Season 2014
2014x1
Opening Keynote -- Beyond Good and Evil: Towards Effective Security
Episode overview
The contrast between the enthusiasm which brings together the BSides community and the burnout which impacts our professional lives is so blindingly obvious it's easy to miss. This talk will focus in on the key reason that so many burn out: the difficulty of being effective, and discuss ways we as a community can transform.
We've heard a lot about crypto backdoors recently (the flawed Dual_EC RNG, NIST curves and their fishy parameters, etc.). This talk presents new results on crypto backdooring, with the first published backdoor of its kind: a sabotaged version of SHA-1 that allows us to create exploitable collisions, such that we fully control the content of the colliding files: unlike theoretical "breaks" of SHA-1, our collision attacks are practical, although they use sophisticated differential attacks. We'll demonstrate PoCs of colliding binaries (MBR, COM), as well as compressed archives (RAR, 7zip) and JPEG images.
Every day, endless consumer and educational technologies provide learning opportunities in classrooms across the planet. We already live in a world where every moment of a child’s life can be recorded with metadata attached-- but what if sensitive education data became part of metadata profiles, too? While there has been a recent massive influx of investment and resources into education technology, few schools have the appropriate resources to build secure infrastructure for sensitive student data, and few education technology companies take the challenge of securing student information seriously. This talk will examine the current state of (in)security in schools and in the education technology industry that leaves sensitive student data and private information exposed for anyone with a basic understanding of hacking to exploit. In addition to exposing the gaping security holes and lack of minimum encryption standards in educational technology, it will focus on ways that hackers, technologists and parents can advocate for more security protections that will keep the private data of children safe and sound.
Power laws occur widely and irrefutably in economics, physics, biology, and international relations. The root causes of power laws are hard to determine, but a good theory is that proportional random growth causes the phenomenon. This talk will attempt to prove a power law for breach size and breach occurrence volume, using data from over 30,000 businesses. The goal is to show that no matter the set of breaches one picks, the most impactful breach will have more impact than all the others combined. Information security breaches are scale-invariant and distributed according to a power law.
USB mass storage devices are some of the most common peripherals in use today. They number in the billions and have become the de-facto standard for offline data transfer. USB drives have also been implicated in malware propagation (BadBIOS) and targeted attacks (Stuxnet).
A USB write blocker may help to prevent some of these issues and allow researchers to examine the content of the attempted writes. USBProxy allows us to build an external write blocker using cheap and widely available hardware that will be undetectable by the host system.
2014x6
Skull And Bones (And Warez) - Secret Societies of the Computer Underground (and why you should create one too)
Episode overview
Long ago, during the “Great Age of l33t”, the digital oceans were traversed by notorious bands of pseudonymous ne’er-do-wells. These outlaw fleets, festooned with brightly-colored flags, laden with teenage pomposity and self-importance, roving their way into undiscovered territories. They took whatever they needed, but created many lasting works too.
We will take you on a journey back in time, to experience what life was like during this pioneer era, with tall tales of life on the fringe, epic yarns of solidarity amongst outcasts, and discuss how forming your own “Digital Outlaw Biker Club” may be a better idea than it ever was.
So, you've gone to a bunch of conferences, and you've seen the movie Swordfish, and now you think you want to be a super l337 h4x0r, right? This will be a fast-paced, comedy-driven reality check for aspiring pro hackers and others hoping to jump in to infosec as a career.
2014x8
Evading code emulation: Writing ridiculously obvious malware that bypasses AV
Episode overview
Code emulation, a technology capable of detecting malware for which no signature exists. It’s a powerful step in the right direction for client security, but it’s a long way from mature. This talk will demonstrate how the code emulation engine in Anti-Virus Guard (AVG) can be reverse engineered by progressively testing its features, and ultimately evading detection. The result is a Command-and-Control (C&C) bot, in a non-obfuscated Windows shell script, that AVG and many other leading AV engines will not detect. I will propose solutions on how these code emulation environments can be improved, making the detection of zero day malware far more successful going forward. This is not a jab against AVG, as they get enormous credit for including such a powerful tool in a free antivirus client.
Threat Intelligence feeds are now being touted as the saving grace for SIEM and log management deployments, and as a way to supercharge incident detection and even response practices. We have heard similar promises before as an industry, so it is only fair to try to investigate. Since the actual number of breaches and attacks worldwide is unknown, it is impossible to measure how good threat intelligence feeds really are, right? Enter a new scientific breakthrough developed over the last 300 years: statistics!
This episode has no summary.
At BSides LV 2013, I shared a dream…of a day when all-the-things would be endowed with…with huge…encryption! YES! BIG ENCRYPTION! Where NSA is spelled with F & U! Of a future where I can share my data without sacrificing ownership, confidentiality, or anything else. Where my memes and social awkwardness will be appreciated! Um…seriously though, we played “fantasy defense-in-depth”, sacrificed an “admin dude” dressed like the black knight, and generally shocked the world that the internet isn’t a safe place.
Wait…ok…now seriously, we explored why the “escalation of weaponry” means defense is futile; why the networks of the future, pervasive ubiquity, and other unknowns won’t fit into a secure perimeter; that we need to protect data over devices; that if we can’t control how our data is transmitted, processed, or stored we need to figure out how to protect it!
Can we create data resilient to attack even when the host it resides on is compromised? How do we not lose availability or the ability to share & collaborate with others? We were on the trail last year, but now we think we have a solution & can’t wait to show you! Fast forward 1 year & we have possibly the first open source destined & patent protected comprehensive framework for data protection. It’s a big idea with big challenges destined for failure without your input and expertise so come join the conga line to crazy town!
2014x12
Custodiet watches your packets! The Open Source MSSP Framework
Episode overview
Our friends lose their jobs. McJobs don't cut it, and unemployment sucks. We decided to make a framework that would allow them to start their own businesses, and to keep their technical skills sharp.
We made an open source MSSP framework. Download it, install it, you're in business. Firewalls, IDS, threat feeds, the works. Hell, we even threw in a ticketing system and marketing fliers.
And we want your help. Make it better. Use it. Tweet about it. MAKE MONEY WITH IT!!!
Information security compliance regulations like PCI, HIPAA, SB1386 have been around for many years now, but we continue to suffer large data breaches. In this talk, an experienced PCI QSA will discuss why even the best efforts at compliance fail to prevent breaches, provide examples from the field of what goes wrong despite these best efforts, and how to win by not playing - by getting the sensitive data the thieves want out of your environment.
This episode has no summary.
2014x15
Highlights of CMU’s Recent Work in Preventing Bad Passwords
Episode overview
This episode has no summary.
2014x16
DoCatsLikeLemon? – Advanced phrase attacks and analysis
Episode overview
This episode has no summary.
This episode has no summary.
If (school < hackerspaces) && (textbooks < wikipedia) Then While (self-motivated = true){ experiment; }
If knowledge is power, then schools make us dumb and docile. Hackers know that we learn by doing -- by asking the inappropriate questions, breaking the rules, and being too stubborn to fail. Ironically, educational theorists in ivory towers also know this -- and they are all terrified of the future. Learn how we keep them scared.
Suppose there is a stream of packets coming through your gateway, their contents apparently encrypted. They may be from a standard VPN such as OpenVPN or an IPSec implementation running over some non-standard ports or protocol, but you missed the initial negotiation that could tell you what sort of a VPN that might be. Can you still find out what software stack and what cipher are being used?
We found out that, if you introduce a periodic disturbance to an encrypted VPN connection, you can fingerprint the VPN and, in particular, the cipher using nothing but packet timings of typical file transfers. We found out also that many things we take for granted aren't necessarily true - e.g., that double encryption may not be better for resisting fingerprinting, and that the most common encryption algorithms differ more in performance than one would think they do.
We believe that the fingerprinting signatures are due to the interactions between the cryptographic and the network layers of the VPN, the cross-layer effects that have been largely overlooked to date. Our findings suggest that these interactions between the layers of a VPN implementation should be studied and taken into account to protect implementations against information leaks.
This talk will discuss real world techniques for implementing and optimizing a security program that we call RADIO (Recon, Analyze, Develop, Implement, Optimize). Conventional wisdom has historically presented guidance that works well in textbook scenarios or for very large companies but often does not integrate well with small to medium size companies. Our Five Step approach aims to provide more reasonable guidance for small to medium size companies or those organizations with operational models that might not lend themselves well to traditional methods.
Project Robus is a search for vulnerabilities in ICS/SCADA protocol stack implementations. Most research and commercial tools to date have focused on the PLC/RTU/controller (server). Project Robus tests both the RTU server and the master (client) sides of DNP3 and Modbus protocol stack implementations. Attacking the DNP3 master in the control center can eliminate the ability to monitor and control an entire SCADA system, such as an entire electric transmission or distribution system … all from accessing a serial or IP connection in one unmanned substation.
Predicting your adversary's behaviour is the holy grail of threat modeling. This talk will explore the problem of adversarial reasoning under uncertainty through the lens of game theory, the study of strategic decision-making among cooperating or conflicting agents. Starting with a thorough grounding in classical two-player games such as the Prisoner's Dilemma and the Stag Hunt, we will also consider the curious patterns that emerge in iterated, round-robin, and societal iterated games.
But as a tool for the real world, game theory seems to put the cart before the horse: how can you choose the proper strategy if you don't necessarily even know what game you're playing? For this, we turn to the relatively young field of probabilistic programming, which enables us to make powerful predictions about adversaries' strategies and behaviour based on observed data.
This talk is intended for a general audience; if you can compare two numbers and know which one is bigger than the other, you have all the mathematical foundations you need.
This episode has no summary.
2014x24
What Microsoft would like from the Password Hashing Competition
Episode overview
This episode has no summary.
Intrusion detection systems, Network Security Monitoring. All too often, these countermeasures are portrayed as the ‘boy who cried wolf’, the magical box with blinking lights that does nothing but get the checkbox from $COMPLIANCE_AUDITOR, or that data that gets logged to your magical SIEM somewhere, and is never heard from again. I’m here to show you how to actually cut the shit on your IDS, get actionable intelligence, and make yourself the hunter, instead of the hunted.
This talk will primarily be focused around Snort and Suricata, since for the sake of this talk, they operate about the same, and they are where I got most of my battle scars. I’ll also be introducing resources for standing up your own sensors quickly, and cutting the shit rapidly.
This episode has no summary.
Applications rely on generating random numbers to provide security, and fail catastrophically when these numbers turn out to be not so “random.” For penetration testers, however, the ability to exploit these systems has always been just out of reach. To solve this problem, we've created “untwister:” an attack tool for breaking insecure random number generators and recovering the initial seed. We did all the hard math, so you don't have to!
Random numbers are often used in security contexts for generating unique IDs, new passwords for resets, or cryptographic nonces. However, the built-in random number generators for most languages and frameworks are insecure, leaving applications open to a series of previously theoretical attacks.
Lots of papers have been written on PRNG security, but there's still almost nothing practical you can use as a pentester to actually break live systems in the wild. This talk focuses on weaponizing what used to be theoretical into our tool: untwister.
Let's finally put rand() to rest.
2014x28
Vulnerability Assessments on SCADA: How i 'owned' the Power Grid
Episode overview
Critical Infrastructure security has been on the news and the talk of the town since 2005. While there are many talks and demonstrations about how to penetrate and exploit SCADA systems, little discussion about the pre-exploitation phase has been shared. I'm talking of course about the Vulnerability Assessment phase. Some may have performed such an assessment before and many are curious as to how to start it in the first place. Questions like, what are the methodologies used in performing an assessment on SCADA networks? What information is required before we click the 'Start Scan Now' button? What plugins should be used? And do my scans guarantee that these ultra sensitive systems will not go down? And which approach (automatic or manual) should be used in which situation? This talk is to share my personal experience and challenges faced during a SCADA assessment. I will also give an overview of a typical SCADA environment, the tools used for the assessment, the type of vulnerabilities found and how easy it is for an attacker to potentially 'own' the Power Grid and why the US is vulnerable.
So you want to be a non-profit charitable corporation, eh? Do you understand what that means, the amount of work involved, and the restrictions 501(c)(3) places on your fundraising? In this talk, I will review the process Security BSides Las Vegas, Inc. went through to become a 501(c)(3), and discuss the restrictions imposed by being an IRS-recognized charitable organization. I'll also discuss a few options to 501(c)(3), as well as the advantages to federal non-profit status. Participants in this talk will have a better idea of the pros and cons of 501(c)(3) status, and the challenges involved in becoming a 501(c)(3).
2014x30
Geek Welfare -- Confessions of a Convention Swag Hoarder
Episode overview
Have you ever had to justify to your company why you had to go to that expensive conference and give away all that swag — or why you came back with so much of it? Tired of explaining who “HardOn Soft” is when clients see their coffee mug on your desk? Who needs that many XXXXL T-shirts, anyway?!
Guess what — that’s all money that’s flying out of those companies’ hands with almost no return on investment (ROI)! Even worse, with so many ways to repurpose and repackage 90% of the swag out there, they can’t even claim they’re generating brand awareness!
Learn from a self-diagnosed Swag Hoarder on how to avoid your company wasting its hard-earned money on swag no self-respecting person would use (without a few “alterations”) — or if you’re just another face in the crowd, how to exploit what other companies are up to both by figuring out how to make sure of all the crap- er, ‘promotional material’ they give you, as well as how to win an iPad or other great prizes! (No, I won’t be GIVING one out at this talk, but there are tricks that will make it a lot easier for you to get one at your next big trade show!)
2014x31
ClusterF*ck - Actionable Intelligence from Machine Learning
Episode overview
Everybody is aware of the buzzword BINGO winning square of "Machine Learning", but how can we apply this to a real problem? More importantly what output can we drive from doing some analysis! This talk will cover clustering (unlabeled data) of file types based off various static features. Then, using information from the clusters, is it possible to automatically generate Yara signatures to go hunting for files that are similar? We believe so, and we'll show you how you can do this at home.
This episode has no summary.
This episode has no summary.
Every IT organization accessing sensitive data, regardless of their size, must protect that data. Otherwise, your company is exposed to unacceptable risk. However, since cyber attacks on small and medium size businesses (SMB’s) rarely make headlines, it is easy for these IT organizations to develop a false sense of security. Information security is becoming increasingly challenging as both IT complexity and the threat landscape are evolving at an accelerated pace. During this presentation, I will share my methodology, including key, actionable recommendations to help you meet the challenge and manage your IT risk.
2014x35
Anatomy of memory scraping, credit card stealing POS malware
Episode overview
Credit card stealing RAM scraper malware is running amok compromising point-of-sale (POS) systems. Recent breaches have shown that exposure to such attacks is high and there is a lot at risk. This presentation shows how the attack is carried out by looking at the nuts-and-bolts of a home grown malware sample. During the demo we will pretend to be the bad guy and steal information from the belly of the POS process. Then we switch hats, expose the malware to multiple environmental hazards to study its behavior and identify strategies that can be implemented to make it hard for the malware to behave correctly and deter the bad guys. If all goes well, you will walk away with RAM scraping and prevention mojo.
Knowing how to perform basic malware analysis can go a long way in helping infosec analysts do some basic triage to either crush the mundane or recognize when it's time to pass the more serious samples on to the big boys. This presentation covers several analysis environments and the three quick steps that allow almost anyone with a general technical background to go from n00b to ninja (;)) in no time. Well … maybe not a "ninja" per se but the closing does address follow-on resources on the cheap for those wanting to dive deeper into the dark world of malware analysis.
2014x37
Protecting Data – How Cultural-Political Heritage Shapes Security Approaches
Episode overview
In Europe, security systems are built with the end goal to safe-keep the privacy of sensitive data. In the U.S., security systems are architected with the goal of securing sensitive infrastructures. Recent revelations about the NSA snooping and international backlash demonstrate the dramatic international differences in privacy vs. security values. Those differences also play out in how security systems are architected. Beginning with “what is the data being protected?” vs. “how do we keep the bad guys out?” will lead to two very different security solutions.
“Can I learn how to use the product my company sells by interfacing with its API?”
That was the question I asked myself when I started at OpenDNS in the marketing department. Having learned and used Python in business school, I decided to create an application that would monitor my organization’s DNS queries and email me a daily list of all new domains.
This talk walks you through my journey of re-familiarizing myself with Python, interoperating with a new product’s API, and massaging the results into a daily alert. The end goal: to create something useful to reference for future development, to learn about the API, and to impress my colleagues - many of whom have no idea that I’m doing this in the first place.
In my talk, I will provide examples of my logic, coding decisions, and any other stumbling blocks I ran into along the way in the hopes that attendees will take the plunge and hack away at something cool to further their knowledge.
In real world systems, operators are often inundated with alarms which alert when various anomalous events are detected. A software tool was developed that makes use of machine learning methods to allow the operators the ability to prioritize events of high interest. This tool relies heavily on the quality and validity of the data used for training.
This episode has no summary.
2014x41
Security for the People: End-User Authentication Security on the Internet
Episode overview
This episode has no summary.
For years the government has been using CDS to bridge networks with different classification levels. This talk will focus on what CDS systems are, how they’re built, and what kind of configurations are common in the wild. Furthermore, we’ll look at testing techniques to evaluate the security of these systems and potential ways to exploit holes in configuration and design. We’ll also look at the ways the commercial world might benefit from a data and type-driven firewall as well as some of the downfalls and negative aspects of implementing a cross-domain system.
Cluck Cluck presents an architectural, OS-independent method for accessing arbitrary physical memory from kernel shell-code or forensics memory acquisition tools where the virtual addresses of the paging structures are not known -- 'breaking out' of virtual memory. Currently, the virtual address for the page directory is hard coded in the kernel, but this is specific to each OS and version thereof. Cluck Cluck solves the chicken and egg problem (needing access to the page structures to gain access to the page structures) at an OS-independent, architectural level, highlighting how a newer Intel feature violated existing guarantees.
People who know that I have visited all seven continents tell me all the time, “I could never travel as much as you do.” Granted, North Korea, Antarctica and Myanmar are not for everyone, but if you’re living in the developed world, travel is very much within your reach. All you need is flexibility and your hacker ingenuity. In this talk, you’ll learn why you should travel, and how you can do it for little or nothing by applying hacker ingenuity and using travel hacks.
2014x45
FAP Fully Automated Pwning Techniques for Automated Reversing
Episode overview
Techniques to fully automate finding certain vulnerabilities while reversing have become much easier due to research using XUtools (extended grep and diff). This talk will explore these newly discovered automated techniques for reversing. Join us while we help to demystify certain aspects of reversing while pissing off prima donna reversers. What more can you ask for in an underground talk?
2014x46
Improving security by avoiding traffic and still get what you want in data transfers
Episode overview
Critical infrastructure systems are frequently constructed with components never designed for use in today's networked environment. While security conscious enterprises have extensive security mechanisms, these do not immediately transfer to many of our critical infrastructure networks. And yet we still need to move data in and out of them safely. This talk examines how to use the computer science concept of state to provide the equivalent of system isolation from hostile traffic on the network. Forget firewalls, air-gaps, and VPNs, and learn to embrace state transfers. This talk will explore the use of state transfer as a safer alternative to network data transfers. As more and more of our critical infrastructure is using TCP/IP networking and being connected via the Internet, methods to isolate the systems from a traffic signal point of view offer the best current technology to protect our networks, both operational technology (OT) and IT. This talk will give real world examples showing how to maintain all desired functionality, and yet sever the connection to unwanted signals carried in network traffic.
This talk will cover a high-level vulnerability analysis of a modern digital home security system, which includes technologies such as an Android touch screen, wireless motion sensors, cameras, ZigBee components, mobile application(s), digital door locks, and thermostats.
As Big Data and Machine-Learning start to make strides into Infosec, most of the rest of us are still working in SQL databases, CSV files and gluing things together with Python and JavaScript - while the folks with the Math degrees seem to be having all the fun with the data. Well, no more. We're information security practitioners: data is nice, but information is better - but how can we go from wikis, notes and whitepapers to processing the information we generate and doing something fun with that? Semantic Data systems open up machine learning and reasoning to the rest of us, with plain-language operations and natural language storage of information, not data. The Semantic Web has been around since the early days of the web, but is still misunderstood, and difficult to get into - so I've done all the hard work for you already - come and learn some practical tools, technologies and techniques for encoding the 'things we know' on top of the 'things we have' and show the world that you don't need a PhD in Applied Mathematics to come take part in the emerging world of information-driven information security.
2014x55
Proof of work as an additional factor of authentication
Episode overview
This episode has no summary.
Have you ever clicked a phone number in Safari to get the phone app to call that store/car dealership/pizza place you were searching for?
In iOS, this interaction between apps happens via URL schemes, which are available to Apple applications as well as third party applications. Everyone uses them without noticing they exist. They are the most flexible of the imperfect methods available right now.
They are, however, a source of user input that should never be trusted as safe. In this presentation, we will look at real life examples of implementations of URL Schemes that could lead to issues such as destruction of data or help a malicious person identify an iOS user.
We will also look at simple ways to improve URL Scheme security for users of your apps as well as how to find URL Scheme vulnerabilities, for the ones out there who would like to help out.
There is a lot of talk about sharing and the security of our data. A recent Ponemon Report on Exchanging Cyber Threat Intelligence states that current threat sharing mechanisms are broken. Data is not timely enough, scalable or actionable as it often lacks context to a type of threat or actor. Today, government, military, and private organizations do share through unofficial channels (spreadsheets, email listservs, and “fight clubs”), but the time has come for security teams to have a tool to aggregate and analyze the influx of data coming in. More than a feed, and more than a SIEM, the future of threat intelligence lies in the threat intelligence platform.
A threat intelligence platform should achieve many things, but most importantly it should offer a singular platform to aggregate, analyze, and act on threat intelligence data as well as offer options for context, sharing, and privacy. Any mature security organization should consider how and from where they are gathering their data, and what they then do with it.
Attend this session to learn what a threat intelligence platform is and why you need one, and the real-life use-cases to sharing data, keeping it private to only those you wish to share with, and the benefit to collaboration at a large scale to achieve a predictive defense and ensure your threat data is being optimized to the fullest.
Everyone talks about ATM malware, and we can see videos on the Internet of these machines being hacked, but no one explains HOW an attacker can take control of an ATM and command it to dispense the money at will.
Is it possible to control an ATM from a cell phone? What about a Man-in-the-middle attack to intercept the traffic between the ATM and the bank?
Come to my talk and learn these and many other techniques used by hackers from Venezuela to Russia who are emptying ATMs without restrictions.
2014x66
Business lessons that made me a better Security Professional
Episode overview
Case study of a three year journey of starting and managing a security non-profit. Will talk about lessons learned from the experience and successes and failures. Additionally, will also talk about how the non-profit has made a positive impact on the local community and how the lessons learned are also applicable to other facets of one's life and job. Building a non-profit can help break down "echo chambers".
2014x69
Oops, That Wasn't Suppossed To Happen: Bypassing Internet Explorer's Cross Site Scripting Filter
Episode overview
There's a problem with Internet Explorer's anti-Reflective Cross Site Scripting filter. A problem Microsoft knows about, but has decided not to fix. Drop on by and learn a method for bypassing the anti-XSS filter in all versions of Internet Explorer.
BYOD is a cute and harmless-sounding acronym for a trend that is in reality introducing exponentially more risk to end-users and organizations. The common refrain is to seek out and secure your smartphones and tablets from malware and other malicious software which can wreak havoc on a device and completely ruin its integrity. However, BYOD is about more than just introducing hardware; it also brings the issue of BYOApps. Layers of protection covering both the device operating system as well as the apps running on it are required to have a comprehensive solution to combat this problem, which is actually deeper than it seems.
In this co-hosted 45 minute presentation, we will present several real-world case studies of:
- How easy it is to App side-jack to gain root (Jailbreak)
- How a popular app like Flappy Bird can be trojan-ized to defeat two factor authentication.
While the industry loves to talk about sexy malware exploit scenarios, few are exploring the risks that BYOD and BYOApps are introducing, by bringing apps that are hungry for user/private data into the workplace.
Does a flashlight app really need access to a corporate address book or calendar? Should a doc-signing app transmit passwords in clear-text? Should a productivity app have access to corporate email attachments and be able to store them to DropBox? As we scratch beneath the surface, the real security issue is deeper rooted in policy decisions that now must be made on which app behaviors should be allowed in an enterprise environment.
BYOD has really become BYOApps, bringing with it a new layer of complexity with risks outside of obvious issues like malware. Organizations must make policy decisions about behaviors in apps and look for ways to enforce customized policy. A new approach defines the future of how mobile threats will need to be addressed in an automated and scalable way.
Superpowers, normally used by superheroes in the battle of good versus evil, are also accessible to engineers and hackers in equipment used for failure analysis and verification of PCB fabrication and component assembly processes. In this mostly visual presentation, Joe shares his experiences of using lasers, X-rays, and sound waves to facilitate the reverse engineering of electronic products and circuit boards.
Dynamic malware reverse engineering helps forensic analysts and reverse engineers gather quick data points such as callout domains, file download URLs or IP addresses, and dropped or modified files. These methods have long been used on Windows malware...so why not Mac malware? This presentation introduces the audience to methods, tools, and resources to assist reversing Mac binaries with a Mac. Topics include Mach-O file format, virtualization, analysis VM setup, and various analysis tools (native and 3rd-party). This presentation is intended for those familiar with dynamic analysis (with a touch of static thrown in) or for those reverse engineering masters of the Windows executable to get an introductory idea of how to start analyzing Mac malware.
This is a presentation of case studies from past experience and what I have learned from each case in regards to social engineering and the Human Psyche.
2014x75
Password hashing delegation: How to get clients work for you
Episode overview
This episode has no summary.
One of the biggest questions facing people trying to learn how to hack is “How do you practice without committing a felony?” Wi-Fi is one of the easiest things to break, but it still requires practice to be proficient. To practice, you can either go after a random Wi-Fi network or you can create your own target network. Using an old router is fine, but the passcode has to be changed manually. A Raspberry Pi was turned into a Wi-Fi access point using Hostapd. The goal was to create a hackable target that changes the access code every time it boots.
The Hostapd configuration file has an issue where you cannot store the WEP Key as a variable and then call that variable when the key is defined. This prevents urandom from being used to create a random key. A shell script was written to create the config file every time the Pi boots. This allows for the creation of a random key that can be inserted into the config file before hostapd loads. For verification purposes, the key is logged with creation date and time in a separate monitoring file.
To increase the training benefits of using the Pi platform, a web server was added and vulnerable web apps are hosted. This creates a training platform where both Wi-Fi and web app hacking can be practiced. The ultimate goal is to have a device where you break the Wi-Fi, gain root on the Pi, and force it to reboot. Once it reboots, a new passcode is in place, and the process must start all over. This way, the challenge stays fresh and engaging, and previously collected key material cannot be reused.
Some of the most sophisticated rootkit behaviors are implemented by today's anti-cheat gaming software, in a constantly evolving game of cat and mouse. Game hackers often look for flaws in a system or program’s logic, seeking to exploit them for their own performance gains. As cheats evolve to evade detection, so do the anti-cheat software products, employing hooking mechanisms to catch the newest subversions. Often the effectiveness of an anti-cheat implementation will affect legitimate users’ enjoyment (no one likes to play with cheaters, even cheaters themselves!), making it highly profitable for game developers to focus on improving this technology and expediently identifying game hackers. As a natural consequence, anti-cheat software has grown more invasive and intrusive. For example, a recent version of VAC (Valve's Anti-Cheat Software) was found to scrape gamers' system DNS cache in order to spot commercial game cheats and ban users. Just what else is being extricated from our gaming systems and which products are the worst offenders?
By analyzing system memory, several anti-cheat software implementations will be isolated. With a cadre of reverse engineers, we will walk through just how these products are monitoring for game hacking behavior and if any of these techniques call into question aspects of their End User License Agreements.
2014x78
Why am I surrounded by friggin' idiots?!? (Because you hired them!)
Episode overview
Let’s face it… Many people have better luck at the craps table than they do hiring the right candidate for their INFOSEC opening. Making matters worse, most of us have come from a purely technical background and don’t know the faintest thing about building our own team. There can be nothing more disheartening than finding out that you've hired the wrong guy, or worse yet, let the *right* one walk away. In this presentation we will discuss strategies for making sure the best new employee makes it in the door. This includes everything from recruiting, prescreening, reviewing resumes, conducting good interviews, and asking tough interview questions. This talk is aimed towards both managers who are tasked with hiring and interviewees who want to make sure they are at the top of their game.
As pentesters, we all have special techniques and tricks we use that make our jobs a lot easier. A few years back, I presented at BSIDES LV on some of the cool techniques that I use on a regular basis. This talk will dive down into all of the new techniques and latest and greatest hacks to make pentesting something easy and successful. This talk will also discuss how to mitigate some of the techniques and attacks.
2014x82
Black Magic and Secrets: How Certificates Influence You!
Episode overview
Public key certificates are becoming more and more prevalent in software. These certificates are used in more places than just protecting web connections over HTTPS. They are used for authentication, trust, identification and secret trading within apps, behind firewalls and even between services. But, these black magic cryptography tools are only as secure as the code that implements them! Come see how bad practices, designs and testing habits can leave systems vulnerable and prone to exploitation!
Drupal is a very popular content management system that has been widely adopted by government agencies, major businesses, social networks, and more -- underscoring why understanding how Drupal works and properly securing these applications is of the utmost importance. This talk focuses on the penetration tester's perspective of Drupal and dives into streamlining the assessment and remediation of commonly observed application and configuration flaws by way of custom exploit code and security checklists, all of which are open-source and can be downloaded and implemented following the presentation.
The number of mobile applications is rising and Android still holds a large market share. As the number of applications grows, we need better tools to understand how applications work and to analyze them. There is always a question of whether we can trust mobile applications to do only what they are allowed to do and whether they are really secure when transmitting our personal information to different servers. In the presentation some runtime techniques will be discussed and a tool will be released that offers two approaches to analyzing Android applications. The basic principle of the first approach is injecting a small piece of code into the APK and then connecting to it and using Java Reflection to modify values at runtime, call methods, instantiate classes and create your own scripts to automate work. The second approach offers much the same functionality, but can be used without modifying an application. It uses Dynamic Dalvik Instrumentation to inject code at runtime so that modifying APKs isn't necessary. The tool is Java based and simple to use, but offers quite a few new possibilities for security engineers and pentesters.
2014x85
Demystiphying and Fingerprinting the 802.15.4/ZigBee PHY
Episode overview
Producing IEEE 802.15.4 PHY-frames reliably accepted by some digital radio receivers, but rejected by others---depending on the receiver chip's make and model---has strong implications for wireless security. Attackers could target specific receivers by crafting "shaped charges," attack frames that appear valid to the intended target and are ignored by all other recipients. By transmitting in the unique, slightly non-compliant "dialect" of the intended receivers, attackers would be able to create entire communication streams invisible to others, including wireless intrusion detection and prevention systems (WIDS/WIPS).
These scenarios are no longer theoretic. We present methods of producing such IEEE 802.15.4 frames with commodity digital radio chips widely used in building inexpensive 802.15.4-conformant devices. Typically, PHY-layer fingerprinting requires software-defined radios that cost orders of magnitude more than the chips they fingerprint; however, our methods do not require a software-defined radio and use the same inexpensive chips.
Knowledge of such differences, and the ability to fingerprint them is crucial for defenders. We investigate new methods of fingerprinting IEEE 802.15.4 devices by exploring techniques to differentiate between multiple 802.15.4-conformant radio-hardware manufacturers and firmware distributions. Further, we point out the implications of these results for WIDS, both with respect to WIDS evasion techniques and countering such evasion.
This is joint work with Travis Goodspeed, Rebecca Shapiro, and other good neighbors.
2014x88
Ripped from the Headlines What the news tells us about Information Security Incidents
Episode overview
Take a scientific look at information security incidents reported in the public news sources. This talk introduces the VERIS Community Database (VCDB), a research project aimed at gathering news articles about information security incidents, extracting data, and serving as a public repository of breach data suitable for analysis and research. We will discuss how to apply the methodology of the Data Breach Investigations Report (DBIR) to public data to answer research questions, and how this view of information security incidents differs from the DBIR.
Learn the basics of RFID hacking. In this workshop you will be guided through building an RFID sniffer using an Arduino and any RFID reader to output the card data of a prospective target. You will also build a complete RFID sniffer/decoder and “RFID exciter” to energize cards and read them from record distances (up to 10ft). Cost for this workshop is: 33$ USD (if you want to build your own boards; coils and batteries included). Required tools/experience: laptop, Arduino (not required, but suggested); basic soldering skills are suggested but not required as well. Soldering irons will be provided.
A view into what hackers are about and what auditors are about, comparison and contrasting.
2014x91
Insider Threat Kill Chain: Human Indicators of Compromise
Episode overview
Your organization’s greatest assets are also its greatest threat: People. Your greatest risk are those you trust.
The intentions of these insiders can be sabotage, fraud, intellectual property theft or espionage. However, in many cases, patterns of detectable behavior and network activity emerge that provide indicators of risk, assist in early detection and in speeding up response time of an actual incident.
In July 2010, BC Hydro, the electric utility and grid operator of British Columbia began implementation of its Advanced Metering Infrastructure (AMI) program, formally known as the Smart Meter & Infrastructure (SMI) program. The SMI program transformed BC Hydro from a traditional metering utility to a smart metering utility by implementing smart meters on the customer service points. It was the first step in the smart grid transformation.
An AMI program requires the introduction of many new devices and applications into a utility’s infrastructure. Some of these devices and software may have never been deployed before anywhere in the world. Many are field deployed, outside of the utility’s physical and cyber security perimeters.
Security teams within utilities need to take responsibility for the end-to-end security of an AMI program. Traditional approaches may not be sufficient to deliver this security. A new approach including pen testing specialists and third party labs may form an important part of this security.
A standards-based approach will be required to ground the security and penetration testing both in best practice and in a common set of principles that the utility and its partners can accept. The Advanced Metering Infrastructure (AMI) Risk Assessment document prepared by the Advanced Metering Infrastructure Security (AMI-SEC) Task Force can form the basis for creation of the test plans. This document has since been passed to the National Institute of Standards and Technology (NIST) Cyber Security Working Group and was integrated into NIST IR 7628. NIST IR 7628 contains a comprehensive list of possible threats to AMI systems.
For successful outcomes it is important to consider emerging new factors. These are discussed in the presentation.
We've all seen the steady stream of revelations about the NSA's unconstitutional, illegal mass surveillance. Seems like there's a new transgression revealed every week! I'm getting outrage fatigue. So I decided to fight back... by looking for practical, realistic, everyday actions I can take to protect my privacy and civil liberties on the Internet, and sharing them with my friends.
Join me in using encryption and privacy technology to resist eavesdropping and tracking, and to start to opt out of the bulk data collection that the NSA has unilaterally decided to secretly impose upon the world. Let's take back the Internet, one encrypted bit at a time.
2014x95
Encryption and Authentication: Passwords for all reasons
Episode overview
This episode has no summary.
2014x96
Third-Party Service Provider Diligence: Why are we doing it all wrong?
Episode overview
The demands of Third Party Service Provider vendor due diligence and compliance management are growing rapidly in light of increased emphasis on these programs by regulators as well as outsourcing to reduce operational costs. Historically vendor diligence programs have not adequately and consistently addressed proactive identification of potential risks, ongoing competence of third party service provider, and production of a vendor management program that truly aligns with business strategies, identifies the risks commensurate with the complexity of the business environment, and produces a clear measure of the effectiveness of the provider.
In addition, service providers suffer under the burden of the sheer number of diligence questionnaires, lack of consistency in them, inconsistent workload, and resource conflicts with compliance and sales efforts. Diligence response is potentially labor intensive with the possibility of providing no return on the investment.
Aimed at third party service providers and businesses with vendor diligence programs, this presentation looks at case studies from real service providers and their customers to exemplify the ways that traditional vendor management fails to meet the objectives of today’s business and the regulatory environment. It then proposes a means to rectify these failures and evolve vendor due diligence programs to the next step. Participants will learn how to establish the goals of the vendor diligence program, understand the scope of the product and its potential impact on their environment, define a central body of knowledge, address only what is important, and iteratively evolve their diligence process to provide a more valuable product in less time.
2014x97
A Place to Hang Our Hats: Security Community and Culture
Episode overview
Contrary to popular belief and media depictions, hacking is a social endeavor. By examining the evolution of various hacking groups and collectives over the years, we can glean valuable insight into the structure of today’s hacking space and security culture. From white hat companies to prison, we look at how innovation in exploits and anonymity have reformed and regrouped the hacking clubs of yore.
2014x98
Pwning the hapless or How to Make Your Security Program Not Suck
Episode overview
Customer data is our business. Whether within the financial or healthcare industries, the root of our business is to safely house and transmit information to and from trusted parties.
With the growing demand of increased access – in healthcare, from providers, employees, visitors and patients, from a variety of devices, increased federal enforcements of privacy and security requirements under the new HIPAA Omnibus Rule, there is an ongoing challenge of ensuring patient and customer information is adequately protected.
Numerous breaches within both the healthcare and financial fields have involved lost or stolen unencrypted devices, but mistakes by employees continue to be the biggest security threats to all businesses. Even tech-based companies are shown to be at risk for various social engineering attempts.
Why do these breaches keep happening? How can you, as an IT professional, or merely an employee with the safety of your customers’ data a concern, help your business create useful prevention strategies that employees will pay attention to? How do you train your non-tech employees to not be susceptible to social engineering attacks?
Emily, an insurance professional with ten years experience of working for 3 of the 5 biggest US disability insurance companies, and Casey, a Security Engineer with history working for commercial financial firms, will explore the unawareness non-tech employees have of their actions, discuss useful training and resource organization and allocation. We will walk through a few scenarios (the successful and non) and discuss what we have learned from human behavior and how it can apply to enforcing security policies or creating a culture of care.
Technical solutions will not be discussed specifically, as the focus will be on employee awareness, education and how we can do better.
By working through a few scenarios that we have personally encountere
2014x99
Password Topology Histogram Wear-Leveling, a.k.a. PathWell
Episode overview
This episode has no summary.
Mobile, the Final Frontier. These are the voyages of two researchers. Their 45 minute mission: to explore strange new apps, seek out new mobile SSL bugs and new SSL implementation flaws, to boldly go where no man has gone before. We'll trek across the mobile landscape showing numerous mobile failures, related to encryption.
2014x102
Booze, Devil's Advocate, and Hugs: the Best Debates Panel You'll See at BSidesLV 2014
Episode overview
Our four intrepid debaters will tackle the most pressing issues facing the security community today, as suggested by you, our insightful audience. See them use their amazing powers of speech, logic, and insinuation to best each other. You vote for the most convincing argument, and the loser drinks. This is a funny and thought-provoking session, driven by audience participation, alcohol, and hugs.
Once again, the Electronic Frontier Foundation returns to the Underground to answer your toughest Off-the-Record queries. Question some of the greatest minds in the field of internet law, in this annual BSidesLV tradition.
When the world ends, the only things that will be left on earth will be cockroaches, Twinkies, Keith Richards, and Phishing emails. With easy access to free and low cost cloud services, the Phisher’s job is easier than ever. This session will shed light on the number, variety, and complexity of Phishing emails in an effort to explain why they have not disappeared and why things will get far worse before they get better.
Data from OpenDNS’ PhishTank will be collected, analyzed, and presented to reinforce just how serious the Phishing problem is and how you can help Vinny punch a Phisher in the face by joining the growing community.
Mistakes have been made, and mistakes will be made again. Those unfamiliar with the history of the situation may end up going through the same thought processes and making the same mistakes as the previous generations.
This presents both problems and opportunities for security; it means that project managers and developers will need to keep a close eye on the development process to avoid making these known mistakes, and it also means that penetration testers and other red-team members have (provided they research the development history of their target) a list of potential avenues for exploit.
IBM has been touting the security of the mainframe for over 30 years. So much so, that the cult of mainframers believes that the platform is impenetrable. Just try showing how your new attack vector works and you'll be met with 101 reasons why it wouldn't work (until you prove them wrong of course). This talk will take direct aim at the cultist! Previous talks about mainframe security only got you to the front door. Leaving many asking 'great, I got a userid/password, now what?!'. That's what this talk is about: the ‘Now what’. You'll learn a few new techniques to penetrate the mainframe (without a userid/password) and then a bunch of attacks, tricks and mischief you can do to further maintain that access, find important files and really go after the mainframe. During this very Demo Heavy talk you'll learn how to take advantage of APF files, SSL key management, cgi-bin in TYooL 2014, what NJE is and why it's bad, why REXX and SETUID are dangerous and how simple backdoors still work (and will likely go undetected).
2014x109
The Only Way to Tell the Truth is in Fiction: The Dynamics of Life in the National Security State
Episode overview
Over a decade ago, a friend at the National Security Agency told Richard
Thieme that he could address the core issues they discussed in a context
of "ethical considerations for intelligence and security professionals"
only if he wrote fiction. "It's the only way you can tell the truth," he
said.
Three dozen published short stories and one novel-in-progress (FOAM)
later, one result is "Mind Games," published in 2010 by Duncan Long
Publishing, a collection of stories that illuminates “non-consensual
realities:” the world of hackers; the worlds of intelligence
professionals; encounters with other intelligent life forms; and deeper
states of consciousness.
A recent scholarly study of “The Covert Sphere” by Timothy Melley
documents the way the growth and influence of the intelligence community
since World War 2 has created precisely the reality to which that NSA
veteran pointed. The source of much of what “outsiders” believe is
communicated through novels, movies, and television programs. But even IC
“insiders” rely on those sources, as compartmentalization prevents the
big picture from coming together because few inside have a “need to
know.”
Thieme asked a historian at the NSA what historical events they could
discuss with a reasonable expectation that their words denoted the same
details. “Anything up to 1945,” the historian said with a laugh –
but he wasn’t kidding.
Point taken.
This fascinating presentation illuminates the mobius strip on which all
of us walk as we make our way through the labyrinth of security and
intelligence worlds we inhabit of necessity, all of us some of the time
and some of us all of the time. It discloses why “post-modernism” is
not an affectation but a necessary condition of modern life. It addresses
the response of an intelligence analyst at NSA who responded to one of
Thieme’s stories by saying, “most of this isn’t fiction, but you
have to know which part to have