Presented by d1dymu5 and n8zwn (Colin Jackson and Nathan Smith). At a recent conference, a few of us were discussing how there are a ton of great info security peeps in the area who have really cool ideas and projects, yet many don't feel comfortable presenting them or submitting papers about their ideas. We've also felt that many of the same people present due to a lack of submissions. The overall goal of this presentation will be stepping out of our comfort zone, overcoming your imposter syndrome, and offering some tips on giving your 1st or your 20th conference talk.
If you are like many organizations out there, you have a large number of unaddressed vulnerabilities. The question is, where to start? Which vulnerabilities are most important and why? Can you rely on CVSS or an arbitrary risk score alone? This presentation and discussion will address how I have worked with organizations in the past to tackle these challenges and what your organization can do about it.
Port scanning is a simple way to find vulnerable targets within a network. Learn how to use tools like nmap, masscan and Shodan to do external scanning of your network and find the low-hanging fruit before somebody else does.
Information Security has a near 0% unemployment rate. We are increasing the demand while reducing the entry requirements, and it is still extremely difficult to find enough bodies to fill the seats. This talk will be a summary of the hiring issues we face today along with some solutions to help ease the pain for organizations trying to step into this industry.
We live in a world of smart phones, smart TVs, smart kitchen appliances and security-ignorant users. The main target of all cyber attacks is the human: people like you and me, whom attackers are driven to exploit for the millions of data points being captured today. User behavior plays a key role in many security breaches and incidents because humans are the biggest threat to data security. The tremendous increase in cyber security attacks due to human error is often depicted as a security pandemic. Past research has shown that lack of training, support, and motivation, and the increased use of social media platforms, are all human habits that weaken security. Therefore, it is important to first understand the essential link between privacy and security in a cyber security context and identify the human factors that may weaken this link.
An introduction to Cross Site Request Forgery, why it is an issue and why you shouldn't assume your framework is protecting you.
On-demand IT services are being publicized as the new normal, but oftentimes these services are misunderstood, and hence misconfigured, by engineers, which frequently enables red teams to gain, expand, and persist access within Azure environments. In this talk we will dive into how Azure services are commonly breached (e.g. discovering insecure blob storage), and then show how attackers are pivoting between the data & control planes (e.g. mounting hard disks, swapping keys, etc.) to expand access. Finally we will demonstrate some unique techniques for persisting access within Azure environments for prolonged periods of time.
SAINTCON 101 - Learn how to "own the con". Get the most out of SAINTCON, all the ins and outs of Utah's Premier Security Con.
Off-the-shelf malware, custom developed malware, or just living off the land are ways for attackers to not only compromise your environment, but also reside within it. Attackers are regularly able to breach perimeters and easily maintain access due to a lack of defensive technologies preventing them from doing so. Anti-Virus, EDR? These can be effective, but aren't a brick wall. What if there's another way, and it's likely built right into the operating system you are running? Let's talk about Windows Defender Application Control (WDAC). WDAC is a highly effective application whitelisting technology that's built right into Windows 10 and Server 2016. WDAC easily stops attacks from ever beginning, or provides you with the audit capabilities to know when one did. This talk will cover exactly what Windows Defender Application Control is, how policies are created, how to distribute policies within an environment, and demo its effectiveness against modern attacks.
What parts were used this year and why - Short timeframe - New Designer - IoT integrations - Minibadges - Feedback - Next year ideas/plans
In this presentation, we will go over the basics of writing shellcode, focusing on writing shellcode for 32- and 64-bit Linux operating systems. We will go over the basics of setting up a development environment along with common troubleshooting techniques.
End-users care that your site looks nice, and that your name hasn't recently been in the news for a security breach. More sophisticated users care that your website is HTTPS and doesn't show any warnings. But now we're talking about enterprise-class security. What kind of security features open up the Fortune-500 market? Come and listen as we review many of the security gotchas and lessons Lucidchart.com has learned on the road to Enterprise.
By leveraging security instrumentation platforms, you are bringing together red and blue teaming initiatives with greater symbiotic mutualism across three major areas. First, you can validate the efficacy of security controls such as firewalls, WAFs, DLPs, EDRs, and SIEMs. If those controls aren't working as needed, you can leverage prescriptive analytics to instrument them. Second, you can apply configuration assurance to verify that a change that has been made actually does what's desired. You can also determine if that change negatively impacts other facets of security. Third, you can utilize automated, ongoing checks to ensure that what was working continues working in perpetuity. Should something stop functioning, blocking, detecting, correlating, etc., as needed, alerts will be generated in response to the environmental drift. We need to readjust so that we are focusing on security effectiveness and the efficacy of our security controls. We need to industrialize our approach to red and blue teaming with security instrumentation through automation, environmental drift detection, prescriptive actions, and analytics that enable us to finally and empirically manage, measure, and improve security effectiveness.
Over the last decade we have seen a rapid rise in virtualization-based tools in which a hypervisor is used to gain insight into the runtime execution of a system. With these advances in introspection techniques, it is no longer a question of whether a hypervisor can be used to peek inside or even manipulate the VMs it executes. Thus, how can we trust that a hypervisor deployed by a cloud provider will respect the privacy of their customers? While there are hardware-based protection mechanisms with the goal of guaranteeing data privacy even in the presence of such an "introspecting" hypervisor, there are currently no tools that can check whether the hypervisor is introspecting when it shouldn't. We have developed a software package that analyzes instructions and memory accesses on an unprivileged guest system which has been deployed onto a hypervisor to determine the potential presence (or lack) of introspection. These techniques are developed to examine properties of modern x86 systems, such as cache-based memory access timing and privileged instruction benchmarking to examine the behavior of the hypervisor. Moreover, we have developed timing methods such as thread racing to determine whether a hypervisor is monitoring regions of memory or hooking instructions.
I have worked on cracking the message on the Kryptos statue at the CIA headquarters. The fourth section has not been solved "publicly", but I have come up with a methodical way to decrypt the text. In doing so I have identified general troubleshooting patterns that can help solve complex problems in a systematic way.
First an intro to self-driving cars, hardware, software, meetups and handy URLs, then inside the defcon26 Mad Max Valhalla Self Driving Car Challenge.
Instrumenting cloud for security issues with cloud first strategy - ways to instrument the cloud for security to enable incident response and forensics - network traffic techniques and traffic agents - cloud log collection - show/talk about configuration monitoring and compliance
We will discuss different career paths that ultimately lead toward becoming a pentester and beyond. We'll discuss options for schooling, training, and initial career moves. We'll also talk about ways to improve your skills and I'll share some hard lessons I learned on my own that I wish someone shared with me early in my career. This will be somewhat of a Q&A format so bring all questions.
Beginning last year, a honeypot I run on the DMZ of my lab network started receiving a lot of traffic on a TCP port I wasn't familiar with. Out of curiosity, I investigated and discovered that the machine was getting hit, over and over again, by an elaborate, automated attack that used a sequence of Microsoft SQL database commands in an attempt to commandeer what it thought was an MS-SQL server. In this talk, I'll step attendees through the attack from its initial connection to the delivery of the malicious payload, and what I was able to determine about the IP addresses from which the attack originated and their checkered history.
There are many ways to disrupt WiFi. I will go over the different types of attacks used against WiFi and different types of mitigation that can be used.
For those new to cyber security, it is easy to get into the mindset that all hacks are big, targeted hacks and that hackers generally don't go after the small guys. The reality is, hackers will oftentimes just go after what is easy and available. If you are connected to the internet, you are a target. Just how big of a target depends on many different factors. Are you low-hanging fruit? What can you do to reduce your chances of being a hacker's next target?
ATM jackpotting isn't something new, as security researcher Barnaby Jack famously demonstrated jackpotting an ATM machine at Black Hat 2010. However, in the past year there has been a significant rise in jackpotting of ATM machines across the United States. Most criminals that try to rob money out of an ATM machine use less technical means, such as skimming credit card numbers or physically trying to break open an ATM machine. This presentation sheds light on both the technical means of jackpotting an ATM machine and the organized crime nature of how teams are assembled to accomplish this task.
Where is the line between convenience and intrusion? What is your expectation of privacy? There are those who argue that your data is already collected on servers across the globe, and with social media like Facebook, Snapchat, and Instagram many have willingly given up their data. With all of the breaches in the last five years, society is now asking, "How do we put the genie back in the bottle?" New privacy laws are driving requirements to update standards. We'll look at the history of privacy, current events, and the coming standards we can leverage to help ensure privacy.
Business Email Compromises (BEC) continue to plague organizations world-wide, inflicting catastrophic financial damage. This presentation will be a live demo of an actual BEC using the same TTPs criminal organizations are currently employing to attack their victims. We will dissect each step of the scheme and learn how to identify pre-attack signatures to help detect and defend against an imminent attack. We will explore several tools and methods to conduct incident response to identify the attacker and his/her actions on your system. Of interest, we will explore the previously undocumented Office365 Activities API to access once-undisclosed logs that are incredibly detailed and helpful when conducting BEC incident response. Lastly, we will discuss tips and best practices when coordinating with law enforcement.
Information security is a fast-growing discipline. However, the weakest link still remains the human element. Social Engineering is the 'art' of exploiting human behavior in order to gain access to sensitive information and breach security. This presentation highlights one such recent experience I had with social engineering, wherein a person stole a laptop from a company and took a free lunch to avoid suspicion. I will highlight the key takeaways from it, and through this presentation I also want to emphasize why physical security still matters and the steps one should take to avoid social engineering attacks. (NOTE: I will be anonymizing the company and the person in the video to avoid any legal issues.)
Network segmentation is one of the most important steps you can take to secure your network today. Footholds on networks are all too common, and when that is combined with a fully open network it becomes ripe for pwnage and abuse. In this track we will discuss turning your soft and chewy center into a hardened jawbreaker.
Just when you thought you had all your users trained to use passwords properly, they change the rules again. In this track we will discuss the most recent password recommendations and how to deploy those recommendations in your organization.
You are constantly being scanned, every single day. It's often fully automated and never sleeps. In this track we will discuss one method of automatically blocking those who maliciously scan your network by building and leveraging a darknet address space.
I will talk about the skills and approaches necessary to succeed at winning Hackers Challenge and other CTFs. We will walk through 1 or 2 basic challenges to get you started.
We will walk through several challenges and answer questions about the stumpers and more complex Hackers Challenge puzzles.
New to lock picking? Just curious? Why would you want to learn this? Why is there always a LPV at security cons? Legal concerns? This and more will be addressed in this quick intro to lock picking. We’ll cover basic locks, mechanisms, parts, lock picking tools, and methods.
Helping you see what a hacker sees and putting yourself in their mindset
IPv6 support is built in throughout the Internet now, so there's not as much talk about it as a few years ago. Things are pretty quiet out there. Too quiet. In the last year, some advanced attackers abused IPv6 in some way. We'll take a look at a few of those, and talk about the need to ensure IPv6 visibility and control in your network, so you don't leave a door open.
First, Dragnet collects dozens of OSINT data points on past and present social engineering targets. Then, using conversion data from previous engagements, Dragnet provides recommendations for use on your current targets: phishing templates, vishing scripts and physical pretexts, all to increase conversions with minimal effort. Finally, features like landing page cloning and domain registration (alongside your standard infrastructure deployment, call scheduling and email delivery) make Dragnet one hell of a catch.
Locky is dead, and Coinhive has replaced it. Here's a look at the types of cryptomining that have become the threat du jour.
The various Ministries-of-Positive-Nouns and their Large Relatives are engaging in illegal backroom exchanges of your information. Governments and ultra-capitalists around the globe have seized the means of communication and are snorting our traffic like it's Colombian nose candy. What are the Winston Smiths of the world to do in order to avoid landing in Miniluv's Room 101? Learn how to make your own USB-based hardware GPG token that is easy to assemble, cheap, feature-rich, open, and secure. Many people keep their GPG/SSH private keys on their primary storage. This provides a large attack surface, whereas using a hardware token can prevent key extraction. Considerations include using open source cryptography libraries, firmware, and hardware, as well as tamper resistance and EMI shielding.
You have been tasked with building a security awareness program for your organization. Where do you start? You can forage for fruit and nuts with the other forest creatures, get lost down a spiraling staircase with no end in sight, throwing out idea after idea: Wall of Sheep, Security Shepherd, pulling from your plethora of security buddies to come do a lunch with your staff on why phishing is bad, very very bad! Or... you can build a program based on some sound logic and practicality. Not to say having your buddy talk on phishing techniques isn't a good start, but where do you go from there? So, how many licks does it take to get to the center of a good security awareness program? You can be that wise old owl and go with three, but a really good program has a few more layers than that. Having done my own research on where to start and what tools to use, I stumbled upon a few industry standards and recommendations from our friends in security awareness like SANS, KnowBe4, as well as a few others. But with all things, you have to add your own spin to it. This talk will focus on security awareness best practice, where to start, and how to build a mature program everyone (especially the business) can benefit from.
Covering the basics and low hanging fruit for network security.
Define your role as a penetration tester, security architect, or cloud/privacy expert and learn what it takes to earn and maintain a security certification. Invest time and effort in the security community to help you stand out and give you opportunities for education and growth in your career.
The quantum computing era is upon us. So, what does that mean for the cybersecurity space? Are all of our secrets on the verge of being easily revealed through quantum power? Is our secure internet about to be ransacked by nation states with large quantum machines? Are you prepared for quantum cryptology Armageddon? The future isn't as bleak as some may paint it. Come learn about what is really going on and where we are headed. We will bring you up to speed on the very basics of quantum physics and how they apply to the cybersecurity industry. We will discuss the current state of quantum computing and the success of China and America in turning this new technology into real world applications. We will also cover cryptology research and recommendations by the National Institute of Standards and Technology (NIST). Learn what you can do now to protect your data and prepare for the future.
At face value, the PCI Data Security Standard seems very black-and-white. But as anyone involved in PCI compliance or Information Security knows, there is a great amount of nuance that can sometimes escape folks attempting to comply with the standard. I have compiled a list of "gotchas" that I intend to explain to help attendees of the conference more fully comply with the PCI Standard in order to protect the payment ecosystem (and more easily pass those audits!).
A live demo of HackerMode 2 for Amazon Alexa, an open source Kali-integrated skill that can hack a machine and retrieve passwords with a single command. Forget working smarter; don't work at all, and don't tell anyone!
In this presentation, we will go over the basics of Bluetooth, with a focus on vulnerabilities. We will go over the basics of setting up an environment to monitor Bluetooth packets.
The #WiFiCactus is a wireless monitoring tool that is capable of listening to 50+ channels of WiFi at the same time. This talk will discuss the events and data from the last year traveling with the #WiFiCactus, including warwalking at DEF CON China. This talk will discuss why wireless monitoring is important to the security of your network and the interesting things you can find when you have 100+ antennas strapped to your back while traveling the world. This talk will break down upgrades and optimizations that have been added in order to make it more effective and discuss the results of those upgrades. This talk will also discuss wireless tools like Kismet and how to get the most out of them.
Icebreaker is a tool for when you have a compromised box on an internal network, but no Active Directory credentials. It automatically performs 5 network attacks to gain usable AD credentials.
Undoubtedly you've heard of the OWASP Top 10. But do you know what they really are? Do you know why they're a concern? Do you know how to fix them? I'll show you what's changed, what's been added, how each vulnerability works, and how to prevent them in your code and applications. This is for any developer who has to write code for public consumption, and any InfoSec professional who either has to help the developers or is paid to break stuff.