Exploit Kits haven’t disappeared, they’ve simply moved to Microsoft Office. Traditional Exploit Kits (EKs) have the ability to fingerprint and compromise web browser environments, but with the advent of sandboxing and advanced security measures, there has been a shift toward using the Microsoft Office environment as a primary attack surface. Document Exploit Kits (DEKs) leverage DCOM, ActiveX controls, and logic bugs to compromise machines by packing multiple exploits into a single file.

This talk will provide an in-depth overview of the vulnerabilities and exploitation techniques used by the ThreadKit and VenomKit documents to spread well known malware families, and how they are being used in targeted attacks.

Email addresses are one of our most public piece of PII. We are comfortable sharing it with strangers, publishing it on the internet and it is generally our public way of communicating.

However, when it comes to phone numbers things change. We are more selective with who we share it with, mostly because receiving unsolicited phone calls is much more invasive. There are also security implications when making your phone number publicly available. SS7 attacks, SIM swapping, phishing and scam calls are just a few of the threats that originate from the target’s phone number.

What if it were possible to obtain someone’s phone number by only knowing their email address? Beyond the criminal advantage, it could be very useful to investigators, red teams and OSINT lovers.

In this talk, I will discuss techniques which when combined will let you discover someone’s phone number via their email address. I will also demo and release a tool that helps automate the process.

Efficient, reliable trapping of execution in a program at the desired location is a linchpin technique for dynamic malware analysis. The progression of debuggers and malware is akin to a game of cat and mouse – each are constantly in a state of trying to thwart one another. At the core of most efficient debuggers today is a combination of virtual machines and traditional binary modification breakpoints (int3). In this paper, we present a design for Virtual Breakpoints — a modification to the x86 MMU which brings breakpoint management into hardware alongside page tables. In this paper we demonstrate the fundamental abstraction failures of current trapping methods, and rebuild the mechanism from the ground up. Our design incorporates the lessons learned from 40 years of virtualization and debugger design to deliver fast, reliable trapping without the pitfalls of traditional binary modification.

Authors: Nicholas Mosier, Pete Johson

While a Turing-complete set of ROP gadgets can easily be found in libc, many existing ROP compilers are not Turing-complete or do not include essential programming language constructs, such as subroutine calls.

ROPC is a proof-of-concept ROP compiler for 64-bit x86_64 architectures that achieves Turing-completeness by maintaining a second, shellcode-accessible stack, which most notably makes possible subroutine calls within the exploit itself. Turing-completeness allows shellcode to avoid suspicious behavior such as calling system(3) and to return control to the target process.

As input, ROPC accepts (i) source files written in so-called ROPC-IR, (ii) rules for translating ROPC-IR instructions to sequences of gadget addresses, and (iii) static configuration parameters about the victim process. As output, it produces a two-stage shellcode (a sequence of gadget return addresses) that can be injected onto the target process’ stack.

The distinguishing features of ROPC is its emulation of a second stack available to the ROP shellcode and its consequent support for nondestructive invocation of library and system calls (with variable parameters) as well as shellcode subroutine calls.

The Service Workers API is a modern web API that grants web developers advanced capabilities, such as acting as a proxy server, intercepting network requests and improving offline experience as a background service.

In Akamai, we have unique visibility into the world wide web traffic. We have witnessed a dramatic increase in usage of legitimate service workers in our customers web applications in the past year. We believe this trend also applies to malicious service workers as well.

In this talk we will cover new and emerging web based attacks that (ab)use the Service Worker web API. We will cover and demonstrate the attack flow where a potential attacker can amplify and persist his foothold on the client and exfiltrate sensitive information by abusing the service worker API.

Along showcasing those kind of attacks, we will also discuss and explain how to find those attacks and methods to mitigate and prevent them.

Do you want to know how you can exploit DNS rebinding 10x faster, bypass prevention mechanisms, interactively browse the victim’s internal network, and automate the whole process during your next red team exercise?

This talk will teach you how and give you an easy-to-use tool to do it.

First, we will cover in detail the subtleties that make DNS rebinding attacks more effective in practice, including techniques and operational conditions that make it faster and more reliable. We’ll also explain how to bypass commonly recommended security controls, dispelling attack and defense misconceptions that have been disseminated in blogs and social media posts.

This talk will include a number of demos using Singularity, our open source DNS rebinding attack framework that includes all the parts you need to get started pwning today, including:
– Remote code execution and exfiltration payloads for common dev tools and software
– Practical scanning and automation techniques to maximize the chance of controlling targeted services

We’ll also show an interesting post-exploitation technique that allows browsing a victim browser network environment without the use of HTTP proxies.

In the 1968 television series, the Prisoner, a former British intelligence agent is imprisoned on an island, called “”the Village’, with other former spies. This pretty prison is a retirement home for those like him who “”know too much””.
On the island (called ‘The Village’) prisoners are only referred to by their numbers, with our prisoner being Number 6.

In this session, we play a game in which we are Prisoner Number 6, a containerized application that “”knows too much’ and our Village is a “”privileged’ Docker container, which “”imprisons”” us.
During the game we constantly try to escape the Village and return home to the mainland.
Do we succeed to escape the Village? Join our session to find out.

During this session we will show how we attempt to escape the privileged container to reach the underlying host, using a number of different methods, such as loading a Linux kernel module into the underlying kernel, exploiting devices present inside the container to read and write host’s files, and more.

At the end of the session we will attempt a real live escape from a Docker training website to remotely run code on the host.

It’s almost 2020 and it’s time to reset how we think about the traditional “”phases of hacking”” and responding to modern intrusions.

The Classic attack paradigm: traditionally Windows focused, Active Directory/Domain Admin emphasis, port scanning, privilege escalation, stealing hashes, exploiting vulnerabilities.
The here and now: hybrid MacOS environments, cloud emphasis, SSO/SAML, 2FA, 3rd party SaaS, zero exploit code.

As companies adapt their businesses to new technologies, attackers change with them, and so should incident responders. In this talk I will discuss how my security team and I respond to modern intrusions from Red Team engagements and “IRL” threats that no longer follow the “Classic” methodologies of attack. If you’re a defender that’s tired of hearing about Powershell, sysmon, mimkatz, and “Red Teaming 101”, this may be for you. This talk is primarily targeted at incident responders working in complex, modern, environments and aims to provide practical guidance on improving your teams capability to detect bad actors and respond to intrusions in 2019 and beyond.

Effective third-party security risk management requires collecting a significant amount of information from vendors. That information gathering process often starts with the customer sending the vendor a lengthy infosec questionnaire.
Katie’s team was on the receiving end of those questionnaires, and the significant time and effort required to complete them interfered with progress on imperative security projects. To address this problem, the team created documentation and a new process that lessened their workload, reduced sales cycle friction, and gave customers increased visibility into Rapid7’s security program. Katie will share her approach, the lessons she learned along the way, and the metrics she used to measure success, ensuring you leave this session ready to apply these strategies at your organization.

Organizations are routinely required to present their risk and security posture to customers, management, and auditors. There are a myriad of vulnerability datasets and online risk scoring tools available, but how can you use them to your advantage? This talk will focus on not only getting those troublesome scores and online databases to cooperate, but also setting them up to do your work for you. We will review current standard data sources and scoring models; various ways common environmental factors mitigate risk and how they apply in CVSS scoring calculations; and how to aggregate and use the results to inform security decisions within your organization.

In June 2019, the open-source drand project will be jointly announced by its developer, Nicolas, and its current members, EPFL, Cloudflare, NIST and Kudelski Security.
Its goal? Providing a trusted source of distributed randomness that would enable new applications and could be a way to allow blockchains to provide actual randomness to smart contracts in the future.
This talk is about what distributed randomness is, what it means for developers, and why you’d want to use it. I will also present to you drand, a Go application implementing distributed randomness that was developed at EPFL.

Don’t worry though: we will first discuss an overview of how it works without diving too deep into the gory cryptographic details. In addition, I’ll demo how this cool new open-source tool works and explain you how you can use it in your own applications.

Disclaimer: this is NOT a blockchain talk, but rather a distributed system one.

When a company moves to the Cloud, the Security team will need to figure out how to adjust how the go about day-to-day operations for Cloud environments. We will go over how to accomplish different requirements that a SOC would have, including war stories of when I’ve implemented solutions that worked very well, and solutions that blew up in my face. From native services, to open-sauce tools, and then some commercial tools (no this isn’t an advertisement). We will go over the pros and cons, so you can accelerate your decisions in how you secure your cloud.

Join us in the studio for rousing commentary, insightful observations, and witty banter as we walk through breaking reports on vulnerability disclosures from around the world. Our three experts will discuss, debate, and dissect the dos and don’ts of vulnerability disclosure. In talk show format, our irrepressible, opinionated, and occasionally controversial pundits will offer legal, researcher, and vendor perspectives on this week’s news in vulnerability disclosure. We’ll provide candid reactions to how various tales of vulnerability disclosures unfolded – highlighting what works, what doesn’t, and what’s likely to get you punched or arrested. Or both. We may not be Emmy-nominated (yet), but we’ll bring you the hottest news and informed reactions from across the coordinated disclosure landscape.

There have been several studies on country based passwords by authors but there has been a lack of focused study on the type of passwords that are being created in Africa and whether there are benefits in creating passwords in an African language.For this research, password databases containing LAN Manager and NT LAN Manager hashes extracted from South African organisations, were obtained to gain an understanding of user behaviour in creating passwords. Analysis of the passwords obtained from these hashes showed that many organisational passwords are based on the English language. This is understandable considering that the business language in South Africa is English even though South Africa has official 11 languages. African language based passwords were derived from known English weak passwords and some of the passwords were appended with numbers and special characters. The African based passwords were then uploaded to the Internet to test the security around using passwords based on African languages.Most of the passwords were able to be cracked by third-party researchers, we conclude that any password that is derived from known weak English words marked no improvement in the security of a password written in an African language,especially the more widely spoken languages.

Most databases worth mentioning include authentication and authorization capabilities.
However, devils emerge in the details when edge cases of these capabilities are investigated.
We’ll see that popular databases (e.g. MySQL, PostgreSQL, Cassandra, MongoDB …) can have unexpected and sometimes unintended auth behavior.
This includes a fresh authentication vulnerability.
Ideal auth behaviors, with regard to security, will be reviewed.
Then we’ll demo how popular databases stack up against them.
Attendees will walk away knowing which auth properties to look for when including a database in their tech stack.

In today’s ecosystem, verification of identity is no longer applicable just to the user; extending to microservices, cloud providers, IoT devices and many other emerging systems as well. 81% of discovered breaches are due to broken authentication, indicate it as a prevalent issue. Developers are generally aware of different authentication methods used for secure interaction between these entities, but most often lose context on best practices.

In this context, we talk about popular authentication schemes like SAML, OAuth, token, magic links, adopted by developers today and emerging ones like WebAuthN. We will present incorrectly coded authentication patterns observed in disclosed reports related to these schemes. Finally, we will conclude with actionable solutions to correct these flaws realized in the form of practical guidelines. These would be security design patterns that developers or designers could refer to in their daily tasks

In this talk, Group Policy expert Darren Mar-Elia (a.k.a. the GPOGUY) looks at Active Directory Group Policy from an attacker’s perspective, illustrating techniques that can be leveraged to gain insight into an organization’s Windows security posture, privileged use and opportunities for compromise. He’ll start by explaining how GP works under the covers, then dig into tools and techniques you can use to take advantage of GP’s “readability” to map out how an organized has deployed security hardening and privileged access, including how you can specifically identify admin tiering and work around it. Then Darren will dig deep into the bowels of GP to show several approaches to exploiting Group Policy, including linking exploits, write-permission/settings abuse, GPT redirection, external paths abuse and some newly documented ideas for abusing GP processing at the client to run arbitrary code. He’ll finish up by presenting some defensive techniques that can be used to harden GP against this kind of abuse.

Do you dance madly on the lip of the volcano regarding your own research, or would like to research a particular topic that you feel might have a non desirable personal outcome?

Do you know someone who does these things?

If so, you should come to this session and learn about some new process and relationships where more people can benefit than before.

NOW, FOR THE FIRST TIME EVER- NOT IN UNDERGROUND!
Welcome to the new age of Glasnost and the end of an era.

Sometimes, the link you clink on is harmless like a Magikarp using splash. However, sometimes the link you click on might be a Gyarados using Hyperbeam to misuse PHP and steal your credit card credentials.

Phishing campaigns remain as one of the most timeless, and prevalent attacks against a corporation. However, phishing detection and prevention used today are still rooted in archaic methodologies of producing, obtaining, and maintaining blacklists. As an alternative, research into implementing a heuristic-based approach, rooted in fundamental machine learning algorithms, for phishing prevention is becoming more common. This talk will include a discussion on the heuristically approach of extracting features from a website and assessing if they are malicious or not, exploring how to effectively use various modeling for classification on the features of a website, and the stages to build out a repository for phishing research.

Machine Learning models ostensibly offer excellent detection rates at low false positive rates for detecting malware statically at the pre-execution stage. Importantly, they generalize well to new malware samples, evolving families and polymorphic strains. However, often neglected is the fact that “old-school” signatures actually perform *better* at the narrow role for which they were designed: signatures detect *known* and well-behaved malware families at detection rates approaching 100% and false positive rates approaching 0%. Should these not be a powerful complement to static malware detection using machine learning?

I present automatic malware signature generation via n-grams, but with one significant upgrade: I consider ludicrously large n-grams for n up to 1024 using “KiloGrams”, an approach co-developed by government, academic and industry partners. Since memory burden using straightforward approaches grows exponentially with n, previous research for n>6 is exceedingly rare, and to our knowledge has never been attempted for n>8. But more than 1 in 50 observed x86 instructions exceed 6 bytes, so that a byte 6-gram is insufficient for capturing telling sequences. KiloGrams discovers the K dominant n-grams (for very large n) with very modest memory requirements, and the resulting signatures provide both impressive predictive performance, and intrinsic interpretability.

This talk comprises two parts: How to reduce Alert fatigue in security analysts so as to automatically fuse alerts from disparate log sources; and How to Reuse/recycle ML models from one security domain to another. Both systems are in production in Azure Sentinel, Microsoft’s Cloud SIEM. Attendees will takeaway three core concepts: how to encode uncertainties in attacks using probabilistic kill chains; compressing ML models using high capacity LSTMs; and finally the trials and tribulations of building large scale ML systems for security.

Machine learning has already proven itself an extremely useful tool for blue teams and defensive products. Organizations and their vendors have access to millions of endpoints, logs, and events. Extending talks and research given at previous DefCon events, this presentation will discuss research at integrating operationally relevant machine learning techniques into offensive operations. Through a few practical examples, we’ll explore basic statistics for operator efficacy, detecting a sandbox for payload security using a simple neural network, analyzing command sequences from previous operations to provide command recommendations for current operations, and using reinforcement learning to teach malware to pivot across a network. PhD NOT required!

Just looking at your logs is extremely unappealing for many security analysts. This leaves specialized tools and scripts to do the analysis before anything is investigated. This leaves any threat actor with access to the tools at an advantage and you with tunnel vision. With the math presented here we show the odds of finding something is quite high for hunting and the effectiveness of $CYBER_ML_PRODUCT might be closer to a list of your assets picked at random.

Browser (Chrome) extensions can often be overlooked in an enterprise environment. They offer would-be attackers’ access to all sorts of potentially sensitive information. In order to find interesting ones there are a number of tools and data analysis techniques available. Some of these tools and techniques will be covered so you can hunt through your organizations Chrome extensions in a meaningful way, and understand the risk they pose.

With myriad threats facing organizations, eliminating all avenues for attack is impossible. Accepting this reality means organizations need to focus resources where they are most likely to be impactful. But this begs many questions: What types of hosts are most likely to have vulnerabilities? Are those same hosts critical parts of the business? What about cloud infrastructure that isn’t fully controlled? Are hosts on foreign soil in compliance with local laws?

We could tap into prevailing FUD and personal opinions to answer these questions, but haven’t we all had enough of that? We’d prefer to know what the data says. In this talk we introduce the concept of risk surface and explore its shape by tapping into a fascinating data set spanning millions of internet-facing hosts from tens of thousands of firms and major hosting providers around the world. We find that for most organizations risk is global with more than half locating infrastructure in multiple countries. Not only are hosts spread far and wide, but vulnerabilities are too: more than half of organizations have high or critical vulnerabilities on external infrastructure. Armed with this new perspective, we can make recommendations to organizations on where their resources are best deployed.

Infiltrating into internal networks by targeting people into visiting malicious websites is still being used by attackers. However, as the modern browsers are being automatically patched and endpoint protection improves, depending on either a browser 0day or the victim to click and deploy a malware on his machine narrows down attacker’s opportunities. But did you ever wonder how could someone obtain access to internal network by only relying on the victim’s browser as the main weapon?

In this talk, we will propose an attack concept that brings a whole new attack surface to infiltrate internal networks. The attack will work even on the latest patched browsers and without deploying any malware. By combining and advancing existing concepts of JavaScript reconnaissance techniques and DNS rebinding attacks, internal applications could be now exposed to the outside world while going unnoticed.

We will explain how going from theory to practice requires overcoming several limitations of the current DNS rebinding attack. We will go through the steps of evolving the current possibilities into establishing a full tunnel to internal network applications. We will tackle the challenges with handling all HTTP methods, proxying authentication and downloading binaries via the tunnel.

DNS Tunnels are fun for bypassing Wi-Fi restrictions and breaking out of networks. Today there are many defence options in place to detect or block DNS Tunnels. However, exfiltration of data via DNS is still very possible and continues to plague corporate environments. We will look at some unique and new ways to exfiltrate data via DNS. We’re not looking to get free internet here, we’re looking at how attackers can send sensitive data out of a company without being detected by the usual DNS tunnel detection mechanisms.

Microsoft has added a significant number of features to Windows 10 that affect the types of evidence that can be found both on disk and in memory during digital forensic and incident response investigations. These features include new event logging sources, new artifacts of program execution and file access, compression of in-memory data stores, native support for Linux virtual machines, and much more. The inclusion of these features necessitate that blue team members update a significant portion of their workflow to fully capture events that previously occurred on the system. These features also force red team members to update their workflows if they wish to operate in a stealthy manner. During this presentation, the full range of these new features will be presented along with how they can be accessed, analyzed, and understood. This will include discussion of open source tools along with analysis methodologies. By the end of the presentation, attendees who work in a wide variety of information security roles will understand how Windows 10 changes their daily workflow and how to best take advantage of the new features. With Windows 7 reaching its official end-of-life in January 2020, now is the time to learn these new skills.

Many organizations struggle with keeping track with the flood of information regarding threat actor groups, malware, and other security vulnerabilities being released each day. Although many people understand the importance of keeping up to date with this information, it can often become a lower priority to other defensive security operations functions.

This talk will cover how to take various forms of cyber threat intelligence and operationalize that information into behaviors that can create actual detections relevant to the organization. We will walk through the process of identifying said behaviors, how to create detections, and how to actually test those detections using open source tools.

This briefing quickly introduces the DoD Cyber Crime Center (DC3) and then gives into a discussion about what cyber threat intel is, the cyber kill chain (using movie gifs) and ends with a brief intro of some APTs. The talk is geared at an introductory level for people who don’t specialize or would like to learn more about CTI and APTs.

Picture it: Sicily, 1922. I’m reporting to a great CISO who gets an opportunity to lead security for a global law firm. A few minutes later I’m in the hallway with the CIO and accepting the role of interim CISO. Fast forward a few years, I’m in a place that I never expected and doing things I wasn’t sure I knew how to do. The purpose of this talk is to share lessons I’ve learned going from a practitioner to the guy in charge and how practitioners at any level can lead and inspire change within the community.

Bad management is regularly one of the reasons cited for why people change jobs. Plenty of books exist out there for the topic on how to manage and lead people, but there often isn’t a good vision for people with strong technical skills can transition into leadership roles. Some of the pitfalls and issues that come with these transitions can be tricky to navigate, but the potential reward can be very high.

The security industry complains about a lack of talented people, but most of our jobs require Senior Engineers with 8 years experience. New grads and non-grads struggle to get a foot in the door, so they never get those 8 years of experience. Google has made progress towards solving that problem. We created a team that hires people at entry level and grows them until they can take more senior jobs. The team manages operational security work, like exception requests, that senior engineers find boring but new engineers find interesting and educational. The team also writes code to automate away as much work as possible.

We’ve also created a feeder program to train non-security people up to entry level in security, and we’ve created a rotation program to transition software engineers into security. Together, these programs have resulted in many hires and promotions and multiple rising stars. Additionally, the team is substantially more diverse than average.

After attending this talk, you’ll understand how we achieved these results and how you can create a similar program in your own organization.

Are you working in a mature enterprise security team, but have been exploring the idea of transitioning into a security leadership role in a startup or smaller, less mature organization? Tech debt is a real issue in any role, but perhaps instead moving into a new role in a new organization where the perception is that the grass is greener, you want to truly try your hand at a true evergreen environment where you build the program from scratch at a startup. Specifically, are you thinking about making a career change as a security specific domain expert to moving into a startup role where you may develop domains within InfoSec, Compliance, Privacy, and more. While it may be intimidating, it’s not impossible, come learn about specific examples of how to apply enterprise security lessons to build a security program at a tech startup.

Three years ago, a team of nerds at the Pentagon brought in hackers and launched the federal government’s first bug bounty and coordinated disclosure programs. Today, the Defense Digital Service’s (DDS) ‘Hack the Pentagon’ program has run nearly twenty bug bounties across the Department of Defense, engaged thousands of ethical hackers, and uncovered thousands vulnerabilities. The program has been replicated at agencies across government and is helping feds to rethink many of the government’s security approaches. While these programs are what DDS is best known for, the military also manages thousands of vehicles, ICS systems, and medical devices, in some of the most unique and challenging circumstances or any organization. Hear from DDS Director and noted data scientist Brett Goldstein about going beyond checklists and attested security, shifting culture in the world’s largest bureaucracy, and working to incorporate diverse perspectives and talent to contribute to our country. Under Brett, the DDS team is helping to push better security norms and best practices – recognizing talent, diverse perspectives, and creativity are critical to remaining a step ahead of our adversaries. You’ll learn how this passionate group of citizens have been effective and how they’re inviting BSidesLV participants to get involved.

Nowhere is the interconnected relationship between technology and the home more evident than the rapidly growing world of IoT.

What we see time and time again is that consumers care about security within their products, but most assume that a product is safe simply because it is for sale. We recognise it is not reasonable to expect everyone to become a cyber security expert, so we need to shift the burden off end users, support manufacturers of all sizes to embed strong cyber security principles, champion those that already do, and regulate to protect citizens from manufacturers that don’t take security seriously.

The talk will outline the work we have done to date and our approach to protecting consumers. In the past twelve months, we have published the Code of Practice for Consumer IoT Security, have worked to develop the first globally applicable standard for consumer IoT- ETSI 103 645 and have been supporting organisations at all scales to implement these standards as a manufacturer and buyer of IoT. It is clear that action is needed, and we published our ambition to regulate in May 2019, outlining possible options for consultation, as well as a proposed labelling option.

Ransomware attacks and confidentiality breaches tend to make the news as it relates to healthcare security challenges. But what about attacks directly on a patient?

During this session, we’ll look at some of the common security issues pervasive throughout the Internet of Things, and tie them directly to real-world attack scenarios using connected medical devices. We’ll discuss the anatomy and risks of an attack against a patient in a hospital, review common mechanisms and tools used for these attacks, and identify effective solutions to evaluate and better understand the inherent risks of the connected healthcare ecosystem.

The press must translate complex digital security issues for the public, bringing a sense of urgency to the subject without scaring people into inaction. To do this job right, we need to talk to hackers. An open and earnest dialogue on how reporters navigate these challenges is in everyone’s interest – unless, of course, you have something to hide.

This panel will feature a frank discussion about what works and what doesn’t in uncovering some of the most important infosec storylines of the day. Discussion topics will include how companies and agencies disclose data breaches; how reporters are involved in the flawed and difficult process of vulnerability disclosure; the responsibilities of more “”mainstream”” outlets in explaining cybersecurity issues to readers; and what to do when policymakers draw the wrong conclusions from your reporting.

Journalists to include Sean Lyngaas from CyberScoop, Joseph Cox of Motherboard, Lily Hay Newman from Wired, and freelance journalist Kim Zetter.

Most US federal agencies lack a formal mechanism to receive information from third-parties about potential security vulnerabilities. Many agencies have no defined strategy for triaging reports about flaws reported by outside parties. Only a few agencies have clearly stated that those who disclose vulnerabilities in good faith will not be subject to legal action by the government.

These circumstances create an environment that discourages people from reporting potential information security problems to the government, which delays or prevents the discovery, prioritization, and remediation of these issues.

Representatives from the Office of the Federal CIO and the Cyber & Infrastructure Security Agency will talk about potential approaches and solicit feedback on addressing these concerns in the enterprise of enterprises that is the US Government.

Mass Attack Campaign with Hands-on Webcam Exercise will teach participants about the IOT threat landscape (what have we seen) and common oversights made in the development, configuration, and deployment of IoT devices. And, while IOT may not be interesting itself as an end target, it’s easy to build an automated campaign at scale which can access operational systems and sensitive data. I’ll do a hacking demonstration to show the stages of an IOT campaign from OSINT/recon to exploitation to lateral movement to steal interesting things.

“Hackers of the world – unite?”
We are taught there is strength in coming together, but, must we all speak the same language? do the same things to achieve impact? I think not. This talk, will be an international point of view about the global and different state of hacker communities, and the meaning of the word hacker – Past present and future.

Over the years we have been increasingly been surrounded by technology. Some of us, particularly my generation, and gen z have almost been raised by it. This means that things like “Don’t clicks links from people you don’t know.” has now become the new “Don’t take candy from strangers.” making it harder for us to perform old tricks like redirecting users to pages with malicious scripts.

But what if I told you that could change with a small injection and a little social engineering? With a small chip in your hand, you could convince your target to let you wreak havoc on their device, and them be none the wiser.

This presentation covers the offensive uses of NFC implants and how you can use this new technology to your advantage, as well as its limitations out in the field.

I want to talk about the struggles of teaching teammates how to learn python. Specifically I want to talk about how to motivate or keep people working towards the goal without using financial incentives and creating the correct culture around learning. I’ve been working with my team to have each one learn. All of them come from very different starting points. Some of the struggles have been finding the right projects to work on and what resources I used and which ones worked well and which ones did not.

How to leverage the Mitre ATT&CK Framework to improve your organization security posture and bring your SOC/BlueTeam up to speed with the current Tactics, Techniques and Procedures (TTP) that modern Threat Actors uses. Our goal is to answer a few questions we often see or hear: “ATT&CK is nice and all, but how do I (we) get started?”, “How can I (we) detect those TTP?”, “Why use the ATT&CK Framework?”

Game Theory is a wide ranging subject with practical applications that we are beginning to apply to information security. Many are familiar with the Prisoner’s Dilemma, but there are many other games that also illustrate strategic advantage. In this presentation, two games will be discussed in the context of infosec and identifying practical strategic applications– Col Blotto and FlipIt. Col Blotto games use a militaristic example of identifying where to put troops on a battlefield to best defend a territory. FlipIt games cover what to do when you have incomplete information, including situations in which you don’t see your opponent’s moves. This presentation aims to use these games demonstrate a dynamic methodology in network hardening as well as a plan in an assumed compromise scenario

The term “Threat Hunter” and “Threat Researcher” seem to be buzzing around these days. But what does it mean? What do those people do? Where do they fall in?
I’m going to tell you my thoughts on what the skills and abilities of seasoned hunter might look like and how having one could help an organization.
I will talk a little about the common types of hunters, but I will talk more about my passion that is also my job.
My goal is to help clear a couple of things up and maybe spark some interest in this field that I love.

What do the front line protectors of this world need to be aware of when the adversary’s turn tech on them? No longer is it just a matter of catching bullets. Physical security teams now have more to consider. We give an insight to the world of close protection, the threat landscape and how they could be attacked.

There is a lot of swirl (and some crappy documents online) about how to CYA when you’re an independent consultant or a third party vendor doing pen testing / red team work for a client.

But what do you really need to know? And where do you draw the line/ walk away from a client? We’re going to talk about how you don’t end up on the hook for damages or screwed in a lawsuit by getting the paperwork right on the front end.

I’ll bring the information (and some docs you can adjust for your needs), and you bring the questions!

Many cybersecurity textbooks dictate that we disconnect from the network when a compromised PC is detected. In the case of sophisticated attacks like an APT, however, we can benefit significantly if we can observe how the adversary performed their attack and understand their TTPs and eventually their purposes and intentions. To realize these benefits, the observation needs to be conducted safely and covertly so that the adversary continues the attack.
We propose a new technique that transfers the attack to a safe observation environment without alerting the adversary so that we can keep observing their activity in real time. We propose first to prepare the Deception Network (D-Net) configured identically to the Operational Network (O-Net).
After a compromise is detected, the relevant network packets are modified so that communications between the compromised PC and the O-Net are seamlessly redirected into the D-Net, minimizing any further compromise of operational data and assets. In order to not let the adversary knows that their attack was transferred from the O-Net to the D-Net, we employ a sophisticated and unique packet rewriting technique using Software Defined Networking technology.

Deepfakes, or videos that utilize AI-based technology to create or alter content to misrepresent reality, are becoming more indistinguishable from reality. These videos frequently utilize face-swapping to falsify statements or actions of others. Threat actors could utilize this technology to create content that would cause significant market disruption- for example, a high ranking finance executive declaring their firm is no longer liquid, or the Chairman of the Fed stating that the US is unable to pay debt requirements. Proliferation of the content via social media has the potential to cause immediate impact to global economies, plausibly causing potential losses in the billions. Previous actions by threat groups have demonstrated this threat is not out of reach, as the necessary technology is low cost or free and technical barriers to entry are minimal. Financial institutions must be prepared to react accordingly.

Canary tokens are not a new idea, but are woefully underused. In this talk I will outline particular use cases and techniques to get more mileage out of the base concept. Rather than just a simple tripwire with limited environments it can be set in, we’ll cover how you can bait these canaries to provide additional context, such as the attackers IP or useragent, which victims visit a phishing page, or the accounts used in exfiltration. Depending on the context, you could even replace creds attackers are trying to phish for without the attackers attackers knowledge, or expand the beacon into something more C&C.

The implementations I will cover include a stealthy JS-based payload designed to trigger when ran outside it’s normal domain, a G-suite payload, as well as PDF/DOCX bait files. Additionally, explanations of how you can use various communication channels such as DNS to expand the reliability and stealthiness. For the DNS channels, a quick coverage of the necessary constraints you need to be aware of will be included, such as allowable character sets, subdomain lengths, # of subdomains, and multipacket stitching for longer messages.

You are looking for a way to continuously check the security of your Web/Mobile application before pushing new code to the production ?

The talk explain how to design and create a Disposable, Agile, and Scalable security automation tool set according to your security business requirements. The idea is to convert security tooling into micro services, and deploy them into a Kubernetes cluster.

This talk provide also some pitfalls to avoid in your journey to build a secure software supply chain.

Malware authors are always looking for new ways to achieve code injection. By using such techniques, a malware can run itself as another legitimate process on the system.
This is done for a few reasons which include:
• To hide the malware presence in the operation system
• To use other process context (for example, to bypass an application firewall)
• To mine data from the process (for example, form grabbing in browsers)
In general, by using such techniques, the malware writes part of its code in a remote process memory, and then causes the remote process to execute the injected malicious code.

Achieving code injection is becoming more and more challenging as traditional techniques are now widely detected by various security solutions. I found a new injection-less method to inject code to a remote process.
In this method I don’t use any of the known methods to inject code. To achieve the injection-less injection the remote process is made to read data from the injecting process by calling ReadProcessMemory. This code injection works only on x86_64 architecture.
In addition to this method, I found another way to copy data in the remote process. By copying data inside the remote process, I can recreate a shellcode from the injecting process. The second method should work on x86 and x86_64 architectures.

Do you ever wonder how you can influence the Department of Justice’s cybersecurity and law enforcement efforts? Over the last 5 years, the Computer Crime & Intellectual Property Section (CCIPS) has undertaken projects intended to improve cybersecurity by supporting the computer security researcher community. CCIPS, which is responsible for implementing DOJ’s national strategies for combating computer and intellectual property crimes worldwide, has helped DoD implement its “”Hack-the-Pentagon”” Program, published a vulnerability disclosure framework to help organizations adopt vulnerability disclosure policies, and advocated for the expansion of a researcher exception under the Digital Millennium Copyright Act’s Triennial Section 1201 Proceeding. Come listen to a status report from CCIPS, hear about DOJ’s upcoming plans, and tell them what you think DOJ should do next to help researchers.

Nowhere is the interconnected relationship between technology and the home more evident than the rapidly growing world of IoT.

What we see time and time again is that consumers care about security within their products, but most assume that a product is safe simply because it is for sale. We recognise it is not reasonable to expect everyone to become a cyber security expert, so we need to shift the burden off end users, support manufacturers of all sizes to embed strong cyber security principles, champion those that already do, and regulate to protect citizens from manufacturers that don’t take security seriously.

In the workshop, I will seek feedback on how effective legislation can be implemented, and how to ensure a system is set up to continue to protect citizens and the wider economy. Among this, I would like to explore the following questions…
– How can we ensure all manufacturers act responsibly and meet the baseline?
– How can we ensure the ‘floor’ doesn’t become the ‘ceiling’: ensuring transparency is built in above the baseline?

The more connected our world becomes, the more vigilant we
should be. We have a shared global responsibility to prevent the
Internet from becoming “weaponized” by increasing attacks by
criminal groups and state actors alike. We already have global
organizations to tackle physical emergencies and now we need new ones
to help with their counterparts in cyberspace. They should assist
those in need following a large-scale systemic cyber attacks and they
should bring the international cybersecurity community together to
prevent new attacks.

A CyberPeace Institute, an independent non-profit organization, should
be created to convene and fill three critical gaps in the current
cyber policy ecosystem: (1) investigating attacks against civilians
and civilian infrastructure that cause widespread harm and publishing
peer-reviewed analysis of such attacks; (2) assessing the harm caused
by attacks and how those attacks transgress international norms of
responsible behavior in cyberspace; and, (3) providing security tools
and assistance to affected organizations and individuals to help them
recover and be resilient. The Institute would rely on a robust array
of partnerships with leading civil society, academic, private sector,
and other interested parties to carry out its tripartite mission.

Hacking with good tools is a blast.

Sign up for the Storm Ethical Hacking Workshop and you’ll learn how to hack using the EC Council Ethical Hacking toolkit (Kit). In the workshop you’ll use iLabs to practice hacking skills on a live range with apps, from nmap, to Metasploit, from Aircrack-ng, to OWASP ZAP. You’ll learn the hacking process using the Kit, in addition to upgrading, installing, integrating and adapting your kit for hacking.

You’ll also learn how to move through a “”Capture The Flag”” challenge, hacking a vulnerable machine step-by-step, using the Storm Ethical Hacking Toolkit.

Weather you are a Maker/Hacker who already had his own code and tools, or a system admin who is interested in hacking, the Storm Ethical Hacking workshop is for you.

Join us! Ride the storm into the Storm Ethical Hacking Workshop and let’s hack!

Using cryptography is often a subtle practice and mistakes can result in significant vulnerabilities. This workshop will cover many of these vulnerabilities which have shown up in the real world. This will be a hands-on workshop where you will implement the attacks after each one is explained. I will provide a VM with Python dependencies and skeleton code included so you can focus on implementing the attack. A good way to determine if this workshop is for you is to look at the challenges at cryptopals.com and see if those look interesting, but you could use in person help understanding the attacks. While not a strict subset of those challenges, there is significant overlap.

You often hear that one of the first steps is to harden your servers and services – buy how exactly do you do that?

In this workshop, we will go through the various stages of hardening a Linux environment (Ubuntu) against attackers. During this workshop, we will consider common attack vectors and their mitigations, deploying security “feelers” and properly configuring the operating system and services against attacks.

This is an introductory level workshop (2-6 hours), hands-on, that allows participants to practice basic security hardening steps and customize their journey from that launch point.

Join Secure Code Warrior’s live tournament to prove your web application security knowledge of the OWASP Top 10 or if you simply want to learn more about secure coding.
Players will be presented with a series of vulnerable code challenges that will ask them to identify the problem, locate the insecure code, and fix the vulnerability.
Watch as you climb to the top of the leaderboard and be crowned the Secure Code Warrior. Prizes will be provided to the top 3 winners.

Have you ever wanted to learn how attackers break into websites and mobile apps?

At this BSides workshop, we explore a purposefully vulnerable web application and show you 15 common ways that attackers try to cause harm.

The workshop includes hunting techniques, exploit techniques, self directed vulnerability hunting and team based vulnerability hunting.

Some of the vulnerabilities are simple to find while others are much more difficult.

This event is open to participants with all skill-sets including people with non-technical backgrounds, developers, DEVOPS admins, Quality Assurance professionals, pen-testers, and more.

ICS cybersecurity has been a new subject for years now, especially since Stuxnet. Has the security level of ICS improved?
Well, we can probably say yes for network segmentation and patching. And it is mostly true for critical infrastructures that must comply with multiple laws. But what about the most critical components such as PLCs?

In this workshop, you will learn how to attack PLCs, by attacking ICS protocols: a legacy protocol, Modbus, and an open source protocol considered as the future of ICS communications, OPC-UA. To do so, what could be better than giving you hands-on experience on real devices by hacking our model train?

We will start by defining industrial control systems and its main components, and explaining the key risks and vulnerabilities that affect them. We will then focus on their key assets, Programmable Logic Controllers, and discover how they work, how they communicate, how they can be programmed to learn the methods and tools you can use to p*wn them.

Then we will move on to real-world by attacking real PLCs on a dedicated setup featuring robot arms and a model train! And to conclude, probably the most difficult, let’s discuss how to secure ICS.

Find out how Mitre’s ATT&CK can be used as a baseline for threat hunting. Starting with data hygiene and ending with an example hunt, we’ll show you how the Elastic Stack can help you find bad actors in a standardized and auditable way. Learn how the Elastic Stack’s latest capabilities enable interactive exploration and automated analysis.