Morning Keynote: Security is already here – it’s just not evenly distributed yet
When the FBI is having a hissy fit because Apple can’t help them unlock the data on a phone, you know it is pretty secure. On the other hand, there are products shipping without signed updates, and people still manage to make their S3 buckets world readable. The knowledge to build and operate secure systems is out there. Why don’t we implement it? This talk will take a look at how to distribute security more evenly across all technology.
Fri 9:20 AM — 45 min
The Devops Debacle: How & Why AWS Misconfigurations Occur
Lately, many organizations have been embracing Devops, a set of cultural philosophies, practices, and tools that increase an organization's ability to deliver applications and services quickly. It is this rapid development that has also led to a rat’s nest of misconfigurations that lead to massive data leaks.
This talk is addressed to developers, Devops engineers and the security professionals who work with them. It lays down some strategies on how to continue using Devops practices while incorporating security. The speaker will go over tools, techniques, cultural adjustments and development strategies for building better IAM roles and policies that can prevent unnecessary exposure on AWS. The author argues for a need to clean up the cloud and begin integrating security standards with Devops. Without sane guidelines on development and infrastructure management, misconfigurations and data leaks will continue to occur.
Fri 10:10 AM — 45 min
What Is HTTPS, and Why Does It Matter?
HTTPS, SSL, TLS, green check marks, browser padlocks, and "not secure" sites. What does all of this mean, how are they protecting you, and why should you be using them wherever possible?
In this talk, I'll discuss HTTPS, its advantages, the effect it has on privacy and code integrity, and basic implementation for site owners.
This talk has information for everyone, from entry level to the seasoned. Whether you are a site-owner, a curious internet browser, or a security professional, you’ll see why you should use SSL – even if your site doesn’t “submit” information.
Fri 10:10 AM — 45 min
Binary Spelunking with Ghidra
Software reverse engineering has traditionally had many barriers to entry. It tends to require background in multiple disciplines that sometimes have steep learning curves, and expensive or hacked-together tools that frustrate and quickly deflate motivation, especially for beginners. With the open-source release of Ghidra, there is now a free professional-class software reverse engineering platform available to all! This workshop will cover the basics of utilizing Ghidra for binary analysis, work through some tips and tricks for getting the most out of the tool, and motivate participants to continue low-level software exploration.
Some experience with a high-level programming language like C, as well as some exposure to an assembly language (x86, ARM, etc.) is expected. All examples will be built for a 64-bit Intel Linux host, so participants should be able to run this class of binary either via a virtual environment (VMWare, VirtualBox, Parallels, Windows Subsystem for Linux) or native Linux. Participants should also install and test Ghidra on their host machine prior to arriving at the workshop. Materials, instructions, and exercises will be posted here: http://bit.ly/BSidesRDU19
DURHAM CONVENTION CENTER ROOM 3
Fri 10:15 AM — 105 min
Honeypots can be implemented to discover new threat information or detect intruders on a network. However, while there are numerous free honeypots available, many of them can be complicated to deploy or require additional engineering around them to consume log data. Are you curious to learn more about honeypots? Are you interested in deploying your own honeypots on the Internet? HoneyDB consists of a honeypot agent and a data collection backend, which makes getting started with honeypots simple. In the HoneyDB honeypot workshop, you will learn about honeypots, configure and deploy a honeydb-agent in the cloud, and use HoneyDB tools to query honeypot data. This workshop is for beginner levels and up. See the latest details about this workshop at https://riskdiscovery.com/honeydb/workshop
DURHAM CONVENTION CENTER ROOM 2
Fri 10:15 AM — 105 min
Let's Get CyberPhysical: Learn it, See it, Secure it
In modern-day society, we rely on ever-present digital systems that sync with, manage/control and diagnose actual devices in the physical realm. This interconnected omnipresence can be observed in IoT (Internet of Things) devices, mobility (through smart cars and automotive cyberphysical systems) and ICS (Industrial Control Systems). As our need to increase the connection between the physical and virtual realms grows, so does the cyberphysical attack surface. For every innovative way we connect our critical systems and infrastructure to the internet (and remote devices), the constituents of these connections need to be secured. Any damage caused by a cyberphysical attack can result in damage to infrastructure and property and, most importantly, loss of life.
To properly converge the physical and the digital, air gaps need to be bridged, and devices and their connections need to be secured and scrutinized at all layers. In an effort to meet market relevance and need, some connect their networks and devices straight onto the internet, leaving them vulnerable to all manner of exploits.
This presentation aims to make the audience familiar with different types of cyberphysical technologies, the dangers that these technologies face, and practical ways to "take home" to secure their cyber-to-physical convergence.
Fri 11:00 AM — 60 min
More Tales From the Crypt...Analyst
The speaker, a former Cryptographer for the National Security Agency (NSA), presented “Tales from the Crypt…Analyst” at GrrCON 2016 where he shared some of his experiences as both a designer of and breaker of cryptographic systems. “More Tales from the Crypt…analyst” will pick up with the speaker’s third “tour of duty” at NSA where he became one of the founding members of NSA’s first penetration testing or Red Team. While the thought of NSA hiring hackers or engaging in cyber warfare might be fairly common today, it was not always the case. Somebody had to be first, and the policies, procedures, methodologies, and rules of engagement had to be developed for not only conducting what we called Vulnerability and Threat Assessments, but for successfully navigating the politics, bureaucracy, and reticence of this often-misunderstood clandestine organization. The first NSA penetration testing team was assembled as a part of the newly formed center of excellence that NSA called the “Systems and Network Attack Center” or SNAC. To quote Charles Dickens, “It was the best of times, it was the worst of times, it was the age of wisdom, it was the age of foolishness, it was the epoch of belief, it was the epoch of incredulity, it was the season of Light, it was the season of Darkness, it was the spring of hope, it was the winter of despair, we had everything before us, we had nothing before us…” Come hear some war stories from the early days, and see how this industry and the practice of penetration testing has evolved in the past 25 years.
Fri 11:00 AM — 60 min
I've Looked At Cloud From Both Sides Now
It seems that all organizations these days are either migrating critical computing capabilities to the Cloud, or have already done so. The benefits can be significant from financial, administrative and elasticity perspectives, but what about the drawbacks - such as the loss of hands-on control, the over-reliance on service level agreements and third-party audit reports, and the potential lock-in with Cloud providers? This tongue-in-cheek presentation will present the pros and cons of running critical computing services in the Cloud, highlight Cloud-related business risks, and expose the potential pitfalls when organizations don’t sufficiently staff up to perform adequate assessment, oversight and control on these external infrastructures and services.
Fri 1:00 PM — 45 min
The Top 5 Ways I Own Your Internal Network
This talk discusses the top five ways I own internal networks when performing internal penetration tests. The talk will briefly discuss each topic, perform a live demonstration of the attack (with backup slides of course because live demos are sketchy), and discuss blue team prevention measures. The talk will demonstrate how an attacker can leverage these attacks for lateral movement purposes and domain admin access. The ideal audience for this talk is junior penetration testers, blue teamers, C-levels, and anyone interested in common internal Active Directory network attacks.
Here is the talk outline:
1. Introduction (5 minutes)
1.2 Why this talk?
2. Attack #1: LLMNR poisoning/hash cracking (7 minutes)
2.1 Brief overview of the attack and vulnerability
2.2 Live demonstration of the attack
2.3 Attack prevention/blue team measures
3. Attack #2: Pass-the-hash/Pass-the-password (7 minutes)
3.1 Brief overview of the attack and vulnerability
3.2 Live demonstration of the attack
3.3 Attack prevention/blue team measures
4. Attack #3: Token Impersonation (7 minutes)
4.1 Brief overview of the attack and vulnerability
4.2 Live demonstration of the attack
4.3 Attack prevention/blue team measures
5. Attack #4: SMB Relay (7 minutes)
5.1 Brief overview of the attack and vulnerability
5.2 Live demonstration of the attack
5.3 Attack prevention/blue team measures
6. Attack #5: Kerberoasting (7 minutes)
6.1 Brief overview of the attack and vulnerability
6.2 Live demonstration of the attack
6.3 Attack prevention/blue team measures
7. Q&A/Questions from audience (5 minutes)
Fri 1:00 PM — 45 min
Active Directory Kill Chain Attack and Defense
This talk covers the specific TTPs that matter most, how to address them from both a Red and Blue team perspective, and what truly matters most from the perspective of the vendor that owns what we call Active Directory.
Fri 1:50 PM — 45 min
Illuminating Malware Adversaries with MalBeacon
It is far too easy for anyone to obtain a malware kit from the Internet and use it to breach an organization. A new system of its kind, MalBeacon is a fresh take on offensively gaining attribution intelligence on knuckleheads using these kits.
Fri 1:50 PM — 45 min
Extracting the Attacker: Getting the Bad Guys Off Your SaaS
The Microsoft Office 365 suite contains many applications that can help organizations do some amazing things. But occasionally, a user account will get compromised by an attacker. You can (and should) reset the user password, but is that enough? If that was all you needed to do, this would be a VERY short session. Regaining control of a user account does take a little more effort to ensure the attacker isn’t just temporarily inconvenienced.
How do you extract the attackers and get them off your SaaS?
I’ll walk you through some sneaky areas where attackers can retain access and show you how to shut them down. I can almost guarantee I’ll show you some attack methods you haven’t thought of before!
Fri 2:40 PM — 45 min
Starting A Dumpster Fire: Data Exfiltration
I've been extending https://github.com/PaulSec/DET. I've added more plugins and functionality to the tool, including plugins based on https://github.com/ytisf/PyExfil, along with PowerShell to complement the Python modules. Teredo and 6to4 have also been included as tunnel methods.
This would be a presentation covering my development of the tool along with the methods it uses to bypass DLP.
Fri 2:40 PM — 60 min
Extinguishing the Vulnerability Management Dumpster Fire
Vulnerability management seems like it should be no more than a harmless birthday candle, but too often it escalates to become a full-on dumpster fire complete with flaming sofas.
All effective security programs have to deal with vulnerability management. It all seems so simple. Vulnerabilities are discovered, patches are released, configuration changes are made and no systems should ever remain vulnerable. How do enterprises end up with hundreds of thousands of known vulnerabilities? In practice, enterprise vulnerability management is a tangled web of change control, fear, hurt feelings, misinformation, and lack of knowledge. Vulnerabilities pile up, patches do not install even when administrators try to push them. The company rapidly loses faith in the vulnerability scanner and teams accept the inevitability of failure.
This is an example of a troubled vulnerability management program that recovered and then returned to abject failure. We began with half a million vulnerabilities across around 5000 systems. During a three-month period with a modest team and a plan, we reduced the number of unaddressed vulnerabilities by more than 80%.
This presentation details the team, meetings, patch schedule, and process to reduce known vulnerabilities across the enterprise followed by how to tank a previously successful program. There are no gory technical details and the presentation is suitable for any skill level. The target audience is anyone working vulnerability management in an enterprise.
Fri 3:30 PM — 30 min
Afternoon Keynote: The more things change...
Sometimes it feels like we’re treading water in our industry. As we make changes to our organizations and try to improve our security, new technologies and new threats can make us feel like progress is impossible and cybersecurity is a Sisyphean task that has no end.
But is it? Is our industry an eternal dumpster fire that will burn forever? Or are we at an inflection point where maybe This Time Things are Different?
This talk will examine trends and changes in technology, threats, and security capability to try to figure out what the future holds. Rather than being a “stare deeply into a crystal ball” examination of the future (which is easy to do but holds little value), this talk will focus on “what can I do to make the future better.” I will talk about development and testing processes, risk management, the cloudy-clouds, and *gasp* cryptocurrency. By the end of this talk, you’ll hopefully be more optimistic about our collective future and how we can work together to make the Internet a bit more secure.
Fri 4:05 PM — 45 min