News / talks

Schedule of Packet Hacking Village Talks at DEF CON 31

All talks will be held at the Village Stage in the Contest Area. You can enter via Room 232.

Friday

Saturday

Title: Pwning the Pwners with Mindware
Speaker: Frank "D9" DiGiovanni

Abstract: Traditionally the cyber attacker has an asymmetric advantage over the cyber defender. But does it have to be that way? Is it possible for the cyber defender to take an "offensive stance." This talk will show how the emerging science of cyberpsychology and the leveraging of AI can provide the defender with the ability to pwn the most vulnerable component in the cyberattack kill chain, the attack's human operator. Leveraging the DoD's "Tularosa Study," this talk will cover a theoretical framework for achieving this objective, outline an operational vignette, and then cover some the specifics for such an approach.

Speaker Bio: Forty-one years of government service, Frank DiGiovanni is a retired USAF Colonel and DoD Senior Executive Service. Co-Led with the DoD CIO the development of the SecDef's DoD Cyber Workforce Strategy. Built from scratch a six-month DoD Cyber Operations training course, repurposed DEFCON's CTF and CTP technical architecture to support DoD cyber operations training, and now working advanced cyber R&D projects in private sector. UPENN doctoral dissertation examined what makes hackers extraordinary unique from the average human population.

Title: The Importance of Arts and Crafts in ThreatOps
Speaker: Pete Hay, Editor-in-Chief, TheCyber.Report

Abstract: Cybersecurity professionals spend an huge amount of time attempting to use a visual medium to communicate complicated concepts in a simple yet information-dense manner. However if you ask 10 analysts to map out the same incident, you'll get 10 divergent diagrams. In this presentation we present a method of leveling-up your cybersecurity-related arts and crafts skills: effectively diagramming incidents, threat reports, threat intel, and reporting to support full-spectrum ThreatOps.

Speaker Bio: In addition to being SimSpace's Principal Security Strategist, Pete is the Co-Founder & Editor-in-Chief of TheCyber.Report. Pete has an extensive & diverse background in technology driven fields including Computer Network Operations (CNO), Network Forensics, & Nuclear Chemistry, as well as one of the few patents issued in Cybersecurity & ZTA. A life-long learner & security enthusiast, Pete helps Fortune 10 banks test & refine their security postures, while running TheCyber.Report as a passion project.

Title: Death by 1000 Likes: How Much Do You Really Leak in Social
Media?
Speaker: Will Kay

Abstract: As lonely Aussies attending our first Defcon last year, we were frequently drawn to the hilarity/uniquness of the Wall of Sheep board. One of our group suggested people leaking at the con was super entertaining, but what about throughout the rest of the year? We decided to use the time between DC30 and DC31 scraping the r/defcon subreddit to create the Wall of Sheep - online edition.

Speaker Bio: Will works for a private security consultancy in Australia. He is cybersecurity advisor and insider threat consultant. His professional career began many years ago in military intelligence to which he owes his knowledge of traditional targeting methods. The organisation and team he works for today provides security awareness and reinforcement training. His passion is removing the weakness that exists across society to social engineering techniques, and believes a more secure and prosperous future begins with people.

Title: OSINT for Physical Security Intelligence
Speakers: Mike Raggo, Security Researcher, SilentSignals; Chet Hosmer,
Chief Scientist

Abstract: Organizations seek rapid intelligence about critical situations that impact their teams, locations, or assets. Yet when it comes to OSINT we find organizations performing Open Source Information gathering; wasting time sifting through data to get to the actionable intelligence. In this presentation we demonstrate how to collect curated data and eliminate 99% of the time spent on reliminary data analysis. Furthermore, all of this data can be combined to perform trending and predictive analysis for natural disasters, geo-political situations, or business risk. The goal is to provide attendees with ideas for formulating new approaches for physical security OSINT.

Speaker Bios: Michael T. Raggo has over 30 years of security research experience. During this time, he has uncovered and ethically disclosed vulnerabilities in products including Samsung, Checkpoint, and Netgear. Michael is the author of "Mobile Data Loss: Threats &Countermeasures" and "Data Hiding" for Syngress Book. He is also a frequent presenter at security conferences, including Black Hat, DEF CON, Gartner, RSA, DoD Cyber Crime, OWASP, SANS. He was also awarded the Pentagon's Certificate of Appreciation.

Chet Hosmer is an international author, educator, researcher, and founder of Python Forensics, Inc., a non-profit research institute focused on the collaborative development of open source investigative technologies using the Python programming language. Chet is also a Visiting Professor at Utica College in the Cybersecurity Graduate Program, where his research and teaching is focused on data hiding, active cyber defense and security of industrial control systems. Additionally, Chet is an Adjunct Professor at Champlain College in the Digital Forensics Graduate Program, where his research and teaching is focused on solving hard digital investigation problems using the Python programming language.

Title: WINE Pairing with Malware
Speaker: Jared Stroud, Lead Security Engineer, The MITRE Corporation

Abstract: The growing popularity of playing AAA Windows video games on Linux has increased the compatibility of tools such as WINE and Proton. These same platforms that enable the latest games to run also can be used to execute the latest Malware. This talk will walk through configuring an environment to rapidly collect IoCs from unknown samples without having to use expensive sandboxes. Learn how to leverage your favorite UNIX tools to awk, grep, and pipe your way to extracting valuable forensic evidence without submitting your samples to $VENDOR. More on the offensive side? Come see how to shorten the feedback loop from idea generation, to testing and finally deployment!

Speaker Bio: Jared Stroud is a Lead Security Engineer at The MITRE Corporation tackling problems related to Container and Kubernetes security. Jared also contributes to ATT&CK via Adversary Emulation for Linux threats.

Read more →

Packet Hacking Village Talks at DEF CON 31

We are pleased to announce our accepted Packet Hacking Village (PHV)
Talks at DEF CON 31. Times and location of talks will be announced
soon.

**********
Title: Pwning the Pwners with Mindware

Speaker: Frank "D9" DiGiovanni

Abstract: Traditionally the cyber attacker has an asymmetric advantage
over the cyber defender. But does it have to be that way? Is it
possible for the cyber defender to take an "offensive stance." This
talk will show how the emerging science of cyberpsychology and the
leveraging of AI can provide the defender with the ability to pwn the
most vulnerable component in the cyberattack kill chain, the attack's
human operator. Leveraging the DoD's "Tularosa Study," this talk will
cover a theoretical framework for achieving this objective, outline an
operational vignette, and then cover some the specifics for such an
approach.

Speaker Bio: Forty-one years of government service, Frank DiGiovanni
is a retired USAF Colonel and DoD Senior Executive Service. Co-Led
with the DoD CIO the development of the SecDef's DoD Cyber Workforce
Strategy. Built from scratch a six-month DoD Cyber Operations training
course, repurposed DEFCON's CTF and CTP technical architecture to
support DoD cyber operations training, and now working advanced cyber
R&D projects in private sector. UPENN doctoral dissertation examined
what makes hackers extraordinary unique from the average human
population.

**********

Title: The Importance of Arts and Crafts in ThreatOps

Speaker: Pete Hay, Editor-in-Chief, TheCyber.Report

Abstract: Cybersecurity professionals spend an huge amount of time
attempting to use a visual medium to communicate complicated concepts
in a simple yet information-dense manner. However if you ask 10
analysts to map out the same incident, you'll get 10 divergent
diagrams. In this presentation we present a method of leveling-up your
cybersecurity-related arts and crafts skills: effectively diagramming
incidents, threat reports, threat intel, and reporting to support
full-spectrum ThreatOps.

Speaker Bio: In addition to being SimSpace's Principal Security
Strategist, Pete is the Co-Founder & Editor-in-Chief of
TheCyber.Report. Pete has an extensive & diverse background in
technology driven fields including Computer Network Operations (CNO),
Network Forensics, & Nuclear Chemistry, as well as one of the few
patents issued in Cybersecurity & ZTA. A life-long learner & security
enthusiast, Pete helps Fortune 10 banks test & refine their security
postures, while running TheCyber.Report as a passion project.

**********

Title: Death by 1000 Likes: How Much Do You Really Leak in Social
Media?

Speaker: Will Kay

Abstract: As lonely Aussies attending our first Defcon last year, we
were frequently drawn to the hilarity/uniquness of the Wall of Sheep
board. One of our group suggested people leaking at the con was super
entertaining, but what about throughout the rest of the year? We
decided to use the time between DC30 and DC31 scraping the r/defcon
subreddit to create the Wall of Sheep - online edition.

Speaker Bio: Will works for a private security consultancy in
Australia. He is cybersecurity advisor and insider threat
consultant. His professional career began many years ago in military
intelligence to which he owes his knowledge of traditional targeting
methods. The organisation and team he works for today provides
security awareness and reinforcement training. His passion is removing
the weakness that exists across society to social engineering
techniques, and believes a more secure and prosperous future begins
with people.

**********

Title: OSINT for Physical Security Intelligence

Speakers: Mike Raggo, Security Researcher, SilentSignals; Chet Hosmer,
Chief Scientist

Abstract: Organizations seek rapid intelligence about critical
situations that impact their teams, locations, or assets. Yet when it
comes to OSINT we find organizations performing Open Source
Information gathering; wasting time sifting through data to get to the
actionable intelligence. In this presentation we demonstrate how to
collect curated data and eliminate 99% of the time spent on
preliminary data analysis. Furthermore, all of this data can be
combined to perform trending and predictive analysis for natural
disasters, geo-political situations, or business risk. The goal is to
provide attendees with ideas for formulating new approaches for
physical security OSINT.

Speaker Bios: Michael T. Raggo has over 30 years of security research
experience. During this time, he has uncovered and ethically disclosed
vulnerabilities in products including Samsung, Checkpoint, and
Netgear. Michael is the author of "Mobile Data Loss: Threats &
Countermeasures" and "Data Hiding" for Syngress Book. He is also a
frequent presenter at security conferences, including Black Hat, DEF
CON, Gartner, RSA, DoD Cyber Crime, OWASP, SANS. He was also awarded
the Pentagon's Certificate of Appreciation.

Chet Hosmer is an international author, educator, researcher, and
founder of Python Forensics, Inc., a non-profit research institute
focused on the collaborative development of open source investigative
technologies using the Python programming language. Chet is also a
Visiting Professor at Utica College in the Cybersecurity Graduate
Program, where his research and teaching is focused on data hiding,
active cyber defense and security of industrial control
systems. Additionally, Chet is an Adjunct Professor at Champlain
College in the Digital Forensics Graduate Program, where his research
and teaching is focused on solving hard digital investigation problems
using the Python programming language.

**********

Title: WINE Pairing with Malware

Speaker: Jared Stroud, Lead Security Engineer, The MITRE Corporation

Abstract: The growing popularity of playing AAA Windows video games on
Linux has increased the compatibility of tools such as WINE and
Proton. These same platforms that enable the latest games to run also
can be used to execute the latest Malware. This talk will walk
through configuring an environment to rapidly collect IoCs from
unknown samples without having to use expensive sandboxes. Learn how
to leverage your favorite UNIX tools to awk, grep, and pipe your way
to extracting valuable forensic evidence without submitting your
samples to $VENDOR. More on the offensive side? Come see how to
shorten the feedback loop from idea generation, to testing and finally
deployment!

Speaker Bio: Jared Stroud is a Lead Security Engineer at The MITRE
Corporation tackling problems related to Container and Kubernetes
security. Jared also contributes to ATT&CK via Adversary Emulation
for Linux threats.
Read more →

First Batch of Accepted Packet Hacking Village Talks at DEF CON 29 Announced

Schedules of talks and events at the Packet Hacking Village are available at https://www.wallofsheep.com/pages/dc29. More talks will be added soon. All talks will be streamed on YouTube, Twitch, Facebook, and Periscope.

*nix Processes. Starting, Stopping, and Everything In Between

Nick Roy

Core Topic: Operating Systems: *nix

Recording discusses Linux and Unix processes, starting with a high level overview of what a process is and what the key components are. We then take a look at how the operating system manages multiple processes, what are the main components of a running process, and finally some common syscalls used in Linux when creating processes. Finally, we look at a few code samples to show how these calls are used with a simple shell. All code can be found here to compliment the video: https://github.com/superducktoes/syscall_processes

Nick Roy (Twitter: @superducktoes) currently works for a global security vendor creating training content and researching new attacker patterns and techniques. Previously he worked at an automation platform startup teaching people about the joys and benefits of automation. While not working he lives in Boston with his wife and two cats hunting out the best dive bars in Boston and solving math problems on college chalkboards overnight.

Internet Protocol (IP)

Roy Feng

Core Topic: Core Networking

The Internet Protocol is one of the foundational protocols of the Internet, and is what keeps devices connected. This video talks about the fundamentals of the Internet Protocol.

Roy Feng (Twitter: @LPF613) is a networking and cybersecurity enthusiast. He has six years of experience working as a network engineer and one year working in threat intelligence. His latest role is at a managed security service provider, where he leads a team of incident responders and threat hunters to help investigate and respond to incidents as well as hunt for threats in customer environments. In his spare time, Roy can be seen building and maintaining his home lab, and learning about and tinkering with the latest and greatest technologies.

Linux Binary Analysis w/ Strace

Jared Stroud, Lacework

Core Topic: File Analysis

The strace utility allows for deep insight into what an application is doing on a nix host. While the amount of data produced can be overwhelming, in this video I'll demonstrate how to filter, log and obtain relevant information for a wide variety of use cases around file analysis. From diagnosing a bisheaving application, to revealing a malware's secrets. This video will give a practical introduction in using strace to spy on *nix applications at the syscall level. All resources can be found here: https://www.github.com/lacework-dev/strace_lab_PUBLIC

Jared Stroud (Twitter: @DLL_Cool_J) is a Cloud Security Researcher at Lacework where he focuses on emerging Linux and Cloud platform threats. Previously, he worked at The MITRE Corporation where he contributed Unix and Windows tooling for the ATT&CK Fin7/CARBANAK Evaluation and the Open Source adversary emulation utility CALDERA.

MITRE Engage: A Framework for Adversary Engagement Operations

Stan Bar, Capability Area Lead, Cyber Denial, Deception, and Adversary Engagement, The MITRE Corporation
Gabby Raymond, Co-Capability Area Lead, Cyber Denial, Deception, and Adversary Engagement, The MITRE Corporation
Maretta Morovitz, Senior Cyber Security Engineer, The MITRE Corporation

Core Topic: File/Network Monitoring

For 10+ years MITRE has been engaged in denial, deception, and adversary engagement operations for internal defense and research purposes. We have created MITRE Engage as a framework for planning and communicating about adversary engagement operations. In our talk we include:

  • A brief overview of what we mean when we say denial, deception, and adversary engagement
  • Our vision for the future and why we think this technology matters
  • A brief history of our past experiences (and failures) in this space and how that shaped where we are today
  • The official release of MITRE Engage 0.9 Beta and ask for community feedback
  • A fictional walkthrough of how you can use Engage to get started in adversary engagement operations

Dr. Stanley Barr is a three-time graduate of University of Massachusetts Lowell. He has a BS in Information Sciences, an MS in Mathematics, and a PhD in Computer Science. He has coauthored papers in malware analysis, barrier coverage problems, expert systems for network security, and robotic manufacturing. He has spoken at MILCOM and been a panelist for several conferences. Additionally, he has appeared on several podcasts on adversary engagement and presented at TEDx. Currently, he is a Principal Scientist at The MITRE Corporation. He currently is the Capability Area Leader for Cyber Denial, Deception, and Adversary Engagement. Stan lives with his wife, 5 rescue dogs, and 15 chickens.

Gabby Raymond is a two-time graduate from Tufts University. She holds a B.S. in Mathematics and Computer Science and a M.S. in Computer Science. Her research has spanned topics in intrusion detection, cyber-physical systems, and machine learning applications for security. Gabby recently co-authored a Choose Your Own Adventure style book called "The Toolbox of Innovation" with members of MITRE's Innovation Toolkit team. Outside of work, Gabby enjoys knitting and judging science fairs. Gabby is the Co-Capability Area Lead for Cyber Deception and Adversary Engagement at The MITRE Corporation.

Maretta Morovitz is a graduate of Tufts University School of Engineering, where she graduated with a degree in Computer Science. She is a Senior Cyber Security Engineer at the MITRE Corporation where she works in the areas of adversary engagement, malware analysis, and reverse engineering. She is a founding member of MITRE's Cyber Deterrence and Adversary Management (CDAM) team and has helped shape MITRE's adversary engagement work for the last two years. She was recently named as one fo the AFCEA 40 Under 40 Awardees for 2021. Outside of work you can find her nerding out about the latest Brandon Sanderson novel, still anxiously awaiting her letter from Hogwarts, or snuggling with her dog and hedgehog.

RCE via Meow Variant along with an Example 0day

Özkan Mustafa AKKUŞ, Senior Cyber Security Consultant and Vulnerability Researcher at Turk Telekom

Core Topic: Operating Systems: *nix

I will touch Some Alternative Bypass Restriction Techniques. Then I will present a vulnerability of Ericsson Network Location that provides the infrastructure of the research and we are going to touch on the meow variant with details through this vulnerability Towards the end we are going to prepare a Metasploit module and exploit the vulnerability.

Ozkan (Twitter: @ehakkus) is a vulnerability researcher and senior cyber security consultant in Turkey. Ozkan publishes security vulnerabilities on international platforms that he has discovered. He shares his experiences and works on his personal blog (https://www.pentest.com.tr). He gave training and presentations in many universities and institutions in his country. In addition to these studies, He gave the presentation of "The Vulnerability That Gmail Overlooked and Enabling Threat Hunting" in Packet Hacking Village at DEF CON 28 and "0day Hunting and RCE Exploitation in Web Applications" in AppSec Village at DEF CON 27.

Seeing the Forest Through the Trees – Foundations of Event Log Analysis

Jake Williams, CTO of BreachQuest

Core Topic: System Forensics

During an incident, everyone knows you need to review the logs – but what are they actually telling you? There's a wealth of information to be had in your logs event logs, but most analysts miss the forest because they don't understand the trees. In this talk, Jake will walk you through some of the most impactful event logs to focus on in your analysis. We'll target some old favorites covering login events, service creation, and process execution. We'll also examine task scheduler logs, useful in uncovering lateral movement and privilege escalation. Finally, we'll discuss some of the new event logs available in Windows 10 (if only you enable them first). If you don't want to be barking up the wrong tree during your next insider investigation or getting axed because you failed to identify the lateral movement attempts, make sure to watch this video.

Jake Williams (Twitter: @malwarejake) is an incident responder, red teamer, occasional vCISO, and prolific infosec shitposter. He has traveled the world, but isn't welcome in China or Russia (and avoids most countries they have extradition treaties with). When not speaking at a conference like this one, it's a good bet that Jake is engaged in hand to hand combat with an adversary rooted deep in a network or engineering ways to keep them out. Jake's career in infosec started in the intelligence community, but has taken around the world securing networks of all shapes and sizes, from utilities to hospitals to manufacturing plants.

Seeing Through The Windows: Centralizing Windows Logs For Greater Visibility

Matthew Gracie, Senior Engineer at Security Onion Solutions

Core Topic: Operating Systems: Windows

This talk is a brief summary of how to collect and centralize Windows Event Logs for analysis and free tools that can be used to do so. There is also a demonstration of how to use Elastic Stack to investigate an incident using these collected logs.

Matthew Gracie (Twitter: @InfosecGoon) has over a decade of experience in information security, working to defend networks in higher education, manufacturing, and financial services. He is currently a Senior Engineer at Security Onion Solutions and the founder of the Infosec 716 monthly meetup. Matt enjoys good beer, mountain bikes, Debian-based Linux distributions, and college hockey.

The War for Control of DNS Encryption

Dr. Paul Vixie, Chairman and CEO and Cofounder of Farsight Security, Inc.

Core Topic: Core Networking

Pervasive monitoring of the Internet by both government, corporate, and criminal actors has triggered an encryption wavefront as wide as the Internet itself. DNS, as the map of the Internet's territory, is seen as especially sensitive and there are now several competing encryption standards waiting to be deployed. In this short talk, Dr. Vixie will explain the original problem, describe the protocol-level solutions, and then show how vendors like Google, Mozilla Corporation, Microsoft, and Apple are deploying these technologies across their product lines. Opinions may also be offered.

Dr. Paul Vixie (Twitter: @PaulVixie) is an Internet pioneer. Currently, he is the Chairman, Chief Executive Officer and Cofounder of Farsight Security, Inc. He was inducted into the Internet Hall of Fame in 2014 for work related to DNS and DNSSEC. Dr. Vixie is a prolific author of open-source Internet software including BIND, and of many Internet standards documents concerning DNS and DNSSEC. In addition, he founded the first anti-spam company (MAPS, 1996), the first non-profit Internet infrastructure software company (ISC, 1994), and the first neutral and commercial Internet exchange (PAIX, 1991). He earned his Ph.D. from Keio University.

Read more →

Time For Something New: Call For Presentations at the Packet Hacking Village

Security education is the mission of the Packet Hacking Village and the Wall of Sheep. We also take great pride in being a welcoming village for newcomers to DEF CON and to the Cyber Security field. We aim to act as a bridge between our visitors' existing knowledge and a better understanding of security topics by providing both knowledge of core fundamental concepts as well as advanced topics. Each year, there are thousands of newcomers into the Cyber Security field --technical or non-technical. We want to make sure that everyone has a solid foundation in Cyber Security. To that end, we're looking for pre-recorded talks in a 10-12 minute, 25-30 minute, OR 45-50 minute length, to teach our viewers something about one of these fundamental topics:

  • Disk structures
  • File systems
  • Core networking concepts
  • Operating Systems: *nix
  • Operating Systems: Windows
  • Operating Systems: macOS
  • Code/cipher/hash fundamentals
  • File analysis
  • Web traffic fundamentals
  • Network capture fundamentals
  • Email fundamentals
  • File/network/system forensics
  • File/network monitoring

We have identified these topics as the fundamental pillars of knowledge in Cyber Security. Our Packet Detective, Packet Inspector, and Capture The Packet events each provide attendees a way to apply knowledge from these topics and more in an engaging learning environment. Our goal is to build a glossary of fundamentals for Cyber Security people of all kinds: students, practitioners, teachers, lawmakers, government officials, and professionals.

Product or vendor related pitches are not welcomed.

To submit a talk, please provide the following information and link to presentation video in the form below to cfp2021[at]wallofsheep[dot]com. The Call for Presentations will close on Friday, July 30th, at 11:59 PM PDT. The list of talks will be finalized and published on Sunday, August 1st.

SPEAKER NAME:

SPEAKER TITLE AND COMPANY (IF APPLICABLE):

SPEAKER EMAIL ADDRESS:

SPEAKER TWITTER NAME (IF YOU WANT IT KNOWN IF YOU ARE ACCEPTED):

NAME OF PRESENTATION:

WHICH ONE OF THE CORE TOPICS DOES YOUR VIDEO FIT INTO (CHECK ONE ONLY):

  • Disk structures
  • File systems
  • Core networking concepts
  • Operating Systems: *nix
  • Operating Systems: Windows
  • Operating Systems: macOS
  • Code/cipher/hash fundamentals
  • File analysis
  • Web traffic fundamentals
  • Network capture fundamentals
  • Email fundamentals
  • File/network/system forensics
  • File/network monitoring

BRIEF DESCRIPTION OF YOUR VIDEO:

SPEAKER'S BIO:

This text will be used for the website and printed materials and should be written in the third person. Cover any professional history that is relevant to the presentation, including past jobs, tools that you have written, etc. Let people know who you are and why you are qualified to speak on your topic. Presentations that are submitted without biographies will not be considered.

WHERE TO DOWNLOAD YOUR VIDEO (e.g., Box, Dropbox, Google Drive, YouTube --unlisted), PROVIDE LINK:

As for video format, please use MP4.

TERMS AND CONDITIONS

By submitting you agree to the Terms and Conditions below. Please read and accept these terms by inserting your name in the appropriate area, otherwise your application will be considered incomplete and returned to you.

GRANT OF COPYRIGHT USE

I warrant that the above work has not been previously published elsewhere, or if it has, that I have obtained permission for its publication Aries Security, LLC. and that I will promptly supply Aries Security, LLC. with wording for crediting the original publication and copyright owner. If I am selected for presentation, I hereby give Aries Security, LLC. permission to duplicate, record and redistribute this presentation, which includes, but is not limited to, the conference proceedings, conference CD, video, audio, and hand-outs to the conference attendees for educational, on-line, and all other purposes.

Read more →

UPDATED Call for Presentations for Packet Hacking (Virtual) Village Talks at DEF CON 28

Overview

The Wall of Sheep would like to announce a call for virtual presentations from Thursday, August 6th to Sunday, August 9th. Packet Hacking (Virtual) Village Talks goal is to deliver talks that increase security awareness and provide skills that can be immediately applied after the conference. Our audience ranges from those who are new to security to the most seasoned practitioners in the security industry. Introductory talks are welcome.

Topics of interest include:

  • Tools and techniques on network sniffing, intrusion detection, monitoring, forensics, log analysis
  • General Digital Forensics and Incident Response (DFIR) talks
  • Threat hunting
  • Incident response process and procedures and/or recovery
  • Hands-on spy level makup art (e.g., wigs, prosthetic noses, etc.)
  • How to do refresh your system without losing all your stuff and eliminate malware
  • Setting up cloud backups that withstand ransomware attacks
  • How to justify hacking / security tools in the corporate world
  • How to use regulatory compliance requirements in your favor to enhance your overall funding and security posture
  • Security awareness program success and failure stories
  • Tools for data collection and visualization
  • Purple and blue teaming
  • Business continuity planning for cyber war

The Wall of Sheep will not accept product or vendor related pitches. If your talk is a thinly-veiled advertisement for a product or service your company is offering, please do not apply!

All accepted talks will be announced, recorded, and published by Aries Security, LLC. Please see our YouTube channel for all talks from previous years: https://www.youtube.com/channel/UCnL9S5Wv_dNvO381slSA06w.

The Call for Presentations will close on Friday, June 26th at 11:59 PM PDT. The list of talks will be finalized and published on Wednesday, July 15th.

Speaking Format

Each presentation slot is 1 hour maximum, including time for Q&A. If we have time and it is in line with our goals mentioned above, then there is a good chance you will be selected.

To submit a presentation, please provide the following information in the form below to cfp2020[at]wallofsheep[dot]com

Primary Speaker Name:

Primary Speaker Title and Company (if applicable):

Primary Speaker Email Address:

Primary Speaker Phone Number (to contact you if necessary during the conference):

Primary Speaker Twitter name (if you want it known if you are accepted):

Additional Speakers' name(s), titles, and social information:

Additional Email Addresses:

Is there a specific day or time you MUST speak by?

Name of Presentation:

Length of presentation: (20 minutes or 50 minutes)

Abstract (100 words MAXIMUM, absolutely necessary):

Your abstract will be used for the website. Summarize what your presentation will cover. Attendees will read this to get an idea of what they should know before your presentation, and what they will learn after. Use this to inform about how technical your talk is. This abstract is the primary way people will be drawn to your session. CFP reviews like to see what tools will be used and what materials you suggest to read in advance to get the most out of your presentation.

Speaker's Bio(s):

This text will be used for the website and printed materials and should be written in the third person. Cover any professional history that is relevant to the presentation, including past jobs, tools that you have written, etc. Let people know who you are and why you are qualified to speak on your topic. Presentations that are submitted without biographies will not be considered.

Detailed Outline:

You must provide a detailed outline containing the main points and navigation through your talk. Show how you intend to begin, where you intend to lead the audience and how you plan to get there. The outline may be provided in a separate attachment and may be as simple as a text file or as detailed as a "bare bones" presentation. The better your outline then the better we are able to best review your presentation against other submissions (and the higher chance you have of being accepted). SUBMISSION NOTE: Presentations that are submitted without abstracts, outlines, or speaker bios (e.g., that have only PDFs, PPTs, or white papers attached or only point to a URL) will not be considered.

Supporting File(s):

Additional supporting materials such as code, white papers, proof of concept, etc. must be sent along with this email to cfp2020[at]wallofsheep[dot]com to be considered. Note that additional files that may help in the selection process should be included. We are not asking for a complete presentation for this initial submission. That will only be required if you are selected for presenting.

Terms and Conditions

By submitting you agree to the Terms and Conditions below. Please read and accept these terms by inserting your name in the appropriate area, otherwise your application will be considered incomplete and returned to you.

Grant of Copyright Use

I warrant that the above work has not been previously published elsewhere, or if it has, that I have obtained permission for its publication Aries Security, LLC. and that I will promptly supply Aries Security, LLC. with wording for crediting the original publication and copyright owner. If I am selected for presentation, I hereby give Aries Security, LLC. permission to duplicate, record and redistribute this presentation, which includes, but is not limited to, the conference proceedings, conference CD, video, audio, and hand-outs to the conference attendees for educational, on-line, and all other purposes.

Terms of Speaking Requirements

1. I will submit a completed (and possibly updated) presentation and a reference to all of the tool(s), law(s), Web sites and/or publications referenced to at the end of my talk and as described in this CFP submission by noon PST, Wednesday, July 15th, 2020.

2. I will submit a final Abstract and Biography to the Wall of Sheep by noon PST, Wednesday, July 15th, 2020.

3. I will include a detailed bibliography as either a separate document or included within the presentation of all resources cited and/or used in my presentation.

4. I will complete my presentation within the time allocated to me - not running over the time allocation.

I, (insert your name here), have read and understand and agree to the terms as detailed in the Agreement to Terms of Speaking Requirements. In the case that a speaker is a child under the age of 13 years old: in compliance with the Children's Online Privacy Protection Act (COPPA) regulations, http://www.coppa.org, any child under age 13 must have parental consent for the collection, use, or disclosure of that child's personal information by a website. Parent/Guardian Consent: I (insert parent/guardian's name here) am the parent or guardian of the minor/s named above. I have read and understand and agree to the terms as detailed in the Agreement to Terms of Speaking Requirements.

Read more →

Packet Hacking Village Talks at DEF CON 28 Call for Presentations Now Open

Overview

The Wall of Sheep would like to announce a call for presentations at DEF CON 28 in Las Vegas, NV from Thursday, August 6th to Sunday, August 9th. Packet Hacking Village Talks goal is to deliver talks that increase security awareness and provide skills that can be immediately applied after the conference. Our audience ranges from those who are new to security to the most seasoned practitioners in the security industry. Introductory talks are welcome.

Topics of interest include:

  • Tools and techniques on network sniffing, intrusion detection, monitoring, forensics, log analysis
  • General Digital Forensics and Incident Response (DFIR) talks
  • Threat hunting
  • Incident response process and procedures and/or recovery
  • Hands-on spy level makup art (e.g., wigs, prosthetic noses, etc.)
  • How to do refresh your system without losing all your stuff and eliminate malware
  • Setting up cloud backups that withstand ransomware attacks
  • How to justify hacking / security tools in the corporate world
  • How to use regulatory compliance requirements in your favor to enhance your overall funding and security posture
  • Security awareness program success and failure stories
  • Tools for data collection and visualization
  • Purple and blue teaming
  • Business continuity planning for cyber war

The Wall of Sheep will not accept product or vendor related pitches. If your talk is a thinly-veiled advertisement for a product or service your company is offering, please do not apply!

All accepted talks will be announced, recorded, and published by Aries Security, LLC. Please see our YouTube channel for all talks from previous years: https://www.youtube.com/channel/UCnL9S5Wv_dNvO381slSA06w.

The Call for Presentations will close on Friday, June 12th at 11:59 PM PST. The list of talks will be finalized and published on Friday, June 28th.

Speaking Format

Each presentation slot is 1 hour maximum, including time for Q&A. If we have time and it is in line with our goals mentioned above, then there is a good chance you will be selected.

To submit a presentation, please provide the following information in the form below to cfp2020[at]wallofsheep[dot]com

Primary Speaker Name:

Primary Speaker Title and Company (if applicable):

Primary Speaker Email Address:

Primary Speaker Phone Number (to contact you if necessary during the conference):

Primary Speaker Twitter name (if you want it known if you are accepted):

Additional Speakers' name(s), titles, and social information:

Additional Email Addresses:

Is there a specific day or time you MUST speak by?

Name of Presentation:

Length of presentation: (20 minutes or 50 minutes)

Abstract (100 words MAXIMUM, absolutely necessary for printing purposes):

Your abstract will be used for the website and printed materials. Summarize what your presentation will cover. Attendees will read this to get an idea of what they should know before your presentation, and what they will learn after. Use this to inform about how technical your talk is. This abstract is the primary way people will be drawn to your session. CFP reviews like to see what tools will be used and what materials you suggest to read in advance to get the most out of your presentation.

Equipment Needs & Special Requests:

The Wall of Sheep will provide 1 projector feed, and microphones. If you need to use multiple outputs for a demo, please mention this below.

Speaker's Bio(s):

This text will be used for the website and printed materials and should be written in the third person. Cover any professional history that is relevant to the presentation, including past jobs, tools that you have written, etc. Let people know who you are and why you are qualified to speak on your topic. Presentations that are submitted without biographies will not be considered.

Detailed Outline:

You must provide a detailed outline containing the main points and navigation through your talk. Show how you intend to begin, where you intend to lead the audience and how you plan to get there. The outline may be provided in a separate attachment and may be as simple as a text file or as detailed as a "bare bones" presentation. The better your outline then the better we are able to best review your presentation against other submissions (and the higher chance you have of being accepted). SUBMISSION NOTE: Presentations that are submitted without abstracts, outlines, or speaker bios (e.g., that have only PDFs, PPTs, or white papers attached or only point to a URL) will not be considered.

Supporting File(s):

Additional supporting materials such as code, white papers, proof of concept, etc. must be sent along with this email to <strongcfp2020[at]wallofsheep[dot]com to be considered. Note that additional files that may help in the selection process should be included. We are not asking for a complete presentation for this initial submission. That will only be required if you are selected for presenting.

Terms and Conditions

By submitting you agree to the Terms and Conditions below. Please read and accept these terms by inserting your name in the appropriate area, otherwise your application will be considered incomplete and returned to you.

Grant of Copyright Use

I warrant that the above work has not been previously published elsewhere, or if it has, that I have obtained permission for its publication Aries Security, LLC. and that I will promptly supply Aries Security, LLC. with wording for crediting the original publication and copyright owner. If I am selected for presentation, I hereby give Aries Security, LLC. permission to duplicate, record and redistribute this presentation, which includes, but is not limited to, the conference proceedings, conference CD, video, audio, and hand-outs to the conference attendees for educational, on-line, and all other purposes.

Terms of Speaking Requirements

1. I will submit a completed (and possibly updated) presentation and a reference to all of the tool(s), law(s), Web sites and/or publications referenced to at the end of my talk and as described in this CFP submission by noon PST, June 26th, 2020.

2. I will submit a final Abstract and Biography to the Wall of Sheep by noon PST, June 26th, 2020.

3. I will include a detailed bibliography as either a separate document or included within the presentation of all resources cited and/or used in my presentation.

4. I will complete my presentation within the time allocated to me - not running over the time allocation.

5. I understand that the Wall of Sheep will provide 1 LCD projector feed, 2 screens, and microphones. I understand that I am responsible for providing all other necessary equipment, including laptops and machines (with VGA output), to complete my presentation.

6. I understand that I will be responsible for my own hotel and travel expenses, and admissions to the DEF CON Conference.

Yes, I, (insert primary speaker name), have read and agree to the Grant of Copyright Use.

I, (insert your name here), have read and understand and agree to the terms as detailed in the Agreement to Terms of Speaking Requirements. In the case that a speaker is a child under the age of 13 years old: in compliance with the Children's Online Privacy Protection Act (COPPA) regulations, http://www.coppa.org, any child under age 13 must have parental consent for the collection, use, or disclosure of that child's personal information by a website. Parent/Guardian Consent: I (insert parent/guardian's name here) am the parent or guardian of the minor/s named above. I have read and understand and agree to the terms as detailed in the Agreement to Terms of Speaking Requirements.

Read more →

Packet Hacking Village Talks at DEF CON 27 Finalized

Friday, August 9th Saturday, August 10th Sunday, August 11th
10:00 4 years and 10,000+ Hours Later: Lessons Learned from Running a National Penetration Testing Competition
Tom Kopchak and Dan Borges
Hacking Corporate Org Socialization: One Day You Are Out and the Next Day You Pwn the Org!
D9
Wi-Fi Threat Modeling and Monitoring
Besim Altinok and Can Kurnaz
11:00 Hacking Kubernetes: Choose Your Own Adventure Style
Jay Beale
Solving Crimes with Wireless GeoFencing and Multi-Zone Correlation Analytics
Gleb Esman
Head in the Clouds
Matt Nash
12:00 StegoAugmented Malware
Mike Raggo and Chet Hosmer
"First-Try" DNS Cache Poisoning with IPv4 and IPv6 Fragmentation
Travis Palmer and Brian Somers
CIRCO: [Cisco Implant Raspberry Controlled Operations]
Emilio Couto
13:00 The Art of Detection
Jay Dimartino
Phishing Freakonomics
Russell Butturini
Augmenting the (Security) Onion: Facilitating Enhanced Detection and Response with Open Source Tools
Wes Lambert
14:00 Bestsellers in the Underground Economy: Measuring Malware Popularity by Forum
Winnona DeSombre
  CLOSED
14:30 Hunting Certificates and Servers
Sam Erb
Security to Make the CFO Happy
Adam
15:00 Old Tech vs New Adversaries. Round 1... Fight!
Joseph Muniz and Aamir Lakhani
Generating Personalized Wordlists With NLP by Analyzing Tweets
Utku Sen
15:30 Sandbox Creative Usage For Fun and Pro...Blems
Cesare Pizzi
16:00 Patching: It's Complicated
Cheryl Biswas
(Re)Thinking Security Given the Spectre of a Meltdown (hold my beer)
Jeff Man
17:00 Your Phone is Using Tor and Leaking Your PII
Milind Bhargava and Adam Podgorski
State Sponsored Hacking: How to Intercept/Decrypt TLS Traffic and How to Prevent TLS Interception Attacks
Chris Hanlon
18:00 Beyond Sandboxes. How to Execute IoT Malware and Analyze Its Evolution
María José Erquiaga, Sebastian Garcia
Leveraging Passive Network Mapping with Raspberry Pi and Python
Chet Hosmer
19:00 The Cyberlous Mrs. Maisel: A Comedic (and slightly terrifying) Introduction to Information Warfare
Jessica "Zhanna" Malekos Smith
Read more →

Few More Accepted Packet Hacking Village Talks At DEF CON 27 Announced

CIRCO - [Cisco Implant Raspberry Controlled Operations]

Emilio Couto, eKio Security

Designed under Raspberry Pi and aimed for Red Team Ops, we take advantage of “Sec/Net/Dev/Ops” enterprise tools to capture network credentials in a stealth mode. Using a low profile hardware & electronics camouflaged as simple network outlet box to be sitting under/over a desk. CIRCO include different techniques for network data exfiltration to avoid detection. This tool gather information and use a combination of honeypots to trick Automation Systems to give us their network credentials!

Emilio Couto (Twitter: @ekio_jp) is a Security Consultant with more than 20 years of experience in the network and security field. Born and raised in Argentina, he is currently located in Japan where multitasking between language, culture and technologies is a must. Over the last decade focusing mainly on Finance IT. In his spare time he enjoys playing with RFID, computers and home made IoT devices. Over the last 5 years presenting tools in conferences (Black Hat Asia, HITB, AV Tokyo and SECCON)

Generating Personalized Wordlists With NLP by Analyzing Tweets

Utku Sen, R&D Lead at Tear Security

Adversaries need to have a wordlist or combination-generation tool while conducting password guessing attacks. To narrow the combination pool, researchers developed a method named "mask attack" where the attacker needs to assume a password's structure. Even if it narrows the combination pool significantly, it can be still too large to use for online attacks or offline attacks with low hardware resources. Rhodiola tool is developed to narrow the combination pool by creating a personalized wordlist for target people. It finds interest areas of a given user by analyzing his/her tweets, and builds a personalized wordlist.

Utku Sen (Twitter: @utkusen) is a security researcher who is mostly focused on application security, network security and tool development. He presented his different tools and researches in Black Hat USA Arsenal, DEF CON Demo Labs and Packet Hacking Village in recent years. He's also nominated for Pwnie Awards on "Best Backdoor" category in 2016. He is currently working for Tear Security.

Leveraging Passive Network Mapping with Raspberry Pi and Python

Chet Hosmer, Owner of Python Forensics

Mapping of network assets and their behaviors is a vital step needed for the prevention and response to cyber-attacks. Today active tools like NMAP are used to discover network assets, however, these methods take a momentary snapshot of network devices. By passively monitoring network activity the discovery of rogue devices, aberrant behavior, and emerging threats is possible. This talk and demonstration will utilize a Raspberry Pi and a custom Python solution to map network assets and their behaviors and demonstration the identification of rogue devices and unauthorized behaviors.

Chet Hosmer (Twitter: @chethosmer) is an international author, educator & researcher, and founder of Python Forensics, Inc., a non-profit research institute focused on the collaborative development of open source investigative technologies using the Python programming language. Chet is also a Visiting Professor at Utica College in the Cybersecurity Graduate Program, where his research and teaching is focused on data hiding, active cyber defense and security of industrial control systems. Additionally, Chet is an Adjunct Professor at Champlain College in the Digital Forensics Graduate Program, where his research and teaching is focused on solving hard digital investigation problems using the Python programming language.

Read more →

First Batch of Accepted Packet Hacking Village Talks at DEF CON 27 Announced

Bestsellers in the Underground Economy - Measuring Malware Popularity by Forum

Winnona DeSombre, Threat Intelligence Researcher at Recorded Future

While you can patch against malware infecting your tech stack or targeting your competitors, what about malware that hasn't been in the news? This presentation will cover what malware and tools are popular among underground forum members based on prevalence in forum ads, how malware presence differs between forums, and why understanding that difference matters.

Winnona DeSombre (Twitter: @__winn) is an Asia Pacific threat intelligence researcher at Recorded Future, focusing on Chinese underground hacking communities and East Asian cyber espionage campaigns. She was recently featured in Threatcare's "Tribe of Hackers" book, containing career advice from some of the world's best information security professionals.

Phishing Freakonomics

Russell Butturini

This presentation is the story of the success and failures of building a security awareness program at a Top 20 CPA firm, and finding "the hidden side" of why users fail phishing exercises (both simulated and not!). The presentation will cover how Elasticsearch was used to correlate awareness training, phishing test, and HR data together, examine real results from this work, and the improvements that were made to improve user awareness and reduce phishing related security incidents.

Russell Butturini (Twitter: @tcstoolhax0r) is head of information security for a top 20 CPA and financial services firm. He has authored tools for both red and blue teams with his C- and Python coding skills. His most popular tool, NoSQLMap, was featured in the Hacker Playbook 2.

Solving Crimes with Wireless GeoFencing and Multi-Zone Correlation Analytics

Gleb Esman, Senior Project Manager, Fraud Analytics and Research at Splunk Inc.

The presentation will introduce viewer to geofencing - the technique successfully used by law enforcement agencies to pinpoint suspects in an array of anonymous metadata coming from wireless devices. The presentation will teach viewer how to build such system from scratch using freely downloadable analytical tools. Different ways to visually define GeoFencing zones and investigation constraints will be explained. Samples of working scripts, search queries, data formats and working dashboard layouts will be provided.

Gleb Esman (Twitter: @gesman) helps to guide research, product planning and development efforts in the areas of fraud detection, data security analytics and investigations at Splunk Inc. Currently Gleb manages number of security projects in healthcare space such as drugs and opioids diversion platform and healthcare privacy monitoring platform. Before Splunk Gleb was engaged at Morgan Stanley overseeing fraud detection platform and enterprise wide data analytics systems within retail banking space. During his career, Gleb worked in a various positions at a number of enterprises involved in research and development of solutions against advanced malware and computer viruses as well as solutions for secure payments and data protection in e-commerce space. Gleb is an author of several patents in Deep Learning, Security, Behavior Biometrics and Healthcare Data Analytics.

StegoAugmented Malware

Mike Raggo, CSO at 802 Secure
Chet Hosmer, Owner of Python Forensics

As adversaries look for new methods of creating malware, steganography has seen a resurgence. In this session, we'll review this black art and uncover recent steganographic malware weaponizing techniques. We'll cover techniques that include file and image embedding techniques invisible to malware and intrusion detection systems, methods of exploiting weak networking protocols for covert communications, mischievous IoT devices, and cloud data hiding methods. But we don't stop there, our organic research has uncovered numerous other ways in which malware could be embedded in an effort to prepare threat researchers with the knowledge to improve their tools and fortify their networks.

Mike Raggo (Twitter: @DataHiding) is Chief Security Officer at 802 Secure and has over 20 years of security research experience. His current focus is wireless IoT threats impacting the enterprise. Michael is the author of "Mobile Data Loss: Threats & Countermeasures" and "Data Hiding" for Syngress Books, and contributing author for "Information Security the Complete Reference 2nd Edition". A former security trainer, Michael has briefed international defense agencies including the FBI and Pentagon, and is a frequent presenter at security conferences, including Black Hat, DEF CON, Gartner, DoD Cyber Crime, OWASP, HackCon, and SANS.

Chet Hosmer (Twitter: @chethosmer) is an international author, educator & researcher, and founder of Python Forensics, Inc., a non-profit research institute focused on the collaborative development of open source investigative technologies using the Python programming language. Chet is also a Visiting Professor at Utica College in the Cybersecurity Graduate Program, where his research and teaching is focused on data hiding, active cyber defense and security of industrial control systems. Additionally, Chet is an Adjunct Professor at Champlain College in the Digital Forensics Graduate Program, where his research and teaching is focused on solving hard digital investigation problems using the Python programming language.

Wi-Fi Threat Modelling and Monitoring (WiNT)

Besim Altinok, Barikat Internet Security
Can Kurnaz, Senior Cybersecurity Consultant at KPMG Netherlands

With the widespread use of wireless Internet access, we see that the use of portable technologies is rapidly increasing. Increasing public networks and facilitating access to these networks have attracted the attention of attackers. Due to easy availability of mature honeypot creation tools, this attack is a slam dunk for even the most novice of Wi-Fi attackers. Enterprise security products have tried but failed to solve this problem with rule and lockdown based approaches. In this talk, we are going to tell a story experienced about Wi-Fi network attackers. We will practically demonstrate how using new detection and deception techniques we can make Wi-Fi clients and environmentally secure.

Besim Altinok (Twitter: @AltnokBesim) has been researching Wi-Fi security for over a decade. He created WiPi-Hunter project against Wi-Fi hackers. He is the author of a book on Wi-Fi security. Besim's work on wireless security has been published in ArkaKapi Magazine and others. He has also spoken at top conferences including BlackHat Europe, ASIA, Defcon, and others. Besim ALTINOK works currently at BARIKAT Internet Security in Turkey. Besim also founded Pentester Training project.

Can Kurnaz (Twitter: @0x43414e) is conducting penetration tests from internet and internal networks to web-based applications, network infrastructures, wireless devices, IoT devices and operational technology infrastructures such as ICS/SCADA systems and components.

Read more →

Packet Hacking Village Talks at DEF CON 26 Finalized

Friday, August 10th Saturday, August 11th Sunday, August 12th
10:00 Mallet: A Proxy for Arbitrary Traffic
Rogan Dawes
Ducky-in-the-Middle: Injecting Keystrokes into Plaintext Protocols
Esteban Rodriguez
CLOSED
10:30 How to Tune Automation to Avoid False Positives
Gita Ziabari
CLOSED
11:00 Rethinking Role-Based Security Education
Kat Sweet
wpa-sec: The Largest Online WPA Handshake Database
Alex Stanev
Microcontrollers and Single Board Computers for Hacking, Fun and Profit
gh057
11:30 Capturing in Hard to Reach Places
Silas Cutler
12:00 PacketWhisper: Stealthily Exfiltrating Data and Defeating Attribution Using DNS and Text-Based Steganography
TryCatchHCF
An OSINT Approach to Third Party Cloud Service Provider Evaluation
Lokesh Pidawekar
Fishing for Phishers. The Enterprise Strikes Back!
Joseph Muniz, Aamir Lakhani
12:30 Bitsquatting: Passive DNS Hijacking
Ed Miles
13:00 Target-Based Security Model
Garett Montgomery
Turning Deception Outside-In: Tricking Attackers with OSINT
Hadar Yudovich, Tom Kahana, Tom Sela
What Do You Want to be When You Grow Up?
Damon "ch3f" Small
13:30 Defense in Depth: The Path to SGX at Akamai
Sam Erb
14:00 Protecting Crypto Exchanges From a New Wave of Man-in-the-Browser Attacks
Pedro Fortuna
Building a Teaching SOC
Andrew Johnson
CLOSED
14:30 Normalizing Empire's Traffic to Evade Anomaly-Based IDS
Utku Sen, Gozde Sinturk
CLOSED
15:00 Freedom of Information: Hacking the Human Black Box
Elliott Brink
Grand Theft Auto: Digital Key Hacking
Huajiang "Kevin2600" Chen, Jin Yang
CLOSED
15:30 CLOSED
16:00 Car Infotainment Hacking Methodology and Attack Surface Scenarios
Jay Turla
Ridealong Adventures: Critical Issues with Police Body Cameras
Josh Mitchell
CLOSED
16:30 CLOSED
17:00 Swiss Cheese Holes in the Foundation of Modern Security - CERT VU#919801
Chris Hanlon
IoT Data Exfiltration
Mike Raggo, Chet Hosmer
CLOSED
17:30 CLOSED
18:00 Mapping Wi-Fi Networks and Triggering on Interesting Traffic Patterns
Caleb Madrigal
  CLOSED

PHV Talks Abstracts and Bios

Bitsquatting: Passive DNS Hijacking

Ed Miles, Security Researcher at DiDi Labs

The Domain Name System is one of the foundational technologies that allow the internet to function, but unfortunately, DNS is surprisingly brittle to certain issues, such as bitsquatting.

Lookups to names that are a "bitflip" away from well-known sites (like 'amczon.com' instead of 'amazon.com' since 'c' and 'a have a single bit difference) can be caused by memory failing due to defect or overheating situations, rogue cosmic rays, or even (allegedly) radiation caused by nuclear reactions.

I was curious how realistic the last case really was - can we 'detect' active nuclear tests based solely on bitsquatting data? To find out, I revisited bitsquatting. First I'll briefly introduce the key concepts required for understanding bitsquatting (including ASCII, DNS and HTTP, Internet infrastructure, and memory error scenarios). I'll show the tools and techniques used to identify and register over 30 newly identified bitsquat domains, monitor DNS and HTTP requests, and process, enrich, and investigate the data. Finally, I will discuss any observations gathered from the data, with a focus on regional trends, specific devices, and current events - and try and see if I could prove any correlation.

In the end, attendees should leave with knowledge of the prevalence of bitsquatting and how it has evolved since the phrase was coined 8 years ago, as well as a few techniques for analyzing bitsquatting data and drawing some interesting conclusions.

Ed Miles (Twitter: @criznash) is a researcher at DiDi Chuxing's California-based DiDi Labs. Working in technology professionally since 2001, and as a hobbyist since 1991, Ed has been focused on forensics, incident response, malware analysis, reverse engineering, and detection since 2010.

Building A Teaching SOC

Andrew Johnson, Information Security Officer at Carnegie Mellon University

Effective security monitoring is an ongoing process. How do you get everyone participating? How do you on-board junior colleagues to continuous improvement? The purpose of this presentation is to show methods for encouraging participation from all members of the security monitoring team as well as tactics for communicating effective with the organization.

Andrew Johnson (Twitter: @pierogipowered) is implementing a dedicated security operations team at Carnegie Mellon University. The security operations group has a dual focus on both the traditional aspect of securing the university as well as a focus on training student colleagues on the practical application of their degree. Prior to Carnegie Mellon University, Andrew was with HM Health Solutions. He had been responsible for creating a security operations platform in the heavily regulated health insurance/provider space. Andrew is a co-organizer for the BSides Pittsburgh (@bsidespgh) conference and enjoys recreational cycling and cooking when not participating in information security related activities.

Capturing in Hard to Reach Places

Silas Cutler, Senior Security Researcher at CrowdStrike

It's easy for us to take for granted when tools allow us to start capturing network traffic without any real hardships. However, what happens when the data you want isn't so easy to capture. This talk will look at two cases in which environments needed to be bent in order to capture the data needed for analysis.

Silas Cutler (Twitter: @silascutler) is a Senior Security Researcher at CrowdStrike, Project Director for MalShare and DEFCON 21 Black Badge (from Capture the Packet). Endorsed on LinkedIn by [REDACTED] for "tcpdump". His prior managers have described him as "a guy" and "meeting necessary skills to perform job functions."

Car Infotainment Hacking Methodology and Attack Surface Scenarios

Jay Turla, Application Security Engineer at Bugcrowd

The battle for supremacy for the control of the dashboard display or infotainment systems has always been a race. Most of these systems run on Linux, Android, Windows (customized dashboards - perhaps Windows ME or CE) and Blackberry's QNX. In-Vehicle Infotainment (IVI) or In-car entertainment (ICE) Systems are indeed fun consoles where you can play media, movies, or work with your car's navigational system. But somehow it also comes with a risk of being hacked or attacked because they have also been plagued with vulnerabilities. In this talk, join Jay as he presents his own Car Hacker's Methodology in finding security bugs in order to pwn a car's infotainment system without having to do a drive by wire or CANbus hacking tools but will simply point out the common attack surfaces e.g WiFi, Bluetooth, USB Ports, etc. and some scenarios on how to exploit it just like how he popped a shell or issue an arbitrary command in his car which he tweeted in Twitter before.

Jay Turla (Twitter: @shipcod3) is an application security engineer at Bugcrowd Inc., and one of the goons of ROOTCON. He has been acknowledged and rewarded by Facebook, Adobe, Yahoo, Microsoft, Mozilla, etc. for his responsible disclosures. He has also contributed auxiliary and exploit modules to the Metasploit Framework and presented at ROOTCON, Nullcon, and TCON. He used to work for HP Fortify where he performs Vulnerability Assessment, Remediation and Advance Testing.

Defense in Depth: The Path to SGX at Akamai

Sam Erb, Software Engineer at Akamai Technologies

In this presentation you will learn how Akamai has spent the past 4 years working toward preventing the next TLS heartbleed incident. Nothing hypothetical --only deployed defense-in-depth systems will be discussed. This talk will include how we deployed Intel SGX at scale in our network.

Sam Erb (Twitter: @erbbysam) is a 2x black badge winner with Co9 in the Badge Challenge and is working to make the Internet a safer place.

Ducky-in-the-Middle: Injecting Keystrokes into Plaintext Protocols

Esteban Rodriguez, Security Consultant at Coalfire Labs

This talk will cover the basics of protocol analysis using Wireshark and lead into analyzing two custom application protocols used for extending the mouse and keyboard of a remote system. The two applications covered are HippoRemote, and iOS app to use a iPhone as a trackpad and keyboard, and Synergy, an application to allow for control of multiple operating systems with one mouse and keyboard. By performing a MITM attack, an attacker can abuse this protocols to send keystokes to a remote machine to gain remote code execution similar to a USB rubber ducky attack. The talk will also discuss mitigations and open source code will be provided for exploitation. The target audience should have a basic understanding of Wireshark, ARP spoofing, and reverse shells.

Esteban Rodriguez (Twitter: @n00py1) a Security Consultant at Coalfire Labs. He primarily perform network and web application penetration testing. Esteban worked previously at Apple Inc performing intrusion analysis and incident response. Outside of work, Esteban blog at n00py.io and perform independent security research. He have authored multiple penetration testing tools and have presented at BSides Puerto Rico covering penetration testing techniques.

Fishing for Phishers. The Enterprise Strikes Back!

Joseph Muniz, Cisco
Aamir Lakhani, Fortinet

Phishing and social engineering has been around since Han Solo has flown the Millennium Flacon. The typically response is deleting the messages and giving the middle finger however, what more could be done to strike back? This talk will cover how to build an artificial environment and develop anti phishing tools used to respond to phishing attempts. Results could include owning the attacker's box "hypothetically" since some legal boundaries could be crossed.

Joseph Muniz is an architect at Cisco Systems. Aamir Lakhani (Twitter: @SecureBlogger) is a lead researcher at Fortinet. Together, they have spoken at various conferences including the infamous Social Media Deception RSA talk quoted by many sources found by searching "Emily Williams Social Engineering." They are also making their fourth appearance for the DEF CON Wall of Sheep. Both speakers have written books together including a recent title Digital Forensics for Network Engineers released on Cisco Press late February 2018. They have been friends for years and continue to collaborate on research and other projects.

Freedom of Information - Hacking the Human Black Box

Elliott Brink, Senior Penetration Tester at RSM US LLP

FOIA (otherwise known as the Freedom of Information Act or FOI/Freedom of Information in Australia) are government-based initiatives to permit the public to request information on various government records. In practice, these acts enable transparency of the operations of government to the masses with relative ease. In reality, submitting FOI requests can be a cumbersome and frustrating process for citizens.

For two years now I have been hacking this human black box - finding out what you can/cannot ask for and more importantly how to ask for information and get it! Have you ever asked the government for a log file, Cisco IOS running config or Active Directory group policies? Do you ever wonder if a government employee would provide you with such information if you asked really really nicely? Let's find out together! For the past couple of years I have been performing various technology-focused FOI requests in an attempt to answer one simple argument: Can you utilize freedom of information to enumerate technical information from government agencies? I present my research, findings and results of multiple years of submitting FOIA requests to various USA and Australian government institutions including multiple intelligence agencies. We will discover the fun times and challenges when performing such requests.

Attendees will gain practical knowledge about: what FOIA is, the caveats of FOIA, how you can utilize FOIA on red team engagements and other open source intelligence gathering activities and finally the results of my research in multiple requests to intelligence agencies.

Elliott Brink (Twitter: @ebrinkster) is an information security consultant based out of NYC. He specializes in internal/external pentesting, security architecture and social engineering. He loves computer history, tracking bad guys, honeypots, an expertly crafted bloody mary, and traveling the globe.

Grand Theft Auto: Digital Key Hacking

Huajiang "Kevin2600" Chen, Security Research at Ingeek
Jin Yang, Independent Security Researcher

The security of automobiles accesses control system is a topic often discussed. Today's vehicles rely on key-fob control modules, to ensure the vehicle is accessible to authorized users only. While most traditional automobile key-fob systems have been shown to be insecure in the past, here comes a game changer. Instead of the regular key-fob system, some car owners will be able to access their vehicle by having their smartphone authenticates as a digital car key.In this talk, we will reveal the research and attacks for one of digital car keys system in the current market. By investigating how these features work, and how to exploit it through different possibles of attack vectors, we will demonstrate the security limitations of such system. By the end of this talk, the attendees will not only understand how to exploit these systems also which tools can be used to achieve our goals.

Huajiang "Kevin2600" Chen (Twitter: @kevin2600) is a security researcher at Ingeek. And a member of Team-Trinity. The Team-Trinity is a Non-profit group of security researchers, mainly focus on wireless and embedded systems vulnerability research. Team members have worked extensively with binary reverse engineering, mobile security, and hardware security. Kevin2600 has spoken at various conferences including XCON, KCON, OZSecCon, BSides, and Alibaba-Cloud-Zcon.

Jin Yang is a member of Team-Trinity. The Team-Trinity is a Non-profit group of security researchers, mainly focus on wireless and embedded systems vulnerability research. He work in network security industry for over 10 years and focus on the Automated Virus Analysis, IoT Security, Threat Intelligence and Rootkits. Jin has spoken at XCon; AVAR and KCon.

How to Tune Automation to Avoid False Positives

Gita Ziabari, Senior Consultant Engineer at Verizon

Every SOC is deluged by massive amounts of logs, suspect files, alerts and data that make it impossible to respond to everything. It is essential to deploy automation to accelerate response time, consistency, scalability and efficiency. This talk will cover techniques to design a reliable automated tool in security. We will discuss about techniques of tunning the automation to avoid false positives and the many struggles we have had in creating appropriate whitelists. We will walk through steps of creating an automated tool and the essential factors to be considered to avoid any false positive.

Gita Ziabari (Twitter: @gitaziabri) is working at as a Senior Consultant Engineer at Verizon. She has more than 14 years of experience in threat research, networking, testing and building automated tools. Her main focus is creating automated tools in cybersecurity for mining data.

IoT Data Exfiltration

Mike Raggo, CSO of 802 Secure, Inc.
Chet Hosmer, Owner of Python Forensics

IoT offers new protocols and frequencies over which communication travels. Due to lack of familiarity amongst most enterprises, most organizations are ill-equipped to monitor or detect these mysterious channels. This introduces a plethora of covert channels by which data could be exfiltrated, or malware to be infiltrated into the network. In this session we explore this new frontier by focusing on new methods of IoT protocol exploitation by revealing research conducted over the last 2 years. Detailed examples will be provided, as well as demo of a python tool for exploiting unused portions of protocol fields. From our research, we'll also reveal new methods of detecting aberrant behavior emanating to/from these devices gathered from our lab and real world testing.

Mike Raggo (Twitter: @DataHiding) is Chief Security Officer at 802 Secure and has over 20 years of security research experience. His current focus is wireless IoT threats impacting the enterprise. Michael is the author of "Mobile Data Loss: Threats & Countermeasures" and "Data Hiding" for Syngress Books, and contributing author for "Information Security the Complete Reference 2nd Edition". A former security trainer, Michael has briefed international defense agencies including the FBI and Pentagon, and is a frequent presenter at security conferences, including Black Hat, DEF CON, Gartner, DoD Cyber Crime, OWASP, HackCon, and SANS.

Chet Hosmer is an international author, educator & researcher, and founder of Python Forensics, Inc., a non-profit research institute focused on the collaborative development of open source investigative technologies using the Python programming language. Chet is also a Visiting Professor at Utica College in the Cybersecurity Graduate Program, where his research and teaching is focused on data hiding, active cyber defense and security of industrial control systems. Additionally, Chet is an Adjunct Professor at Champlain College in the Digital Forensics Graduate Program, where his research and teaching is focused on solving hard digital investigation problems using the Python programming language.

Mallet: A Proxy for Arbitrary Traffic

Rogan Dawes, Senior Researcher at SensePost

Mallet is an intercepting proxy for arbitrary protocols. More accurately, it is a framework for building proxies for arbitrary protocols. Mallet provides the basics required of all proxies: A way to receive the data, a way to send the data, and a user interface to intercept and edit the data. It builds on the Netty project, and as such has access to a large, well-tested suite of protocol implementations that can be used to transform a stream of bytes into useful, high-level protocol objects. This workshop will introduce attendees to Mallet, and show how to construct pipelines of arbitrary complexity, to successfully decode and intercept messages in various protocols, as well as automating modifications of the various messages. A basic familiarity with Java will enhance the delegate's understanding of what they are taught, but is not a requirement.

Rogan Dawes (Twitter: @RoganDawes) is a Senior Researcher at SensePost and has been hacking since 1998, which, coincidentally, is also the time he settled on a final wardrobe. He used the time he saved on choosing outfits to live up to his colleague's frequent joke that he has an offline copy of the Internet in his head. Rogan spent many years building web application assessment tools, and is credited as having built one of the first and most widely used intercepting proxies, WebScarab.

Mapping Wi-Fi Networks and Triggering on Interesting Traffic Patterns

Caleb Madrigal, Applied Researcher at Mandiant/FireEye

Sure, WiFi hacking has been around for a while, and everyone knows about tools like airmon-ng, kismet, et al. But what if you just want to view a list of all networks in your area along with all devices connected to them? Or maybe you want to know who's hogging all the bandwidth? Or, what if you want to know when a certain someone's cell phone is nearby. Or perhaps you'd like to know if your Airbnb host's IP Camera is uploading video to the cloud?

For all these use-cases, I've developed a new tool called "trackerjacker". In this talk, we'll use this tool to explore some of the surprisingly-informative data floating around in the radio space, and you'll come away with a new skill point or two in your radio hacking skill tree, as well as a new magical weapon... I mean tool.

Caleb Madrigal (Twitter: @caleb_madrigal) is an Applied Researcher at Mandiant/FireEye.

Microcontrollers and Single Board Computers for Hacking, Fun and Profit

gh057

As security researchers, we are always looking for the next device that will make our jobs easier and our research more effective. In many cases, physical gear can be expensive and limited in capability which can be prohibitive, especially in engagements where dead drops are required. However, with the skyrocketing popularity of microcontrollers and single board computers, that barrier has been reduced significantly and has created a host of new possibilities for everything from dead drops to wired and wireless network intrusion and analysis. gh057 will introduce some of the more popular options in this genre and some live demonstrations of their more fun uses. gh057 will demonstrate three devices he built to solve specific problems and that are based on these platforms: ATtiny85, ESP8266 / ES32, Raspberry Pi Finally, and as a bonus, gh057 will demonstrate a simple technique that uses Applescript and Bash that can be used to create a simple USB trojan and can be useful for end-user training.

gh057 has worked on almost every aspect of the software development lifecycle. For the majority of his career, he worked as a front-end, full stack engineer specializing in UI/UX. During this time, he was involved in development and also testing efforts, which included quality and security best practices. In the last few years, gh057 completed a career transition to application security, most notably through security evangelism roles, where he worked closely with development teams. As an application security engineer, gh057 is responsible for security best practices, which encompasses both digital and physical threat vectors. Most recently, gh057 has been the concept creator and team lead for the Day of Shecurity conference which took place on June 16th in San Francisco, CA. In his free time, he is passionate about promoting equality in the cybersecurity industry and offering mentorship to young technologists. His goal is to leave behind a better industry than the one he found when he first began his career.

Normalizing Empire's Traffic to Evade Anomaly-based IDS

Utku Sen, Senior R&D Engineer at Tear Security
Gozde Sinturk, R&D Engineer at Tear Security

Perimeter defenses are holding an important role in computer security. However, when we check the method of APT groups, a single spear-phishing usually enough to gain a foothold on the network. Therefore, red teams are mostly focused on "assume breach" type of scenarios. In these scenarios, testers need to use a post-exploitation framework. Besides that, testers also need to hide the server-agent communication from NIDS (Network Intrusion Detection Systems). In this session, we will discuss one of the most famous post-exploitation tool, Empire's situation against payload-based anomaly detection systems. We will explain how to normalize Empire's traffic with polymorphic blending attack (PBA) method. We will also cover our tool, "firstorder" which is designed to evade anomaly-based detection systems. firstorder tool takes a traffic capture file of the network, tries to identify normal profile and configures Empire's listener in such way.

Utku Sen (Twitter: @utkusen) is a security researcher who is mostly focused on following areas: application security, network security, tool development. He presented his tool, Leviathan Framework in Black Hat USA Arsenal and DEF CON Demo Labs in 2017. He also nominated for Pwnie Awards on "Best Backdoor" category in 2016.

Gozde Sinturk is Security Researcher and Python Developer who involved in projects related to machine learning, natural language processing, and big data. She is developing security tools in her current position.

An OSINT Approach to Third Party Cloud Service Provider Evaluation

Lokesh Pidawekar, Senior Cloud and Application Security Engineer at Cisco

In the era of third party cloud service providers where enterprise critical data is hosted and shared with various vendors, third party security reviews have become essential part of Information Security. It has become a challenge for security teams to ensure parity is maintained between security controls that are available on premise, to those offered by the cloud provider. Typically, companies send a word document or excel sheet to get answers from cloud providers, however, this process is done only once and the review is point in time. In this talk, the attendees will learn about various methods of identifying security posture of the third-party cloud service using information available on Internet, how to use this information for performing cloud service review and improve their own cloud offerings. This can also supplement the tedious questionnaire process and provide an option to fast track the vendor reviews.

Lokesh Pidawekar (Twitter: @MaverickRocky02) work as Senior Cloud and Application Security Engineer in Cisco InfoSec team where he is responsible for designing secure architecture for applications, evaluating third party cloud service providers, and providing training to enterprise architects. He has Master's in Information Assurance & Cyber Security from Northeastern University, Boston. Previously, he has spoken at BSides Las Vegas, DEFCON Packet Hacking Village talks, OWASP Boston chapter and CarolinaCon. He likes to read about application vulnerabilities in free time and has reported security bugs to vendors as part of their bug bounty program.

PacketWhisper: Stealthily Exfiltrating Data and Defeating Attribution Using DNS and Text-Based Steganography

TryCatchHCF

Data exfiltration through DNS typically relies on the use of DNS query fields to exfiltrate data via the attacker's DNS server. This approach has several shortcomings. The first is attribution, since attackers end up creating a trail back to their own infrastructure. The second is awareness, as DFIR analysts have made careful study of DNS fields as exfiltration vectors. The third is access, since companies are increasingly using DNS server whitelisting to prevent or alert on outgoing DNS queries to servers controlled by attackers. But what if data could be transferred using the target's own whitelisted DNS servers, without the communicating systems ever directly connecting to each other or a common endpoint? Even if the network boundary employed data whitelisting to block data exfiltration?

Through a combination of DNS queries and text-based steganography, we'll cover the methods used to transfer data across a network, hidden in plain sight, without direct connectivity between systems, while employing multiple levels of deception to avoid generating alerts as well as to mislead analysis attempts. The presentation will include a demonstration of PacketWhisper, a new tool written in Python, that automates all of these steps for you. PacketWhisper will be made available on GitHub to coincide with this session (https://github.com/TryCatchHCF).

TryCatchHCF (Twitter: @TryCatchHCF) is Red Team Lead at a Fortune 500 company, and creator of the Cloakify Exfiltration and DumpsterFire Incident Automation Toolsets (https://github.com/TryCatchHCF). Previous roles have included Lead Pentester and AppSec Team Lead. He hacked into his first systems in 1981 and wrote his first malware the following year, all while nearly being eaten by a grue. He has 25+ years of security and software engineering experience, and served as an Intelligence Analyst and Counterintelligence Specialist in the United States Marine Corps. Education includes a bachelors degree in Cognitive Science, a masters degree in Information Assurance, and the collective HiveMind of the global hacking community.

Protecting Crypto Exchanges from a New Wave of Man-in-the-Browser Attacks

Pedro Fortuna, CTO and Co-Founder of Jscrambler

In the last year or so, we have seen a massive increase in the value of cryptocurrencies and the emergence of hundreds of new coins and ICOs, getting millions of people into an investment frenzy. A lot of them being non-technical regular consumers that rushed to create new accounts in the most popular crypto exchanges like Coinbase or Bitstamp. Crypto exchanges are naturally appealing for attackers and have been targeted since as long as we can remember. However, since last year, they are also being targeted by Man-in-the-Browser (MITB) attacks. Malware families such as Zeus Panda, Ramnit and Trickbot are already aiming at websites such as Coinbase.com or Blockchain.info. In this talk, we will detail how these attacks work, from account takeover to moving out the coins to attacker-controlled wallets. We'll discuss current defenses e.g. multi-factor authentication or strong SSL encryption and why they are failing to mitigate this type of attacks.

Pedro Fortuna (Twitter: @pedrofortuna) is CTO and Co-Founder of Jscrambler where he leads the technical vision for the product suite and contributes with his cybersecurity knowledge for R&D. Pedro holds a degree in Computing Engineering and a MSc in Computer Networks and Services, having more than a decade of experience researching and working in the application security area. He is a regular speaker at OWASP AppSec events and other cybersecurity conferences but also contributes to web development events. His research interests lie in the fields of Application Security, Reverse Engineering and Malware and Software Engineering. Author of several patents in application security.

Rethinking Role-Based Security Education

Kat Sweet, Duo Security

How do we scale a deeper level of security awareness training without sacrificing efficacy? This talk will explore strategies and tactics for developing security education based on employees' roles, access, and attack surface while designing not only for efficiency but also for effectiveness. By prioritizing the highest-risk teams, pooling teams to collaboratively threat-model, and contextualizing universal truths of security hygiene to those threat models, we can deliver training that leverages employees' roles, fosters retention via active participation, and eases the burden on trainers within the security team. Attendees will walk away with a roadmap for building scalable, contextual, and collaborative role-based employee security education within their organizations.

Kat Sweet (Twitter: @TheSweetKat) works for Duo Security's corporate security team as an information security analyst (and senior pun architect). A passionate security educator, she is heavily involved in building her team's employee security awareness and engagement program, and is frequently the first security team member that new Duo employees meet. She also serves as the lockpick village coordinator for BSides Las Vegas, a mentor for the SANS Women's Immersion Academy, and a teaching assistant for the Ann Arbor chapter of Girl Develop It. When she's not in security mode, you can often find her bursting into song or picking unsuspecting locks.

Ridealong Adventures: Critical Issues with Police Body Cameras

Josh Mitchell, Principal cybersecurity Consultant at Nuix

The police body camera market has been growing in popularity over the last few years. A recent (2016) Johns Hopkins University market survey found 60 different models have been produced specifically for law enforcement use. Rapid adoption is fueling this meteoric increase in availability and utilization. Additionally, device manufactures are attempting to package more and more technology into these devices. This has caused a deficiency in local municipalities' skills and budget to accurately assess the attack surface and exposure to the organization. Furthermore, departmental policies and procedures governing the secure deployment of these devices is largely insufficient.

At DEF CON, we will be introducing tactics, techniques, and procedures to assess the security of these devices. We will cover attacks against the physical devices, RF components, smartphone app's, and desktop software. The capabilities demonstrated and discussed will encompass publicly and privately available technologies. Additionally, the talk will cover multiple products and vendors, shedding light on industry wide issues and trends. Finally, we will be releasing software to detect and track various devices and tie these issues into real world events.

Josh Mitchell has more than a decade's experience as an information security researcher. He has authored numerous technical documents and presented his findings at conferences, academic discussions, and in the classroom. Josh is an expert at discovering and exploiting vulnerabilities and writing code to protect operating systems and programs. He holds patents in classifying computer files and executable files as malware or whiteware. Josh has served in the United States Air Force and held numerous defense contracting roles covering electronic signals intelligence exploitation, electronic warfare, malware analysis, exploit development, and reverse engineering. He also provided security services for General Dynamics Advanced Information Systems, Endgame, and Accuvant and assisted multiple computer emergency response teams with investigations vital to national security.

Swiss Cheese Holes in the Foundation of Modern Security - CERT VU#919801

Chris Hanlon, Founder of SecurityAlliance.ca

In this talk we briefly introduce common SMTP/TLS implementation weaknesses explain how governments, criminals, and malicious insiders can exploit them to remotely reset account passwords, create/update/delete firewall rules, control windows desktops/laptops, access online backup systems, download full-disk Encryption Keys, watch security cameras, listen to security camera microphones, control social media accounts, and takeover AWS virtual machines.

Chris Hanlon (Twitter: @ChrisHanlonCA) has been maintaining Unix, Linux, and Windows Servers since 1998 and submitting vulnerability reports since 2000. Chris's submissions have resulted in security and privacy enhancements in Google Apps, the Linux Kernel, and Interac email transfers.

Target-Based Security Model

Garett Montgomery, Principal Security Research Engineer at BreakingPoint (Ixia/KeySight)

Have you ever been asked 'what is the best way to protect against $ATTACK'? (usually shortly after $ATTACK makes headlines). Have you ever been challenged to provide the reasoning behind your suggestion? If you were in a room full of experts, would your reasoning hold up under scrutiny? When you discuss with your security-savvy peers, you're quickly come to a consensus on the 'best' control (!= device) to protect against $ATTACK. But do you know WHY it's the 'best'? The Target-Based Security Model is essentially a framework that breaks down attacks to their component level. This breakdown makes it easy to see what the 'best' security controls are - as well as alternative security controls that could also be applied. Its not so much something new, as it is a new way for the industry to communicate about security. In much the same way that the OSI model allows for developers to know they are talking about the same thing, a common security model allows security professionsals to communicate in a vendor-agnostic manner. Think of it as a translation tool for vendor-speak. In this talk we'll present the Target-Based Security model and discuss the following: how it came to be, what it is, and how to use it. And of course, we'll talk about how it can be used to make the world a better place - provided we all agree to use it.

Garett Montgomery (Twitter: @garett_monty) has been a Security Researcher at BreakingPoint (since acquired by Ixia; since acquired by KeySight) for the last 6+ years. Prior to joining BreakingPoint he had been employed as a Security Analyst at the Naval Postgraduate School and then an IPS Signature Developer. He holds an MS in Information Assurance and numerous (likely since-expired) security certifications. A self-described packet-monkey, he enjoys automating all the things.

Turning Deception Outside-In: Tricking Attackers with OSINT

Hadar Yudovich, Security Researcher at Illusive Networks
Tom Sela, Head of Security Research at Illusive Networks
Tom Kahana, Security Researcher at Illusive Networks

Deceptions use attackers' own tactics to force them to reveal themselves. Deception techniques are typically used inside the network once attackers have broken in. Once inside, attackers use credentials to move laterally. But before penetrating their target, attackers often study publicly available data to plan their attack. Can we assume that attackers continue to use public information once they've broken in? Could externally-planted deceptions expand our range of visibility on the adversary's activity? In this session, we will present research we conducted to answer these questions, and introduce a tool you can use to "try it at home." We first took a deeper look at various OSINT resources-social media, paste sites, public code repositories, etc.-to refine our picture of the types of publicly-available data, attackers might use to further an attack. Then we planted various deceptive information. For example, on PasteBin we created a fake "paste" page containing a dump of fake credentials. On GitHub we created a fake repository of code containing "accidental" commits (git commit -am 'removed password'). Next, we paired these deceptions with relevant data and user objects within a simulated network environment. We then started monitoring and waited for an attacker to bite.

Hadar (Twitter: @hadar0x) is a Security Researcher at Illusive Networks. He has eight years of experience in cyber security, with six of those years focused on digital forensics and incident response (DFIR), both in the Israeli Air Force and in the private sector. Before joining Illusive Networks, he was a malware researcher for IBM Security where he hunted for new malware families and researched new techniques for malware detection. Hadar holds a Bachelor's degree in Computer Science from the Holon Institute of Technology, and several certifications, including the GIAC Certified Forensic Analyst (GCFA). In his free time he likes to develop open source forensic tools and solve forensic challenges.

Tom Sela (Twitter: @4x6hw) is Head of Security Research at Illusive Networks. He specializes in reverse engineering, malware research, deception development and OS internals. Prior to joining Illusive, Tom headed the Malware Research team at Trusteer (acquired by IBM), where he was responsible for Trusteer's anti-fraud endpoint product. At Trusteer he also led a team of reverse-engineers, researching the internals of advanced malware. As an active contributor to the security research community, Tom has spoken at DefCon and IEEE events. He attended the Israeli Naval Academy at the University of Haifa and holds a B.Sc. from Ben-Gurion University.

Tom Kahana (Twitter: @tomkahana1) is a Security Researcher at Illusive Networks, with over nine years in cybersecurity. He specializes in Windows internals. Prior to Illusive Networks, Tom worked for Trusteer, where he specialized in exploitation techniques. Among other accomplishments, he is credited with discovery of ASLR security bypass vulnerability CVE-2016-0012. Tom served five years in an elite unit of the Israel Defense Force (IDF), specializing in Cyber Security Research and Development. Tom is studying for his Bachelor's of Computer Science degree at the Open University of Israel.

What Do You Want to be When You Grow Up?

Damon "ch3f" Small, Technical Director at NCC Group North America

Many industries have well-defined points of entry and well-understood education and training requirements. Information Security is not one of those industries. Successful infosec pros often have wildly diverse backgrounds so it is difficult to know which is the "correct" way to enter this field. As our industry has evolved and matured, what do organizations now look for in a candidate? What combination of skills, experience, and education will get you in your "dream job?" SPOILER - there are many predictors of success, and organizations have different priorities, so there is no single answer.

The speaker will describe his experiences as a 22-year veteran of IT and infosec, both from the perspective of working for internal support teams and as a client-facing consultant. In addition to direct observations, this presentation will include the perspectives of other infosec pros that currently work in various capacities in our industry. The goal is not to answer the question of how to successfully develop one's career, as such, but rather to continue the dialogue of what is important to us as we develop our future experts and leaders.

Damon Small (Twitter: @damonsmall) began his career studying music at Louisiana State University. Pursuing the changing job market, he took advantage of computer skills learned in the LSU recording studio to become a systems administrator in the mid 1990s. Over the past 18 years as a security professional he has supported infosec initiatives in the healthcare, defense, aerospace, and oil and gas industries. In addition to his Bachelor of Arts in Music, Small completed the Master of Science in Information Assurance degree from Norwich University in 2005. His role as Technical Director includes working closely with NCC Group consultants and clients in delivering complex security assessments that meet varied business requirements.

wpa-sec: The Largest Online WPA Handshake Database

Alex Stanev, CTO of Information Services at JSC

Started as pet project in 2011, wpa-sec collects WPA handshake captures from all over the world. Contributors use client script to download handshakes and special crafted dictionaries to initiate attack against PSKs. With more than 115 GB captures from 240 000 submissions, collected samples represent invaluable source for wireless security research. This includes:

  • Many improvements for emerging wireless security tools like hcxtools suite (https://github.com/ZerBea/hcxtools)
  • Identified default PSK key generation algorithms, used by various ISPs. Those, along with fixes for current implementations get in RouterKeygen project (https://github.com/routerkeygen/routerkeygenPC). Many more to come, based on current research activities
  • Performance optimizations for WPA crackers
  • Identified some linux kernel driver bugs

During the talk I will explain how wpa-sec works, provide statistics and a lot internals on optimization and how to use the database as OSINT source during pentests and red team actions.

wpa-sec is opensource project available at https://github.com/RealEnder/dwpa.

Live installation at https://wpa-sec.stanev.org.

Alex Stanev (Twitter: @RealEnderSec) started as a software developer in late 90s working on a wide range of projects - from specialized hardware drivers to large scale information systems for private and public sectors, including e-government services, elections management and smart cities. Going through virtually all mainstream enterprise platforms, Alex also took some time to explore various niche technologies and did a lot of low level stuff.

As a security consultant, Alex led penetration test audits in Europe, America and Africa for financial and government institutions.

Currently Alex serves as CTO in largest Bulgarian systems integrator Information Services JSC.

Read more →