BSidesLV
http://www.bsideslv.org
Get ready for the Next Big Thing
Mon, 19 Oct 2015 22:59:35 +0000

Pool Party, BSides Las Vegas 2015
http://www.bsideslv.org/2015/10/19/pool-party-bsides-las-vegas-2015/
Mon, 19 Oct 2015 19:46:43 +0000

The New Hacker Pyramid at Security BSides Las Vegas 2015
http://www.bsideslv.org/2015/10/19/the-new-hacker-pyramid-at-security-bsides-las-vegas-2015/
Mon, 19 Oct 2015 19:45:04 +0000

SSH (Super Soaked Hackers) water balloon fight for Hak4Kids at BSidesLV
http://www.bsideslv.org/2015/10/19/ssh-super-soaked-hackers-water-balloon-fight-for-hak4kids-at-bsideslv/
Mon, 19 Oct 2015 19:43:49 +0000

Two days of prep in 61 seconds
http://www.bsideslv.org/2015/10/19/two-days-of-prep-in-61-seconds/
Mon, 19 Oct 2015 19:41:27 +0000

Official Statement of the Board of Directors, in regards to our videographer
http://www.bsideslv.org/2015/09/09/official-statement-of-the-board-of-directors-in-regards-to-our-videographer/
Wed, 09 Sep 2015 15:27:21 +0000

The community hosts content from BSides conferences in multiple places. We, the BSidesLV organization, have recently been made aware that the owner of one of these sites, and the primary host and videographer for our events from 2012 to the present, has been going out of his way to antagonize certain visitors to his site and other members of the community. We would like to take this opportunity to say four things:

1) We do not condone the actions of this individual, but we cannot make people get along with each other, nor can we tell people what to do with open, free content on their own property.

2) We encourage everyone to consider why BSides exists in the first place. We are here to build a strong community, so that we can all be better — better at our jobs, better at our hobbies, and better people.

3) Dog-whistle politics is only fun for the person stirring the pot. We recognize it for what it is — malicious trolling at the community’s expense — and we will not stand behind it.

4) While we wish to thank our videographer for his past services, we are breaking ties with him and while he may choose (or not) to continue to host his past work on his site, his services will no longer be utilized at BSidesLV events.

If anyone has a viable alternative for hosting and videography of our conference, that won’t come at a cost that BSidesLV can’t afford and will allow us to publish our content for free to the community, we’d love to hear your recommendations. If you are a videographer and would like to submit a bid, please contact us.

 

The Security BSides Las Vegas, Inc. Board of Directors

Genevieve Southwick

Jack Daniel

Alex Hutton

Meredith L. Patterson

James McMurry

BSIDESLV PREVIEW: BRIDGING THE AIR GAP – CROSS DOMAIN SOLUTIONS
http://www.bsideslv.org/2014/07/31/bsideslv-preview-bridging-the-air-gap-cross-domain-solutions/
Thu, 31 Jul 2014 15:00:50 +0000

With the August 5th & 6th show fast approaching, this will be the last in our series highlighting some of the great presentations that are scheduled to take place at Security BSides Las Vegas.

For those who don’t already know, Security BSides events are organized by-and-for the security community and attract some of the most innovative security practitioners from around the world, and BSidesLV has the reputation for being one of the biggest events of the series.

We previously featured sessions on vulnerabilities in URL schemes, a talk on conference swag hacking strategies, a session on how to be successful in social engineering attacks, another on attacking Drupal, one titled IDS and NSM: Cut the Sh**!, one on Pwning the Hapless or How to Make Your Security Program Not Suck, and the last was for a talk titled No Info Sec Staff? No Problem.

Next up is a session being presented by Patrick Orzechowski (@shftleft), titled Bridging the Air Gap: Cross Domain Solutions, which will examine how in the commercial realm, we seem to be obsessed with cobbling together security systems to bolt around our data instead of building systems that are aware of what’s supposed to be passing through the network and into our applications.

Orzechowski notes that in the beginning, the only way data could be sent between classification levels was by physically transferring it via media, hence the term: “sneakernet.”

Analysts that wanted to move data from a “secret” system to an “unclassified” system would need to copy the data to a piece of media, scan it for “dirty words” and, if it passed the requisite tests, the data could be considered “sanitized” and moved to a lower classification level.

“At some point folks decided that systems could do this kind of thing, the term ‘trusted computing’ was thrown around, and the ‘CDS’ (Cross Domain Solutions) was born. At its core, the CDS provides those functions that the old sneakernet provided, but it has grown into much more,” Orzechowski said.

“For example, today’s next generation firewalls tout that they are ‘application aware,’ understanding what protocol moves across what port, while the CDS is ‘data aware’ – not only does it know that only XML is supposed to pass from host/port to host/port, it knows what specific XML tags, what data is contained in those tags, and how often the data is passed.”

Orzechowski says a CDS acts somewhat the way Web Application Firewalls are supposed to work, but is much more type-driven and formal.

“I believe these CDS solutions need to be reviewed and tested as any COTS product should be, not just because they’re what’s used to protect the nation’s secrets, but because they could act as a model for data protection in the commercial world,” Orzechowski explained.

“As we look at adopting the ‘data driven’ firewalling principles adopted by CDS in the commercial side of the industry, we can adopt the best practices employed by systems that are considered COTS.”

Orzechowski believes the idea of an “air gapped” network – whether it be military, infrastructure, or utilities – has gone the way of the dodo.

“There are no more air gapped networks, as shown by Stuxnet,” Orzechowski said. “The concept of Cross-Domain solutions, solutions that are specifically designed to bridge those air gaps, is a very important one, and I think we need to take a closer look at vendors and solutions to make sure these things are keeping our critical networks safe.”

The target audience for Orzechowski’s talk is those people in positions charged with protecting the most critical networks: Military, infrastructure, nuclear, etc., but he says the same concepts that apply to CDS for a “critical” network could also be applied to traditional layered networks on the commercial side.

“I want the audience to have a solid understanding of what Cross-Domain Solutions are and how they’re used,” Orzechowski continued. “Hopefully this talk will spur discussion about CDS and CDS-like systems, how they’re implemented, tested for vulnerabilities and maintained. Protecting these critical systems should be a top priority.”

Orzechowski says that obviously the biggest challenge with these systems is potential vulnerabilities or misconfigurations that could ultimately cost lives.

“The idea that a critical infrastructure or highly classified network could potentially be accessed from the Internet should be a scary one for everyone – hopefully these systems, if they continue being deployed, will get safer and more secure,” Orzechowski said.

“On the upside, these systems are amongst the most heavily scrutinized and tested in the industry. On the downside, as we see in security time and again, it takes a major incident for serious action and attention to come to a vulnerable system.”

http://www.tripwire.com/state-of-security/security-data-protection/bsideslv-preview-bridging-the-air-gap-cross-domain-solutions/

BSIDESLV PREVIEW: NO INFOSEC STAFF? NO PROBLEM…
http://www.bsideslv.org/2014/07/30/bsideslv-preview-no-infosec-staff-no-problem/
Wed, 30 Jul 2014 13:00:41 +0000

With the August 5th & 6th show fast approaching, we are continuing our series highlighting some of the coolest presentations that are scheduled to take place at Security BSides Las Vegas.

For those who don’t already know, Security BSides events are organized by-and-for the security community and attract some of the most innovative security practitioners from around the world, and BSidesLV has the reputation for being one of the biggest events of the series.

We previously featured sessions on vulnerabilities in URL schemes, a talk on conference swag hacking strategies, a session on how to be successful in social engineering attacks, another on attacking Drupal, one titled IDS and NSM: Cut the Sh**!, and the last one on Pwning the Hapless or How to Make Your Security Program Not Suck.

Next up is a session presented by Anthony Czarnik titled No Info Sec Staff? No Problem, where he will share his proven methodology, including key, actionable recommendations to help you meet the challenge and manage IT risk to a level that is acceptable to your small business.

Czarnik’s security experience covers the roles of security engineer, project manager, partner/channels manager, practice manager, marketing and business development, giving him a perfect 360 degree background with which to lead an information security firm.

His initial role was pre-sales engineer for SenSage, a SIEM vendor, where he designed and developed the Cerner HIPAA prototype implemented at Kansas University Medical. He then joined Klocwork, an application security and quality development platform vendor.

Czarnik integrated Klocwork into clients’ S-SDLC, designed and led an e-learning courseware development project, and then after managing an information security practice for five years, he founded Czartek, an information security firm.

Previously Czarnik has presented at the Chicago chapters of Cloud Security Alliance, Security Meetup, Software Quality Improvement Process (SPIN), Mobile Security Meetup and numerous corporate webinars, and he also published an article on software security and the S-SDLC in the international publication hackin9.

Czarnik says that cyber attacks on small and medium size businesses (SMB’s) rarely make headlines, making it easy for these IT organizations to develop a false sense of security, and that information security is becoming increasingly challenging as both IT complexity and the threat landscape are evolving at an accelerated pace.

“In reality, 40% of security incidents involved SMB’s; 1 in 5 reported being victimized during previous 24 months; 69% lost productivity, 65% lost information and 47% lost revenue. The risk is real,” Czarnik said.

Yet for many SMB’s, information security commonly becomes a secondary responsibility of IT leadership, whose primary responsibility is to provide IT systems and services. Software as a Service (in the cloud) and virtualization provide cost savings.

“Users demand systems that are easy to use and provide them with lightning-fast performance, while also accessing the network with their mobile device of choice (BYOD),” Czarnik continued. “Partners need access to your network or cloud application. These recent technological advancements have resulted in increasingly complex IT environments. As IT complexity increases, so does the challenge of information security.”

To compound your challenge, Czarnik says, the threat landscape is evolving and now includes web applications, advanced social engineering and internal threats.

“A data breach will have an impact on the entire organization. The responsibility is yours. That includes CEO’s and COO’s of small businesses who do not have internal IT staff either,” Czarnik said. “You can outsource security, but you can’t outsource risk, so it’s a daunting challenge.”

Czarnik’s session will address that challenge, and key take-aways will include:

  • A proven approach to effectively managing the business risk inherent to information technology and systems
  • Key factors in determining when to use internal resources and when to invest in 3rd party services
  • Valuable yet inexpensive tools and trusted information sources
  • How to uncover vulnerabilities before attackers do [many vulnerabilities that lead to exploitation are relatively easy to find and inexpensive to fix]
  • How information security can also solve compliance mandates
  • Effectively communicating security and risk with non-IT executives

“You will also get a glimpse into the future; a future where vendors are required to document industry standard security ratings, the first mature wave of data scientists raise network analytics to level well beyond today’s correlation effectiveness,” Czarnik said, “and as an industry, mad as hell, we will rage offensive security.”

http://www.tripwire.com/state-of-security/security-data-protection/bsideslv-preview-no-infosec-staff-no-problem/

BSIDESLV PREVIEW: HOW TO MAKE YOUR SECURITY PROGRAM NOT SUCK
http://www.bsideslv.org/2014/07/29/bsideslv-preview-how-to-make-your-security-program-not-suck/
Tue, 29 Jul 2014 16:00:49 +0000

With the August 5th & 6th show fast approaching, we are continuing our series highlighting some of the coolest presentations that are scheduled to take place at Security BSides Las Vegas.

For those who don’t already know, Security BSides events are organized by-and-for the security community and attract some of the most innovative security practitioners from around the world, and BSidesLV has the reputation for being one of the biggest events of the series.

We previously featured sessions on vulnerabilities in URL schemes, a talk on conference swag hacking strategies, a session on how to be successful in social engineering attacks, another on attacking Drupal, and one titled IDS and NSM: Cut the Sh**!

Next up is a talk being presented by Casey Dunham (@CaseyDunham) and Emily Pience (@obfusicationx2), titled Pwning the Hapless or How to Make Your Security Program Not Suck, which will explore the security awareness mistakes most employees continually make, which can lead to a major security event, and will also discuss useful training, resource organization and allocation.

The presenters will walk attendees through a few scenarios – some successful and some not – and share what they have learned about human behavior and how it can be applied to enforcing security policies by creating a “culture of care.”

We discussed the session with Pience, an insurance industry professional with ten years of experience working for three of the biggest U.S.-based disability insurance companies. Her co-speaker Casey is a Security Engineer with a history of working for commercial financial firms.

“Customer data is our business.  Whether within the financial or healthcare industries, the root of our business is to safely house and transmit information to and from trusted parties,” Pience said.

“With the growing demand of increased access – in healthcare, from providers, employees, visitors and patients, from a variety of devices, increased federal enforcements of privacy and security requirements under the new HIPAA Omnibus Rule, there is an ongoing challenge of ensuring patient and customer information is adequately protected.”

Pience points out that numerous breaches within both the healthcare and financial fields have involved lost or stolen devices that are unencrypted, and that these kinds of mistakes by employees continue to be the biggest security threats to all businesses.

The session will examine why these breaches keep occurring and how you as an IT professional – or merely an employee concerned with the safety of your customers’ data – can help your business create useful prevention strategies that employees will pay attention to, as well as how to train employees to not be susceptible to social engineering attacks.

“Technical solutions will not be discussed specifically, as the focus will be on employee awareness, education and how we can do better,” Pience said. “By working through a few scenarios that we have personally encountered, we will address the topics of ‘why to care’ – or problems with people caring about security – testing your people, getting the ‘peons’ out of the loop, and rewarding security efforts.”

Pience says she and Casey are passionate about this topic because, as employees of Fortune 100 companies with large training budgets for security awareness, they continually see the same security mistakes being made by employees – both techy and non-techy – over and over again.

“With everyone wanting instant access to their own data – personal banking, medical records and bills – and companies clamoring to provide this access in multiple forms, the opportunities for human error have increased infinitely, and the human errors we have seen publicized in the media have been ‘duh’ lapses by ‘intelligent’ people,” Pience said.

“In many cases, the efforts of the people responsible for the security of an organization fail to properly get their point across, and it is even harder when trying to explain something that doesn’t have a quick fix and involves more technical astuteness on the part of the user –  oftentimes the difference between a successful security campaign and a non-successful one is simply communication.”

The session will be of utmost interest to anyone who handles or protects customer data on a daily basis, or creates proprietary programs and processes of obtaining customer data within company systems.

“We feel it may be more vital to those who have influence over in creating, sponsoring or financing security awareness programs within companies handling customer data, as these people are better able to identify their specific audience and create effective training with levity they will better prepare their workforce to prevent lapses in judgment and error,” Pience said.

“Security developers will be aware of how to introduce changes to their applications that will create checks and balances to gain access to customer data, thus preventing employees from accessing data without appropriate information.”

Pience said she and Casey are hoping audience members come away with new ideas for creating security training within their own company, and a renewed sense of awareness of how important and effective these trainings can be within their own organization.

“And we hope that during this presentation someone who has already been running an awareness program or is putting one together will leave with at least one idea that can make their program more effective,” Pience said.

“We are also hoping that developers come away with the notion that they can create checks and balances within their proprietary systems to prevent attacks, and we hope they find inspiration for changing or upgrading their programs to include such checks and balances.”

While there will always be people who remain computer operators rather than true users, Pience and Casey point out that as generations of more technologically aware people enter the workforce and hacking force, there will be new methods of exploiting human error and lack of awareness.

“Developers can create new ways to assist in creating processes that will prevent opportunities for common attacks and human errors,” Pience said.

http://www.tripwire.com/state-of-security/security-awareness/bsideslv-preview-how-to-make-your-security-program-not-suck/

BSIDESLV PREVIEW: WHAT I LEARNED AS A CON MAN
http://www.bsideslv.org/2014/07/29/bsideslv-preview-what-i-learned-as-a-con-man/
Tue, 29 Jul 2014 11:57:44 +0000

Security BSides Las Vegas is slated for August 5th & 6th, and in the run-up to this fifth anniversary of the epic event, we are spotlighting some of the really cool presentations that are scheduled to take place. Don’t forget that there is no registration for this year’s show, and passes will be provided on a first come basis, so get there early.

Security BSides events are organized by-and-for the security community and attract some of the most innovative security practitioners from around the world, and BSidesLV has the reputation for being one of the biggest events of the series.

We first featured sessions by Guillaume Ross (@gepeto42) on vulnerabilities in URL schemes that could be exploited by malicious actors, and a talk being presented by Rachel Keslensky (@lastres0rt) which examines why the sea of swag at conferences is generally a wasted investment for companies.

Next up is a session being delivered by Nick “MasterChen” Rosario (@chenb0x) titled What I Learned as a Con Man, which will focus on a few case studies of various cons and a breakdown of what, in social practices, makes it easy for a con artist to be successful in social engineering attacks.

This will be Rosario’s first speaking engagement in the information security field, but his extensive experience with the subject matter is based on a background in sales, teaching, and technical writing for 2600 The Hacker Quarterly on the subject of hacking VoIP systems.

The case studies discussed in this session look at what has and has not worked in the past for Rosario in regards to social engineering and manipulation ops. These cases are drawn from his relationships, sales and advertising efforts, and job hunting expeditions that were somehow misunderstood as “hacker for hire” solicitations. After each case study is presented, there will be analysis of what would enable better success in future such cases.

“Every single one of us encounter con-men in some form or fashion in our lives, perhaps even on a daily basis. Whether it be a pushy sales person or a straight up grifter, many people are after your money and information,” Rosario said.

“This talk is aimed towards the fundamentals of conning people out of their assets. With each case study, the audience members can reflect to see if they have been a victim. We need to know the methods used in order to be able to defend against these social attack vectors.”

Rosario says the information presented in his session will be of interest to anyone who has ever been targeted, or is at least a little paranoid of such an incident occurring, including businesses and individuals alike who have information and other assets that need to be secured.

“By understanding the mind and methods of a grifter, I am hoping that my audience will be made more aware of social attack vectors and how exactly these vectors are conducted, because cons aren’t always technical in nature, which means there is more potential here for a bigger pool of attackers,” Rosario said.

“The attacker doesn’t need to know how to program a computer to breakdown weaknesses in the human psyche. While this is well known, I don’t believe this hits home until the target has already been compromised.”

Rosario emphasizes that he is not trying to train a new wave of attackers, but simply trying to provide the audience actionable knowledge that will make them less likely to become victims of human hacking attempts.

“It is a double-edged sword, but I feel that if I expose some secrets, real attackers will be forced to work harder for the same result,” Rosario said. “Whether a con is a failure or a success, something can be learned from each example. Sure, social engineering talks have been plentiful, but I am confident that my talk will bring some new perspectives to light.”

Rosario notes that humans are creatures of habit, and the future vulnerabilities that will be exploited are dependent on an aware culture as a whole – like the social norm to be cautious when dealing with strangers, yet at the same time still trying to remain personable.

“Should we become paranoid and cold towards each other, or should we become more aware of the risks in order to gain a mutual respect for each other while mitigating social attack vectors?” Rosario said. “This talk will examine those questions and the associated dynamics involved.”

http://www.tripwire.com/state-of-security/security-awareness/bsideslv-preview-what-i-learned-as-a-con-man/

BSIDESLV PREVIEW: CONFESSIONS OF A CONVENTION SWAG HOARDER
http://www.bsideslv.org/2014/06/16/bsideslv-preview-confessions-of-a-convention-swag-hoarder/
Mon, 16 Jun 2014 11:58:25 +0000

Are you ready to get your security on? Security BSides Las Vegas is slated to take place on August 5th & 6th at the Tuscany Suites & Casino, and in the run-up to the event we are highlighting just a few of the top-shelf sessions and speakers that are scheduled for this year’s show.

Security BSides events are organized by-and-for the security community, and attract some of the most innovative security practitioners from around the world, and BSidesLV has the reputation for being one of the best events of the series.

We first featured a session with Guillaume Ross (@gepeto42) titled iOS URL Schemes: omg://, which will examine vulnerabilities in URL schemes that could be exploited by malicious actors.

Next up is a talk being presented by Rachel Keslensky (@lastres0rt) titled Geek Welfare – Confessions of a Convention Swag Hoarder, which examines why the sea of swag at conferences is generally a wasted investment for companies, what they can do to improve swag ROI, and how attendees can tip the scales in their favor when it comes to winning the high dollar items offered in vendor drawings.

Keslensky is a regular in the Southeast Hacker Convention scene, and says she has picked up plenty of unusual knowledge both from her formal education and from working on her creator-owned graphic novel series Last Res0rt; she also held a successful fundraiser on Kickstarter to print the second volume.

She has two degrees from the Georgia Institute of Technology, the most recent of which is a Master’s Degree in Human-Computer Interaction, but she really made a name for herself as a Comic Book Artist, with appearances in Dragon Con’s Comic and Pop Artist’s Alley, and she also did the artwork for the DEFCON 21 Scavenger Hunt.

Her combination of artistic talent and technical knowledge has given her a unique point of view and voice in the hacker community, focusing primarily on DIY, Hacker Media, and embracing cha0s. She is currently working as a Usability Specialist for hire.

Keslensky says those who have booths at big conferences know the pain of having to justify to their company why they had to go to that expensive conference and give away all that swag — and why they came back with so much of it – and attendees have grown tired of trying to find someplace to store the piles of XXXXL T-shirts they will never wear.

“Guess what — that’s all money that’s flying out of those companies’ hands with almost no return on investment. Even worse, with so many ways to re-purpose and repackage 90% of the swag out there, they can’t even claim they’re generating real brand awareness,” Keslensky said.

Marketers who attend her session at BSidesLV can learn from a self-diagnosed “swag hoarder” how to avoid wasting their company’s resources on that swag no self-respecting person would use – at least without a few alterations.

And for those who are just another face in the con-crowd, Keslensky will explain how to make short work of all the crap – er, ‘promotional material’ – vendors supply, as well as how to win that iPad or other great prizes offered with a few tricks that will improve your chances at a big score.

“When you look at the typical budget a company allocates to marketing at trade shows and add in the man-hours wasted chasing unqualified sales leads, you can start to see how much money is being flushed down the proverbial toilet – often an amount that if it were attributed to a security leak, it would make heads roll!” Keslensky said.

“But hey, as long as companies keep throwing away money, there’s no reason not to go ahead and make something useful out of it. The ‘hacks’ involved here can all be done from a smartphone and are cheap enough that $10 in business cards and a few rolls of duct tape will net you no shortage of useful swag – and maybe some cool technology too.”

Keslensky says two types of people will benefit the most from her session: Business folks who are looking to make their next trade show efforts more valuable by not wasting their money throwing useless swag at people, and attendees looking to net some kind of quick gain from their time at the conference. Hey, if they’re giving away some sweet piece of technology you want, wouldn’t you want to know how to get it?

“In order to discourage brand pollution and ‘useless’ swag, folks at the talk will learn about how to ‘debrand’ swag using simple tools like duct tape or find alternative uses for all the unwanted t-shirts, as well as some simple exploits for most trade show contests,” Keslensky

“And business people will learn what types of swag are more desirable – or at least less likely to be abused – steering resources towards those items for future shows and hopefully freeing all of us from an endless cascade of blinking pens and dancing clockwork toys.”

Keslensky says “swag hoarding” is just a symptom of a system bloated with excess. Companies are keen on saving their best stuff only for qualified clients, but know they have to provide items that will attract high-impact prospects like executives.

Likewise, attendees who might not be interested in working with certain companies, or are concerned about opening themselves up to sales spam from a badge scan, may nonetheless be willing to play along if they think something valuable is at the end of the rainbow.

“This usually means that companies end up with a large number of unqualified leads wasting sales peoples’ time after the show, have wasted money spent on poorly-optimized booths and worthless trinkets, or most likely, both,” Keslensky said.

“In addition, a huge motivation for companies to spend excessively at conferences is in an attempt to keep up appearances. Obviously, it’s one thing to point out how wasteful so many of these companies’ efforts are, and entirely another thing to actually try and justify the ROI back in the office since the reasons for many of these trade-show blunders are people-based flaws as opposed to software-based ones, so fixing them is far more difficult.”

Moving forward, Keslensky says companies looking to make the most profitable impact at these shows should start focusing on actionable, results-oriented goals – including meaningful swag that’s not as likely to end up at the bottom of a donations box – especially new and growing companies.

“Startups can’t afford to waste time on crappy swag – they should analyze what works, and surge ahead of competitors that just don’t get it,” Keslensky said.

“As far as attendees go… Hey, wouldn’t it be nice to be able to make better use out of all the stuff you come home with so you can focus on what really matters and save your headspace for the companies you actually like?”

http://www.tripwire.com/state-of-security/off-topic/bsideslv-preview-confessions-of-a-convention-swag-hoarder/
