KEYNOTE SPEAKERS
TRACK 1
Vehicle Forensics by Courtney Lancaster
The automotive industry is one of the leading industries in the world, topping 2.6 trillion dollars in annual sales. Over the past several years, automotive manufactures have been slowly adding advanced technology to seamlessly and safely integrate access to our digital lives from within our vehicles. The industry is evolving from making vehicles that simply take us from one destination to another, to vehicles that create an experience that entertains and informs us as well as facilitates voice and data communications while we travel. Vehicle Infotainment and Telematics systems store a vast amount of data such as recent destinations, favorite locations, call logs, contact lists, SMS messages, emails, pictures, videos, social media feeds, and the navigation history of everywhere the vehicle has been. Many systems record events such as when and where a vehicle’s lights are turned on, which doors are opened and closed at specific locations, and even where the vehicle is when Bluetooth devices connect. This information is not easily retrievable and is typically stored in several different systems within a vehicle not traditionally associated with event data. This presentation will address the data stored in several different infotainment and telematics systems and touch on methods to acquire and analyze it.
Using Software Defined Radio for IoT Analysis by Samantha Palazzolo
Internet of Things (IoT) devices are combinations of actuators, sensors, and processors. Their capabilities vary. One thing most of them have in common is the use of a wireless interface. The wireless protocols range from well-known standards such as WiFi or Bluetooth to little known proprietary protocols used by various venders. The management of these devices proves to be difficult as the number of devices continues to increase, while the usability requirements remain ever pressing. Add speed-to-market considerations, and security takes a back seat for many IoT developers. Wireless, in particular, can be a difficult security area to grasp and IoT devices show this through their growing number of wireless-specific vulnerabilities. Wireless communication is inherently insecure. Wireless signals are not easily contained or directed; they pass through walls and can be detected from miles away. Software Defined Radios (SDRs) have made viewing and manipulating these signals easier. The lack of security in IoT devices and the widespread inability to upgrade wireless protocols on these devices provides a rich target space. Previously known and mitigated vulnerabilities continue to appear and remain unpatched for the life of these devices. For example, a basic RF replay attack requires little to no modification of a captured signal that is then rebroadcast to execute the same action. For a light on/off command this may not matter, but when applied to something like a door lock the security risk becomes more serious. In addition to general RF related vulnerabilities, each wireless standard has its own specific flaws, and there’s a good chance that IoT devices will implement an out of date version of the standard without the security upgrades. Wireless communication and protocol analysis traditionally have high barriers for entry. Standard-specific tools help remove some of these barriers for some more common protocols (like WiFi and Bluetooth). SDRs and open source tools continue to lower the barriers. In-depth understanding of digital signal processing, while useful, is no longer a necessity when analyzing unknown protocols. Performing a security analysis on an IoT device can be broken down into easy-to-follow steps with the help of open source tools. This talk will go over how to use SDR hardware, GNU Radio, and other open source software to collect information about an IoT device’s wireless communication and how to break down a captured signal to extract the packet information.
Imposter Syndrome: I Don’t Feel Like Who You Think I Am by Micah Hoffman @WebBreacher
Several years ago I was walking back to my hotel after a day’s worth of DerbyCon talks and it hit me all at once. “I’m an infosec fraud. I’m not finding 0-day exploits. I’m not hacking cars or Internets of Things and I don’t know PowerShell. I don’t belong in infosec.” It was a hard revelation to grasp because I loved infosec and the people in it. But that was my “truth” back then and I went home and looked for jobs outside of the computer industry. [SPOILER ALERT] I didn’t leave our industry. Instead, I threw myself into the community and tried to conquer those feelings of inadequacy and self-doubt. Does this sound like someone you know? If so, come join me and learn not only about “Imposter Syndrome” but how I am dealing with it and how you and your colleagues can too.
How the Smart-City becomes stupid by Denis Makrushin @difezza & Vladimir Dashchenko
Scary stories around the Internet of Things (IoT) conjure up images of bad guys in hoodies, living for hacking and making the lives of other people harder, inventing millions of ways to infiltrate your life through your gadgets. Probably nobody cares about his smart-home security, but what about Smart-City threats, which affect billions people? A huge number of public IoT devices are vulnerable for potential abuse, potentially endangering users’ data, networks of companies they belong to, or both. Based on research of various public devices, such as terminals and cameras, we offer a methodology for security analysis of these devices, which would answer the following questions:
- How easy it is to compromise a terminal in the park?
- What can hackers steal from there?
- What can be done with hacked device?
- How can the internal network of the installer organization be penetrated?
- How to protect public devices from attacks?
- How to protect public devices from attacks?
We will share not only our research experience, but also will show a live demo how you can easily hijack a real speed radar somewhere around the world. This topic is the unique opportunity to hear about real cases of public device hacking and see the process of compromising the different terminals from the beginning to the end:
- Parking and ticket terminals
- Information terminals in museums/cinemas/whatever else
- Hotels infrastructures
- Airport infrastructure
- Road Cameras/speed radars Topic includes:
- Methodology for security analysis of public IoT
- Post-exploitation scenarios
- Methodology for improving the security of these devices
- Non-trivial protection for non-trivial device
Software Supply Chains and the Illusion of Control by Derek Weeks @weekstweets
In this presentation I am sharing the results of a three-year, industry-wide study on open source development and security practices across 3,000 organizations and 25,000. I will detail how these organizations are employing a vast community of open source component suppliers, warehouses, and development tools that take the form of software supply chains. Modern software development practices are now consuming BILLIONS of open source and third-party components. The tooling with package managers and build tools such as Maven, Gradle, npm, NuGet, RubyGems and others has promoted the usage of components to a convenient standard practice. As a result, 90% of a typical application is now composed of open source components. The good news: use of the components is improving developer productivity and accelerating time to market. However, using these components brings ownership and responsibility with it and this fact is largely overlooked. The unspoken truth: not all parts are created equal. For example, 1 in 16 components in use include known security vulnerabilities. Ugh. This session aims to enlighten development professionals by sharing results from the State of the Software Supply Chain reports from 2015 through 2017. The reports blend of public and proprietary data with expert research and analysis. Attendees in this session will learn:
- What our analysis of 25,000 applications reveals about the quality and security of software built with open source components
- How organizations like Mayo Clinic, Exxon, Capital One, the U.S. FDA and Intuit are utilizing the principles of software supply chain automation to improve application security
- Why avoiding open source components over 3 years old might be a really good idea
- How to balance the need for speed with quality and security — early in the development lifecycle
- We will also discuss how you can best approach the effort for development teams to identify, track and replace components with known vulnerabilities, while getting more products and new features to market quickly. Attend this session and gain insight as to how your organization’s application development practices compare to others. I’ll share the industry benchmarks to take back and discuss with your development, security, and open source governance teams
TRACK 2
0 to 31337 Real Quick: Lessons Learned by Reversing the Flare-On Challenge by Blaine Stancill @MalwareMechanic & Josh Wang @rh0gue
Malware reverse engineering challenges are a great way to keep reversing skills sharp and learn new techniques. The Flare-On Challenge is one of the most difficult and respected ones out there. Participants must complete ten unique challenges of increasing sophistication over a six-week period. Only 17 people in the US successfully completed this year’s challenge, including the two of us. In this presentation, we’ll familiarize reversers and non-reversers alike with how to approach challenge problems, and arm them with tools and tricks to successfully solve the types of problems they regularly see. These techniques not only helped solve this year’s Flare-On problems, but more importantly, have real-world applicability. Many of the tools and techniques needed to complete the Flare-On challenge are key to understanding and reversing actual sophisticated malware, such as those used by APTs. We’ll walk through how we solved several of the most relevant and creative challenges, providing the audience unique reversing insights that can help both experienced reversers and non-reversers augment their skill sets.
Finding Companies BreakPoint by Zachary Meyers @b3armunch & Andrew McNicol @PrimalSec
The goal of this talk is to help educate those who are new or learning penetration testing and hacking techniques. We tend to see the same mindset applied when we speak to those new to pentesting “Scan something with Nessus to find the vulnerability, and then exploit it…Right?”. This is very far from reality when we talk about pentesting or even real world attacks. In this talk we will cover five (5) techniques that we find to be highly effective at establishing an initial foothold into the target network including: phishing, multicast protocol poisoning, SMBrelay attacks, account compromise and web application vulnerabilities.
Challenges and Opportunities: Application Containers and Microservices by Andrew Wild @AWildCSO & Amil Karmel @c2labs
Virtualization has fundamentally altered the computing landscape over the past ten years, abstracting infrastructure from operating systems, enabling IT to reduce costs and to leverage new deployment models such as cloud. One of the fundamental challenges in migrating to the cloud is breaking application dependencies on the operating system. Application containers accomplish this by providing abstraction and isolation between applications and the operating system, enabling cloud portability and scale up/scale out architectures powering the DevOps revolution. Docker, in particular, has taken Industry by storm, resulting in over 400 million downloads and 75,000+ containerized applications leveraging this open source platform. But what about Security? IT professionals need to understand how application containers and microservices architectures impact their security posture. Come learn how application containers and microservices work via the definition published in the new NIST publication SP 800-180, understand the security challenges with this approach and opportunities unveiled via best practices and strategies to enable your organization’s Secure Development Operations (SecDevOps) revolution.
What you’ll take away:
- Application Containers and Microservices 101: How they work and work together
- How to and who uses these solutions?
- Challenges posed by Application Containers and Microservices
- Best practices for securing application container and microservices
Networking with Humans to Create a Culture of Security by Tracy Maleeff @InfoSecSherpa
Talking. To people. People you don’t know.
For most, this triggers feelings of stress and anxiety. What can be lost on many people down this rabbit hole of feelings is that networking – with humans – can make your job easier as a security professional. Get insight on how to interact with people inside your work environment to foster a sense of value for your position and your department. Gain a better understanding of how meeting people from other industries can help you professionally. Using a mix of her own personal experiences and observations, the speaker will leave you feeling confident to go out and begin cultivating networking contacts to put you on a path to a culture of security within your organization.
Anti-Virus & Firewall Techniques (FUD Viruses) by Candan Bolukbas @candanbolukbas
Anti-Virus & Firewall Evasion Techniques and Creating Fully UnDetectable (FUD) Viruses
- msfvenom
- veil-evasion
- shellter
- unicorn
- metload (Created for BSidesNoVA)
- Stage Encoding / Encryption
I’m Cuckoo for Malware: Cuckoo Sandbox and Dynamic Malware Analysis by Lane Huff @skankinmonkey
I’m Cuckoo for Malware provides an introductory overview to Cuckoo Sandbox and Malware Analysis. This talk walks through discussing different types of malware and what they do, to explaining how Cuckoo Sandbox works and how to get the best results from it. The talk will cover how to harden your sandbox against Malware authors attempts to avoid analysis and give ideas for listeners wanting to set up custom environments of their own. The goal of the talk is to allow listeners with enough information so that they can begin analyzing malware in their own Cuckoo-based sandbox environment.
Doomsday Preppers: Fortifying Your Red Team Infrastructure by Steve Borosh @424f424f & Jeff Dimmock @bluscreenofjeff
Don’t worry Blues, we provide detection and mitigation methods to protect your bunker– or organization.
TRACK 3
So you want to be a “Cyber Threat Analyst” eh? by Anthony Melfi @cubed_wombat
Abstract: Despite being around for well over six years, the position of a “cyber threat analyst” is one that is still not yet clearly defined. The lack of definition is due to the positions popularity and infancy. For example, there are vastly different job descriptions which are all labeled as “cyber threat analyst”. This talk isn’t about stating which definition is right or wrong. This presentation is about the set of skills, concepts and theories which enable an analyst to be successful under any definition of “cyber threat analyst”. This presentation will provide key theories, concepts and required skills of the profession. For beginners it is a road-map. For experienced analysts it is a cross-pollination of ideas.
- An Overview of the Cyber Threat Analyst landscape
- A recommended definition for ” Cyber Threat Analyst”
- Figure out your environment: Porters five forces analysis for the threat analyst
- Knowing how to talk and organize like a business: Porters Value Chain for SOC and analyst shops
- Pick your own risk analysis. Example: Operational Risk Management (ORM)
- If you only remember one thing from this talk: The Diamond Model of Intrusion Analysis
- Choose your own attack phases: The Lockheed Martin Kill Chain & EC counsel phases of attack
- Mitigation and understanding how to use defense in-depth concepts like the Lockheed Martin Cyber Threat Matrix
- The Pyramid of Pain..and you! aka No good deed goes unpunished: How to prioritize your analytic life and avoid management’s Lenny-like crushing grasp when they love you SOOO much!
- Quick check to put it all together
- Organizing your research aka pivoting whilst keeping your sanity
- Tips on collaboration and avoiding being Alice in Wonderland (common analytic pivoting pitfalls to avoid)
- How to support a SOC and play match-maker on the security team
Recommend courses, certifications, reading and means to break into the industry
“Humans, right?” Soft Skills in Security by Ariel Robinson @ArielRobinson1
Let’s face it: humans ruin everything. They are almost always the weak link in the information security chain, between their susceptibility to social engineering, rejection of security threats, and sheer laziness. You can make the best security tool in the business, but if a human doesn’t use it right, well, you might as well leave your passwords on a sticky note on your– wait a minute.
Yes, humans suck at information security. But we don’t make it easy. Infosec is incredibly inaccessible to your average user. Just ask me: I am one.
We can’t change humans (or get rid of them, no matter how much we might want to), but we can change information security. We can leverage insights from non-technical disciplines such as cognitive science, human-centered design, strategic communications, and psychology. Or we can keep hitting our heads against our desktops.
As a professional communicator and bridge builder, help me help you. To make security work, we have to make it easy. For humans.
Why the NTP Security Problem Is Worse than You Think by Allan Liska @uuallan
NTP DDoS attacks have been a steady source of pain for network defenders the last few years and are just now showing signs of letting up. Unfortunately, NTP threats are not going away. An analysis of NTP traffic and the NTP protocol shows why the future of NTP security is grim and how organizations can protect themselves from this threat.
Bro, I Can See You Moving Laterally by Richie Cyrus @rrcyrus
Post-compromise, threat actors are using the Server Message Block (SMB) protocol to move laterally and carry out their objectives. How does an organization go about detecting this activity designed to blend in with normal traffic? Enabling Windows event logs to audit access to file shares may assist in detection. However, sifting through the sheer volume of logs created during normal day to day operations is not ideal. Actors may also move malware from share to share, undetected by an organization’s particular anti-virus solution. Bro Network Security Monitor provides the functionality and flexibility needed to detect some of these techniques on the wire. This session is designed to show defenders the capability of Bro to detect malicious SMB activity, specifically during lateral movement. The scripts and examples introduced can be used right away in environments with Bro deployed.