BSides Las Vegas

Christien Rioux will be discussing ‘The Security Industry: How to Survive Becoming Management’. Discussion about what the path to management looks like, what to expect from a start-up experience in the security industry, and how to carry the hacker ethos forward into the culture of a company. Learn the do’s and don’ts of running a hacker company, and how to lose your hair as quickly as possible.

"There are nearly 1,000,000 free and paid Android apps available. A very small percentage of these mean to do you harm. Figuring out which apps are the bad ones is difficult enough for the average user, but it’s not much easier for malware analysts. Analysis tools and automation can help to filter this flood of apps. Towards the end of discovering new unknown malware in a timely manner, we are developing new heuristics. We will cover: * Existing analysis tools: manual and automated * Data leakage and permissions abuse * Development of new tools and heuristics for malicious Android apps * Comparing the results of running the heuristics vs. manual analysis"

Exactly two years ago I gave a presentation on weaknesses in diabetic medical devices, and how similar they were to industrial SCADA systems. Well, I got a new insulin pump, and I have managed to find more problems. This will be a very unique talk where the audience will get to see over a dozen different diabetic devices, touch and poke at them, ask how they work and see them attached to me. Also part of the discussion will be these devices in context: How are they used? What are the implications of their failure? There will also be a live demo of a critical software flaw that has never been discussed publicly! There will be needles. There will be blood. There’s a chance the speaker might not even survive.

"Overzealous Admin: “I bet you can’t break in to my network! I got my stuff together…” Pentester: “I’m just here to help out and find the weaknesses the bad guys might or have used.” Overzealous Admin: “Well I have a corporate network with a level 8 Paladin firewall taking +2 hit points, a level 3 Rouge IDS to disarm your Smurf Attack, a level 5 Wizard SEIM solution with +3 powers of divination, and a level 2 Devoted Cleric antivirus to heal your malware infections!” Pentester: “Um…your CEO shared all his docs on Dropbox. Didn’t your Wizard tell you?” Lets play a game of fantasy tower defense with your infrastructure? Instead of measuring the price of your implementation, lets concentrate on if it can really protect you! If your defense isn’t mobile, agile, or technically relevant to where your users and data are then you’re still waging medieval siege warfare! Who cares about networks, servers, mobile computing, and BYOD! How about we review some modern security practices to protect what’s really important…YOUR DATA…without attending a single vendor song and dance routine. In the end, we’ll collaboratively outline a new approach to securing your assets that doesn’t focus on patching or hardening a single device or buying something. Are we doing this all wrong? You may even be convinced to throw away your firewall altogether!"

Some data is too sensitive or volatile to store on systems you own. What if we could store it somewhere else without compromising the security or availability of the data, while leveraging intended functionality to do so? This presentation will cover the methodology and tools required to create a distributed file store built on top of a JavaScript botnet. This type of data storage offers redundancy, encryption, and plausible deniability, but still allows you to store a virtually unlimited amount of data in any type of file. They can seize your server — but the data’s not there!

This presentation intends to cover the thought process and logistics behind building a better wordlist using github public repositories as its source. With an estimated 2,000,000 github projects to date, how would one store that amount of data? Would you even want or need to? After downloading approximately 750,000 repositories, storing 10TB on multiple usb drives; this will be a story of one computer, bandwidth, basic python and how a small idea quickly got out of hand.

Lair is an open-source project developed for and by pentesters. Built on Meteor and Node.js with a dash of Python, Lair is a web application that normalizes, centralizes, and manages diverse test data from a number of common tools including Nmap, Nessus, Nexpose, and Burp. Unlike existing alternatives, Lair encourages team-based collaboration by automatically pushing updates to team members in real time. Paired with it’s workflow and documentation management, Lair offers a single solution for performing a detailed, thorough penetration test individually or as a team in a manner that has not been done before.

Many social engineering talks focus on the exploitation of trust relationship and the resulting compromise of corporate and personal assets. However, what happens after the pwnage is done? This session opens with the aftermath of a successful social engineering incident on a major automotive financing company. Attendees will learn of the methodical analysis of the interactions which led to the compromise of customer information, as well as employee and executive network credentials. The case study also illustrates how this organization was able to use the forensic analysis of social interactions to enhance its customer service business processes. This information was used to engage employees in protecting information with the associated business processes. Most importantly, the customer care process was transformed such that it was able to frustrate social engineers and enhance the experience of their customers. Attendees will learn: - How the incident response team used log information and incident investigation to determine the social nature of this incident. - How the incident response team employed Open Source Intelligence techniques to profile the social attack surface, narrowing the focus of their investigation. - How the incident response team worked with management to modify business processes to be resilient in the face of social exploits.

Why is the diamond a sign of love and devotion? Why do baseball players always step over the first base line? The history behind these questions are examples of how small manipulations can make changes in the behavior of millions. Kati Rodzon uses her background in behavioral science to demonstrate how easy it is to social engineer your own behavior as well as those around you. Want your dog to fetch you a beer? How about get your friend to think that he has to stand up and point his remote at the wall before the TV will turn on? Done. Changing behavior is easier that you might think. Get ready to learn some history and social engineer your way into anything.

While the past isn’t a direct indication of future performance, knowing the past is essential to predicting the future. In security, this requires reviewing large quantities of vulnerability, defect and exploit data to fully understand how attackers are likely to approach their task. While there have been many annual reports on the vulnerabilities produced by individual tools, this view can be myopic based on the focus of that particular product: Network, Database, Operating System, Dynamic Application, Source code, etc. It is impossible to get a full picture and how the different components relate. This talk is a comprehensive look into a data set that spans all of these. Instead of examining a single tool, this talk represents the aggregation of data from 20 of the leading security tools on the market and a thorough review of the data they generate. First, we examine the overlapping data generated from the aforementioned tools. Next, we will compare and contrast it with the output of multiple breach reports and databases, and extract trends that may be important in helping us reduce the number of breaches in the future. The corpus of this research is from over 30,000,000 vulnerabilities analyzed from the past 12 months, generated from across some of the largest corporations in the world.

Interested in building your own pen test training lab but lack the hardware or software to roll your own? One option is to go the way that most companies are doing these days and build your own “infrastructure” in the cloud. Not only do you get the cloud benefits of only paying what you use and the ability to expand when needed but you also get a range of licensed victim servers to choose from. This talk covers the basics of Amazon’s EC2 cloud infrastructure (e.g., EC2, VPC, basic network and routing, Elastic IPs, Security Groups, VPNs, and Snapshots) and step-by-step instructions on configuring this infrastrucutre to build your own isolated test network complete with licensed victim servers or customized AMIs.

How can you secure your server if you have no idea what files, registry keys, users, groups, services, or other artifacts are created when an application is installed? Most vendor documentation fails to detail the intricacies of an application’s installation footprint down to individual files. This makes securing the application, not to mention the development of enterprise policies and procedures for the application, an arduous and ultimately ineffective task. Using a combination of malware analysis techniques, package management utilities, and some homegrown tools, anyone can understand exactly what an application is going to do to your server and how its installation impacts your attack surface area. With this knowledge in hand, an organization can translate the newly created application map to Chef, Puppet, and RightScale configuration scripts to better automate its server and application fleet deployments. The map can also be used to help tighten controls for more accurate and continuous operational and security monitoring of applications. In this talk Andrew Hay, CloudPassage, Inc.’s Director of Applied Security Research, will present a repeatable and application-agnostic methodology to quickly and easily: - Use malware analysis techniques to profile any application before its installation - Identify undocumented post-installation application artifacts worth monitoring - Build new, and leverage existing, automated tools to expedite the entire identification process

It is possible to eat healthy foods, moderate (or even eliminate) alcohol consumption, and exercise- both at home and while traveling. But life is too short for that nonsense, so let’s enjoy ourselves; if you’re worried about shortening your life with food and drink you clearly have too much to live for. This talk is about exploration and discovery, but in generally low-risk situations- no pith helmet required (but if you can rock one, I say go for it). The presentation begins with an introduction to classic (and no-so-classic) drinks, starting with an exploration of bitters- those magical elixirs which have evolved from impotent herbal remedies to potent flavoring agents. I’ll explore the history, evolution, and popularity boom of bitters, and delve into making your own bitters. The discussion of bitters leads into their use in drinks both tame and wild, and their role in the revival of the cocktail scene- including a few suggestions for drinks both alcoholic and not. The ensuing quest for proper cocktails leads us out of our hotel bar, and into more interesting venues where good drink leads to good conversation, which leads to learning more about drinks- and also leads to local knowledge. Local knowledge leads to more entries in the ever-evolving Erudite Inebriate’s own Traveler’s Survival Guide. This phase of our journey includes discussions of how to find the good stuff, how to have a socially-acceptable amount of fun, and how to stay somewhat safe while doing it. I will close by delivering a short “Business Traveler’s Survival Guide to Las Vegas” as an example of these ideas.

While information security is widely considered a negative-unemployment industry (it’s actually closer to 3%), most of us will look for a job at some point. Seasoned technical recruiter Eve Adams (@HackerHuntress) provides infosec-specific insight on writing resumes that attract the kind of attention you want, getting short-listed for cool positions before they’re even posted, strategically riding infosec employment trends, and how to most effectively work with those delightful recruiters. This talk will have something for those just entering the workforce, mid-career security professionals, and former VAX hackers alike!

As infosec practitioners, we often operate in a vacuum or within silos. Reaching out to others in the community to share ideas, indicators, and problems helps to build a more relevant, diverse security program. Find out about a specific threat or incident as it unfolds: learn what others are doing tactically to combat this threat along with mitigation strategies. Get out of that vacuum. Once we can accept that security does not provide a competitive advantage, doors to information sharing will open, and everyone will see the benefit. As the saying goes, a rising tide lifts all the ships. In this talk, I will show ways that security peeps at all career levels can effectively share information. Analyst-to-analyst communication is just as important as management-to-management communication. Certain avenues already exist like ISACs, but they constrain the sharing to a sector vertical. There are opportunities I will present that go beyond ISACs. I will discuss the legal challenges as well as solutions we’ve found for overcoming them. An end goal is to facilitate the development of professional and trusted relationships among peers and subject matter experts to protect our organizations. Additionally, I would like to introduce an idea for getting feedback on documentation. Infosec Peer Review is a concept to facilitate sharing of documents such as policies, procedures, and reports and getting constructive feedback on them in a secure way.

It is never too inchoate to commence elucidating your obfuscated intelligence. Have you ever really listened to yourself or read what you have written? How many words can be reworded or dropped from a sentence to make your message clearer? As a listener and reader, it is hard enough trying to remember the various InfoSec-specific acronyms without surrounding them with various $5 words and extra, fluffy crap. In this talk, I will truly show how cheap talk is by not wasting money on wordage.

Despite being l33t technologists, many infosec leaders feel overwhelmed, marginalized and resigned to the notion that CISO stands for “Career is So Over”. This talk is about positive deviants; those who steer clear of the scape goat mentality and establish themselves as business leaders and facilitators. Come hear about one CISO’s “cage rattling questions” and how he harnesses for influence; or another CISO’s “Do not do” list that will make you cringe. If you are responsible for your company’s security program (or would like to be) come participate in this conversation on what it takes to deliver WIN.

Does this sound painfully familiar: After hardening your systems and implementing a firewall, application and vulnerability scanners, network intrusion detection, and comprehensive patch management – Your internal web server was still compromised. To make matters worse it was then used as a pivot point to compromise your whole network. And you didn’t even know it had happened until you got a call from an external security organization. Like the Little Dutch Boy in that famous story, you discover the tiny hole in your network defenses that the bad guys were able to sneak through undetected. And you realize that the clues were there all along. If you had seen those simple clues, you could have plugged the vulnerability before it was exploited and prevented the whole mess. This was the genesis of a new continuous monitoring tool called OMENS. OMENS is a free Windows web server monitoring tool designed to monitor, detect, and block the attackers that traditional Network Monitoring tools can sometimes miss. In this presentation the creator of OMENS will discuss the blind spots that Network Monitoring systems suffer from, and how these holes can be plugged by a distributed, host based monitoring system. He will also discuss how OMENS is being used to monitor for hostile actors, understand their activity, and to remediate the possible flaws they are probing for – Before they can be exploited.

The Hacker Mentality is applied to technology with fervor. Take a thing, learn how it works, make it do cool things, bend it to your will. Yet in other areas, we take things at face value and not question them. We need to learn to apply the line of thinking we have for technology to solve our other issues. The talk is an attempt to give a overview of the journey I have been on for the past few years to identify my issues (depression, anxiety, overweight, self esteem), learn about the topics, dig through the garbage, learn to question everything that has been documented, and then apply it to where it mattered, myself. The point of the talk isn’t to give any mind blowing revelations on how to solve anything, rather to try to say that the only person who can solve the problems are those with the problems. I plan to share random facts that I have picked up during my investigations into mental health, physical health and other topics, talk about my obsessive metrics gathering/biomining and hopefully inspire others to take an educational journey of their own.

There is no one single device that will provide a total security solution. All those “magic” and 4th quadrant solutions will not protect you. Security is not a framework, not a destination, and not a weekend of overtime implementing a new tool. It is not news that organizations need defense in depth or layered defenses. Too many organizations are stuck in a reactive security mode. Businesses react to network alerts, researching events in the morning from the day before. They react to virus detections when the av solution emails them a report. Each security solution only provides a part of the answer to the question “Am I owned?” Network alerts only provide a partial picture, same with host monitoring. By combining logs, network alerts, and system alerts a much clearer picture emerges. This talk will show that you can detect system compromises days, weeks and even months before antivirus will catch it. It will cover key system events and locations to monitor. Network events that you may not currently be watching for that you absolutely should be watching. Plus how simple visualization of log data can make potential compromises really stand out. Examples from compromises will be used to reinforce the concepts presented.

The information security industry is notorious for flameouts of brilliant people. In looking back at the circumstances that lead to a dramatic situation, we can usually find early indicators that bad things lie ahead and fail to take timely action to avoid tripping into the abyss. In some instances, we feel that we are trapped in the darkness and we are alone. How do we identify when we or others near us are on a bad path? How do we recover? Once we’re back in a good mental state, what can we do to protect ourselves from the dark places?

Come one, come all! In this stimulating oral presentation, learn how to harness 3D printing technology for a purpose that we can all get behind: sex toys. You’ll be taken through the ins and outs of erecting your perfect toy right in the privacy of your own bedroom: from design, to material choice, to post-processing, it’s only as hard as you want it to be. You’ll learn how to program your first sex toy’s own unique curves, and you’ll also learn why privacy, anonymity, and choice all dictate that your next 3D model should be for personal use only.

One of your company’s laptops was just stolen. You know that there was sensitive information on the machine. You also know that full disk encryption was deployed. Is your data safe? Can you prove it? Many organizations are flocking to full disk encryption solutions as a solution to their data security requirements. Unfortunately, many of these installations view the deployment of full disk encryption as a panacea for any and all security concerns for their laptop fleets. All too often, these systems are not properly configured and adequately tested. In this talk, Tom will analyze the challenges associated with attacking and defending systems protected with full disk encryption. Many of the examples provided will draw from Tom's personal experience, including several scenarios where a fully encrypted and powered down system was fully compromised as part of a penetration test.

As we are becoming more immersed in technology the “talent” of face to face communication is becoming a commodity. This talk will look at Communication Degradation and its effect on social engineering effectiveness and fundamental communication skills. While Communication Degradation is not new, research into it and its effects are. This talk will explore some of the new research being done in the area as well as look at some future research that is going to be taking place soon.

Much talk has been given to the concept of burnout and recurring feelings of futility by InfoSec professionals.This talk will discuss the Japanese concept of the craftman’s spirit — “shokunin kishitsu”, and how that mindset can help you find some fulfillment in your job in what can be a really frustrating industry.

“See the world. Meet interesting people. Hack the planet.” You don’t have to join the military or the Peace Corps. Just be ready, able and enthusiastic to DROP TABLE status_quo;– There’s nothing stopping you from living your dream except a little bit of information and that first step. Hack Java from Java, Indonesia. Drop O’Day from a Dublin pub. Run Kali from Cali, Colombia. Beau and Taylor want to engage the BSidesLV attendees with stories of our WINS and FAILS. We want to hear your stories and inspire you to live your dreams as we are doing. We’ll tell you what’s worked for us and give ideas for what might work for you. We’ll pay cab fare for anybody who heads straight to the airport to GTFO FTW!

Trying to make non-security people to follow security systems is incredibly difficult when it works, and incredibly difficult and frustrating when it fails. This presentation not only describes what to do and what not to do, but also why the different approaches work or not. There are simple guidelines, based on psychological principles, that can help you develop more successful security systems. Explaining and developing security systems in a way that anyone can understand means you can get them to decide to do what you wanted them to do in the first place.

With all of the recent focus on Android vulnerabilities, the Android landscape seems like an antivirus vendor’s dream. Unfortunately, for those who are using traditional protection software, the Android security software landscape is just as full of holes as Android itself seems to be. In this innovative talk, Allan and Mike will describe the issues within the Android OS’s design and the failure of most security tools to protect it, while at the same time writing active malicious code that will compromise a current Android device with any of the currently available protective software installed while on stage.

Network Video Recorders (NVR) are network devices that record and store video from local and remote IP cameras on HDD storage. These NVRs are increasingly used in surveillance systems of homes and businesses. In this presentation, we will analyze the (in)security of NVRs from one of the reputed manufacturers of these devices. The presentation will cover how NVRs work, analysis of NVR firmware and a step-by-step demo of how an attacker could take complete control of these devices. Once an attacker has control of the device, he can monitor videos from all the cameras connected to the device in real time from anywhere via his smartphone. I will also release a tool to remotely detect and own a vulnerable device in the wild.

Independent researchers are lifeblood of the hacking community. Discovering new vulnerabilities, formulating new strategies and ideas, publishing white papers and blogs, and creating new tools, these visionaries help move our community and industry forward. Unfortunately, many outside of the community look down upon independent security researchers and dismiss their ideas and work. This can be for numerous reasons, such as the research not working for a specific organization or company, the lack of scientific and academic standards, or just a prejudice against the concept of independent research. Even worse, for our community, we have recently witnessed the prosecution of some of these researchers for crossing real or imaginary legal lines during the pursuit of their study. One way to help legitimize the researchers to others in the corporate and academic communities, as well as help them avoid legal trouble, is the creation and adoption of research guidelines. The first half of the talk discusses some of the potential pitfalls and prejudices independent security researchers face, especially in regards to security disclosures. After that, there will be a frank discussion with audience members about their concerns and fears in terms of research, as well as what they would like to see in a research framework. Finally, volunteers will be invited to help create the framework.

Come witness the prognosticators of the SIEM as we travel through the mysterious 5 Ages of Logging and Security. We will reveal the (likely bleak) future of every InfoSec pro’s fave topic, Log Review. Our holy mission is to make you think about log review in a new light, discuss how to make it suck less, and to make you laugh about things that would normally lead to sadness and cutting yourself. The 5 Ages of Logging: Anarchistic - There were no logs, the IT world was a dark & chaotic place, which was pretty cool, albeit kinda scary. Monolithic - There were logs, but no one cared/bothered to look at them. Life was good. Realistic - There was log review, and it sucked, like really – a lot. Craptastic - Miraculously SIEM was created, and it sucked too, but slightly less so. Supercalifuturistic - There will be something ‘better’ and it will also suck. And you will pay too much for it from your favorite greedy vendor(s) because your CISO told you to get some of that stuff that is on the cover of or he heard about at the IT Managers happy hour at the local sleaze joint… Why? Come to the talk… Live onstage [redacted] demo included. You will laugh at least once – or your money back! Satisfaction Guaranteed except where noted, especially Nevada.

Sex, drugs and… censorship? This talk includes the Sex + Drugs talk that was censored under duress at BSides San Francisco, and begins by exploring why no topics should ever be off limits in hacker communities – and especially, why no topic should ever be off limits because there are women in the room. Solutions are offered to the community for current dilemmas posed by sex-negative and anti-harm reduction acts by feminist extremists in hacker communities. This Common Grounds Keynote also serves as an introduction to community-focused concepts – including the very necessary refusal to be silenced.

We have some good news and some bad news. The good news is that security is now top of mind for the people of planet Earth. The bad news is that their security illiteracy has lead to very dangerous precedents and this is likely just the beginning. The reactionary stances taken by the hacker community has induced burnout and fatigue with many of us watching our own demise. We’re here to help us all hit rock bottom in the pursuit of something better. At some point the pain of maintaining inertia will exceed the pain of making changes, so it is time for some uncomfortable experimentation. While it may be overwhelming to think about, this is what we do. We hack systems. Finding flaws in the digital world comes naturally to us. We can and must do the same to the physical world; the media, governments, and lawmakers in order to survive the next decade. Let’s get started.

Signatureless attack detection is becoming the hot topic in threat prevention. Client side security vulnerabilities are often found in zero day exploits in the wild, meaning that signature based intrusion detection and prevention systems are not likely to catch these attacks. Signatureless detection systems are designed to detect these kinds of attacks and they do provide some additional layer of security. One of the techniques deployed by signatureless is called sandboxing. In sandboxing , the signatureless attack detection systems executes files that are being transferred in networks in sandbox. They carefully instrument the execution and based on that determine if the file was malicious. We have analyzed signatureless detection and particularly the sandboxing technique, and we have and found several issues in the concept. We have also found ways to completely evade sandboxing. We have taken some peeks into one of the market leading sandboxing product and will discuss about our findings. In this presentation we will highlight the problems we have identified in signatureless attack detection and sandboxing, and present our findings regarding one of the market leading product. The attendees will better understands limits of these systems. Even though they do provide additional layer of security, there are issues one should know.

Cybercriminals persistently challenge the security of organizations through the rapid implementation of diverse attack methodologies, state of the art malware, and innovative evasion techniques. In response organizations deploy and rely on multiple layers of diverse security technologies. This talk examines the “kill chain” and the measured effectiveness of typical defense technologies such as Next Generation Firewalls, Intrusion Prevention Systems IPS, Antivirus/Malware Detection, and browsers internal protection. Empirical data on the effectiveness of security products derived from NSS Labs harsh real world testing is presented together with a live demonstration of successful evasion of malware detection. We find a considerable gap of protection levels within/and across different security product groups. The presentation will be backed up with a paper to be made available to attendees.

With all the security products you use, you still don’t have confidence that your networks are malware-free. And you’re right. They aren’t. You want to know a dirty little secret? There IS a way to discover the most advanced malware! This discussion comes straight from the guys in the trenches who have been dealing with real world advanced malware for years. We are not in pristine labs, but the kind of environments that most of us really have, but won’t admit in public. Through our own wins and losses at defending our environments, we have identified what works and what doesn’t, and have created the Malware Management Framework: A simple methodology for defending your systems against the most advanced malware. We will cover the Malware Management Framework and provide specific, actionable items on how to use it in your environment with tools you may already have, and free tools you have not yet seen. If you are responsible for defending a network, and you want to have higher confidence that systems in your environment are malware-free, you need to attend this discussion.

A detailed analysis of password policies and authentication controls for widely-used websites hadn’t been conducted and seemed to be a daunting effort. To address this I supplemented automated and semi-automated data collection with the utilization of low-cost marketplaces like Amazon Mechanical Turk and the implementation of a system which allows volunteers to add, update, and modify data. I will cover my methodology, analysis of the collected data, challenges, lessons learned, and future plans.sites’ Password Policies and Controls.

This talk is about the ways the many components of governments interact and respond to challenging and anomalous events–highly relevant to hacking by all definitions and at all levels. If you don’t know the lay of the land, you can not engage in appropriate research and reconnaissance, counter-measures, and operations. The proliferation of reliable reports of unidentified flying objects from the 1940s forward represented just such a challenge. The phenomenon was anomalous, well-documented, and certainly challenging—because, as Major General John Samford said, “credible people have seen incredible things.” The UFO History Group includes some of the best researchers in the field. Richard Thieme was privileged to be invited to join the group and their project which resulted, after nearly 5 years of work, in “UFOs and Government: A Historical Inquiry,” an outstanding work of historical scholarship that nevertheless reads like a fascinating detective story. In almost 600 pages and with nearly 1000 citations, the work illuminates the response of the government since the early 1940s. how and why policies were set, and how they were executed. The book has been recommended by CHOICE, the primary resource for academic libraries, for inclusion by libraries at all levels because the book stands out as “an exception” in a field filled with speculation (there is virtually none in this book). Other reviews say, “this is the best book about the UFO phenomena that was ever written” and “UFOs and Government is a triumph of sober, conscientious scholarship unlikely to be equaled for year s to come.” You have never heard a talk like this – about a subject that has been ridiculed and marginalized intentionally for sixty years as a matter of policy and politics. As Don Quixote said, “insanity is seeing things as they really are.” This speech uses UFO phenomena as dye in the arteries of “how things really are.”

There is one very important fact, most people overlook when considering privacy and user data: Data cannot be owned. Personal data cannot be owned. This small fact has astounding implications when considering privacy. Consider the intersection of two distinct, troublesome areas: data broker operations and the computer fraud and abuse act. When considering threats to the integrity of your network, advertisers are not the first thing that comes to mind. Yet the market for user data is so rich right now that it is ripe for exploitation. The brokers can buy and sell any data they wish, with no concern for the origin or means of acquiring data. They are not required to and unwilling to reveal their sources. Some provisions in the Computer Fraud and Abuse Act open up the opportunity to acquire data surreptitiously by discouraging the public from discovering what may be happening to their data. Quiet, quasi-criminal operations could exist that syphon data that is illegitimately collected and sell to legitimate brokers. The result of this alignment of circumstances is that there is an entirely unexplored class of attackers that may operate beneath the radar, yet out in the open. The data market is not something that has the potential for regulation, so it is incumbent on organizations to be aware of the threat and take appropriate measures to contain it.

As security professionals, almost every action we take comes down to making a risk-based decision. Web application vulnerabilities, malware infections, physical vulnerabilities, and much more all boils down to some combination of the likelihood of an event happening and the impact of that event. Risk management is a relatively simple concept to grasp, but the place where many practitioners fall down is in the tool set. The lucky security professionals work for companies who can afford expensive GRC tools to aide in managing risk. The unlucky majority out there usually end up spending countless hours managing risk via spreadsheets. It’s cumbersome, time consuming, and just plain sucks. After starting a Risk Management program from scratch at a $1B/yr company, I ran into these same barriers and where budget wouldn’t let me go down the GRC route, I finally decided to do something about it. At BSides Las Vegas 2013, I would like to formally debut SimpleRisk, a simple and free tool to perform risk management activities. Based entirely on open source technologies and sporting a Mozilla Public License 2.0, a SimpleRisk instance can be stood up in minutes and instantly provides the security professional with the ability to submit risks, plan mitigations, facilitate management reviews, prioritize for project planning, and track regular reviews. It is highly configurable and includes dynamic reporting and the ability to tweak risk formulas on the fly. It is under active development with new features being added all the time and can be downloaded for free or demoed at http://www.simplerisk.org. With a simple, powerful, and cost-effective tool and some basic risk management knowledge at your disposal, you too can become the security rock star that your business seeks out for risk-based decision making. Let me show you how to convince your management, your peers, and yourself that Risk Management doesn’t suck.

I used to be a security professional, but even my boss didn’t remember my name. My brilliant ideas weren’t listened to, I was never invited to speak at conferences and not even my mother visited my blog. In this talk I will take you down a journey of self-discovery that took me 3 years and went from another faceless security dude, to being slightly less faceless. What worked, what didn’t work and all the behind-the-curtain magic exposed. If you’re interested in carving out your own space, making your voice heard amongst the 100′s of security ‘rockstars’ and dinosaurs who get all the attention – this is the talk for you to attend.

Automation is key when it comes to production. The same is true for malware. Malware production has moved on from the traditional manual method to a more efficient automated assembly line. In this talk, I will take the audience on an over-the-shoulder look at how attackers automate malware production. Discussion will focus on the tools and methodologies the attackers use to produce thousands of malware on a daily basis. The talk will then conclude with a live demonstration of how malware is produced in an automated fashion.

Breaking in is half the battle. I’ve talked to so many people whose only objective is to try and break into systems. I get that. It’s awesome, the rush you get when you bring up that shell. But what then? Ops hardening does not end at the outer shell. Once you’re in, you still have to navigate the maze of files, directories, and permissions that is the Linux file system. This talk will cover discovering services, utilizing simple and moderate netcat commands, combining netcat with crontab to create access windows, utilizing /dev/tcp to create a reverse shell, obfuscation to avoid IDS/IPS, and providing examples of tools at each step of the way. Some Linux experience needed. If breaking in is half the battle, staying in wins the war.

Imagine you have just started a new job and been handed a new (to you) desktop. It’s running Windows 7 and you have no local admin rights. Your new boss has challenged you to find out as much information about the network in the next 45 minutes without downloading any tools. What do you do? What do you do?

Creating and distributing useful software requires significant intellectual, emotional, temporal, and financial resources. Security software tends to require some level of operational security around vulnerability disclosures, and often carries some unique ethical and legal implications. On top of all this, “open source” often means there is no paycheck at the end of the week for programming effort. Why go to all the trouble? Why do some open source security projects succeed while many others fail? What does success even mean for open source? This talk by Thomas d’Otreppe (Aircrack-NG project lead) and Tod Beardsley (Metasploit engineering manager) will explore the unique challenges (and rewards!) faced by open source security projects. They will discuss strategies to keep projects and contributors on track, provide resources that make the life of an open source developer more productive and rewarding, and offer their unique insight into open source security development. Participants in this talk will come away with the tools and knowledge needed to launch a new open source security project or more effectively contribute to an existing one.

Almost every day there are new revelations about violations of user’s online privacy. Usually these infractions are for the monetary gain of an online entity, but at other times it can be part of censorship, a surveillance state or even a government breaking the law when accessing such data. With email being so personal, webmail (which is generally hosted free of charge by for-profit providers) is a particularly vulnerable space where people are not doing enough to protect online privacy. When a highly decorated four-star general is brought down because he couldn’t secure his online webmail, what hope do we have in terms of guaranteeing our own online privacy? The Electronic Communications Privacy Act of 1986 states that after 6 months, email messages lose their status as protected communication and no longer requires a warrant, only a subpoena, for a government agency to force email providers to produce copies of user’s data. Online privacy is a right we have taken too lightly. Attendees of this talk will learn real world techniques that will enable them to make educated decisions about how to properly protect their webmail. Generally, you have little email privacy with US-based email services, so we will focus on offshore hosting where laws better regulate your data protection and online privacy. A survey of current options, with details from the speaker’s own trials of multiple solutions, will provide a framework for you to replicate, allowing you the online email privacy everyone deserves.

WebSockets are HTML5s solution for low latency communications. Support is now stable in major browsers, and developers are starting to use them for chat, games, videoconferencing, and other applications. Despite its growing adoption, WebSockets are difficult for pen testers to mess with. Tools are starting to catch up – wireshark, fiddler & chrome will let you view WebSocket traffic, but there is no simple system currently available to tamper with these messages. This summer I plan to release Socket Puppet, a chrome extension designed to fill this need, and I want to release it at BSides.

Big Data, Data Science, Machine Learning and Analytics are a few of the new buzzwords that have invaded out industry of late. Again we are being sold a unicorn-laden, silver-bullet panacea by heavy handed marketing folks, evoking an expected pushback from the most enlightened members of our community. However, as was the case before, there might just be enough technical meat in there to help out with our security challenges and the overwhelming odds we face everyday. And if so, what do we as a community have to know about these technologies in order to be better professionals? Can we really use the data we have been collecting to help automate our security decision making? Is a robot going to steal my job? If you are interested in what is behind this marketing buzz and are not scared of a little math (not crypto, though ;)), this talk would like to address some insights into applying Machine Learning techniques to data any of us have easy access to, and try to bring home the point that if all of this technology can be used to show us “better” ads in social media and track our behavior online (and a bit more than that) it can also be used to defend our networks as well.

OSINT is often mentioned, but not really covered. Occasionally mention is made of a particular tool, but the aspiring professional is left to their own means to discover how to use the tool, or determine what information is of value. Given a sample case, a real world person, the talk will include some dox freely available in the wild and discuss and demonstrate how some of the information found can easily be used in a penetration test or by an attacker. The purpose of this discussion is multi-parted. By and large it will show some aspiring individuals how to go about gathering some of the information. It will also serve as a warning to those in the audience who might be simply curious about infosec and security in general, how easy it can be to find some information about particular individuals.

In recent years, Application Whitelisting has been one of the new breeds of antimalware technology. However, malware has already developed techniques for dealing with and impeding this new technology’s adoption rate, from causing unwanted behavior in the solution to directly altering the execution of the security solution to avoid detection while making it appear as though it is operating correctly. This talk will demonstrate how malware can accomplish these negative outcomes by manipulating application certificates and using file system filter drivers. This talk will also discuss how to factor these vulnerabilities into your security decisions.

In an ever-changing world where the technological dependence is ever increasing — the government wants to provide transparency, everyone has 500+ friends on Facebook, your kids can use the computer better than you can, your bank allows transfers on the fly, you can meet your next first date (or your future ex) based on an algortihm, you can apply for a loan, or even look up medical records… In a world of Big Data, data mining, network breaches and the cloud, what is the first line of defense for your important, personal, private info?! Software Assurance. This talk will discuss the various definitions of software assurance, who it relates to, as well as the ownership. We will talk about the recent law that was passed National Defense Authorization Act of 2013 (NDAA) and what it means to software assurance and career developers everywhere. We’ll wrap up the discussion by highlighting some common vulnerabilities of software, suggestions for incorporating it into development and testing and finally several options for practice.

Matriux is the first full-fledged Debian-based security distribution designed for penetration testing and forensic investigations. Although it is primarily designed for security enthusiasts and professionals, it can also be used by any Linux user as a desktop system for day-to-day computing. Besides standard Debian software the Matriux Arsenal contains a huge collection of more than 350 most powerful and versatile security and penetration testing tools with around 20-50 more tools being added every release cycle of 6 months. Matriux comes with a custom-built Linux kernel to provide better performance and higher support for hardware to work even with a Pentium IV and 512 MB RAM comfortably. Matriux was first released in 2009 under code name “lithium” and then followed by versions like “xenon” based on Ubuntu. Matriux “Krypton” then followed in 2011 where we moved our system to Debian. Other versions followed for Matriux “Krypton” with v1.2 and then Ec-Centric in 2012. This year we are working releasing Matriux “Leandros” which is currently in beta testing and a major revamp over the existing system. Matriux arsenal is divided into sections with a broader classification of tools for Reconnaissance, Scanning, Attack Tools, Frameworks, Radio (Wireless), Digital Forensics, Debuggers, Tracers, Fuzzers and other miscellaneous tool providing a wider approach over the steps followed for a complete penetration testing and forensic scenario. Although there are were many questions raised regarding why there is a need for another security distribution while there is already one. We believed and followed the free spirit of Linux in making one. We always tried to stay updated with the tool and hardware support and so include the latest tools and compile a custom kernel to stay abreast with the latest technologies in the field of information security. Matriux is also designed to run from a Live environment like a CD/ DVD or USB stick which can be help

ANSI (and ASCII) art dominated online communication for a short time. However, in that small window the medium evolved from a necessary function of early online systems into an art form on its own. Sixteen Colors was created to keep a history of the art form as seen from the production of the underground art scene that began in the 1990′s and continues today. Learn what it takes to compile hundreds of thousands of pieces of artwork and how that artwork has changed over two decades.

You put your credit card in, I take your cash out. Point of Sale systems and Cash Machines are frequently targeted but rarely discussed. This talk will be a frank discussion about the types of attacks we have both seen and executed against these types of machines, where these systems are vulnerable from physical attacks to network and trojan attacks, and how to proactively deal with the problems. We will focus on current, practical, and frequently seen attacks of both POS systems and systems which dispense cash, because THAT’S what it’s all about.

The “China threat” is an incredibly hot topic in government and in the popular media. Information security companies have used the publicity to sell their services, and for the first time, hacking has taken center stage in American diplomatic policy. However, is China really a threat? If so, is the People’s Liberation Army really the worst adversary? As a hacker interested in China or a security researcher interested in profiling threats, where do you even begin? TProphet will share his perspectives based on three years of real-world experience living and working full-time in Beijing.

Once again, the Electronic Frontier Foundation returns to the Underground to answer your toughest Off-the-Record queries. Question some of the greatest minds in the field of internet law, in what is fast becoming an annual BSidesLV tradition. Patent Trolls, Free Speech, Fair Use, CFAA, CISPA (the cybersecurity bill), and the NSA surveillance programs like PRISM. If it matters (or should) to the on-line community, the EFF is researching it, litigating it and defending your rights. Come join us for what has become one of the liveliest, insightful, audience driven panel discussions in InfoSec.

We’ve known for some time that physical access to a device means game over. In response we’ve begun to rely more and more on “secure” container applications to keep our private and company secrets… well… secret! In this presentation I will discuss specific design flaws in the security of “secure” Applications that promise to keep your data / password and even company email safe and sound.

In early 2012 a group of 3 hackers were caught when a mainframe at Logica was no longer running as expected. This was the first warning that hackers had penetrated the once unpenetrable IBM mainframe z/OS. Through some simple and some ungodly technical hacks the attackers were able to gain shell access to the mainframe, harvest accounts and got access to some very private data. The mainframe that was breached was responsible for Swedish police, banks, SPAR (SSN equivalent), Infortorg etc. SoF was able to obtain the detailed investigation to the attack and some extras that weren’t in the report. This talk will go over how the attack when down, what was successful and what wasn’t, how they were caught and investigated and tools that exist today (which didn’t exist at the time of the attack) to perform the same type of pentest on your mainframes. If you learn anything from this talk it will be just how unsecure these mainframes really are when in the wrong hands.

APT, Cyberwar, ANONYMOUS, ACTIVE DEFENSE! All things you will hear along with the word “Attribution” but what is the point of attribution anyway? Are you going to hack back? Will you really be able to tell who really hacked you anyway? This talk is a cry for sanity in a world where the new hotness is attributing who attacked you even though the damage has already been done. In this presentation I will go beyond attribution of who did what to whom and show you methods to use the WHO to perform a 360 degree assessment of WHY you were attacked and HOW it was successfully carried out. This talk will discuss common techniques of OSINT, Psychology, Sociology, Forensics, Asset Classification, and other INFOSEC standard practices within a framework for securing your environment in a more holistic manner while using salty language and imagery.

“A burglar steals an unencrypted powered-down laptop containing PII and is immediately hit and killed by a bus. Data breach?” as more laws are passed there remain many difficult questions to answer. this panel will try. come see opposed minds in the industry debate the ethics and economics of incident response and related regulations. we will debate things like: have the past 10 years of breach legislation helped or hurt our efforts in information security? when is a breach really a breach? is it wrong to say “any loss of control is a breach and must be reported?” do you agree there “no safe harbor for encryption?” is it “unduly costly on society” if our breach definition is too broad?