What’s the first thing that comes to mind when you think of security awareness training? If it exists at all, it’s typically a painfully dry and boring user experience, and provides little to no context to employees. Instead of producing an interactive and educational experience for users, many organizations miss the mark, inevitably turning an incredibly valuable and critically important training into another checkbox on a questionnaire.Organizations should view security awareness training as an opportunity to disseminate relevant and timely information to the users who ultimately determine their level of risk. During this talk, Lauren Clausen, Security Governance Analyst at Rapid7, will discuss the current state of security awareness trainings, the ways in which organizations can create engaging content that conveys this important information, as well as the win, losses, and lessons learned from Rapid7’s own security awareness training refresh.

The demand for inforamtion security skills have far outpaced the supply. The stories and surveys indicate a growing problem with shortages of trained professionals. The problem isn’t being addressed adequately by any entity. This discussion will propose that we the information security community must bridge the gap by training our own reinforcements.The vocational education system, such as community and technical colleges, are a great location to build a better platform for training the skills needed in our industry. We cannot sit by and wait for the government or academia to fill the employee void. Make your job and life better by building the system to train someone else to be on call for a change.An open discussion facilitated by a security guy turned academic about what we can do to help ourselves.

Malware Researchers must take into account a wide range of factors in order to effectively triage, reverse, and address the threat of modern malware. Provenance, or being able to infer the origins of a given sample, is an important but often overlooked characteristic of most malware that may not be apparent to those entering this field. With added knowledge, and new tooling we can make our lives easier. Being able to determine the compiler provenance of a sample is valuable to a reverse engineer as it can speed up the detection of anomalous or otherwise interesting sections of a given binary. I’ll discuss how different compilers and build systems produce different Windows (PE) binaries, where ‚Äòinteresting’ bits of code exist across different kinds of binaries, their expected behaviour and defining characteristics and most importantly how to leverage this information to make heuristic conclusions that will improve one’s reverse engineering efficiency. The talk also coincides with the public release of two things; 1. A package of Yara rules to fingerprint binaries by compiler type and 2. A tool which facilitates the analysis of a given binary by providing a graphic and diagnostic output that can denote malicious and benign segments.

In response to the Heartbleed vulnerability disclosure of April 2014, the OpenBSD team created LibreSSL, a fork of OpenSSL focused on removing obsolete code and dangerous features, improving security, and simplifying the interfaces, while maintaining backward compatibility as much as possible. Since that time, OpenSSL has also had significant investments both in developers and money. But the principal forks of OpenSSL, BoringSSL and LibreSSL, continue to grow and find unique places in the TLS stack ecosystem. Four years later, has the ecosystem improved? Are there too many forks? Why not merge everything back into OpenSSL?This talk will discuss the impact of OpenSSL, BoringSSL, and LibreSSL on applications and operating sytem, why forks still exist, and with TLS 1.3 right around the corner, where the projects are heading.

Getting developers to take security findings seriously can feel like an uphill battle. Security can be seen as an outside function that is separate from engineering, and somebody else’s problem. Reported findings are frequently dismissed or ignored.Using the framework of social engineering, we’ll discuss techniques and strategies for bringing developers to the conclusion that they should fix their security bugs. From pretexts to recon, to recognizing people as emotional state machines, the tools of social engineering are usually used as part of the testing phase in security. In this talk we’ll cover how to bring developers over to your side and understand why security findings matter to them.

You bank online. PDFs have replaced paper. Bills come via email and are paid automatically. Your thermostat even has an account online in some cloud! Your daily life heavily uses technology, and it’s great. As a good digital citizen, you may even use a password vault, two-factor authentication, full disk encryption, and cloud backups.But then you get hit by a bus. Or, less morbidly, your home burns down, floods, or is robbed. If you don’t have a tested personal disaster recovery plan, you and your family may find yourself struggling to return to normal life. You may lose access to your treasured pictures, important documents, online accounts, and digital currencies. Companies understand and mitigate this risk by (hopefully) revising, reviewing, and testing their plans, but individuals rarely even think about this risk, much less plan for it.But backups! And the cloud! They may turn out to be useless if you haven’t fully tested out a disaster recovery plan – mine were worthless because of a circularly dependency. Come learn about how to make your own disaster recovery plan so you can sleep a little better a night and make a disaster a little less disastrous.

“How I Met Your Password” is an interactive talk and session around password cracking techniques. Passwords are still getting much notice in the world especially with leaks constantly occurring. As such, people are interested in password cracking. However this session is not a recap of simple Wiki’s on how to crack passwords. It is an in-depth analysis of advanced cracking techniques, methods of cracking difficult and “impossible” passwords as well as how to use the plethora of tools out there to be successful. The target audience is more intermediate than beginner, with attendees needing to already understand what “hashing” is, how some of the algorithms work and also know their way around Linux and tools such as JTR and Hashcat. What we will do is fill the gaps between simple cracking techniques and how to elevate your cracking capabilities to return much higher hit-rates and better results.

In this talk we will cover a new attack methodology based on the concept of “offline credential stuffing”. This approach makes use of large amounts of correlated data and abuses the commonality of user password reuse to efficiently reduce the workload required to attack large lists of slow, salted hashes.

WebAuthn is a new standard for strong authentication on the web, giving users an easy to use, phishing-resistant way to authenticate. This talk will look at how the standard enables key use cases of second factor authentication (2FA) and primary login with WebAuthn capable devices and explore practical considerations for deploying it. I’ll talk about lessons learned adding WebAuthn 2FA support to Dropbox and discuss policy and usability questions around using WebAuthn for primary login. To get to a world where WebAuthn replaces passwords, we’ll need to figure out how to handle varying device capabilities and account recovery. Even before resolving these questions, WebAuthn offers clear benefits that encourage deployment.

Over 10,000 AWS access keys are currently exposed on GitHub. Are one of them yours? GitHub is the world’s leading platform for software development. The problem is it’s insecure by default. Access is inherently difficult to manage, repos can be left inadvertently public which could expose intellectual property, company passwords and keys to the internet, or could include vulnerable third-party libraries that may pull your company into the spotlight as was seen with Equifax, Uber, and Tesla. With GitHub being increasingly used as an initial attack vector, the platform is finding itself as the root cause for some of the industry’s largest breaches. In the case of Uber and Apple, public repositories resulted in exposure of proprietary code and AWS credentials. The answer? GitHub Guardian. GitHub Guardian is a solution that utilizes GitHub’s Rest APIs to ensure your accounts are safeguarded with multi-factor authentication, repository privacy control and ensuring credentials are not present in code. As the threat landscape continues to evolve – what’s next? GitHub Guardian will evolve to cover use cases around federated identity and authentication management, API security, and credential encryption enforcement for repositories.

The general belief is that a mobile device that is locked, encrypted and protected with a PIN or biometrics is a secure device. Personal assistants on mobile devices are very popular like Siri and OK Google. They can perform multiple tasks including calls, sending emails and reading SMS. How secure are they? Can we trust our personal assistants to keep our data safe?With the proliferation of cheap SDR hardware, DIY IMSI catchers, open source tools and still supported broken GSM protocols, targeting mobile communications is easier than ever. But what are the real consequences? It is well known that SMS is not a secure channel but the industry is still hesitant to move away from it. This presentation is yet another nail in the SMS coffin and aims to help push the industry away from supporting it. Ransombile is a tool that can be used in different scenarios to compromise someone’s digital life in less than 2 minutes. Email accounts, financial data, social networks… all gone. Have you ever left your phone on the desk unattended? Do you belief losing your phone only impacts your wallet? This presentation is for you.

“Gathering Threat Intelligence is an art. Using it to your advantage is magic. Do you even know what your real security profile is and who/what is attacking you? Vulnerability scans are great, but are you really vulnerable? Using OSS across honeypots and even Raspberry Pis, none of which requires rocket-science technical skills to deploy, allow you to see the profile of those who might be attacking you. Gathering real Threat Intel, in a live environment, directed at your systems and using the data to be more secure! This live session will use a network of worldwide honeypots to show how “”Live”” threat intel can be gathered and analyzed to more thoroughly understand your environment and the threats facing you.”

My experiences with qualitative risk analysis have never been satisfying. The categories used to bin the risks seemed arbitrary. I couldn’t see how to consistently compare one risk to another. I couldn’t combine risk assessments from multiple sources. I wasn’t sure how many “Low” risks it took to overwhelm a “High” risk and I couldn’t easily defend my analyses. In 2016 Douglas Hubbard and Richard Siersen released the book “How to Measure Anything in Cybersecurity Risk” which covers the science of measurement, the Monte Carlo simulation technique, and their application to cybersecurity risk. I was instantly hooked. Here was a repeatable, consistent, statistically valid method to really get a grasp on my risks. But learning about something is easy; applying it is hard. This talk will go over the basics of quantitative risk analysis techniques and my experiences with applying them at my current job. Attendees will leave with guidelines for practical application of the techniques as well as a link to a GitHub repo where the tools I use are freely available.

Whether or not you are just starting in InfoSec, it is always important to remember that mistakes happen, even to the best and most seasoned of analysts. The key is to learn from your mistakes and keep going. So, if you have a few minutes and want to talk a load off for a bit, come and join in as a hillbilly spins a yarn about a group unfortunate pentesters and their misadventures. All stories and events are true (but the names have been be changed to prevent embarrassment).

For defenders Powershell is a major challenge when for attackers it is an opportunity (if it is enabled). This talk will open with a quick explanations and examples for Powershell abuse by malware in the wild and why it is so common. Then, the main dish will be served, InvokeNoShell -a new framework for generating infected documents containing embedded Powershell executed even if powershell.exe is disabled without admin privileges, bypassing app whitelisting and AV solutions. The tool is fully automatic and capable of generating multiple variants of bypassing output to optimize the test of solutions claiming to block Powershell. It will be shown that using the InvokeNoShell framework enables easy automation of the payload generation process from scratch. This allows to create multiple similar payloads automatically, allowing an individual to poke advanced ML unicorn next-NG AV engines efficiently, generating dozen payloads with a single command.

DevOps teams still think of Security as “the people who say no.” However, DevOps are Security’s best allies in getting basic security improvements in place. Using the framework of the CIS Critical Security Controls (chiefly the ones classified as Basic), we will explain the ways that Security teams can sell security improvements to the DevOps/SRE/Automation teams and help them get their priorities addressed.For example, while having an inventory of all hardware and/or cloud assets is critical to speedy investigation of incidents, it is also critical to keeping systems within SLAs for their lifecycle and ensuring that billing for resources is correct. Likewise, the other Basic Critical Security Controls line up directly with DevOps and Automation teams’ priorities, and Security teams can meet their goals of improving the security of the company at the same time.

We’re seeing an evolution in botnets. The impact of Mirai bringing down a huge swath of the internet two years ago raised awareness but the release of the Mirai code has raised a new army of botnets that are capable of more than just DDOS on basic systems. But Mirai isn’t the only botnet in town. There are some serious contenders with unexpected enhancements looking for new recruits to work in the bitcoin mines. Routers and cameras and toasters -oh my! The ongoing deluge of devices that connect to the Internet is an IoT nightmare, and an attacker’s dream. Default credentials and weak passwords are only the beginning. Especially with a bevy of unpatched, vulnerable systems on which to unleash some substantial exploits. Persistence and lateral movement ftw! DDoS isn’t just child’s play when attacks are in the realm of terabytes. What happens when we move past outages, and into destructive payloads? And what happens when weaponization meets automation? In this talk, we’ll explore what may come next when nation states move into the turf once held by script kiddies, and build-a-bot gets leveled up in a very bad way.

By now, many security practitioners know that PowerShell is a powerful scripting language used by administrators and adversaries alike. Many blue team professionals may also know that effective detective controls are very difficult to develop due to the flexibility of PowerShell. This presentation covers the journey where I try to develop effective detective mechanisms for malicious PowerShell, shortcomings of this attempt, my first attempt at developing a classifier, the problems I encountered, the lessons I learned, and the success in the end. I will cover the development of the initial prototype from start to finish but the greatest value is in the lessons that were learned during the journey.

PAM is climbing the security charts, coming in at no. 4 in the latest CIS controls, up from no. 5 in the previous version. It has also piqued the interest of ‚ ‘the Board’ -the concept of a superuser and the potential impact on critical business systems is easy to grasp.Security teams now find themselves thrust into the spotlight, with the C-suite demanding answers while they grapple with this seemingly intractable problem. It’s uniquely challenging as some people need admin rights to do their job, so we can’t just lock everything down -but “who?”, “when?”, “how?”, “why?”. As one CISO put it, PAM is “at the intersection of human behaviour and technical controls and often brings IT and security into conflict” .There are many tools to administer privileged access but installing a vault to manage PAM is only the beginning.Once you’ve identified how people should be accessing assets, how do you clean up the tangled web of permissions that exists in most big orgs, without hindering BAU?In this talk, we’ll reframe PAM as a data science problem and explore what insight you can glean from your data about where the problem lies and how to fix it.

In the lateral movement phase of APT incidents, analysis of Windows Active Directory event logs is crucial since it is one of the few ways to identify compromised hosts. At the same time, examining the logs is usually a painful task because Windows Event Viewer is not a best tool. Analysts often end up exporting the entire logs into text format, then feeding them to other tools such as SIEM. However, SIEM is neither a perfect solution to handle the increasing amount of logs. In this presentation, we would like to introduce a more specialized event log analysis tool for incident responders. It visualizes event logs using network analysis and machine learning so as to show correlation of accounts and hosts. Proven with our on the ground response experience, most importantly it is an open source tool.

In the modern age, all organizations face threats from various types of cyber attacks. Although great strides have been made to consider human factors in cybersecurity and to become more proactive in threat analysis, security is still generally a reactive, technical field. This research seeks to develop a framework which adapts existing methods such as the cyber kill chain to look at attacks in a less linear, more human-centered framework that focuses on the capabilities and decisions of the threat actor. In addition, the framework approaches threat analysis from a binary assessment of success vs. failure in order to see the entire attack and consider the potential for a number of methods and attempts made in a single attack. A detailed methodology and sample charts are included for a reference and a starting point in developing one’s own personalized charts, and recommendations are made for ways to integrate this methodology into the risk management process.

Given the high pace at which new malware variants are generated, antivirus software struggle to keep their signature database up-to-date, and AV scanners suffer from a considerable quantity of false negatives. Creating a high-quality signature able to be effective against new malware variants, while avoiding false positives detection, is a challenging task, and it requires a substantial portion of human expert’s time. Artificial intelligence techniques can be applied to solve the malware signature generation problem.The ultimate goal is to develop an algorithm able to automatically create a generalized family signature, eventually reducing threat exposure and increasing the quality of the detection. The proposed technique automatically generates an optimal signature to identify a malware family with very high precision and good recall using heuristics, evolutionary and linear programming algorithms.In this talk I will present YaYaGen (Yet Another YARA Rule Generator), a tool to automatically generate Android malware signatures. Performances have been evaluated on a massive dataset of millions of applications available in the Koodous project, showing promising results: in few minutes the algorithm is able to generate precise ruleset able to catch 0-day malware, better than human generated rules.

Ever wonder how static analysis tools figure out not only what lines contribute to a buffer overflow, but by how much it can be overflown? Ever get the sense developers might get insecure solutions from StackOverflow, and wonder what can be done about it? Curious about what you might be able to do if only you could get your hands on some industrial robots, field forensic equipment, voting machines, or avionics? We discuss some of the latest developments in infosec coming from academia, what they’re likely to result in, and of course, where more work is needed.

Vulnerability identification is critical defensive security infrastructure. We have CVE, which is improving scope and coverage, but CVE assigns numbers, and people like words. Phrases. Names. From Heartbleed to Efail, there’s a trend in security research to market disclosure events with catchy brand names. Some are annoyed by this trend. Is annoyance justified? Names imply importance. Is the claimed importance justified? It may be that a more human-oriented handle is beneficial. We explore the issues around named vulnerabilities and present a system to generate names separate from implied importance.

Why do organizations work so hard to recruit a talented workforce, but fall flat when it comes to retention? After all, rapid turnover negates investments in recruiting and training, stalls projects and innovation, and is often a gauge for the health of a company. Given the growing workforce deficit, it is essential to improve retention in security, especially among underrepresented groups. But what are those factors that improve and hinder retention in security? I conducted a survey and integrated existing social science research to identify those core factors. I will first describe the research design and the main findings. Next, and building upon existing social science research on social change and organizational structure, I will offer several concrete steps organizations can take to improve retention, including a nuanced approach to professional growth and addressing burnout, as well as key cultural factors within the workplace environment. This discussion also includes what the security industry writ large can do to help augment retention, especially when it comes to professional conferences, marketing, and some of the biases embedded in them.

Check our resume reviewers & career coaches page to see a list of available mentors and when they are available

Confused how to get into the security field? Unsure how to grow your skills, knowledge, and certifications? Uncertain where to find training that fits your budget? If you have any of these questions, then this presentation is for you!
With over 40 years in this field as a security practitioner, I have learned many tricks and tips, which I have shared to help others start and quickly advance in their careers. The goal of this presentation is to:

• Help you identify the starter roles which will best help you make it to your dream job
• Plot a path, which includes understanding credentials, skill sets, and salaries, associated with each role
• Understand how to level up from entry level, through mid-level, advanced-specialists to expert
• Have fun doing it!

If you are someone that is hiring, there are also a few tidbits for you.

Career development is typically seen as a progression of education, certification and job moves. However, to progress in our careers it is helpful to build both technical and non-technical skills in different environments to challenge us and give us the opportunity to learn. Community involvement strengthens not only the overall community but provides opportunities to stretch and learn new skills that support personal growth. We will review presenting, con management and competitions as ways to strengthen your career. We will hear from a recruiter involved in the community how they evaluate these experiences and recommendations on presenting this information in your job search. Finally, we will address burnout, exhaustion and how not to burn bridges.

Whether your goal is to push a vulnerability through remediation, change user behavior, or secure funding for your dream project, you can get it done with the right ambassadors in your corner. We’ll review several case studies and discuss strategies that have worked – and strategies that haven’t – for getting buy-in and achieving your infosec #squadgoals

Technology experts are all over the country except on Capitol Hill, where they are needed most. Of the 3500 legislative staff in Congress, there are exactly *seven* that have an actionable technology background (though dozens are getting very smart, very quickly). Policymakers, the security community, and technology users all benefit when we embed real tech expertise on the Hill to inform discussion on critical issues like privacy, cybersecurity, and digital rights. The CFAA, DMCA, FOSTA are all examples of short-sighted laws written by people who didn’t realize the unintended consequences until it was too late. Security experts can help bridge the gap between government and the technology community by tapping into the tech policy API to become a voice for informed change within the legislative process.

This session explores ways for security professionals to engage policymakers through the real world experiences of two types of experts in this area. Travis Moore and Maurice Turner will talk about the amazing impact Tech Congress fellows are having by taking on one year placements in Congressional offices. Then we’ll hear from the other side of the equation as House Energy and Commerce Committee staffer, Jessica Wilkerson, talks about how she leverages security and technology industry experts to help educate her Committee Members and drive a more productive and informed discussion around security issues.

The Common Vulnerabilities and Exposures (CVE) list, the Common Vulnerability Scoring System (CVSS), and the U.S. National Vulnerability Database (NVD) are fundamental pillars of infosec, providing a common taxonomy for discussing vulnerabilities and their potential severity. Despite their critical role, and how much depends on these frameworks, there remain issues with each, especially when applied to human life and public safety impacts.

This panel will educate the audience on why so many acronyms are necessary in our collective attempt to grapple with the proliferation of security vulnerabilities in basically everything. We’ll talk about approaches that have tried and been somewhat successful; approaches that have tried and seem to have failed; and what we want to see change for the future, because your existence depends on good wi-fi now.

Each panelist (and the moderator, in a clear violation of the rules) will an issue they believe are wrecking, or are about to wreck, modern civilization (in the scope of networked technology. Not in scope: ultraviolet rays, WMD proliferation, the greenhouse effect, or other non-digital things). After the panelist round-robin, we’ll go to open Q&A with the coalition of attendees, who are encouraged to be constructive. At the end, the mighty Casey will most likely strike out, but Sisyphus always has a shoulder to cry on.

From federal data breaches to foreign governments phishing political campaigns to malware shutting down city services, our nation is under attack. You can help – starting right in your own community. We are using the election process as an example of how you can get involved in the policy of cybersecurity. The 2016 elections and last year’s DEF CON Voting Village showcased vulnerabilities in voting systems. Local and state officials are working to build a more resilient electoral process, but their capacity is limited. We need government leaders and civic-minded infosec professionals alike to start building bridges and combine their knowledge and talents. Join a conversation with policymakers to explore how they should be looking in their own communities to find individuals with security research or systems administration skills who are interested in acting as technical volunteers for Election Day and beyond

I Am The Cavalry presents two case studies on shifting mindsets of security researchers and a focus on cyber safety. The first outlines first positive steps in the aviation industry toward safer skies. The second looks at security research community contributions to US and UK government policy documents.

The aviation industry has long managed the risks of physical attacks, now it must also manage the risks of digital attacks. To do this will take a close collaborative effort between the aviation industry, government, industry bodies and security researchers. Yet those relationships are strained. This panel will discuss the current challenges and how we can help foster a collaborative relationship between all the key stakeholders so that we can keep the aviation industry as safe as it currently is.

For the past several years, ideas from the security research community have been quietly making their way into public policy positions. When the FDA, DHS, NHTSA, and UK government have put together new policies on IoT security, privacy, and safety, some have had an ace up their sleeve: direct contact with security researchers. This discussion will cover some of the relevant policies, how researchers have contributed, and what this looks like in the aggregate.

“The cavalry isn’t coming; it falls to us,” were the words five years ago at BSidesLV that launched I Am The Cavalry. The cavalry still isn’t coming; it still falls to all of us to make the change we want to see in the world. This session will recap a number of highlights from the past five years, and will introduce several ways ALL OF US can walk out of the room and immediately contribute our experience and passion to transforming the world around us for the better. These will include:

• Rod Soto –  CHIRON open source, home-based IoT security
• Travis Moore – Is a Congressional Fellowship in your future?

Are you a person who works with Agile developers? Are they driving you nuts? This presentation will explain the core tenets of Agile and how they apply to you, the security wonk. What you may not realize is that at its core Agile is about delivering a product, fast. Agile teams are focused on delivering a minimal viable product, getting feedback, and improving both the product and the process through iterative and continuous improvement. With a keen understanding of Agile forged in the trenches of large deployments, this presentation shows you how to effectively scale your team in order to have security be an integrated part of the Agile iterations.

To hunt attackers on their networks and raise resilience, enterprises can use various attack models such as Lockheed Martin’s Cyber Kill Chain© and MITRE’s ATT&CK™ framework. These models are individually valuable but limited in their scope of application. The modus operandi (MO) of APTs also does not necessarily coincide with these models, which limits their predictive value and leads to misaligned investments in defensive capabilities.In this presentation, Paul Pols will detail a “Unified Kill Chain” that overcomes these deficiencies and covers modern cyber-attacks end-to-end. The model was iteratively developed in a master’s thesis through literature research and case studies. The Unified Kill Chain can be used to defend against expected attacker behavior through layered defense strategies that adopt the assume breach and defend in depth principles. The Unified Kill Chain offers an improvement over the scope of the Cyber Kill Chain© and the time-agnostic nature of the ATT&CK™ model.The Unified Kill Chain has been used to analyze and compare the tactical MO of a red team and that of APT28 (Fancy Bear), to improve threat emulation and to raise resilience. The comparison shows the potential to improve the predictive value of red team assessments.

At a time when new innovations and developments in IPS, detection, big data, anti-virus, and other automated solutions are offeredon a seemingly daily basis, another equally important asset remains misunderstood, or simply under-appreciated – the human. This is not an offensive social engineering tutorial or proof of concept. Rather, this session will discuss the value of humanintelligence (HUMINT) and collection efforts within the growing discipline of Cyber Intelligence, how HUMINT/collections contributesto, and supplements, an organization’s detection, prevention, and research solution alongside other cyber threat teams, and how this skillset can be leveraged to elicit information and context that tools and appliances simply cannot.

This presentation demonstrates the ways we exploited opportunistic encryption to break into popular cloud virtual machine systems, web hosting accounts, file sharing systems, encrypted volumes, desktop computers, IOT Devices, Security cameras, and more. After demonstrating the attack, we explain how Developers, Security administrators, and End Users can protect themselves similar attacks.

Abstract There are a multitude of Open Sourced C2 software that are readily available for a quick git clone and deployment during a red team engagement. These softwares, though new and sometimes kind of buggy, can offer a unique way to bypass antivirus engines, allowing for undetected entry into a network and lateral movement that can allow you to move around undetected from many modern defenses. The usage of PowerShell scripting in Windows and MSFVenom payload generation in Kali make it all the easier to apply these methods for quick and easy wins. Using these methods and a bit of guile about delivering the payload will allow a Red Teamer to enter into the network easily and bypass perimeter defenses in play and lead to exfiltration of data and ultimately the end goal of your assessment, get as much win as you can.Full Example Locate at: https://informersecurity.com/antivirus_bypass/

More often than not, firmware is seen as an intriguing no man’s land -neither software nor hardware exclusively. However, increasing interest in firmware binaries is challenging their security, which has depended on obscurity for decades. As attackers focus more on them, understanding the fundamentals of firmware become more relevant to be able to defend ourselves better. This talk is derived from my personal experiences of tinkering with firmware without any formal learning in it. It is intended as an introduction for anyone who is interested in firmware security but doesn’t know where to start from.I will talk about:(1) System architecture.(2) Firmware flavors – BIOS and UEFI(3) Attack vectors(4) Defensive approaches.(5) Open source firmware tools.Hopefully, by the end of this talk, the audience will have a big picture of firmware architecture and security measures.

Machine learning is quickly becoming a ubiquitous technology in the computer security space, but how secure is it exactly? This talk covers the research occurring in adversarial machine learning and includes a discussion of machine learning blind spots, adversarial examples and how they are generated, and current blackbox testing techniques.

In today’s security world it is well understood that it is impossible to eliminate all bugs. This is why in order to limit vulnerabilities, security enhancements are introduced as an extra line of defence. Attack surfaces are being narrowed and mitigations are added to make exploitation harder. This is an approach that is well used by Google in Android. They add more security enhancements in each major Android version, including Project Treble, recently added in Android 8.We decided look deeper into Project Treble and examine how beneficial to security it really is. During our research, we found a very dangerous vulnerability in areas related to Project Treble. Not only did Project Treble do nothing to prevent this vulnerability, it was actually the reason it was introduced.In this talk we will review the inner works of Project Treble. We will look at the refactoring that Android services went through and point out multiple issues with it. We will also cover the details of the vulnerability we found, and its impact. We found that while Google were keen to announce a new enhancement with a flashy name, its implementation was somewhat neglected.

You wanna learn how to hunt the APTs? This is the workshop for you. Using a realworld* dataset we hunt through the APT group Taedonggang. We discuss the Diamond model, hypothesis building, LM Kill Chain, and Mitre Att&ck framework and how these concepts can frame your hunting. Then we look deep in the data using Splunk and OSINT to find the APTs riddling a small startup’s network. We walk you through detecting lateral movement, the P of APT, and even PowerShell Empire. Then at the end, we give you a similar dataset and tools to take home and try yourself.

Drop-in ham radio operator exams. First come, first served.

Come live your cyberpunk dreams! Mainframes are the workhorse behind almost every fortune 500. It’s probably time you learned how to hack one. This workshop provides a one of a kind experience, allowing you to get hands on mainframe hacking experience with multiple labs. This workshop lays the groundwork for mainframe penetration testing. Walkinging you through techniques for gaining system access, performing end-to-end penetration tests, and teaching you to “own” the mainframe. After a brief overview of how z/OS works and how to translate from Windows/Linux to “z/OS” the instructors will lead students through multiple real world scenarios and labs against a real live target mainframe brought on site for the workshop. The areas explored include VTAM, CICS, TSO, and Unix. Students will be given access to a mainframe environment for the duration of the course where they will learn to navigate the operating system, learn some easy wins, and privilege escalation techniques. They will get introduced to the open source tools and libraries available for all the steps of a penetration test including Nmap, python, kali, and metasploit as well as being able to write their own tools on the mainframe using REXX, and JCL.

AWS is the most widely used cloud environments today and almost every security professional has to encounter this environment whether you are attacking an organization or defending it. In this fast-paced workshop, we will teach participants with some neat tools, techniques, and procedures to attack the most widely used AWS services as well as to defend them. Below is the broad agenda for the workshop:- Recon / Information Gathering on AWS Services- Attacking S3 buckets- Exploiting web application flaws to compromise AWS services (IAM/KMS)- Attacking Serverless applications- Disrupting AWS Logging- Attacking Misconfigured Cloud SDN Class Duration: 4 hours Takeaways:Students will be able to understand and appreciate the delta in attack surface which gets added due to moving to the cloud. And subsequently, design architecture and develop applications to defend them. What will participants be provided?- PDF copy of slide deck- Lab VM- Workshop lab manual- Bonus labs access for 15 days Target Audience:- Cloud Security Engineers- DevOps engineers- Security Analyst- Penetration Testers- Anyone else who is interested in Cloud Security Prerequisites for students:- Need to have AWS account (Free-tier)- Basic understanding of AWS Materials or Equipment students will need to bring to participate:- Machine with at least 8 GB RAM and 20 GB free HD space- VirtualBox [VMs will be provided]

This half-day workshop will be a hands-on introduction to the Ethereum smart contract. We will cover tools necessary to create, deploy and interact with smart contracts on an Ethereum blockchain. We will explore and interact with high profile bugs that have caused millions of dollars in losses. There will be a CryptoCurrency CTF at the end of workshop.

Deep down we all know that perimeter defenses aren’t enough to keep the bad guys from your assets. As soon as an outsider compromises one endpoint, they effectively become an insider. Having a power-tool to monitor endpoints is key for incident detection and an organization’s overall security posture.

But how should you query and monitor your infrastructure? How should you deal with so many different operating systems and environments? To help meet this challenge, the Facebook Security team created Osquery, which is under active development by Facebook and the open source community. Osquery is actively used by many companies to collect data from hosts and proactively hunt for abnormalities.

Osquery makes it easy to ask targeted or broad questions about a heterogeneous infrastructure. Besides being open source, osquery is multi-platform (Windows, Linux, Mac, and FreeBSD), powerful and provides countless query possibilities with hundreds of tables with thousands of fields in a simple SQL query syntax.

In this training you will learn about osquery internals, how to understand queries, how to deploy a interface to manage and gain visibility to improve detection and threat hunting, and more.

Do you dance madly on the lip of the volcano regarding your security research? Or would like to research a particular topic that you feel might have a non-desirable personal outcome? Do you know someone who does these things? If so, you should come to this session and learn about some processes and relationships where more people can benefit than before.

“Ask the EFF” will be a panel presentation and unrecorded question-and-answer session with several staff members of the Electronic Frontier Foundation, the nation’s premiere nonprofit digital civil liberties group. Each staffer will discuss a particular issue that has been in the news or on EFF’s docket this year.