. He’ll also share an overview of the tools they use and processes they follow, in hopes that no one else has to learn the hard way.
Aaron D. Campbell
Aaron is the WordPress Security Team lead, has been a regular contributor to WordPress for more than a decade, and is currently funded by GoDaddy to work full time on the WordPress open source project. He has over eighteen years of web development experience and worked with clients ranging from small local businesses to Google, Yahoo, Disney, and Harvard. He’s been called both a coffee snob and a beer snob, but considers both to be compliments. When not buried in code, he enjoys spending time with his wife and son, riding his motorcycle, and reading sci-fi/fantasy books.
4:00 - 4:50 | Friday | Track 3 | 5 | Gryffindor | Pure JavaScript, Covert Exploitation
Network defenses are evolving at an unprecedented rate. Our open source toolkit has become ever more difficult to use while pentesting or red teaming on the top tier of networks. Moving into the next generation of offensive operations, we will need to begin testing with tools that closely mirror legitimate application and network behavior. Gryffindor is a pure JavaScript post-exploitation agent that splits the standard model for command and control. It weaponizes the target's web browser to perform all network communication and leverages the Windows Scripting Host (WSH) for the purposes of system execution. In this talk we will walk through the model for idealized remote access, including the use of social media sites as a platform for covert communication. By leveraging inherent JavaScript capabilities, security professionals can acquire interactive sessions within a browser, harvest sensitive information against arbitrary origins, and pivot into internal networks. Between the browser and the host, there is ripe potential for catastrophic damage.
Matthew Toussain | @0sm0s1z
Matthew Toussain is a penetration tester with Black Hills Information Security and an instructor for the SANS Institute. Matthew regularly hunts for vulnerabilities in computer systems and releases tools to demonstrate the effectiveness of attacks and countermeasures. He has been a guest speaker at many conference venues, including DEFCON. Matthew is an author of SEC460: Enterprise Threat and Vulnerability Assessment. After graduating from the U.S. Air Force Academy, where he architected and instructed the summer cyber course that now trains over 400 cadets per year, Matthew served as the Senior Cyber Tactics Development Lead for the U.S. Air Force. He directed the teams responsible for developing innovative tactics, techniques, and procedures for offensive operations as well as for cyber protection teams (CPT). Later, as a member of the 688th Cyber Warfare Wing he managed the Air Force's transition of all 18 CPTs to fully operational capability. He earned his master's degree in information security engineering as one of the first graduates of the SANS Technology Institute and supports many national and international cyber competitions including the CCDC, Netwars, and the National Security Agency's Cyber Defense Exercise as a red team member and instructor.
4:00 - 4:50 | Friday | Track 4 | 5 | Jump Into IOT Hacking with the Damn Vulnerable Habit Helper Device
In this talk, husband and wife team Phoenix and Nancy Snoke introduce the Damn Vulnerable Habit Helper (DVHH) IOT device. DVHH contains a hardware device, mobile application, web application and associated API calls / network communication. DVHH was built to make getting started in IOT hacking more accessible to everyone. This talk will introduce the DVHH. We discuss why we created DVHH, how it is architected, and how to get started using it. As hardware hacking seems to be the sticking point for many on hacking IOT, this talk will include Phoenix talking an audience member (chosen at random) through a live hardware hacking demonstration on the DVHH device. A parts list and instructions / schematic will be given for the hardware inclined who wish to build their own device. All necessary parts can be bought for under 30 dollars. Several prebuilt hardware devices will be available for demo purposes.
Nancy Snoke, Phoenix Snoke
Nancy and Phoenix Snoke have given joint talks at NOLACON, BSides and SkyDogCon. Phoenix would like to remain a mystery, and Nancy specializes in web and mobile application security. Her work experience includes senior software engineer responsible for web application security at PGAC, and penetration tester for Cisco Systems. Nancy has previously spoken (solo) at Derbycon and NOLACON. She got her undergraduate degree in Computer Engineering in New Orleans at Tulane University, and her Masters in Computer Science at University of Illinois Urbana-Champaign.
5:00 - 5:50 | Friday | Track 1 | 6 | Draw a Bigger Circle: InfoSec Evolves
InfoSec has never been more needed, or more in demand. Against a geopolitical backdrop of escalating tensions and drama, there are new attack methods and IoT nightmares as we drown in data. How do we, as a community, evolve to find the people we need to grow into the future? This talk explores our extraordinary strengths as a community, and how InfoSec needs to grow forward to address the challenges ahead. We'll explore some existing mindsets and open the door to unconventional backgrounds. Where does our communal knowledge benefit by drawing from more sources to enhance our big picture? What can we gain from where we aren’t looking? We'll look at how we see ourselves within this community. Imposter syndrome and elitism are two sides of the same coin. What are the definitive benefits we derive as members of this collective? How do we find out who is part of our community? While our ability to close ranks against intruders is a strength, is it holding us back by holding us in? Infosec is more than a career. It’s a community we call home, an extraordinary incubator of skill and talent that needs our help to keep growing. But to bring in the people we need, we have to think outside the box and draw a bigger circle.
Cheryl Biswas
Cheryl Biswas, aka @3ncr1pt3d, is a Strategic Threat Intel Analyst with TD Bank in Toronto, Canada. Previously, she was a Cyber Security Consultant with KPMG and worked on security audits and assessment, privacy, breaches, and DRP. Her experience includes project management, vendor management and change management. Cheryl holds an ITIL certification and a degree in Political Science. Her areas of interest include APTs, mainframes, ransomware, ICS SCADA, and building threat intel. She actively shares her passion for security online, as a speaker and a volunteer at conferences, and by encouraging women and diversity in Infosec as a founder and member of the "The Diana Initiative".
5:00 - 5:50 | Friday | Track 2 | 6 | IronPython... omfg
Over the course of the last few years, PowerShell has been the number one way of conducting essentially any type of offensive operation on Active Directory networks and Windows endpoints. It allows offensive personnel to execute implants completely in memory, stealthily conduct situational awareness, and dynamically leverage the underlying power of .NET. Due to recent protections put in place by Microsoft, PowerShell is becoming increasingly less viable to use offensively. These protections are "baked in" to the latest versions of the Windows operating systems and allow AV/EDR/Logging solutions to gain an overwhelming amount of insight into PowerShell execution, and even, in some cases, completely shut down any type of malicious PowerShell tooling/tradecraft. It’s been a good run, and PowerShell has served us well. However, the future is upon us, and it's our job to adapt; we have to go deeper! With that in mind, what if I told you that everything PowerShell does can also be done with Python--without dropping anything to disk and bypassing every protection that Microsoft has put in place for PowerShell? Welcome to the wonderful world of IronPython, where rainbows and unicorns *still* gallivant as if it were 2009! In this talk, we will be looking at my approach to solving the tradecraft problem of gaining complete, unrestricted, and dynamic access to the .NET runtime without going through PowerShell in any way. I'm going to be walking through the entire process of how I discovered this possibility existed, starting from "not knowing what I'm doing" and going to a "somewhat understanding of what I'm doing". The talk will cover the progression from creating an initial weaponization PoC all the way up to building an Implant/C2 framework around it and all the success/failures/roadblocks I encountered along the way. Finally, at the end of the talk, I will be releasing the implant/C2 framework which I named SILENTTRINITY to the infosec community.
Marcello Salvati
Marcello Salvati (@byt3bl33d3r) is a security consultant at BlackHills Infosec by day and by night a tool developer who discovered a novel technique to turn tea, sushi and dank memes into somewhat functioning code. He's also really good at writing bios. I know, at this point you're probably asking yourself: " Wait, how good of a bio writer is this guy? I need a quantifiable metric in order to come to a conclusion! The suspense is killing me!". Well John Strand hired him so that he could continue to write them. Yeah... that's how good. Checkmate Atheists! *dab* *mic drop*
5:00 - 5:50 | Friday | Track 3 | 6 | Instant Response: Making IR faster than you thought possible!
This talk will leverage some of the latest PowerShell research that Mick and Josh have been doing. They will be releasing three different scripts to make your network hostile to the attackers and significantly easier to manage. Additionally, they'll leverage the earlier research from Mick's Derbycon talk last year to pause attackers in their tracks.
Mick Douglas, Josh Johnson | N/A
Mick Douglas has been doing information security work for over 10 years. He is the managing partner for InfoSec Innovations. He is always excited for the opportunity to share with others so they do not have to learn the hard way! By attending his talks, security professionals of all abilities will gain useful tools and skills that should make their jobs easier. Josh Johnson has been working in the Information Security industry for nearly 10 years in varying roles and with responsibilities ranging from penetration testing to incident response. He is passionate about using his knowledge of offensive security concepts and techniques to help organizations improve their defensive capabilities. He holds a Master of Science Degree in Information Security Engineering from the SANS Technology Institute, is a CISSP, and holds 8 GIAC certifications including the GSE. Josh's own experience with SANS training as a student drives him to share his passion and knowledge of information security with others.
9:00 - 9:25 | Saturday | Stable | 1 | Tales From the Bug Mine - Highlights from the Android VRP
Every month, Google releases the Android Security Bulletin, the latest collection of public vulnerabilities found in Android, along with the patches that must be accepted if a device is to be considered up-to-date. Join us for this fast-paced, light-hearted retrospective of some of the most subtle, complicated, or interesting bugs from the last year of the Bulletin. Many of these bugs were submitted through the Android Vulnerability Rewards Program, with cash rewards going to the researchers that discovered them.
Brian Claire Young | @memnus
Brian has been a software engineer and vulnerability analyst in the Android Security Development Lifecycle group at Google since 2016. They review bugs and features and determine which ones are which.
9:30 - 9:55 | Saturday | Stable | 2 | Decision Analysis Applications in Threat Analysis Frameworks
In the modern age, all organizations face threats from various types of cyber attacks. Although great strides have been made to consider human factors in cybersecurity and to become more proactive in threat analysis, security is still generally a reactive, technical field. This research seeks to develop a framework which adapts existing methods such as the cyber kill chain to look at attacks in a less linear, more human-centered framework that focuses on the capabilities and decisions of the threat actor. In addition, the framework approaches threat analysis from a binary assessment of success vs. failure in order to see the entire attack and consider the potential for a number of methods and attempts made in a single attack. A detailed methodology and sample charts are included for a reference and a starting point in developing one’s own personalized charts, and recommendations are made for ways to integrate this methodology into the risk management process.
Emily Shawgo
Emily has recently graduated from Carnegie Mellon University with a master's degree in Public Policy and Management with a concentration in Cybersecurity Management. She also has an undergraduate degree in Psychology and Political Science from Carlow University. Emily's interests lie in penetration testing, threat analysis, and applying the study of human behavior to the field of cybersecurity.
10:00 - 10:25 | Saturday | Stable | 3 | How Russian Cyber Propaganda Really Works
How does PSYOP really work? Did the Russians actually influence anyone? Could they do it again? This talk will use NATO counter propaganda methodologies to answer the burning questions about online propaganda, given by the former Chief Counter Propagandist for United States Forces - Iraq.
Jonathan Nichols
Jonathan Nichols is an independent Security Contractor. He has played a role in predicting, detecting, and mitigating some of the largest hacking campaigns in recent years. As part of Operation Iraqi Freedom and Operation Enduring Freedom, Jon spent 10 years deployed with or working in support of US Psychological Operations (PSYOP) and NATO Special Operations. Merging the capabilities of PSYOP and Cyber, Jon has years of experience in building cyber security teams which focus on the humans behind the keyboards and the underlying influences which motivate their actions. He can be seen discussing cyber security topics on CNN and Vice documentaries, and regularly contributes to many mainstream media articles on cyber security issues.
10:30 - 10:55 | Saturday | Stable | 4 | Make Me Your Dark Web Personal Shopper!
Ever wondered what it would be like to have a personal shopper on the black market? This is your chance. This talk outlines everything you need to know about the goods and services available on the dark web - from human skulls and Sephora points to identity data and payment cards. This talk will provide attendees with a comprehensive overview of the variety of physical and digital goods available on the dark web, along with a framework to evaluate the structure and size of dark web marketplaces. Attendees will come away with an understanding of the dark web supply chain, the role the dark web plays in demand for physical and digital goods, and the social structure of dark web marketplaces. This session will also cover the day-to-day realities of transacting on the dark web: sourcing, pricing, scamming, and the lengths buyers will go to shop safely - and anonymously - on these underground marketplaces. This talk is ideal for professionals interested in the trade of data and goods on the dark web, cyber-enabled fraud, or emerging trends in the trade of exploits and vulnerabilities amongst cyber criminals.
Emma Zaballos
Emma Zaballos is an Analyst at Terbium Labs, working on evaluating and contextualizing threats to customer data. She specializes in visualizing trends in the sale and trade of stolen payment cards, reading forum drama on the dark web, and studying the many ways companies fail to secure user data. Terbium Labs provides proactive data monitoring solutions - beginning with the assumption that your critical data is always at risk - and specializes in systems designed to detect your sensitive information wherever it may appear on the dark web.
12:00 - 12:25 | Saturday | Stable | 5 | Driving Away Social Anxiety
Social anxiety can be a common problem and one that can be detrimental in a field where it may be necessary to interact with people as part of our jobs. This talk looks at how I managed to help deal with my personal anxiety issues by being a ride-sharing driver for nearly a year, why I feel this method of social interaction and pseudo-therapy helped me, and what lessons I learned that I would apply if I were to repeat the process in the future.
Joey Maresca
One does not simply write a biography about l0stkn0wledge. He is a life-long hacker and twelve year information security professional who has his own twisted way to approach life's problems. From being a nervous know nothing at his first conference to a multi-time speaker who still knows mostly nothing, he has learned a lot and still has a lot more to discover.
12:30 - 12:55 | Saturday | Stable | 6 | Off-grid coms and power
You want ways to stay connected even when not on the grid. Join me in a rundown of what should be in your bug out bag for emergency communications and off-grid power. We will cover ham radio as well as other methods of communications. In addition we will discuss how you can make your own off-grid power solution from easily acquired scrap.
Justin Herman
Justin Herman, KD8ASA, is a lifetime learner, tinkerer, infosec nut, and self described "breaker of things". He is an organizer of BSidesCleveland, a board member of NEOISF - the Northeastern Ohio Information Security Forum.
1:00 - 1:25 | Saturday | Stable | 7 | CTFs: Leveling Up Through Competition
CTFs are fun and informative enough as they are, but if you approach them from a deliberate angle, you can use them to level up your career. This talk aims to break down the pedagogy behind competitive learning and how acquired knowledge can be applied in real life to chase an offensive security job.
Alex Flores | @4lex
Last year, during a 6 week hiatus while his bosses staged some Red Wedding shit with the company, he went heads down into OSCP, and CTFs for a year after that. He emerged having attained a long-held dream of belonging to the InfoSec community. Alex started out supporting tech as IT, building it as a SysAdmin, creating it as a Software Engineer, and now breaking it as a Red Teamer for WalMart.
1:30 - 1:55 | Saturday | Stable | 8 | Mapping wifi networks and triggering on interesting traffic patterns
Sure, WiFi hacking has been around for a while, and everyone knows about tools like airmon-ng, kismet, et al. But what if you just want to view a list of all networks in your area AND see all devices connected to each network? Or maybe you want to know who's hogging all the bandwidth (and maybe deauth them if they use too much)? Or, what if you want to know when a certain someone's cell phone is nearby. Or perhaps you'd like to know if your Airbnb host's IP Camera is uploading video to the cloud? For all these use-cases, I've developed a new tool called "trackerjacker". In this talk, we'll use this tool to explore some of the surprisingly-informative data floating around in the radio space, and you'll come away with a new skill point or two in your radio hacking skill tree, as well as a new magical weapon... I mean tool.
Caleb Madrigal
Caleb Madrigal is a programmer who enjoys hacking and mathing. He is currently working as an applied security researcher/senior software engineer at Mandiant/FireEye. Most of his recent work has been in Python, Jupyter, Javascript, and C. Caleb has been into security for a while... in high school, he wrote his own (bad) cryptography and steganography software. In college, he did a good bit of "informal pen testing". Recently, Caleb has been finding "evil" on the endpoint with Machine Learning (and other things) and hacking various wireless devices (including many IoT devices) with SDR, WiFi, packet crafting, etc.
2:00 - 2:25 | Saturday | Stable | 9 | Extending Burp to Find Struts and XXE Vulnerabilities
How do you test for Struts vulnerabilities in clients' web apps? Have you tried writing a Burp plug-in to help? Extending Burp is easier than you might think. We'll cover Burp Extension programming in Python, the power of Burp's Collaborator, and adapting Struts and XXE exploits to find vulnerabilities automatically. This will culminate in the discovery of a web app zero day.
Chris Elgee | @chriselgee
Chris is a full time husband, father of four, and pen tester; he's a part time Army officer, an aspiring SANS instructor, and the back-up church bass player. He is active in (ISC)2 and has brought online safety presentations to dozens of Maine schools. CISSP, OSCP, GPEN, GWAPT.
2:30 - 2:55 | Saturday | Stable | 10 | Introduction to x86 Assembly
Windows, Linux, and Mac all run x86 assembly, from your favorite software application down to their system kernels. Ever wondered what happens under the hood when programs execute? What does printf("Hello World!"); actually do? Whether you're focused on improving the efficiency of your applications, securing your applications against known exploitation techniques, reverse engineering software, or going on the offensive with exploit development, a firm grasp of assembly is essential. Come get an introduction to the world of x86 Assembly, and learn how to write, build, debug, and tear apart your first x86 assembly application.
Stephanie Domas has been doing x86 security research for a decade. She is Vice President of Research and Development at MedSec, where they perform a plethora of security services for medical devices. Christopher Domas "@xoreaxeaxeax" is a cyber security researcher, currently investigating low level processor exploitation. He is best known for releasing impractical solutions to non-existent problems, including the world's first single instruction C compiler (M/o/Vfuscator), toolchains for generating images in program control flow graphs (REpsych), and Turing-machines in the vi text editor. His more relevant work includes the binary visualization tool ..cantor.dust.. and the memory sinkhole x86 privilege escalation exploit.
3:00 - 3:25 | Saturday | Stable | 11 | Pacu: Attack and Post-Exploitation in AWS
Cloud infrastructure security and configuration has been shown to be a difficult task to master. Sysadmins and developers with years of traditional IT experience are now being pushed to the cloud, where there is a whole new set of rules. This is what makes AWS environments particularly exciting to attack as a penetration tester. Best practices are often overlooked or ignored, which can leave gaps throughout an AWS environment that are ripe for exploitation. With an increasing number of breaches leaking AWS secret keys, companies are working to be proactive and are looking for red-team-like post-exploitation penetration tests, so that they can be sure that their client data is as safe as possible post-breach. Due to this need and the lack of AWS-specific attack tools, I wrote Pacu, an open source Amazon Web Services post-exploitation attack tool created and used for Rhino Security Labs pentests. In this talk I will cover how red teamers can use Pacu to simulate real-world attack scenarios against AWS environments, starting from IAM enumeration and scanning through exploitation, privilege escalation, data exfiltration, and even providing reporting documentation.
Spencer Gietzen | @SpenGietz
With a background in software development, Spencer Gietzen is a penetration tester with Rhino Security Labs. His primary focus as a penetration tester is security relating to Amazon Web Services post exploitation and configuration, where he has found success in discovering vulnerabilities and attack vectors through extensive research.
3:30 - 3:55 | Saturday | Stable | 12 | An Inconvenient Truth: Evading the Ransomware Protection in Windows 10
The WannaCry cyber-attack all over the world in May 2017 is still fresh in our minds. The malware encrypted and rendered useless hundreds of thousands of computers in over 150 countries. As a measure against ransomware, Microsoft introduced the "Ransomware protection" function in the "Windows 10 Fall Creators Update". How does this function work? Is it really effective? In this talk, I will explain the operating principles of the "Controlled folder access" feature of "Ransomware protection" through a demonstration video. Then I will show the requirements for avoiding this function, and describe how this function can be avoided very easily. And I will ask whether we may have to reconsider the definition of vulnerability.
Soya Aoyama
Soya Aoyama is a security researcher at Fujitsu System Integration Laboratories Limited. Soya has been working for Fujitsu for more than 20 years as a Windows software developer, has written NDIS drivers, Bluetooth profiles, Winsock applications, and more, and started security research about 3 years ago. Soya has given presentations at AVTOKYO 2016 and BSides Las Vegas 2017 in the past.
4:00 - 4:25 | Saturday | Stable | 13 | Brutal Blogging - Go for the Jugular
Blogging in InfoSec is a great way to improve your visibility in the community and build a personal brand. It's easy to do, but hard to do exceptionally well. I've been editor of a corporate blog for over 4 years and been blogging in InfoSec for 6 years, and I'd like to share what I've learned. The talk will focus on how to search engine optimize (SEO) your blog, how to select topics, using graphics, how to socialize, and how to measure the impact of your blogs. I'll cover the essence of an excellent job and show some examples of great blogs versus good blogs. Basically, don't be tentative in your blogging. Have deliberate intention (what you want to accomplish) and deliver with findings, research, and helpful info. Don't do clickbait! Make it so those humorless Google spiders can find your content.
Kate Brew
Kate Brew has over 15 years' experience in product management and marketing, primarily in information security. She's been editor of AlienVault's blog for over four years.
4:30 - 4:55 | Saturday | Stable | 14 | RID Hijacking: Maintaining Access on Windows Machines
The art of persistence is (and will be...) a matter of concern once successful exploitation is achieved. Sometimes it is pretty tricky to maintain access in certain environments, especially when it is not possible to execute common vectors like creating or adding users to privileged groups, dumping credentials or hashes, deploying a persistent shell, or anything that could trigger an alert on the victim. This is why it's necessary to use discreet and stealthy techniques to keep an open door right after obtaining high-privilege access on the target. What could be more convenient than using only OS resources in order to persist access? This presentation will provide a new post-exploitation hook applicable to all Windows versions called RID Hijacking, which allows setting desired privileges on an existing account in a stealthy manner by modifying some security attributes. To show its effectiveness, the attack will be demonstrated using a module which was recently added by Rapid7 to their Metasploit Framework, developed by the security researcher Sebastián Castro.
Sebastián Castro | @r4wd3r
Sebastián Castro (@r4wd3r) is the R&D Leader at CSL Labs. Born in Bogotá, Colombia, he has been an information security researcher, network & application pentester, and red-teamer for 6 years, providing cybersecurity services to global financial institutions and local defense government organizations. This guy has presented at national and international conferences, such as BSides, ISC² and recently Black Hat, presenting his own research on password cracking and Windows security. Sometimes a tenor, sometimes a hacker, Sebastián also works as an opera singer in the Opera of Colombia Chorus, participating in many national and international fancy performances with well-known singers whose names he can't even spell.
5:00 - 5:25 | Saturday | Stable | 15 | Your Training Data is Bad and You Should Feel Bad
Everyone is using Big Data and Machine Learning these days. Not sure how to solve a problem? Train a classifier! But beware the old axiom: Garbage In, Garbage Out. This talk will present three key findings from original research on the effects of training data recency in Twitter classifiers so that your next Twitter bot classifier can start off on the right footing.
Ryan J. O'Grady | N/A
Ryan O'Grady has worked in cyber security for over 10 years and is a research scientist in Soar Technology's Cyberspace Operations business area. He is the principal investigator for a project to develop an intelligent training system for cyberspace operators that enables individualized, personalized training in realistic environments. He has a BSE in Computer Science from the University of Michigan and is currently pursuing an MS in Information Security Engineering from the SANS Technology Institute.
5:30 - 5:55 | Saturday | Stable | 16 | So many pentesting tools from a $4 Arduino
Arduinos are cool, but making LEDs blink and monitoring the water in your houseplants can quickly get boring. Have no fear! In this talk we will show you a bunch of penetration testing tools you can build from an inexpensive Arduino Leonardo, Arduino Pro Micro or similar Arduino clone.
Kevin Bong, Michael Vieau
Michael Vieau - @michael_vieau, @minipwner, @mayhemlab
Kevin is a Senior Manager and Penetration Testing Lead with Sikich, focusing on information security and compliance issues faced by organizations of all types and sizes. Prior to joining Sikich, Kevin spent 12 years as a Vice President of a multi-billion-dollar financial group, leading the bank's security and IT risk management activities. Kevin is the creator of the MiniPwner, a pocket-size penetration testing device used to gain remote access to a network, and enjoys building tools and toys from Arduino and other embedded systems. He's also an author, instructor, and speaker at conferences like RSA, DerbyCon, Security BSides, and WACCI. Michael is a Managing Consultant and Penetration Tester at Sikich LLP with over 17 years of experience in information security. Michael currently maintains the MiniPwner project and works with Kevin to build and modify electronics at The Mayhem Lab. When not performing penetration tests, Michael is an adjunct professor at MSOE and enjoys presenting at different security conferences.
9:00 - 9:50 | Saturday | Track 1 | 1 | Building an Empire with (Iron)Python
This talk discusses porting Python payloads to Windows using a little-known former Microsoft project. It explores offensive uses of .NET and how to reduce the attack surface of .NET payloads.
Jim Shaver | @elitest
Jim Shaver is a penetration tester and security researcher.
9:00 - 9:50 | Saturday | Track 2 | 1 | Hardware Slashing, Smashing, and Reconstructing for Root access
In this presentation I will be focusing on what is typically referred to as destructive methods for data acquisition from embedded devices, focusing on the process of removing embedded Multimedia Media Controller (eMMC) devices from circuit boards to gain access to their contents. But we will take it a step further by covering how to restore the device back to operation, including methods and techniques for altering the device's firmware prior to rebuilding, to allow for full root-level access to a functional system after recovery. Topics covered will include device removal, eMMC firmware extraction and modification methods, hot air and infrared reflow methods, and BGA re-balling manually and with a re-ball kit.
Deral Heiland | @percent_x
Deral Heiland, CISSP, serves as a Research Lead (IoT) for Rapid7. Deral has over 20 years of experience in the Information Technology field, and over the last 10+ years Deral's career has focused on security research, security assessments, penetration testing, and consulting for corporations and government agencies. Deral has also conducted security research on numerous technical subjects, releasing white papers and security advisories, and has presented the information at numerous national and international security conferences including Blackhat, Defcon, Shmoocon, DerbyCon, RSAC, and Hack In Paris.
9:00 - 9:50 | Saturday | Track 3 | 1 | VBA Stomping - Advanced Malware Techniques
There are powerful malicious document generation techniques that are effective at bypassing anti-virus detection. A technique which we refer to as VBA stomping refers to destroying the VBA source code in a Microsoft Office document, leaving only a compiled version of the macro code known as p-code in the document file. Maldoc detection based only on the VBA source code fails in this scenario. Reverse engineering these documents presents significant challenges as well. In this talk we will demonstrate detailed examples of VBA stomping as well as introduce some additional techniques. Reverse engineering and defense tips will also be provided.
Carrie Roberts, Kirk Sayre, Harold Ogden
Carrie - @OrOneEqualsOne, Kirk - @bigmacjpg , Harold - @haroldogden
Carrie Roberts - Carrie is a developer turned Red Teamer. She became interested in Info Sec after doing PC, mobile, and web app development. She obtained her Master's in Info Sec Engineering from the SANS Technology Institute in 2015 and holds 11 GIAC certifications including the GSE. She is currently a Senior Red Team Engineer at Walmart and loves to give back to the Info Sec community. Kirk Sayre is a member of the Dynamic Defense Engineering team at Walmart. One of Kirk's focuses at Walmart has been on the detection and analysis of malicious Office documents. Kirk is one of the primary maintainers of ViperMonkey, a VBA macro emulator utility. Prior to working for the cybersecurity group at Walmart, Kirk Sayre performed cybersecurity research at Oak Ridge National Lab (ORNL). While at ORNL Kirk was one of the primary developers of a tool for automating the reverse engineering of malware. Kirk is the author of several patents based on this work. Outside of cybersecurity, Kirk has also worked on projects ranging from weapons control systems, medical devices, web applications, and corporate software engineering training to software design tools. Kirk's educational background includes a PhD in Computer Science from the University of Tennessee, where his research centered around using statistical methods to improve the testing of software. Harold Ogden is a member of the Dynamic Defense Engineering team at the Walmart Security Operations Center. He researches malicious documents and observable system behaviors related to common adversary tactics. He writes rules for various file and traffic inspection products, and implements processes to monitor and triage suspected compromise at enterprise scale.
9:00 - 9:50 | Saturday | Track 4 | 1 | Disaster Strikes: A Hacker's Cook book
Go back in time to September 21, 2017, after Hurricane Maria passed over Puerto Rico and two guys flew from Louisville, Kentucky back to a disaster-stricken home island. No communications, no power, almost no technologies worked. What can a Hacker do? First, call on the community, or, as it happened, the community responded without being called. Derbycon, various B Sides, Hackers for Charity, and many individuals gave money and time to help out. But once on ground zero you are basically on your own, and you have to hack your way back to civility and survive.
Jose Quinones, Carlos Perez
@josequinones, @carlos_perez
José L. Quiñones has 20+ years of experience in the IT field and holds a Bachelor of Science in Electronic Engineering Technology and various professional certifications in systems administration and cybersecurity. Jose has mainly worked in the Health and Education industries, and works as an independent consultant in IT infrastructure, cloud, and security architecture. In addition, Jose has worked with the start-up community and in the creation of the first IoT Lab in the Caribbean, towards the goal of research and development of new technologies and solutions to build Smart Cities. He is President/Co-Founder of Obsidis Consortia, Inc., a not-for-profit organization whose mission is to promote professional development in information security for IT professionals, students, and enthusiasts, and security awareness for the general public. Finally, Jose runs the local Defcon Group 787, is the head organizer of "Security B Sides Puerto Rico", and runs a personal blog about systems administration and security. Carlos Perez has over 20 years' experience in the security field. He is currently the Research Lead at TrustedSec, helping develop new TTPs for the Force team. Carlos is best known for his contributions to Metasploit, tools like DNSRecon, and the overall Windows PowerShell security community. He is a co-host of the SecurityWeekly Podcast. He is Co-Founder of Obsidis Consortia, Inc., a not-for-profit organization whose mission is to promote professional development in information security for IT professionals, students, and enthusiasts, and security awareness for the general public.
10:00 - 10:50 | Saturday | Track 1 | 2 | SAEDY: Subversion and Espionage Directed Against You
Industrial espionage is the practice of secretly gathering information about a competing corporation or business interest, with the objective of placing one's own organization at a strategic or financial advantage. A common practice to achieve this advantage is to elicit information from unwitting individuals through what today is called social engineering (SE). We all hear the term SE so often that we become desensitized to it, thereby INCREASING its effectiveness against ourselves and our organizations. Thus, we will call it what it is: Human Intelligence, also known as HUMINT. Presenting personal experiences as an Army counterintelligence agent with examples of military and industrial espionage, we will examine tradecraft employed against individuals every day. We will apply lessons learned from the US military and the intelligence community by using two acronyms taught to Army counterintelligence agents: SAEDA (Subversion and Espionage Directed Against the Army) and MICE (Money, Ideology, Coercion, Ego). Presenting different aspects of HUMINT collection efforts will enable individuals to possibly detect, deflect, and protect themselves from such actions.
Judy Towers | @ladyred_6
As an active duty US Army Counterintelligence Agent (6 yrs), Judy provided weekly SAEDA briefings for new incoming unit soldiers and for yearly awareness training requirements. Judy received an Army award for the presentation's effectiveness in engaging the audience, thereby enhancing self-awareness of the threat. Her experiences include training in traditional espionage tradecraft, along with supervising and conducting counterintelligence investigations of individuals, organizations, installations, and activities in order to detect, assess, and counter threats to national security. After leaving the Army, Judy started a civilian career in information security as: domain admin for a global company, an IT manager implementing an incident response system, a Fraud department investigator pursuing people stealing company services, and now a Cyber Threat Intelligence Analyst, augmented by a 2nd Master's Degree in Cybersecurity and Computer Forensics.
10:00 - 10:50 | Saturday | Track 2 | 2 | App-o-Lockalypse now!
Want to get a good overview of AppLocker and the different AppLocker bypasses, and at the same time learn how defenders can harden their environments to prevent them? Then this is a talk you don't want to miss. This talk will cover a vast number of bypass techniques and how to harden AppLocker to make it even harder to bypass, giving you help to either start or avoid an App-o-Lockalypse.
Oddvar Moe
Oddvar is a Cloud and Datacenter Management MVP, security researcher, blogger, trainer, penetration tester, speaker and he works at Advania Norway as a Chief Technical Architect. He has more than 17 years of experience in the IT industry. He is passionate about Windows Security and he loves to share his knowledge with everyone. Oddvar has delivered top-notch sessions in the past at conferences such as IT Dev Connections, HackCon, Nordic Infrastructure Conference and Paranoia. Oddvar loves to work with both offensive and defensive security.
10:00 - 10:50 | Saturday | Track 3 | 2 | Media hacks: an Infosec guide to dealing with journalists
Infosec researchers, experts, and hackers in general have a…fraught relationship with media, ranging from exploitive to adversarial. Recent episodes, including the doxxing of Marcus Hutchins by UK media and sensational coverage of his arrest, don't help, nor do broadcast media reports that are often factually incorrect or even damaging to the security of those who take the reports as gospel. And researchers looking to get out word to the general public are often (based on anecdotal data) confused or intimidated by the media machine. This presentation seeks to demystify how news media work, the strengths and weaknesses of each channel of communications, and how to effectively interact with journalists in a way that is constructive and productive. We are infosec journalists—ask us anything.
Sean Gallagher, Steve Ragan, Paul Wagenseil
Sean - @thepacketrat, Steve - @SteveD3, Paul - @snd_wagenseil
Sean Gallagher is the IT Editor and National Security Editor for Ars Technica. A former Navy officer and government IT contractor (and for a time the Director of IT Strategy for Ziff Davis Enterprise), Sean has been an IT journalist for over 20 years. He covers information security and privacy as part of his vast beat at Ars. Prior to joining the journalism world in 2005, Steve Ragan spent 15 years as a freelance IT contractor focused on infrastructure management and security. He's a father of two and a well-rounded geek with a strong technical background. Paul Wagenseil heads security and privacy coverage for Tom's Guide. He has also been a warehouse manager, a car deliveryman, a bartender, a fry cook, and a dishwasher. That's all he's going to tell you unless you meet him in person.
10:00 - 10:50 | Saturday | Track 4 | 2 | Ninja Looting Like a Pirate
There is a vast amount of information that exists in the modern world, more so than has ever existed in any society at any time in the history of mankind. Companies, individuals, organizations, and nations keep adding to this massive sea of data. Wouldn't you like to get your hands on some of it? This presentation will show you how to do just that very thing with no tools, simply using the right browser, search commands, and Boolean logic. You will learn how to navigate and surf this ocean of information and find repositories that others have placed online, repositories (a.k.a. loot) which they believe to be safe from others but, in fact, are not. You will learn a few simple techniques that allow you to find their loot and take it for yourself or others. The techniques to accomplish this are not new; in fact, they are very old by Information Technology time. However, they are as relevant today as they were more than thirteen years ago when people first started to compile them. The techniques will enable you to sift through the haystack of information that you normally get when web searching to find the specific needles that you seek. These techniques will optimize your search time and provide a greater focus on the desired target than you have ever had before. All accomplished from a "search engine" you use every day.
A senior security systems engineer with 25+ years' experience, currently employed at a Fortune 60 company in the Washington DC area. Day job: responsible for worldwide evaluation, certification, penetration, and integrity testing of a variety of current and emerging technologies, networks, architectures, and devices. Night hobbies: monitors major trade shows like CES in Las Vegas for the train-wreck factor, as new technology seems to be developed and deployed with some if not most of the existing vulnerabilities, bugs, and issues of today, some dating back more than twenty years that should have been resolved. When not stifled by my company's legal team, I have been permitted to speak on certain subjects to the security community on issues that I see in technology. I'm an active member of the Northern Virginia Hackers association (NoVaH), a collective of security professionals, hackers, authors, makers, and tool developers.
12:00 - 12:50 | Saturday | Track 1 | 4 | OSX/Pirrit - Reverse engineering mac OSX malware and the legal department of the company who makes it
Back in 2016 I discovered a new OSX strain of the Pirrit adware/malware, which up until then had only targeted Windows machines. I completely reverse engineered the malware, which runs with root privileges, hijacks all the HTTP traffic on the infected machine, and employs several other nefarious tricks. Due to some stunning opsec mistakes (which I will cover), I traced the malware's authors right down to their full names and the company that they work for. Fast forward almost two years later, and OSX/Pirrit was back with a vengeance, employing new techniques and having learned lessons from everything I wrote about in my previous reports. Nevertheless, after lots of binary reverse engineering and going through thousands of lines of JavaScript, bash, and AppleScript code, I managed to reveal just how sinister the new version of OSX/pirrit is, which is virtually impossible to remove without deep OSX knowledge. Due to more opsec mistakes by the authors I managed to tie this new wave of infections back to On top of that, TargetingEdge, the company who makes this adware/malware, bombarded us with cease and desist letters, threatening my employer and myself personally, trying to keep us from publishing our report. In my talk I will highlight all of the methods that were used by the authors of the malware to abuse systems, guide the attendees through the process of reverse engineering such malware, and share with everyone the amazing and hilarious story behind this whole incident. There will be IDA screenshots, there will be stunning opsec mistakes by the authors, and there will be lolz galore. Join me for a session about reverse engineering, browser hooking tricks on OSX, and interesting tales about my time with our corporate attorney battling these legal threats. This talk is meant for beginners and experienced audiences alike, as I intend to walk through all the phases of my research.
Attendees will walk out of this talk knowing a lot about the security and the process of malware analysis on Macs, along with how to handle situations where the malware authors are sending their attorneys after you.
Amit Serper, Niv Yona, Yuval Chuddy | @0xAmit
Amit Serper, Head of security research, Cybereason Nocturnus group: Amit leads the security research at Cybereason's Nocturnus global security practice. He specializes in low-level, vulnerability, and kernel research, malware analysis, and reverse engineering. Whenever he is not taking apart malware and exploring the dark and undocumented corners of operating systems at the office, you can find him in his lab at home reverse engineering routers and other IoT devices and finding horrible bugs in them. Prior to joining Cybereason, Amit spent nine years leading security research projects and teams for the Israeli government, specifically in embedded system security. Niv Yona, Threat hunting and research lead, EMEA at Cybereason Nocturnus group: Niv began his career as a team leader of the security operations center in the Israeli Air Force, where he focused on incident response, forensics, and malware analysis. At Cybereason, Niv focuses on threat research that directly enhances product detections and the Nocturnus hunting playbook. Yuval Chuddy, Threat hunter and Security researcher at Cybereason Nocturnus group: Yuval began his career as a security researcher in the cyber security department of the Israeli Air Force, where he focused on incident response, forensics, and malware analysis. At Cybereason, Yuval focuses on investigating targeted and complex attacks and conducts threat hunting in customer environments.
12:00 - 12:50 | Saturday | Track 2 | 4 | Web App 101: Getting the lay of the land
Getting started with web apps can be a daunting task. "Ooh, shiny!" rabbit holes are just around the corner with every click. Without a good plan and a road map, it can be very easy to get lost in these holes and run out of time before reaching your goal. This talk covers how to identify the goal and set up a plan that will help you avoid the rabbit holes, identify the points you should focus on, and ultimately help you become an effective application tester.
Mike Saunders
Mike's love of IT started in the third grade when he discovered he could view the code of BASIC programs on an Apple ][e. He has held many information technology and IT security positions, including developer, network and system administrator, security architect and security incident handler. Currently, Mike is a principal consultant with Red Siege. When he is not at work, he is an avid ice fishing and kayak fisherman and member of a local horn rock band.
12:00 - 12:50 | Saturday | Track 3 | 4 | Deploying Deceptive Systems: Luring Attackers from the Shadows
"Assume the network is compromised" has been a popular mantra in information security for years now. So how do defenders operate in such an environment? Honeypots and honeytokens that are well-planned and strategically-placed can enhance any organization's threat detection capability. This talk will demonstrate a few of the various free, open-source solutions available as well as a strategic plan for deploying them.
Kevin Gennuso | @kevvyg
Kevin is a security architect/manager and part time packet mangler. He has nearly 20 years of experience in both the offensive and defensive sides of information security, and has done work for a number of organizations across the technology, healthcare, finance, and retail sectors.
12:00 - 12:50 | Saturday | Track 4 | 4 | Hacking Mobile Applications with Frida
Scientists have estimated that by the year 2033 the entire solar system will be made up of mobile apps. Be prepared by mastering Frida, the mobile instrumentation (cough, hacking) toolkit. Testing beyond traffic analysis can be extremely useful for any form of mobile pentest or bug bounty. In this talk we are going to cover getting up and running with Frida for hacking mobile applications. We will look at several of the built-in Frida tools, as well as some very helpful projects that utilize Frida. This will include being able to examine the live, running functionality of both iOS and Android apps to learn how they work, and hopefully how to alter the way they work. You will walk away with a new methodology for attacking mobile apps, and a lifelong friendship.
David Coursey
David is a family man that takes time out for Xbox, woodworking, and good whiskey. He forgets things due to years of rugby but is old enough to appreciate keeping notes in a paper notebook. After high school, Army service, and dropping out of college, David got a job as a web developer. Since then, his work has taken him through positions in the DoD, IC, USSOCOM, the VA, and now as an Application Pentester. David enjoys dissecting software and helping developers better understand how to create resilient applications. You can find him speaking at conferences or rambling about meaningless junk on Twitter.
1:00 - 1:50 | Saturday | Track 1 | 5 | How to test Network Investigative Techniques (NITs) used by the FBI
Network Investigative Techniques are used to investigate cyber criminal activities. These techniques have been used to unmask users of Tor who are downloading illegal content from the Tor network. This talk will discuss such techniques, discuss ethical and legal issues and describe a methodology to test and verify such techniques.
Dr. Matthew Miller
Dr. Matthew has taught Computer Science and assembly and reverse engineering for 6 years at the collegiate level. He has been called as an expert witness on more than a dozen Federal Cases, where he had to reverse engineer the NIT code provided by the government. His expert declarations have been used by the ACLU in their "Challenging government hacking in criminal cases" guide for attorneys and by lawyers in federal cases.
1:00 - 1:50 | Saturday | Track 2 | 5 | Fingerprinting Encrypted Channels for Detection
Last year we open sourced JA3, a method for fingerprinting client applications over TLS, and we saw that it was good. This year we tried fingerprinting the server side of the encrypted communication, and it's even better. Fingerprinting both ends of the channel creates a unique TLS communication fingerprint between client and server, making detection of TLS C2 channels exceedingly easy. I'll explain how in this talk. What about non-TLS encrypted channels? The same principle can be applied. I'll talk about fingerprinting SSH clients and servers and what we've observed in our research. Are those SSH clients what they say they are? Maybe not.
John Althouse | @4A4133
Detection Scientist, Bro NSM Enthusiast, PC Master Builder, BMW Track Instructor
1:00 - 1:50 | Saturday | Track 3 | 5 | The Money-Laundering Cannon: Real cash; Real Criminals; and Real Layoffs
After 15 years of building security products, I decided to join the front lines of the fight by taking a real-world job running product management & engineering, for a team that was building a new cash/debit[credit-rails] payments platform. My first day on the job we discovered we were being attacked by an organized crime ring. For roughly every $150k stolen - it meant we had to lay someone off - further reducing our ability to be effective. Tense moments. We also had no Infosec/Cybersecurity staff, nor any type of Infosec or Anti-Fraud software/systems. We only had a Windows-based “Compliance System” that looked like it was written in the late 90s. In spite of that we managed to cut our losses to zero dollars for almost six months! The next 13 months were a bloody battle that ended with me losing my job. If you like real world cybersecurity; want to learn how we built an anti-fraud system from scratch; or simply like schadenfreude - join me for a laugh and a few super-obvious lessons in statistics. :)
Arian Evans
Arian is an 18+ year Infosec veteran who has worked as a Builder, Breaker, and Defender. He has built both enterprise financial and security software, and helped catch bad guys. He is fairly certain the majority of his success is due to luck - and the privilege of being surrounded by really smart people. Arian has pontificated in books and papers on software security and breaking software, and blathered at conferences around the world on techniques & technologies for both Red and Blue Teams. He also pads his presentations with bad jokes. Early employee of FishNet, WhiteHat, RiskIQ; also worked at several #Fintech companies you’ve never heard of, and taught my wife to phish kidnappers.
1:00 - 1:50 | Saturday | Track 4 | 5 | Victor or Victim? Strategies for Avoiding an InfoSec Cold War
Is your internal red team withholding their TTPs from the defense? Defenders, are you constantly trying to “win” your pentests by fixing vulns on the fly? Have you been on engagements where the blue team starts blocking your IPs and targeting you just to prove that they are better, or had pentesters that mock your environment on Twitter like you are the butt of an InfoSec joke? These approaches are not working, not only on a personal level but on an industry level. How we choose to work with each other needs to grow if our goal is to protect those around us rather than make a name for ourselves. Come hear stories of offensive engagements done right (and really, really wrong), and learn from a seasoned defender and attacker how partnerships should be forged to be most impactful. Victims complain, Victors adapt. Which are you?
Jason Lang, Stuart McIntosh
@curi0usJack, @Contra_BlueTeam
With over 10 years of industry experience, Jason Lang (@curi0usJack) has worked in both offensive and defensive roles. Before switching to red teaming, he spent 8 years working as a technical Security Architect for a Fortune 500, specializing in Active Directory and .Net/database development. Stuart has over 15 years in IT and Security. A recovering Security Architecture manager turned frontline blue teamer, he strives to stop threats using every tactic in the playbook and making a few new ones.
2:00 - 2:50 | Saturday | Track 1 | 6 | Cloud Computing Therapy Session
You don't have to hate your motherboard, or want a magic wand to solve all your computering problems because everyone is medicating with the cloud these days, but not every cloud platform is created equal. Much like security conference attendees each cloud has its own special sauce, and “idiosyncrasies”. Azure has a shadow twin no one likes to discuss, GCP hands out public IPs like it’s 1983 again, and AWS is praised as the golden child because they did their homework. While ranting about these quirks Cara and Andy plan on presenting some of the solutions that they have written to deal with a few of the more annoying issues that can rear their ugly heads when deploying in the cloud.
Cara Marie, Andy Cooper
Andy Cooper - @integgroll, Cara Marie - @bones_codes
Cara Marie: Cara has been traveling the world breaking networks, applications, and protocols professionally for over 5 years. Currently, she is a Security Engineer at Datadog working on building out their offensive security. When she isn’t breaking networks, building bombs, or giving talks, she can be found baking ugly pies and killing zombies. Andy Cooper: Andy Cooper is a pentesting consultant turned blue team try-hard. Currently he works for Datadog as a Security Engineer working with AWS security primarily. If he isn’t working he is often found in his Dallas home electrocuting himself by accident or building cool things with high voltage.
2:00 - 2:50 | Saturday | Track 2 | 6 | WE ARE THE ARTILLERY: Using Google Fu To Take Down The Grids
In this presentation we will show how effective a team of individuals can be in using open source intelligence gathering techniques in gathering leaked data on the electrical grid. By using Google dorking alone, the team has been able to not only gather insider information on grid technologies but also their deployment in the US including and up to passwords to systems and blueprints and runbooks. Using such information an attacker could not only attempt to gain access to power company and grid networks but also easily be able to connect the dots and perform hybrid (physical and electronic) attacks on the US power grid systems.
Chris Sistrunk, Krypt3ia, SynAckPwn
Chris is an electrical engineer who is fluent in RS-232 and Kirchhoff’s Laws. You can thank Stuxnet (drink!) for bringing him here. Squirrels are his arch nemesis and he hates FUD. His sock game is strong. Krypt3ia has been in INFOSEC since the 90’s working for Fortune 500 companies in pentesting and now blue team DFIR. An infamous curmudgeon, Krypt3ia has a blog featuring national security issues and OSINT. He also co-hosted Cloak & Swagger, a podcast on all things natsec and INFOSEC, with a Sasquatch named Ali. SynAckPwn is a semi-professional retired troll that spends most of his time in a hardhat and popping MS08-067 in control systems. Yes, MS08-067 is still a thing and he takes little pleasure in exploiting it. Yes, when it comes to critical infrastructure, it’s still a problem. Yes, most of what you hear about grid hacking is bullsh!t.
2:00 - 2:50 | Saturday | Track 3 | 6 | Perfect Storm: Taking the Helm of Kubernetes
Containers don't always contain. For attackers, Kubernetes contains a number of interesting attack surfaces and opportunities for exploitation. For defenders and operators, it's complicated to set up and the defaults often aren't enough. This can create a perfect storm. This talk will walk you through attacking Kubernetes clusters, and give defenders tools and techniques to protect themselves from shipwrecks.
Ian Coldwater
Ian Coldwater is a DevSecOps engineer who spends her days hacking and hardening cloud native infrastructure. In her spare time, she likes to go on cross-country road trips, capture flags and eat a lot of pie. She lives in Minneapolis and tweets at @IanColdwater.
2:00 - 2:50 | Saturday | Track 4 | 6 | Ubiquitous Shells
Ubiquiti network gear has become a favorite among tech enthusiasts. Unfortunately, various Ubiquiti products have had some serious vulnerabilities in recent history, and like most products, there are deployment decisions that can dramatically reduce the security of the network. There are even features that can provide shell access to the network from the internet. Listen in as we discuss how to go from zero access from the Internet to a root shell via Ubiquiti gear. We'll also explore methods to weaponize the Unifi APs and Unifi Cloud Key devices for use as attack platforms.
Jon Gorenflo | @flkapaket
Jon is the Founder and Principal Consultant of Fundamental Security, a small consulting firm focused on penetration testing, incident response, and strategic security consulting. He started working with technology in High School as a student of the Cisco Networking Academy, and has focused on Information Security since 2006. He has performed security engineering, security architecture, incident response, and penetration testing in the government, retail, insurance, and financial sectors. He has managed a team of Penetration Testers at a Fortune 500 financial institution, and served as a Security Architect and Penetration Tester for an international Fortune 500 retailer. Jon also travels the country as an instructor for the SANS Institute. Currently, he teaches two of SANS’s seminal courses, SEC504: Hacker Tools, Techniques, Exploits, and Incident Handling and SEC560: Network Penetration Testing and Ethical Hacking. He is proud to have served in the Army Reserve for 11 years, where he became a Warrant Officer and served one tour in Afghanistan. He currently maintains the GCIH, GPEN, GAWN, GMOB, CISSP, and Security+ certifications.
3:00 - 3:50 | Saturday | Track 1 | 7 | Silent Compromise: Social Engineering Fortune 500 Businesses
Social Engineering and Open Source Intelligence (OSINT) are silent modes of compromising businesses. This presentation takes experience from the field and from a simulated compromise of a Fortune 500 from a Social Engineering Capture the Flag and applies it to help organizations better understand the threat landscape and arms them with actionable advice to employ internally to minimize the impact of such attacks. We also identify places to find data, which provides insight for more valuable data sources. This includes a demo of OSINT techniques, phishing, and a pretexting discussion. This aims to help penetration testers, social engineers, and other interested (and authorized) parties find ways to gain information about an organization and its people to be able to overcome the technical limitations of the perimeter and gain access to allow further exploitation.
Joe Gray | @C_3PJoe
Joe Gray joined the U.S. Navy directly out of High School and served for 7 years as a Submarine Navigation Electronics Technician. Joe is currently a Senior Security Architect and maintains his own blog and podcast called Advanced Persistent Security. In his spare time, Joe enjoys attending information security conferences, contributing blogs to various outlets, training in Brazilian Jiu Jitsu (spoken taps out A LOT!), and flying his drone. Joe is the inaugural winner of the DerbyCon Social Engineering Capture the Flag (SECTF) and was awarded a DerbyCon Black Badge. Joe has contributed material for the likes of AlienVault, ITSP Magazine, CSO Online, and Dark Reading.
3:00 - 3:50 | Saturday | Track 2 | 7 | Just Let Yourself In
Everyone loves the ‘shiny blinky security hardware’. However, they don’t work as well if a user or your physical security is compromised. In this talk, I will be discussing three (3) different Security Awareness/Social Engineering scenarios: a pretexting exercise, a phishing exercise, and a physical security assessment. I will go over what they are, what they look like, some tips and tricks that I have found for all three (3) that have worked great (at least for me), as well as what failed miserably. There will be some amusing stories from the field, some tips for new folks getting started with social engineering, as well as defense tips for the sys admins and blue teamers out there.
David Boyd | @fir3d0g
David Boyd (@fir3d0g) is a security analyst for a security company in Knoxville, TN. He is a Christian, husband, and father that also enjoys geek culture, video games and Mountain Dew. He has over 15 years of technical experience in several environments including education, military, retail, government, media, law firms, and hospitals learning something from each one along the way. He also once found Waldo and Carmen Sandiego.
3:00 - 3:50 | Saturday | Track 3 | 7 | How to put on a Con for Fun and (Non) Profit
Planning and running an InfoSec conference can be the most fun and rewarding time that you can have herding cats. The 304 Geeks have been mostly successfully running Hack3rcon for the last 9 years. In this talk we will share our perspective on how to build your organization and get started running your very own conference.
Benny Karnes, John Moore, Rick Hayes, Matt Perry, Bill Gardner, Justin Rogosky, Mike Fry, Steve Truax
Benny - @kungfujo, John - @mournewind, Rick - @ragingotaku, Matt - @sirgurdWV, Bill - @oncee Justin - @CptSexy, Mike - @MichaelDFry, Steve - @steventruax
Benny Karnes is the most vocal member of the 304 Geeks (he talks a lot). As our resident CTF Geek, Benny builds and runs the servers for Hack3rcon. John Moore is a Crypto and Cypher expert. He also prints the programs for Hack3rcon. Rick Hayes is the most well-armed of the 304 Geeks, because, well yeah because. Matt Perry is the Designated Adult of the 304 Geeks and the resident Social Engineer that talks everyone else into doing his work. Professor Bill Gardner is in charge of all things Cyber. Justin Rogosky is a Gemini and likes holding hands on long walks on nude beaches (Hey, that is not my hand). Mike Fry is the 304 Geeks' resident web master and in charge of all the stuff the rest of us got tired of doing. Steve Truax is the newest member of the board and is in charge of bringing the donuts.
3:00 - 3:50 | Saturday | Track 4 | 7 | 99 Reasons Your Perimeter Is Leaking - Evolution of C&C
From the venerable bind shell, to the reverse shell, the IRC bot channel, the icmp/dns/custom UDP tunnel, and the asynchronous HTTP C&C server, remote access has taken many forms since we first began remotely exploiting software. Even today, many traditional methods will still frequently bypass firewalls and detection, and additional methods continue to be devised. But as an attacker, what do I do when my favorite method is blocked? What are my options other than reusing a stale python script from github or creating my own ad-hoc, informally-specified, bug-ridden, slow implementation of a high-level messaging protocol? And as a defender, how can I measure my ability to detect the diverse C&C traffic that may be seen today, and also prepare for new and unexpected channels? In this talk, we will discuss the evolution of command and control methods, their strengths and weaknesses from an attacker's perspective, and the capabilities of a defender to detect and respond to them. We will identify what aspects a forward-thinking C&C framework might require, and then demonstrate a proof-of-concept with 99(ish) different interchangeable methods for communication. Finally, we will discuss some of the shortcomings of egress filtering in enterprise environments that should be addressed in order to mature our detection and response in kind.
John Askew | N/A
John Askew is a founder and principal of Graywolf and a native of Kentucky. After 12 years in infosec, he has probably spent too much time breaking things and not enough fixing them.
4:00 - 4:50 | Saturday | Track 1 | 8 | Dexter: the friendly forensics expert on the Coinbase security team
Sometimes you want to be able to pull forensic images off your production hosts but you want to make sure you set that up correctly because if you don’t people might steal customer financial data or cryptocurrency private keys for hot wallets or something and that would be a very bad day for you and for the cryptocurrency community. This talk introduces Dexter, a forensics tool for high security environments. Dexter makes sure that no single person can do scary forensics things, and that the scary results of the scary forensics things can only be read by people who aren’t scary. I’ll give an overview of the Coinbase production environment, data pipeline, and detection tooling to set the stage for when we might use Dexter. Then we’ll walk through how Dexter works and do a demo that will totally work and not have any technical issues whatsoever.
Hayden Parker | N/A
Hayden Parker is a security engineer at Coinbase, working on detection and response tooling. He has been part of Coinbase for over three years and enjoys almost any project that has to do with networking or golang. Outside of work Hayden enjoys spending his time as far away from computers as possible.
4:00 - 4:50 | Saturday | Track 2 | 8 | A “Crash” Course in Exploiting Buffer Overflows (Live Demos!)
Buffer overflows, a condition where attacker-controlled input overwrites program data, are consistently being used in large-scale attacks, including Stuxnet in 2011 and WannaCry in 2017. In this interactive presentation we will demonstrate how to test for and craft buffer overflows, even without an application's source code. Then we will alternately introduce more exploit mitigations, including ASLR, NX, and Stack Canaries, and demonstrate how to bypass each one of them -- all with live demos! Materials at
Parker Garrison
Parker enjoys the challenge of subverting the intended functionality of systems and is an active participant in CTF Competitions. At the most recent RSA Conference he attended in 2017, he took 1st place in both the SANS NetWars Tournament and SANS One-Hour CTF competitions. He is also a GIAC certified Exploit Researcher and Advanced Penetration Tester (GXPN). Parker currently works as a consulting contractor, performing network penetration testing and social engineering. He is an experienced communicator with the Toastmasters Advanced Communicator Gold (ACG) certification, and has developed and led training programs for teams in cyber defense and CTF competitions.
4:00 - 4:50 | Saturday | Track 3 | 8 | Web app testing classroom in a box - the good, the bad and the ugly
Web based applications and services are the key technologies behind modern service delivery. And their security, or lack thereof, can make or break a company. We developed an approach to follow including tools to help with the assessment throughout each step of the process, leveraging free and commercial products that can assist the assessment process. There are more engagements than there are resources, so we set out on a mission to train new web application testers on a portable platform to teach them an approach to not only test application security but also leverage tools that simplify the process, in effect cheating to win. To conduct that training, we had to develop a classroom-in-a-box, which included the network, the targets and tools for the students. Over the last year, we have leveraged Raspberry Pi Zeros, Thumb Drives with Kali Linux, Chromebooks and Intel NUC servers. We will discuss the pros and cons, showing what works and what to avoid, as well as what can be leveraged to build a home lab, or your own classroom in a box. The user will leave with information they can take back to their home organization to serve as a foundation for either an ad-hoc or ongoing capability.
Lee Neely, Chelle Clements, James McMurry
@lelandneely, @jmcmurry
Jim McMurry is an accomplished Technologist with an entrepreneurial mindset with over 23 years of combined experience in Security, Information Technology, Telecommunication, Networking, Management and Software development. Jim's varied experience in network security, military projects, IT and high-tech arenas, with startups through Fortune 1000 companies, provides him with a unique set of tools as he grows Milton Security. He volunteers for numerous charities, and supports Veterans through the Milton Veteran Hiring program. Lee Neely is a senior IT and security professional at Lawrence Livermore National Laboratory with over 25 years of extensive experience with a wide variety of technology and applications from point implementations to enterprise solutions. He currently leads LLNL’s Entrust team and is the CSP lead for new technology adoption specializing in mobility. He teaches cyber security courses, and holds several security certifications including GMOB, GPEN, GWAPT, GAWN, CISSP, CISA, CISM and CRISC. He is also the President of the ISC2 Eastbay Chapter. Chelle Clements has been associated with computer science and cyber security for over 20 years. She has an AAS in Environmental Science from Northern Virginia Community College, and a BS and an MS in Information Systems Management from University of San Francisco. She is an Army Veteran, one of the first women in the Corps of Engineers (she has some great stories!). She spent 30-years at Lawrence Livermore National Lab as a researcher in three different fields (chemistry, physics and computer science) and also as a community outreach volunteer. She currently supports several Veteran causes with pro bono web development (such as East Bay Stand Down) and served on her city’s art commission.
4:00 - 4:50 | Saturday | Track 4 | 8 | Ship Hacking: a Primer for Today’s Pirate
In 1995, when the fictitious Dade Murphy and his friends stopped oil tankers from being capsized by a virus in the movie “Hackers”, “digital piracy” was just a euphemism for copyright infringement and sharing music. Today digital piracy is anything but a euphemism or fiction. From breaches by pirates seeking cargo information, to denial of service (DOS) attacks on offshore oil platforms, there are very real threats to the maritime sector. This talk will provide an introduction to understanding ships as Industrial Control Systems (ICS) and lessons learned from vulnerability research on marine diesel engine controllers. We also hope to challenge our peers in the infosec community to apply their skills, red and blue, to protect our maritime critical infrastructure. A talk for anyone who likes computers and pirates. Arrgh!
Brian Satira, Brian Olson | @r3doubt
Brian Satira is an information security researcher with ten years of experience including forensic investigations and vulnerability analysis on various Industrial Control Systems (ICS). Brian is a member of the I Am The Cavalry project and NoVA Hackers. Brian is also a graduate of the University of Pittsburgh and a U.S. Army veteran. Offline, Brian enjoys locksport and is both a registered locksmith in Virginia and a co-founding member of his local TOOOL chapter. Brian Olson is a Security Engineer for CORESCOUT, a tech company focused on big data and network security. A graduate of UMBC with experience in research, pen testing, and systems administration, Brian now works in the DC area focusing on security engineering and threat emulation, designing systems with a defensive mindset. When not behind the keyboard Brian enjoys meteorology and sailing, utilizing his skills for navigation/weather routing and tactics for both regattas and deliveries.
5:00 - 5:50 | Saturday | Track 1 | 9 | Going on a Printer Safari – Hunting Zebra Printers
If you see a label or receipt there is a good chance it was printed by a Zebra printer. Everyone has come in contact with a Zebra printer if you have ever returned a rental car. Every price label you see in your local grocery or department store is printed by a Zebra printer. Warehouses, distribution centers, and even hospitals rely on the ability to print bar-coded labels for tracking purposes. These embedded devices pack a powerful real-time operating system offering an array of services that facilitate communication with the corporate environment. By default these services offer an attack surface into the corporate environment that is alarming. Take a trip on a safari as we go hunting Zebra printers in the wild.
James Edge
James Edge is an experienced information security professional working as a consultant for state and local governments, education, financial services, and retail industries. He has an alphabet soup of certification credentials in information technology, information security, and audit. He is an active member of the local chapters of ISACA wherever he happens to reside, has provided support for the Southeastern Collegiate Cyber Defense Challenge (CCDC), and has spoken at various security conferences run by universities, BSides, SkyTalks, and ISACA.
5:00 - 5:50 | Saturday | Track 2 | 9 | Living in a Secure Container, Down by the River
Linux container technologies offer the ability to run software in isolation with a significantly reduced attack surface. By reducing the capabilities and resources a container can utilize, we make it increasingly difficult to elevate privileges, gain persistence or move laterally within a cluster of containerized services. While Docker is the container technology most people are familiar with, there are other container types to think about too, each with their own opinionated take on security. It’s getting increasingly common to adopt other runtimes through the Open Container Initiative (OCI) specification using interfaces and shims provided by container orchestration platforms. Containers that use Linux namespaces and control groups for isolation typically provide weaker protections against escaping than hypervisor-based containers, further detaching security reality from your hopes and dreams. This presentation will focus on the security and kernel protections available in several popular Linux container technologies including Docker, Rkt, LXC, Kata and gVisor. We will explore how the default runtime security controls stack up under attack and how they attempt to isolate resources at security boundaries. We will explore the container hardening process through AppArmor, SELinux, Seccomp and Capabilities. At the end of this presentation, you’ll be motivated to run minimally privileged containers that are isolated from doing any real damage. You’ll have plenty of time for security when your code is living in a container down by the river.
Jack Mannino
Jack Mannino is the CEO of nVisium. Passionate about security and impossible to keep away from a keyboard, his expertise spans over 15 years of building, breaking, and securing software. Jack founded nVisium in 2009, and since then has helped the world's largest software teams enhance security across their software portfolios. He has spoken at conferences globally on topics such as secure design, mobile application security, and cloud-native security.
5:00 - 5:50 | Saturday | Track 3 | 9 | Metasploit Town Hall 0x4
In our fourth Metasploit Town Hall, join us for a look at the hotness that landed in Metasploit 5 this past year—including Python-based modules, new exploits, and fresh EternalBlue additions. We’ll demo some of the latest and greatest work coming out of our team and our top-notch contributor base, and then we’ll offer ourselves up to the crowd for questions and conversation about what you’d like to see Metasploit take on next.
Brent Cook, Aaron Soto, Adam Cammack, Cody Pierce
Brent Cook - @busterbcook, Aaron Soto - @_surefire_, Cody Pierce - @codypierce, Metasploit - @metasploit
We are a few of the many people who make Metasploit awesome. Brent Cook heads up Metasploit’s engineering team at Rapid7, Aaron Soto and Adam Cammack are two of the team’s core developers, and Cody Pierce is the Metasploit product manager. We are all staunch open-source security advocates, contributors, and community members.
5:00 - 5:50 | Saturday | Track 4 | 9 | Code Execution with JDK Scripting Tools & Nashorn Javascript Engine
There are several languages and methods used to execute code on a computer system, such as C#, Powershell, Python, VBA, and many more. The defense is getting better, which has caused the offense to adapt and look for innovative ways to “live off the land”. One area that has not been explored deeply is utilizing tools that the Java Development Kit (JDK) provides. According to a statement by Oracle, Java runs on 3 billion devices. Enterprises depend on Java running on their user endpoints and servers in order to keep their businesses running. This makes using tools installed with the JDK very enticing to attackers. This talk will explore using JDK command-line scripting tools and the Nashorn Javascript Engine to perform several actions, such as downloading files, executing scripts locally and remotely, and gaining a remote interactive shell to a computer system. Detective and preventive controls will also be discussed for the usage of these JDK scripting tools.
Brett Hawkins | @h4wkst3r
Brett has been in Information Security for several years in the private sector working for multiple Fortune 500 companies across different industries. He has focused on both offensive and defensive disciplines, with more of a focus on the offensive side recently. He holds several industry recognized certifications from SANS and Offensive Security, and has spoken at BSides Cleveland previously. His extensive knowledge and experience in a breadth of different areas in Information Security give him a unique and well-rounded perspective. When not at his day job, he enjoys doing security research, programming, and playing sports and video games.
6:00 - 6:50 | Saturday | Track 3 | 10 | Community Based Career Development or How to Get More than a T-Shirt When Participating as part of the Community
Career development is typically seen as a progression of education, certification and job moves. However, to progress in our careers it is helpful to build both technical and non-technical skills in different environments to challenge us and give us the opportunity to learn. Community involvement strengthens not only the overall community but provides opportunities to stretch and learn new skills that support personal growth. We will review presenting, con management and competitions as ways to strengthen your career. We will hear from a recruiter involved in the community how they evaluate these experiences and recommendations on presenting this information in your job search. Finally, we will address burnout, exhaustion and how not to burn bridges.
Kathleen Smith, Magen Wu, Cindy Jones, Kathryn Seymour, Kirsten Renner
@YesItsKathleen, @infosec_tottie, @SinderzNAshes, @RecruitCyberDC
Kathleen Smith (moderator), in her capacity as CMO and Outreach Lead for CyberSecJobs.Com and ClearedJobs.Net, has coached thousands of job seekers and employers on how to better connect and work together to achieve the mutual goal of employment. Kathleen presents at several security conferences each year on recruiting and job search. Some of the conferences she has presented at as a sole presenter or a moderator include BSidesLV, BSidesTampa, BSidesDE, FedCyber, Cyber912 and CyberSecureGov. Kathleen firmly believes that giving back is the best way to move forward and volunteers in many capacities: she is the Director of HireGround, BSidesLV’s two-day career track, and volunteers with Women in Cybersecurity (National Conference Planning Committee), Cyber912 and the Women in Cybersecurity Celebration Planning Committee. Finally, Kathleen is well respected within the recruiting community and is the co-founder and current President of recruitDC, the largest community of recruiters in the Washington DC area.
Cindy Jones brings over 17 years of specialized IT and security experience to her role of Senior Security Consultant with Rapid7. Cindy maintains CISSP and MCP certifications. She has worked in several arenas including Federal government, with the Department of Defense, education, technology and healthcare, with a focus on the development, maintenance and management of information security programs. Cindy is actively involved within the information security community and volunteers her time leading the registration team for BSides Las Vegas, volunteers for DerbyCon, is a DEF CON Goon, holds a position on the board for BSides Texas and is an active volunteer for these local events. Cindy’s favorite color is purple.
Kat Seymour is a Red Team Penetration Tester at Bank of America with 16 years of experience in the fields of IT and information security. Kat started playing her company’s internal CTF in 2013 as a way to sharpen her hunting skills. She was invited to join the Red Team 18 months later due to her demonstrated skill and dedication. Kat continues to participate in CTFs whenever she can to help practice and sharpen her skills.
Magen Wu is a Senior Associate with Urbane Security with almost 10 years of experience in the technology industry. Wu is currently pursuing her master’s in Organizational Psychology with the intent to apply its principles to security practices and training. She also currently co-organizes BSides Seattle, the mentor track at BSides Las Vegas, and the DEF CON US and China Workshops.
Kirsten Renner is the Director of Recruiting at Novetta, an advanced analytics and cyber security company. She studied HR Management at the University of Maryland. After a short while working as a software developer, then help desk manager, she combined her love for technology and HR by becoming a Technical Recruiter and has been doing so for over 20 years. For the last decade, Kirsten has been primarily supporting the Information Security field, and is best known in the community for her involvement in the Car Hacking Village!
6:00 - 6:50 | Saturday | Track 4 | 10
PHONOPTICON - leveraging low-rent mobile ad services to achieve state-actor level mass surveillance on a shoestring budget
By now we all know that mobile advertisements aren't secure. How would an attacker take advantage of that, though, and spy on people without their consent, knowledge or interaction, and how do we defend against it? Let's take a journey through the demand-side of advertising as we put ourselves in the role of an attacker, build an ad-based surveillance system, and unleash it on the masses. I'll demonstrate how, using the built-in features of advertising Demand Side Platforms (DSPs), it's easy to build a surveillance system that can track unsuspecting people. I'll demonstrate that some platforms make it much easier than it needs to be, and I'll show that there's more than just geo-locations at risk here. Finally I will discuss some ways that everyone can help mitigate this, from the users, all the way up to the ad networks and software developers. Like every good spy story, this one includes Russian ad networks, hastily written code, and GPS coordinates - lots of GPS coordinates. By now if you're still clinging desperately to the hope that your location is safe then this talk is for you!
Mark Milhouse
Mark Milhouse is a Computer Forensics Investigator at Edelson PC where he investigates high-profile tech-related consumer class action cases (namely digital privacy, security and fraud) and supports ongoing litigation. Prior to his current position he served in the United States Marines as a 2651 (Intelligence Systems), deploying to Iraq, and supporting various elements within II Marine Expeditionary Force. In his free time he enjoys cycling, traveling, and endless projects like building obscure web apps.
9:00 - 9:25 | Sunday | Stable | 1 | Patching: Show me where it hurts
Patching – it’s complicated. Organizations at every level struggle with patching. It feels more like a necessary evil rather than a best practice. We're damned if we do, damned if we don't. As much as we like to point fingers of blame and malign the processes in place, the fact is that one size does not fit all when security updates get issued. We’ve lived through the joy of Patch Tuesdays gone bad, and watched systems melt down from patches for Spectre and Meltdown. Given all we should have learned, why does it seem like things are getting worse? Securing our stuff should not be an endless succession of dumpster fires. We need to go beyond just finding the sweet spot between mitigating business risk and vulnerability exposure. Join me in a candid and interactive discussion on this fundamental process that seems inherently broken, especially as it now affects IoT, OT and medical devices. In an off-the-record, behind-closed-doors session, let's share what we’ve seen and say what we really think about management, internal and external customers, and vendors. Because the cure isn't supposed to be worse than the disease.
Cheryl Biswas
Cheryl Biswas, aka @3ncr1pt3d, is a Strategic Threat Intel Analyst with TD Bank in Toronto, Canada. Previously, she was a Cyber Security Consultant with KPMG and worked on security audits and assessments, privacy, breaches, and DRP. Her experience includes project management, vendor management and change management. Cheryl holds an ITIL certification and a degree in Political Science. Her areas of interest include APTs, mainframes, ransomware, ICS/SCADA, and building threat intel. She actively shares her passion for security online, as a speaker and a volunteer at conferences, and by encouraging women and diversity in Infosec as a founder and member of "The Diana Initiative".
9:30 - 9:55 | Sunday | Stable | 2 | Advanced Deception Technology Through Behavioral Biometrics
In cybersecurity, the attacker tends to have a significant advantage over the defender. A motivated network defender should look for opportunities to have an asymmetric advantage over the attacker to level the playing field. In this talk, we will apply the concept of Behavioral Biometrics in the realm of deception technologies to obtain such an advantage. There are three common factors used in authentication: something you know (a password), something you have (a token), and something you are (a biometric). Each factor has its own unique strengths and weaknesses. In the case of biometrics, biometric data is, in many cases, easy to steal and spoof. Once biometric data is stolen, it is impossible to change, since it is inherently tied to the user. Behavioral Biometrics is the authentication paradigm of using an individual’s behavior as a biometric, rather than a fingerprint. The technology looks at how a user interacts with a system, such as how they type or move the mouse, touch the screen, which hand they hold the device in, the characteristics of their gait from the motion sensor, as well as spatial and temporal patterns. The result is a biometric that is not immediately visible to an attacker, and incredibly difficult to spoof. Traditionally, should behavioral components detect an intrusion, access is blocked, authentication is escalated, or the user is de-authed completely. However, this does not necessarily have to be the case. Deception technology has emerged as a method to either delay attackers, coax out their TTPs (Tactics, Techniques, and Procedures), or gather clues about their true identities. This strategy typically includes things such as canaries, honeypots, or tainted or tracked data. The challenge with deception technology is often in identifying an attacker in the first place in order to divert them to fake resources. We will demonstrate in this talk that Behavioral Biometrics are uniquely positioned to identify an attacker as unauthorized, independent of credentials, in a way that is invisible and spoof resistant. With that information, deception technology can redirect their attack in order to delay it, discover the attacker's TTPs, or even learn the identity of the attacker as they attempt to exfiltrate mocked data, transfer funds, or use services. We will conclude by demonstrating this combination live.
Curt Barnard, Dawud Gordon
Dawud Gordon (@d4wud), Curt Barnard (@CurtBarnard)
Dr. Dawud Gordon is CEO & Co-Founder at TWOSENSE.AI, an NYC-based Behavioral Biometrics firm that makes authentication invisible through AI. Dawud holds a Ph.D. in Computer Engineering from KIT in Karlsruhe, Germany for his work on using Machine Learning for human behavior analytics. He has published over 30 peer-reviewed papers and patents on related topics, and won several awards for his research. Curt is the Founder and CEO of ThreshingFloor. Curt holds an MS in Cyber Operations from the Air Force Institute of Technology, and has spent the last decade in cybersecurity across public and private industries, including venture capital. Curt’s research interests lie primarily in network analysis, anonymizing technologies, and generally breaking stuff.
10:00 - 10:25 | Sunday | Stable | 3 | We are all on the spectrum: What my 10-year-old taught me about leading teams
Being a parent of an autistic child has taught me how to communicate with my team in a way that no book on leadership has. We all fall somewhere on the spectrum and communicating with one another is key to building effective teams.
Carla A. Raisler (@KyCarla)
Carla Raisler is a cybersecurity professional in the healthcare industry and the Department of Defense. When she isn’t harassing her coworkers with phishing tests or security audits, she’s telling war stories while enjoying her favorite bourbon.
10:30 - 10:55 | Sunday | Stable | 4 | No Place Like Home: Real Estate OSINT and OPSec Fails
Join me in discovering the large amount of OSINT data that can be obtained through the many areas of Real Estate. Along the way we will cover areas of OPSec failure in the market and what to do to prevent them.
John Bullinger
John is currently a hands-on CSO for a small SaaS company. He has over 25 years of experience in the IT and Security industry. John has worked in multiple sectors including Retail, Manufacturing, Medical, and Technology. He has held roles ranging from Systems Administrator, DBA, and Director/CIO to CSO. John currently holds OSCP, GCIH, CISSP, and PMP certifications.
11:00 - 11:25 | Sunday | Stable | 5 | The Layer2 Nightmare
It all started with a very simple question. Is it possible to firewall all internal traffic to help prevent or detect lateral movement?
Chris Mallz (@vvalien1)
Chris Mallz would much rather spend his time hacking or researching than writing a Bio.
11:30 - 11:55 | Sunday | Stable | 6 | Attacking Azure Environments with PowerShell
For a multitude of reasons, many organizations are moving their operations to the cloud. Along with this, many organizations are introducing old vulnerabilities in new ways. As one of the top cloud providers, Microsoft Azure has had significant adoption and continues to grow in market share. As part of this increase in adoption, there has also been an increase in demand for security testing of Azure environments. Given the blended nature of hosted services, PaaS, and virtual infrastructure, it can be difficult to get a handle on how to properly secure these environments. Reviewing Azure environments can also be time consuming given the lack of automated tools for dumping configuration information. MicroBurst is a PowerShell tool that helps automate the process of dumping and reviewing Microsoft Azure configurations. This talk will go over the ways that pen testers and defenders can use MicroBurst to dump out the configuration information for an Azure environment and identify common configuration issues. Security testers will benefit from the speed of dumping environment credentials for pivoting, listing out publicly available services and files, and enumerating additional targets for phishing and password guessing attacks. As an added bonus, defenders can also use these tools to audit their environment for weak spots.
Karl Fosaaen (@kfosaaen)
Karl is a Practice Director at NetSPI who specializes in network and web application penetration testing. With over ten years of consulting experience in the computer security industry, he has worked in a variety of industries and has made his way through many Active Directory domains. Karl also holds a BS in Computer Science from the University of Minnesota. This year, he has spent a fair amount of time digging into automating and assessing the Azure stack. Over the years at NetSPI, Karl has helped build out and maintain their GPU cracking boxes. Karl holds a couple of certifications, that is neat. Karl has previously spoken at THOTCON, DerbyCon 6.0, and BSidesPDX. In his spare time, you may see him trying to sell you a t-shirt as a swag goon at DEF CON.
12:00 - 12:25 | Sunday | Stable | 7 | Blue Blood Injection: Transitioning Red to Purple
Moving from a large company with a retinue of pentesters to a start-up with far fewer resources can be a strain. It may be just you. While you're performing services, your new company may also need you to be flexible and move to supporting some IR or blue team-related functionality. You won't be able to do both sides of a purple team, but you can help things meet for your clients. This talk will have my story, as well as some ideas for when you have to reach across a spectrum of needs with limited (or no) defense-focused personnel.
Lsly Ayyy
Leslie is a network-focused penetration tester (learning about OT/ICS in their downtime). Relatedly, they're a perpetual Linux sysadmin and frequent conference volunteer and attendee. Typically you’ll find them scoping out WAPs, wiggling ATM card readers, and hiding in a corner with MP3s, a 3DS (playing JRPGs), or CTFs.
12:30 - 12:55 | Sunday | Stable | 8 | Mirai, Satori, OMG, and Owari - IoT Botnets Oh My
Mirai, seen as revolutionary for malware that targets the Internet of Things (IoT), has wrought destruction around the globe and popularized IoT-based malware. Mirai was utilized by attackers to launch multiple high-profile, high-impact DDoS attacks against various Internet properties and services in 2016. Since the release of Mirai’s source code, IoT botnet authors have used it as a framework to build new malware. Authors have expanded the original Mirai code base with new capabilities and functionality while making some improvements. This talk will cover three of the most recent variants of Mirai-based botnets and the flair added by the authors to make them their own.
Peter Arzamendi (Twitter: N/A)
Peter Arzamendi is a Security Researcher with NETSCOUT Arbor's ASERT team. He has expertise in vulnerability discovery, fuzzing, exploitation techniques, malware analysis, and protocol analysis. Areas of interest include static and dynamic analysis of binaries and hardware reverse engineering. He has over 15 years of experience in systems administration, computer engineering, and information systems security. He is active in the InfoSec community and has presented on security topics at Shmoocon, Hack in Paris, Blackhat Arsenal, and local venues. He has also contributed to several open source projects such as Metasploit, Fgdump, and Serpico.
1:00 - 1:25 | Sunday | Stable | 9 | Comparing apples to Apple
Many defenders have hard fought experience finding evil on Windows systems, but stare blankly when handed a Mac. You know all the ways PowerShell can own a box, but how about AppleScript? This practical talk will give defenders a primer in finding adversarial activity on macOS using the TTPs they know and love from other platforms as a reference point.
Adam Mathis (@ch41_)
Adam is a security practitioner, beard enthusiast, and heavy metal connoisseur. For the better part of a decade he has worked across multiple security disciplines, such as architecture design and implementation, penetration testing, security engineering, and incident handling and response. Adam is an Incident Handler with Red Canary, helping organizations find and evict evil.
1:30 - 1:55 | Sunday | Stable | 10 | How online dating made me better at threat modeling
Isaiah Sarju uses online dating sites such as Tinder and OkCupid. At times this seems antithetical to his stance on privacy and security. To better understand the security ramifications of online dating, and to establish safer methods of doing it, he applied threat modeling to online dating. Through this he came up with a set of best practices depending on your threat model. This talk is relevant for anyone who is trying to balance privacy/security and a desire for human connection in this modern world. Due to the real and perceived dangers of online dating, the stigma that surrounds it, and the pervasiveness of it, it is a great lens through which folks can be introduced to the core principles of threat modeling. It also makes it fun to talk about!
Isaiah Sarju
Isaiah Sarju is a co-owner of Revis Solutions, LLC, a boutique information security firm. He has contributed to the Microsoft Security Intelligence Report, conducted numerous white hat hacking attacks, and taught students how to become top tier defenders. He plays tabletop games, swims, and trains Brazilian Jiu-Jitsu.
9:00 - 9:50 | Sunday | Track 1 | 1
Social Engineering At Work – How to use positive influence to gain management buy-in for anything
Do you understand how to navigate office politics and regularly get what you want and need to make your security efforts take off and be successful? Are there projects or programs you want to institute, but have trouble getting started or knowing how to get people on-board? Most of us understand how SE can be used to test for human vulnerabilities, but socializing at work may give us a yucky feeling. However, if you really want to learn how to get buy-in for your ideas or projects and get what you want, you need to be able to navigate the social system at work and exert indirect influence. It is possible to study and reverse the “dark arts” of SE to actually achieve positive goals; SE principles are used every day by savvy business people to make things happen, even if they don’t realize that they’re using them. Let’s define ways even the most introverted person can play the corporate game in a non-malicious non-manipulative way. Then, we can use this knowledge within our organizations to improve our security posture, “sell” security to stakeholders, and lessen risk. Learn how to utilize the tools of SE “for good” so that we can better serve our infrastructures and customers.
April Wright
April C. Wright is a hacker, author, teacher, and community leader with over 25 years of breaking, making, fixing, and defending global critical communications and connections. She is an international speaker and trainer, educating others about Information Security, with the goal of protecting individual privacy and important assets to make the digital components that impact our lives safer and more secure. A security program specialist for a Fortune 15 company, April has held roles on offensive, defensive, operational, and development teams throughout her career, and been a speaker and contributor at numerous security conferences including BlackHat, DEF CON, DerbyCon, Hack in Paris, DefCamp, ITWeb, as well as for the US Government and industry organizations such as OWASP and ISSA. She has started multiple small businesses including a non-profit, is a member of the DEF CON Groups Core Team, and in 2017 she co-founded the Boston DEF CON Group DC617. April has collected dozens of certifications to add letters at the end of her name, almost died in Dracula’s secret staircase, and once read on ‘teh interwebs’ that researchers at the University of North Carolina released a comprehensive report in 2014 confirming that she is the “most significant and interesting person currently inhabiting the earth”, so it must be true.
9:00 - 9:50 | Sunday | Track 2 | 1 | Red Mirror: Bringing Telemetry to Red Teaming
Providing impact and insights on a red team engagement is crucial to improving the security posture of the target organization. Too often red teams have to comb through log files, pcaps or other disjointed artifacts to tell the whole story, making it difficult especially on long-term engagements. The Red Mirror project is the mirror to the blue team’s SIEM; it’s an ELK-based system that captures operator actions, network traffic including C2, and MITRE ATT&CK tactics. By capturing this extensive amount of data, red teams can now easily query, visualize, and report on their actions. The gathered data has the added benefit of enabling red teams to perform infrastructure and operational security monitoring.
Zach Grace (@ztgrace)
Zach has worked in offensive security for the last eight years focusing on securing financial institutions by breaking into them. He is currently the red team lead for a Fortune 100. Zach is the creator of the open source security projects changeme and Sticky Keys Hunter, and has contributed to several others including Metasploit, Empire and Recon-ng.