News / speaker workshops
Text of the Opening Remarks / Introduction at the Speaker Workshops (DEF CON 25)
Good morning and welcome to the Packet Hacking Village at DEF CON 25 in Las Vegas, Nevada! We cannot thank you enough for your support and for your continuing support for all these years. The Wall of Sheepʼs mission is and has always been security awareness. This year, the Packet Hacking Village have a number of events and learning opportunities including the venerable Packet Detective and Capture The Packets. We have a fantastic slate of DJs to entertain and keep this village lively. Sheep City and Honeypots have returned this year. We are also excited for something new this year: hands-on workshops as there is a tremendous demand for training and continuing education in this cyber security. We hope that you will take advantage of the many opportunities here at the Packet Hacking Village and ultimately at DEF CON to learn, to collaborate, and to be inspired.
And of course, here we are at the Speaker Workshops. This is a special year: this is the fifth anniversary of the Speaker Workshops at the Packet Hacking Village. We are going to kick it off right-off-the-bat with a very special keynote. Dan Geer said in his keynote at Black Hat 2014: "cyber security is now a riveting concern, a top issue in many venues more important than this one." Or as Matt Blaze said bluntly at The Eleventh HOPE: "we are in a national cybersecurity crisis." So what does this have to do with our keynote? There are many people now starting to study or entering the field of cyber security which is very welcoming to see. However, the body of knowledge is now too deep and intimidating to grasp and history is easily forgotten. So how did we get into the mess we are in now? In May of 1998, a group of hackers testified in front of a panel of US Senators. The hacker group was L0pht. One of the members of L0pht who testified was Weld Pond, Chris Wysopal. L0pht warned that the Internet, software, and hardware are not safe and security is an afterthought. Their warning was a disaster foretold and tragically ignored (please read the stellar Washington Post article "A Disaster Foretold --And Ignored"). Their warning and efforts also paved way for many of our careers and lifestyles in this field, and why most of us are here today at DEF CON. It is my fantastic honor to introduce you all to Chris Wysopal.
Speaker Workshops at DEF CON 25 Call for Presentations Now Open
The Wall of Sheep would like to announce a call for presentations at DEF CON 25 at the Caesars Palace in Las Vegas, NV from Thursday, July 27th to Sunday, July 30th. This will be the 5th anniversary of our Speaker Workshops.
Our Speaker Workshops Schedule at DEF CON 24 is Now LIVE!
We will be adding more talks in the upcoming weeks.
Link: http://www.wallofsheep.com/pages/speaker-workshops-at-def-con-24/
First Round of Accepted Speaker Workshops at DEF CON 24
The Arizona Cyber Warfare Range: Learn by Destruction
Richard Larkins, Network Architect at Arizona Cyber Warfare Range and President of the ISSA Phoenix Chapter
Want to run all those tools you have always heard about, but don't have the hardware to do it? Or - does your Boss want you to learn NMap, but won't let you run it on any of the corporate networks? This presentation will show what can happen when a couple of dedicated and slightly unbalanced individuals come together to establish the largest volunteer staffed, donation funded Cyber Offensive and Defensive Training facility in the world. Attendees will be shown how real hardware and real tools can be used remotely to further increase their Cyber talents.
Rich Larkins (Twitter: @arahel_jazz) is a Network Systems Engineer with way too many expired Cisco certifications. He has touched networks on 4 out of the 7 continents, over 10 countries, and is currently working on his third global satellite constellation ground control system. To further make life more unbearable, he has undertaken the role of network architect for the Arizona Cyber Warfare Range, which requires listening to hackers playing horrendous techno music at loud enough levels to drown out all the equipment in the room. Rich's real bright spot in life is his wife of 23 years, Patricia, and their two Cocker Spaniel rescue dogs (Luna and Orion) who have seven legs between them. You do the math.
Attacks on Enterprise Social Media
Mike Raggo, Chief Research Scientist at ZeroFOX
Current threat vectors show targeted attacks on social media accounts owned by enterprises and their employees. Most organizations lack a defense-in-depth strategy to address the evolving social media threat landscape. The attacks are outside their network, commonly occur through their employee's personal accounts, and circumvent existing detection technologies. In this presentation we'll explore the taxonomy of social media impersonation attacks, phishing scams, information leakage, espionage, and more. We'll then provide a method to categorize these threats and develop a methodology to adapting existing incident response processes to encompass social media threats for your organization.
Michael T. Raggo (Twitter: @MikeRaggo) has over 20 years of security research experience. Michael is the author of “Mobile Data Loss: Threats & Countermeasures” and “Data Hiding: Exposing Concealed Data in Multimedia, Operating Systems, Mobile Devices and Network Protocols” for Syngress Books, and contributing author for “Information Security the Complete Reference 2nd Edition”. A former security trainer, Michael has briefed international defense agencies including the FBI and Pentagon, is a participating member of FSISAC/BITS, and is a frequent presenter at security conferences, including Black Hat, DEF CON, Gartner, RSA, DoD Cyber Crime, OWASP, HackCon, and SANS.
Connections: Eisenhower and the Internet
Damon "Chef" Small, Technical Project Manager at NCC Group
"Rise of the Machines" conjures thoughts of the evolution of technology from the exclusive domain of computer scientists in the early days of our industry to including everyday people using - and often wearing - Internet-connected devices. With that theme in mind, the speaker researches the history of one large, government-funded infrastructure and compares it to another. Specifically, the Eisenhower Interstate System and the Internet. "Connections: Eisenhower and the Internet" explores what the logistical challenges of moving vehicles across the Country can teach us about cybersecurity. Although these two topics seem unrelated, the speaker will take the audience on a journey that begins with early 20th century road-building projects, travels through ARPANET and the commercialization of the Internet, and arrives at current-day cyberspace. These two massive infrastructures have changed the world, and there are important lessons that the former can teach about the latter. The presentation concludes with predictions about the future of the the Information Superhighway and how information security professionals can prepare.
Chef (Twitter: @damonsmall) earned his handle from his use of cooking metaphors to describe infosec concepts to laypeople. He began his career studying music at Louisiana State University and took advantage of computer skills learned in the LSU recording studio to become a systems administrator in the mid 1990s. Following the dotcom bust in the early 2000s, Chef began focusing on cyber security. This has remained his passion, and over the past 16 years as a security professional he has supported infosec initiatives in the healthcare, defense, and oil and gas industries. In addition to his Bachelor of Arts in Music, Chef completed the Master of Science in Information Assurance degree from Norwich University in 2005. His role as Technical Project Manager at NCC Group includes working closely with consultants and clients in delivering complex security assessments that meet varied business requirements. Recent speaking engagements include DEFCON 23, BSides Austin, BSides San Antonio, HouSecCon, and ISSA Houston.
Deceive and Succeed: Measuring the Efficiency of a Deception Eco-System in Post-Breach Detection
Omer Zohar, Head of Research at TopSpin Security
Today's networks are undergoing all sorts of sinister attacks from numerous sources and for myriad reasons. Security at the perimeter is inadequate for thwarting today's highly intelligent attacks as hackers routinely breach the perimeter and gain entry. It isn't long before the network is compromised and critical information is stolen. We must now assume that, despite significant investments in prevention, breaches are going to happen. An additional approach is required. Security teams must go on the offensive, creating a web of non-stop, real-time detection operations using multiple vectors against an ever-changing landscape of cyber threats. Deception technology now plays a critical role. Used as a strategy for many centuries in actual warfare, the concept of deception is becoming a significant weapon in network-protection schemes. Deception technology doesn't rely on known attack patterns and monitoring. Instead, it employs very advanced luring techniques to entice attackers away from valuable company assets and into pre-set traps, thus revealing their presence. It is able to detect threats in real time without relying on any signatures, heuristics or complex behavioral patterns. But how effective is a deception strategy in detecting breaches? What method works best? How does it integrate with current security operations already in place?
In this talk we will present findings from a first ever research which measured the efficiency of proactive deception using mini-traps and decoys in real-life threat scenarios. We have reconstructed a real enterprise environment complete with endpoints, servers, network traffic and data repositories as well as security tools such as IDS, firewall, SIEM etc. The deception layer was then integrated into the environment in 2 steps: (a) by placing decoys in the network and (b) by placing mini-traps on the assets which point to the decoys, set false credentials, trigger silent alarms and more. We then evaluated the effectiveness of the mini-traps and decoys against both automated, machine-based attacks as well as against sophisticated human attacks: The first stage involved checking the behavior of a variety of malware families against the environment and measuring the deception layer's success in detecting their activity. For the second phase, we invited red-team professionals and white hat hackers to employ real techniques and advanced tools with the task of moving laterally in the environment and exfiltrate high value data.
Omer Zohar has over a decade of experience as a developer and researcher in the data security market. As head of Research for TopSpin Security he is responsible for the research of malware and post-breach detection methods and for defining advanced detection schemes.
Dynamic Population Discovery for Lateral Movement Detection (Using Machine Learning)
Rod Soto, Senior Security and Researcher at Splunk UBA
Joseph Zadeh, Senior Security Data Scientist at Splunk UBA
The focus of this presentation is to describe ways to automate the discovery of different asset classes and behavioral profiles within an enterprise network. We will describe data driven techniques to derive fingerprints for specific types of individual and subgroup behaviors. The goal of these methods is to add context to communications taking place within an enterprise as well as being able to identify when certain asset profiles change there behavioral fingerprint in such a way as to indicate compromise. The type of profiles we want to discover can be tied to human behavior (User Fingerprinting) or particular asset classes like WebServers or Databases (Hardware/Software Fingerprinting). Finally enriching these profiles with a small amount of network context lets us break down the behaviors across different parts of the network topology.
These techniques become important when we want to passively monitor for certain attacks against server hardware even without visibility into the local logs running on the server. For example we will cover the automated discovery and enrichment of DMZ assets and how we use these techniques to profile when a server has been planted with a Webshell or when an asset has been used to covertly exfil data. The methods we propose should be generic to apply to a wide variety of any kind of Layer 4/ Layer 7 traffic or just PCAP data alone.
Rod Soto (Twitter: @rodsoto) has over 15 years of experience in information technology and security. Currently working as a Security Researcher at Splunk User Behavioral Analytics. He has spoken at ISSA, ISC2, OWASP, DEF CON, Hackmiami, Bsides and also been featured in Rolling Stone Magazine, Pentest Magazine, Univision and CNN. Rod Soto was the winner of the 2012 Black Hat Las Vegas CTF competition and is the founder and lead developer of the Kommand & KonTroll competitive hacking Tournament series.
Joseph Zadeh (Twitter: @josephzadeh) studied mathematics in college and received a BS from University California, Riverside and an MS and PhD from Purdue University. While in college, he worked in a Network Operation Center focused on security and network performance baselines and during that time he spoke at DEF CON and Torcon security conferences. Most recently he joined Caspida as a security data scientist. Previously, Joseph was part of the data science consulting team at Greenplum/Pivotal helping focused on Cyber Security analytics and also part of Kaiser Permanente's first Cyber Security R&D team.
HTTP/2 & QUIC - Teaching Good Protocols To Do Bad Things
Catherine (Kate) Pearce, Senior Security Consultant at Cisco Security Services
Vyrus, Senior Security Consultant at Cisco Security Services
The meteoric rise of SPDY, HTTP/2, and QUIC has gone largely unremarked upon by most of the security field. QUIC is an application-layer UDP-based protocol that multiplexes connections between endpoints at the application level, rather than the kernel level. HTTP/2 (H2) is a successor to SPDY, and multiplexes different HTTP streams within a single connection. More than 10% of the top 1 Million websites are already using some of these technologies, including much of the 10 highest traffic sites. Whether you multiplex out across connections with QUIC, or multiplex into fewer connections with HTTP/2, the world has changed. We have a strong sensation of Déjà vu with this work and our 2014 Black Hat USA MPTCP research. We find ourselves discussing a similar situation in new protocols with technology stacks evolving faster than ever before, and Network Security is largely unaware of the peril already upon it. This talk briefly introduces QUIC and HTTP/2, covers multiplexing attacks beyond MPTCP, discusses how you can use these techniques over QUIC and within HTTP/2, and discusses how to make sense of and defend against H2/QUIC traffic on your network. We will also demonstrate, and release, some tools with these techniques incorporated.
Catherine (Kate) Pearce (Twitter: @secvalve) is a Senior Security Consultant for Cisco, who is based in Wellington, New Zealand. Formerly a Security Consultant for Neohapsis in the USA, she has engaged with a widespread and varied range of clients to assist them in understanding their current security state, adding resilience into their systems and processes, and managing their ongoing security risk. Day-to-day she undertakes a mix of advising clients around their security, client-focused security assessments (such as penetration tests), and security research. She has spoken at her work at many security conferences, including Black Hat USA, Source Boston, Nolacon, Kiwicon, ACSC and several others. While she has recently presented on Network Security, her true loves are application security enablement, complex systems security, and cross-discipline security analogues.
Carl Vincent (Twitter: @vyrus001) is a Customer Solutions Consultant for the recently consolidated Cisco Security Solutions group, where he performs a variety of security assessment types. As an information security professional, as well as personal hobbyist, his passion is to continually research ever increasingly elaborate methods of elegantly executed hypothetical crime. He also practices personal information warfare, and most of his biographic details online are somewhat exaggerated.
Now You See Me, Now You Don't
Joseph Muniz, Architect and Researcher at Cisco
Aamir Lakahni, Senior Security Researcher at Fortinet
Many people leave behind bread crumbs of their personal life on social media, within systems they access daily, and on other digital sources. Your computer, your smartphone, your pictures and credit reports all create a information rich profile about you. This talk will discuss all the different threats that leak your information and how attackers can use open source intelligence to find you. We will discuss techniques used by law enforcement and private investigators to track individuals. Learn how you can protect your online footprint, reduce your digital trail, and securing your privacy.
Joseph Muniz (Twitter: @SecureBlogger) is a architect at Cisco Systems and researcher. He has extensive experience in designing security solutions for the top Fortune 500 corporations and US Government. Joseph's current role gives him visibility into the latest trends in cyber security both from leading vendors and customers. Joseph runs The Security Blogger website, a popular resource for security and product implementation. He is the author and contributor of several publications including a recent Cisco Press book focused on security operations centers (SOC).
Aamir Lakhani (Twitter: @aamirlakhani)
Presenting Security Metrics to the Board / Leadership
Walt Williams
The board of directors and corporate leadership is not interested in how many attacks your firewall has blocked, and frankly, that is not a metric, that is a measure. Difference between metrics and measurements, how metrics are constructed, and the kinds of metrics the board of directors are interested in will be discussed. In other words, how to identify how to align security metrics with business goals and objectives. The use of frameworks such as ISO 27004 to construct metrics, the pragmatic framework and its uses will also be discussed.
Walt Williams (Twitter: @LESecurity) CISSP, SSCP, CPT has served as an infrastructure and security architect at firms as diverse as GTE Internetworking, State Street Corp, Teradyne, The Commerce Group, and EMC. He has since moved to security management, where he now manages security at Lattice Engines. He is an outspoken proponent of design before build, an advocate of frameworks and standards, and has spoken at Security B-Sides on risk management as the cornerstone of a security architecture. He maintains a blog on security metrics and has presented to boards of three different organizations in diverse industries.
Vulnerability Management: No Excuses, A Network Engineer's Perspective
Richard Larkins, Network Architect at Arizona Cyber Warfare Range and President of the ISSA Phoenix Chapter
Anthony Kosednar, Chief Software Engineer at AZCWR
Vuln Management encompasses 3 out of the top 4 items in the SANS 20 and is a critical item for PCI DSS. Yet, so few companies manage to do it correctly. This presentation will cover the result of the author (a network geek) being unceremoniously thrown into one of those situations, and will detail the lessons learned from it. Tools used: NMap, Tripwire, Qualys, and Crayons.
Rich Larkins (Twitter: @arahel_jazz) is a Network Systems Engineer with way too many expired Cisco certifications. He has touched networks on 4 out of the 7 continents, over 10 countries, and is currently working on his third global satellite constellation ground control system. To further make life more unbearable, he has undertaken the role of network architect for the Arizona Cyber Warfare Range, which requires listening to hackers playing horrendous techno music at loud enough levels to drown out all the equipment in the room. Rich's real bright spot in life is his wife of 23 years, Patricia, and their two Cocker Spaniel rescue dogs (Luna and Orion) who have seven legs between them. You do the math.
Anthony Kosednar (Twitter: @akosednar) is an Information Security Engineer with a background in Aerospace. By day he helps secure corporations and large events (such as Super Bowl XLIX). By night, he puts on the cape of software architect for the Arizona Cyber Warfare Range. Through the darkness of night he helps program the systems that operate the range.
You Are Being Manipulated
GrayRaven, Senior Software Engineer at Cisco Systems
You are being manipulated. There is constant pressure coming from companies, people, and attackers. Millions are spent researching and studying your weaknesses. The attack vectors are subtle. Most times we don't realize that manipulation has occurred until it is too late. Fear not, we can harden our defenses. We can put safeguards in place to help avoid being the victim. For me, the answer came from an unlikely source: my daughter. Small children are fantastic. Society has not yet influenced their development; therefore, children are relentless in pursuing their aims. Since they are naive to right and wrong, they will use any tool available to get their goal. How does this help? My daughter became my trainer, and this talk discusses how interacting with her has improved my defenses. Comparing her strategies to real world examples will show how to build a training framework of your own. Access to small children is not needed.
GrayRaven (Twitter: @_grayraven_) is a senior software engineer at Cisco Systems. He has been fascinated with manipulation since his childhood. Despite receiving a degree in psychology, he spent 18 years as a professional in the Information Technology space. GrayRaven spent the first seven years of his career as a system and network administrator before moving to the dark art of programming. Two years ago he stopped dabbling and tumbled down the security rabbit hole. This journey makes him believe that he is finally using his degree professionally. During his downtime, GrayRaven can be found practicing martial arts, brewing beer and mead, or writing.
Stay tuned for schedule: http://www.wallofsheep.com/pages/speaker-workshops-at-def-con-24.
Our Speaker Workshops Schedule at DEF CON 23 is Now LIVE!
Several amazing workshops also added:
- How Machine Learning Finds Malware Needles in an AppStore Haystack by Theodora Titonis
- Sniffing Scada by Karl Koscher
There will also be a very special workshop from 3 - 4 PM on Saturday, August 8th.
For complete schedule, abstracts and bios, see http://www.wallofsheep.com/pages/speaker-workshops-at-def-con-23
New Batch of Accepted Speaker Workshops at DEF CON 23
- Creating REAL Threat Intelligence With Evernote by Salvador Grec
- Fishing To Phishing: It's All About Slimy Creatures by Wayne Crowder
- From XSS to Root on Your NAS by Tony Martin
- Haking the Next Generation by David Schwartzberg
- Mobile Data Loss - Threats & Countermeasures by Mike Raggo
- Remaining Covert in an Overt World by Mike Raggo
- Violating Web Services by Ron Taylor
For abstract and bios, see http://www.wallofsheep.com/pages/speaker-workshops-at-def-con-23
Two More Accepted Speaker Workshops at DEF CON 23 Posted
- Is Your Android App Secure? by Sam Bowne
- The Packets Made Me Do It: Getting Started with Distributed Full Packet Capture Using OpenFPC by Leon Ward
For abstract and bios, see http://www.wallofsheep.com/pages/speaker-workshops-at-def-con-23