Talk Abstracts
The State of Security BSides

Jack Daniel

3 years, 5 continents, 9 countries, 34 cities, 53 events. Not a bad start. As an all-volunteer organization, from the central org to every event, we have done amazing things. We have also left a few things undone, or done at a more leisurely pace than many of us would like. In this session I will quickly review the history of BSides, specifically the central organization, then detail the steps which have been taken in the past year to resolve disagreements and formalize the organization.
I have audit results from the first org transaction through the end of 2011; I will present summaries and review the finances. The change in operation of "house events" has a significant impact on BSides finances. I'll discuss this, as well as the consequences, intended and otherwise, of discontinuing Global Sponsorships. I have had several conversations with BSides organizers to discuss direction for the central org; a summary of these discussions will be presented, and hopefully the conversations will continue during and after the presentation.

Ambush - Catching Intruders At Any Point

Matt Weeks

Intrusion detection and prevention systems monitor a point or set of points such as a network connection. In response, malware authors hide traffic through these points with encryption, encoding, and obfuscation. This presentation will demonstrate a different strategy, based not on another point but on the flexibility to add almost any point dynamically, with a new function call hooking system capable of intercepting virtually any set of API functions system-wide. This is in contrast to existing HIPSes, which are limited to functions chosen during design and only monitor certain actions, such as file and registry edits. It uses dynamic code generation to expand on existing hooking techniques, overcoming challenges with different function definitions, architectures, and associated calling conventions.
This presentation will demonstrate the ability to configure signatures on everything from the highest to the lowest level APIs, catching whole classes of malware. It can prevent exploitation of certain vulnerabilities and identify shellcode, keylogging, remote control, and HTTPS-encrypted communications regardless of code obfuscation. Pentesters, red teams, and malware authors used to worry about getting caught while writing to disk. Now, no action is safe. The implementation, the Ambush Host Intrusion Prevention System, will be released open-source.

Max Level Web App Security

Robert Rowley

I'm going to cover the topic of web application security from the world's biggest "honeypot": 1.2+ million domains and one web application firewall. I will review the trends in new and old attacks, review how impactful each new vulnerability was this year (including timthumb.html, php-cgi remote code execution, and more) with raw log data, and identify what is really fueling web-based attacks.
Once the rhetoric of "vulnerabilities are bad" is over, I will discuss some in-house developed tools used to detect malicious files on compromised sites (software released), as well as delve into the evolution of, and dissect in Darwinian fashion, the backdoors and code the attackers use to compromise sites (including more open source software released to de-obfuscate even the most complex malicious code).

Big Data's Fourth V: Or Why We'll Never Find the Loch Ness Monster

Davi Ottenheimer

Variety, Volume, Velocity and Vulnerability. We know many different types of data are being generated at high speed, but how much do we know about the new weaknesses this introduces? Security is often an issue in Big Data but rarely understood or discussed openly. This presentation brings forward the giant elephant in the room and offers the audience some real-world puzzles of big data to solve. Humorous failures as well as some successes are presented as examples. You might think your security problems are big until you are asked to help find some solutions for Big Data's Fourth V.

Puzzle Competitions and You

Christopher Lytle

It's a rarity these days to attend a con and not have cipher text jump out of the program at you or find some recreational math hidden on the back of your attendee badge. Just like competing in a CTF, if you want to win, you're going to need to come in prepared. Come join a veteran puzzle hound as he goes over tools, techniques, and team strategies that have helped him take on and win some ridiculous challenges.

Introducing Android Security Evaluation Framework (ASEF)

Parth Patel

First I will provide an introduction to the security of Android apps: we will take a look at them through the eyes of a security engineer, looking at examples of how to reverse engineer them to look for possible security issues through 'Behavioral Analysis'. I will also discuss the limitations of manual research. Then, I will introduce an automated way to scan Android devices using an "Automated Security Evaluation Framework" (ASEF). Then I will discuss the framework's design, showing a live demo of how it works and how to use it. We will also go over interesting results and statistics covering the scope of the tool's functionality and outcome. I will demonstrate how to expand this idea and solve complex problems in the most practical ways. I will also discuss what future versions of 'ASEF' have to offer and at the same time will make it available as an Open Source Project.


Terry Gold

RFID access cards are often used to secure entry points in corporate enterprise facilities. They are very convenient, relatively inexpensive, and generally assumed to be highly secure. This session explains how these cards are programmed, what their vulnerabilities are, and the choices available to secure them. Also demonstrated will be how the most common access card can be hacked, cloned, and minted to subvert policies and controls to access corporations, data centers and other critical environments.

Force Multipliers for Red Team Operations

Raphael Mudge

In March and April 2012, I worked with ~80 security professionals, in remote and local contexts, to break into systems protected by ~500 active defenders across several events. In this talk, I share my experiences from the 2012 Cyber Defense Competition season and use them to analyze Armitage as a red teaming platform. Collaboration, automation, and distribution are discussed as opportunities to coordinate, scale, and protect red efforts. This talk is not about individual features. It's an exploration of how red teams organize themselves, what does and doesn't work, how we work around our tools, and what we need next. Those interested in the future of collaborative hacking should attend this talk.

Applications and Cloud and Hackers, Oh My!

Andrew Hay & Matt Johansen

It would be irresponsible to state that cloud computing is directly responsible for the increased number of vulnerable applications on the Internet. Stating that cloud has likely provided a platform upon which to rapidly deploy vulnerable applications, however, is probably something we can all agree on. Getting your product to market faster than your competitors has always been a primary business goal. Now that organizations rely on web-based applications to operate their business, both startups and established businesses continue to relegate security of their applications to a future roadmap item or, even worse, the feature request bucket. In this FUD-free session, CloudPassage Chief Evangelist Andrew Hay and WhiteHat Security Threat Research Manager Matt Johansen will break down the top security considerations specific to developing, testing and deploying web applications in SaaS, PaaS and IaaS cloud architectures and offer practical steps to easily secure both your applications and cloud servers.

Reticle: Dropping an Intelligent F-BOMB

Brendan O'Connor

F-BOMB is a disposable computing project, and Reticle is its software brain: a distributed, leaderless system for transferring data and commands to and from the tiny, distributed, dirt-cheap little boxes. Together, these two systems form a botnet-styled sensor network that can be deployed the same way as a smoke grenade by a field agent, but with intelligent encryption, plausible deniability, and a peer-to-peer command network to ensure that an enemy can't compromise your goals, whether you're providing Internet access to an Occupy group, or playing distributed hide and seek for cell phones. We discuss the design and implementation of Reticle, which was intended to take some of the networking ideas from modern botnets and apply them in a more useful context. Reticle was created with support from DARPA Cyber Fast Track, and the code, utilities, and documentation created under that project will be released with the talk.

The Magic of Symbiotic Security: Creating an Ecosystem of Security Systems

Josh Sokol & Dan Cornell

Throw out everything that you know about security tools today. No more six-figure appliances that only do one thing marginally well. No more proprietary protocols. We deserve better and we demand better. Envision a world where your security tools talk with each other. They communicate and share data in order to leverage each other's strengths and help compensate for their weaknesses. They work together to solve problems. Envision "Symbiotic Security".
Symbiotic Security is a new term that was coined to describe the ability of a tool to consume data from other tools or provide data to other tools. As part of our research, we have examined various classes of tools on the market and identified these abilities in each of them, resulting in a label of "Consumer", "Provider", or "Symbiotic". As a consumer of security tools, this completely revolutionizes the way that we make purchases.
As an example, let's pretend that you are purchasing a new Intrusion Prevention System for your enterprise. As you begin to evaluate the various tools from the Gartner Magic Quadrant, you quickly realize that they almost all have the same primary feature set. The key differentiators at this point aren't the rules or the hardware, but rather the ability for the system to send and receive data with other systems. The IPS itself has some signatures and blocking abilities, but has zero relevancy data. Now, we give the IPS the ability to pull in vulnerability data and system configuration information from network and host scans and we gain relevancy. Add in some additional data on where the potential threat is coming from and now you have the data necessary to take decisive action on threats. This new system is a "Consumer". Now, if you give the IPS the ability to send information to other devices on things like the source of relevant threats, those devices, like a firewall or HIPS, can now make intelligent blocking decisions as well. Our IPS now has "Provider" abilities. Since our IPS is labeled as both a "Provider" and "Consumer", it is deemed "Symbiotic". This convention can now be used both by the manufacturer to market the value-add of the device as well as a way for purchasers to differentiate between otherwise similar devices.
In order to demonstrate the true powers of being symbiotic, we are releasing a free tool that epitomizes this concept. The tool, named ThreadFix, has been labeled as a "Consumer" because of its abilities to pull vulnerability data from static and dynamic scanning tools, threat modeling, and manual penetration tests as well as alert logs and vulnerability details from IDS, IPS, and WAF products. ThreadFix has also been labeled as a "Provider" because of its abilities to normalize the data consumed and pass it along to IDS, IPS, and WAF for action as well as to your bug tracking system for remediation tracking. Because it can serve both a consumer and provider role, we designate it as a "Symbiotic" tool, thus indicating that it can provide the utmost value to its users.
We recognize that like any new concept it can take some time to embrace, but we feel certain that labeling tools according to their abilities as "Consumers" and "Providers" can help to facilitate a much needed turn towards openness in our industry. Vendors will get the message that consumers want to select tools that work together in order to achieve their maximum effectiveness. Consumers will get the added value of having tools that work outside of their silos to make their jobs more efficient and maximize their ROI. Please join us in embracing this bold new concept.

Occupy Burp Suite: Informing the 99% of what the 1%'ers are knowingly taking advantage of.

James Lester & Joseph Tartaro

Burp Suite has created a name for itself as arguably one of the go-to weapons of choice for web application pentesters, but one of its best features is consistently being ignored: the ability to append or modify functionality through the use of Burp extensions. Extensions as a feature have introduced users to numerous possibilities, and have given opportunities to easily develop functionality that's necessary to complete required test-related tasks. With all that is available through Burp extensibility, why have we not seen its users contribute functionality to the same degree as community-driven projects such as Metasploit or the Nmap Scripting Engine? In this presentation, James Lester and Joseph Tartaro will debut their campaign, which focuses on building demand, support, and an overall desire around the creation of Burp extensions in the hope of bringing extensibility to the forefront of web application testing. As a team, James and Joseph will begin by outlining the current demand, capabilities, and limitations while introducing up to a dozen extensions they created that presently utilize all currently accessible functionality within the extensibility suite. Along with the release of these extensions, a campaign will be presented to organize and develop an extension community that documents tool primers, lessons learned, and tips/tricks, along with hosting extensions and tools catered to Burp. As a team, Joseph and James will showcase the benefits of their approach, which include increased efficiency and a simplified way to write new scripts. During development of this talk, James and Joseph took into consideration that re-use is a key factor, and development techniques were used to help test user adaptation. Something learned isn't research until it's shared, and they plan to put this statement into practice, utilizing B-Sides as a perfect tool to help collect data, convey interests, and share results.

Stiltwalker, Round 2


Stiltwalker is a system we designed to break the audio version of reCAPTCHA. At LayerOne, the original Stiltwalker was released. However, reCAPTCHA updated its system to break Stiltwalker in the hours before our talk/release. Prior to these changes, Stiltwalker was able to achieve an accuracy of 99.1%. This talk will describe a narrative of the events that led to us choosing to break the audio version of reCAPTCHA, the methods we used to break it, the events surrounding our LayerOne talk and reCAPTCHA's response, and most importantly how we have worked around their response to break reCAPTCHA again after their changes since LayerOne.

The Badmin project: (Na-na-nanana Na-na-nanana BADMIN)

Gillis Jones

Web Application Firewall. Network Access Control. Intrusion Detection Systems/Intrusion Preventions Systems. Intrinsic Heuristic Detectioneering Devices, this presentation can exploit them all.
The security industry is awash with device strategies attempting to remediate the most prevalent security issues in a single stroke. In fact, some of the biggest names in security are attempting to squeeze as many buzz words into one platform as possible to lure in the unknowing. This tactic gives them the ability to market any product as a must-have for IT and security professionals, while rudimentary security procedures are routinely overlooked. There is nothing more basic than an admin portal that, due to incompetence or ignorance, has not been fully customized for the application's needs.
Quick Facts: Default admin login portals are enabled on over ten million websites currently (stats only for /admin and /admin/login.php). There are still portals in wide use on the net that God could get into (yes, even though he wouldn't be up this late).

IPv6 Panel / Drinking Game

Assorted Executives

Join HD Moore (CSO of Rapid7), Wolfgang Kandek (CTO of Qualys), Ron Gula (CEO/CTO of Tenable Network Security), and Misha Govshteyn (founder/VP of New Products at Alert Logic) to discuss/learn about IPv6.

Topics covered:

  • What is IPv6?
  • IPv6 basics
  • How to recognize if you have it on the network?
  • How do you manage it alongside IPv4?
  • Practical hands-on advice on using IPv6.
  • Securing your network with IPv6.
  • How are the vulnerability management vendors coping with it?

IPv6 Jeopardy/Trivia game – each correct answer will win a free drink card; on a wrong answer the panel member gets to drink. Hosted by Alan “Alex Trebek” Shimel.
How I managed to break into the InfoSec World with only a tweet and an email.

Michael Fornal

The InfoSec field is a hard career field to enter if you have little knowledge of security and no experience, but don’t let that discourage you. I was able to secure a job in the information security field and so can you. I did it by using a few common everyday tools like WordPress and Twitter to put myself out there. In the end it came down to one tweet and one email. That tweet and that email changed my life. During this presentation, I’ll show you how I got my job and how using tools like WordPress and Twitter can aid you in your quest to become a security professional.

Breaking Microsoft Dynamics Great Plains - an insider's guide

David Keene

Over my many years of working with Microsoft GP, Microsoft has made improvements to some areas of security while ignoring others. I would like to review my findings on where GP is lacking in security, how it could be used in a pen test to gather info, and what steps Microsoft should take to fix the problems.

Lotus Notes Password Hash Redux

William Ghote

Despite publication of CVE-2007-0977, CVE-2005-2696, and CVE-2005-2428, enterprises continue to expose their users' password hashes through insecure deployments of Lotus Notes and related products (Quickr, Sametime, etc.). Over the past year, hashes were collected from approximately 600 sites. Vulnerable sites are not limited to the software versions described by the CVE notices, but also include the latest software releases from IBM. Exposures were discovered in public and private sector organizations across every conceivable industry.
This presentation will highlight the impact of these exposures by demonstrating techniques for discovering vulnerable web sites via web searches (Google and ERIPP). New scripts for acquiring password hashes from web sites were developed to accelerate download times when compared with existing scripts. Prior work from other researchers was also used in some cases; proper attribution will be given to these where referenced.

How I Learned To Stop Worrying and Love the Smart Meter

Spencer McIntyre

The "Power Grid" is a growing topic in the security industry and Advanced Metering Infrastructure (AMI) is a topic that hasn't been discussed to its full potential. This presentation will discuss the types of vulnerabilities that have been found in Smart Meters, and give examples from real world assessments we’ve conducted. Different methods of accessing the meter will be presented such as over the optical interface and the Zigbee wireless radio. In addition, we will discuss a testing methodology we’ve developed which covers Smart Meter testing. Finally a live demonstration of the attacks that were discussed will be performed on a real Smart Meter during the presentation for the audience. The live demonstration will feature the first public release of a new open-source tool that has been developed for the testing of Smart Meters.

Shot With Your Own Gun: How Appliances are Used Against You.

Christopher Campbell

Security and monitoring appliances and applications are introducing all new places for attackers to get in and hide. As enterprise networks mature, they should become more secure. Unfortunately, many appliances are introducing unknown risks to your environment. Some vendors use FUD-laced marketing to hook unwitting managers and then provide a poorly-documented and "closed" product. These products can allow an attacker to get on your network and stay there. We plan to show you how to take back your tools and vet them against the kind of vulnerabilities that are rampant in today's appliances.

Mirror Mirror - Reflected PDF Attacks Using SQL Injection

Shawn Asmus & Kristov Widak

SQL Injection vulnerabilities are old-hat, but there are many web applications in production that are still prone to this flaw. One subclass of these are websites that serve PDF documents from dynamically-built URLs. We demonstrate that, in certain cases, trusted websites prone to SQLi that also deliver binary file content such as PDFs can be used surreptitiously for stealthy data extraction and obfuscated malware delivery, even when database security is otherwise configured properly. The talk is based on findings from a real-world application penetration test.

Introducing the Smartphone Penetration Testing Framework

Georgia Weidman

As smartphones enter the workplace, sharing the network and accessing sensitive data, it is crucial to be able to assess the security posture of these devices in much the same way we perform penetration tests on workstations and servers. However, smartphones have unique attack vectors that are not currently covered by available industry tools. The smartphone penetration testing framework, the result of a DARPA Cyber Fast Track project, aims to provide an open source toolkit that addresses the many facets of assessing the security posture of these devices. We will look at the functionality of the framework including information gathering, exploitation, social engineering, and post exploitation through both a traditional IP network and through the mobile modem, showing how this framework can be leveraged by security teams and penetration testers to gain an understanding of the security posture of the smartphones in an organization. We will also show how to use the framework through a command line console, a graphical user interface, and a smartphone based app. Demonstrations of the framework assessing multiple smartphone platforms will be shown.

Mainframed - The Forgotten Fortress.

Phil Young

Mainframes? Unix? TSO (not the chicken)? This talk will try to demystify the mainframe from "that cool big black box" to "why the hell is NOMIXEDCASE turned on" or "what kind of moron uses 1234 as their password?". Most Fortune 500 companies use mainframes, but don't put them through the same rigorous testing as they would their Linux or Windows systems. Why? Imagine if you were running Windows XP for 20+ years with all these little addons and custom changes and the only guide to securing your customized OS was four thousand pages long, without pictures. That's what mainframe security folks face. This talk will give an overview of how to actually use a mainframe (should you encounter one), how IBM decided to hash z/OS passwords and how to crack them offline using JtR (including the scripts/JCL to get a copy of the password file off the mainframe), how to compile Netcat for z/OS so you can use the mainframe to pivot on to the corporate network or to create a backdoor on to the mainframe, and how you can run a mainframe at home on your own PC.

Metrics that Suck even less

Walt Williams

At B-Sides SF, Dr. Mike Lloyd presented "Metrics that Don't Suck". This presentation aims to improve upon his work, adding the use of Bayesian statistical analysis through the use of PERT distributions and Monte Carlo simulation to get metrics that suck even less. The attendees will be introduced to a variety of free and open source tools available for analysis so their metrics can suck even less, just like the high-paid consultants'.

The Leverage of Language: Or How I Realized Information Theory Could Save Information Security

Conrad Constantine

Information Security has an ingrained fear of new technology, which brings with it new complexity. This fear spills over into our own unwillingness to use these 'new-fangled' technologies to make our lives easier, leaving security professionals still working with CSV sheets, trying to locate the APT in the bar chart and struggling to make sense from monolithic SQL databases while the rest of the world shoots forward with AJAX-enabled workflows, advanced visual analytics and distributed expert systems. We justify our luddism with a mix of insistence that our problems are unique and unsolvable outside of the field, willfully dismissive of the possibility that some of the fundamental issues facing Infosecurity today have already been solved in other areas in more elegant ways than we have the time to even imagine today. We'll cover some of the more interesting technologies that could revolutionize information security knowledge and workflow management and drag us from the dark ages of the temporary solutions that we've forgotten were only meant to be temporary.

The Blooming Social Media Economics Built on "Fake" Identities

Jason Ding

Social media has become a strong point of economic growth all over the globe. We are interested in studying the unethical or even illegal businesses that are built around several social networking platforms. Several case studies will show that such business models are very effective at generating enough revenue for sustainable growth. Our first case study is thousands of fake accounts built on Facebook that try to promote a group of websites selling fake Nike shoes while claiming they are authentic. Further statistics show that these fake accounts have gradually evolved to make them harder to detect, even with mature machine learning algorithms.
Our second study is another group of users and pages on Facebook which promoted a simple, meaningless game while gaining audiences and impressions for further advertising or spamming. This game strategy is more robust and carefully designed than traditional spamming tricks, since no terms or rules have been broken yet. A potential use of this may be for a legal marketing strategy. Our third study is the business of buying Twitter followers and sending tweets to a large audience. Various follower-buying and tweet-sending services can be easily found through Google and eBay. We had a real case of using their service and monitored the resulting statistics. Results show that these services can quickly earn lots of cash before Twitter can find these fake followers. Meanwhile, we found many famous Twitter users use their services as well. Compared to the first spam case on Pinterest, Twitter following services can make equal or greater profits, and sustainably.
Finally, as we reveal the economic benefits of the "fake" social identity business, warnings are given to the audience that either we all start running our own "fake" businesses like them (kidding!), or we will be drowned among these meaningless social activities, if we do not take action to stop them.
Arizona Craigslist Hookers (and other dating website shenanigans).

Matt Krick (DCFluX)

You'll laugh and cry as DCFluX remembers his experiences in the world of online dating. Over 3 years in the making. Viewer discretion is advised.

When Devices Rat Us Out

Ken Westin

Over the past 5 years I have been involved in developing advanced tracking technologies to assist in the recovery of stolen laptops, phones, cameras, flash drives and more.
We have built software that gets the location of devices without GPS, uses cameras to capture photos of suspects, and technology that indexes the web to extract serial numbers from photos online in search of stolen cameras. Through this process I have worked closely with law enforcement in the recovery process as well as provided training to law enforcement agencies on tracking technology and how to use it in their cases. While working with law enforcement I have learned a great deal regarding the processes they go through to get data on suspects from companies, the technologies they use, what is on the horizon in terms of surveillance technology, and how the data we freely give to companies can be used against us.
In my presentation I will be discussing many of the recoveries that I have been involved with, the technologies that were used, as well as additional evidence we provided to police via social media networks and other data mining efforts. Many of our cases have not only led to the recovery of stolen devices but also to larger crimes such as theft rings, a violent carjacking, drugs, identity theft and the recovery of a stolen car. I will also discuss how the same technologies and data mining can be used against you, the data that law enforcement has access to and the processes they go through to get it. I will also discuss newer technologies that are being introduced such as license plate readers, facial recognition software and other tools law enforcement are starting to bring into their arsenal. I would like the presentation to be a discussion regarding how new technology can be used for good and evil and what checks the government should have in place to warrant their use.

Sexy Defense

Ian Amit

Offensive talks are easy, I know. But the goal of offensive security at the end of the day is to make us better defenders. And that's hard.
Usually after the pentesters/auditors (or worse, the red team) leave, there's a whole mess of vulnerabilities, exposures, threats, risks and wounded egos. Now comes the money time - can you fix this so your security posture will actually be better the next time these guys come around? This talk focuses mainly on what should be done (note - not what should be BOUGHT - you probably have most of what you need already in place and you just don't know it yet).
Methodically, defensively, decisively. Just like the red team can play ball cross-court, so should you! This talk will walk through some of the finer lines between legality and ethics to see just how aggressive the defenders can be. Some examples from actual organizations that practice "SexyDefense" will be provided - both on the intelligence gathering side, as well as in incident management and reaction to attacks.

Mobile Snitch - Devices telling the world about you

Dos Santos & Montoro

This is more of a privacy talk than a security talk. The nature of mobile WiFi device behavior, combined with a lack of user awareness (or attention), could lead someone not only to know what device you use, but also where you've been (and possibly where you're heading), where you work, and in some cases who you are. Some users are security-cautious and use VPNs when connecting company-provided devices to public hotspots, but there are still a large number of people that use a personal mobile device to check corporate emails and other resources. We will also cover how some applications on mobile devices could be spilling out important information about your privacy. This presentation will introduce the proof-of-concept tool Mobile Snitch, which provides easy access to this information.

Panel: Ask The EFF

Kurt Opsahl - Sr. Staff Attorney
Trevor Timm - Activist
Mitch Stoltz - Staff Attorney
Hanni Fahoury - Staff Attorney
Marcia Hoffman - Sr. Staff Attorney

Router of Darkness, Techniques for Embedded System Hacking.

David Bryan

The embedded system market is great! They give us the power to make things happen, and give us shiny unicorns. I'm coming at this with the approach of a service provider producing hardware for end users. The developers and system engineers seem to think that being a "custom" solution gives them amnesty from security. I will focus on issues that I have identified, and what I would recommend for the future of embedded computing for commercial applications. Time permitting (and demo gods willing), I would love to do a demo of JTAG memory dumping, and show the fun things we can find using IDA Pro.