Speakers | SAINTCON 2019

Content Lineup

The following content has been confirmed but is not yet scheduled.

SHOW ALL KEYNOTES PRESENTATIONS TRAININGS COMMUNITY TALKS LEADERSHIP TRACK


By: Michael Whiteley & Mike Weaver  compukidmike & bashninja

All about the badge. How it was made, what it does, maybe some challenge hints...

By: Troy Jessup  Jup1t3r

We will discuss the importance of having a security framework to plan, implement, and measure security progress within an organization. We will specifically discuss the fundamentals of the CIS Critical Security Controls framework as a recommended light-weight framework to start with, where to focus, and how to be successful in starting to implement a framework.

By: Sean Jackson  74rku5

A SOC II attestation is needed for companies offer SaaS. It's a third party that says you take care of your infrastructure, your data, your availability, privacy, and that all your ducks are in a row. It's a daunting process, and in all my experiences, the big question is "what is covered?" and "what do we need to do to be ready?" This talk is to pull back the curtain for all the companies that think they might need to have one, and for those that see the audit coming up on the calendar and want to get a head start.

By: Keenan Fessler  K33n

The presentation goes over the evolution of safe combination locks, and how to manipulate them into revealing the combination

By: James Pope  Pope

I have been running security conferences since I was voluntold 5 years ago and have been looking for a way to abuse my trusted position to get out of it ever since. Get the most security conscience hacker in front of 1,000+ people with a technical issue and quickly they will concede their security morals to "just make it work"

By: Chase Palmer  RaideR6672

Trusting someone else with your data and your customer's data can be a scary thing. When looking at potential vendors to help out with your work, whether it is open source or off-the-shelf, there are certain things that should be taken into consideration to make sure that your data and your customer's data stays safe. Come learn some tips and tricks for conducting a vendor security review the right way.

By: MicK Gomm  @7YR43L

Since the advent of Agile development and cloud computing, application security and tooling has become increasingly complex. In this talk we'll discuss emerging trends in AppSec, including DevSecOps and how to reach that next level of mature that fosters agile velocity through automation.

By: Shaun Price  Klipper

We will be going over building your own home lab utilizing low-cost but high-value hardware. (Think along the lines of re-purposing headless network appliances that have gone out of warranty / support and can no longer serve their intended function ((Riverbed for example...most are low power 8 core Xeons that make fantastic hypervisors)) This includes everything from hypervisor platforms (Compute..most CPU for your buck....CPU's often overlooked), storage (Local, DAS trays, you name it), networking (Open platform software routers, cheap enterprise gear that falls through the cracks), racking and mounting (Yup, we can rack-mount on the cheap) and even some cheap cabling / optical options to go up to 10Gb and beyond. We'll identify the potential uses for the Homelab, as well as the pitfalls that we've run into along the way (noise, power usage, wife acceptance factor, etc.) The advantages of a Homelab are obvious, but sometimes it takes a little help knowing on how and where to get started. We'll get you dumpster diving / and thinking outside the box in no time.

By: Aelon Porat  

This live demo will reenact an infiltration to an organization's network. We will follow the attacker's footsteps to learn how they gain access to a desktop and the internal environment, then discuss how each part of the attack could have been detected and/or prevented. We begin by taking control of a user's desktop using one of a few common techniques and connecting it to a command-and-control center for the rest of the attack. Next, we steal passwords and documents, copy screen and email content, install a keylogger, record sound and stream webcam, control the mouse and keyboard, modify anti-malware settings, execute programs, reshape network traffic, and create a hidden, persistent data exfiltration channel. Time allows, we'll perform network reconnaissance and take over other computers, bypassing MFA and network segregation restrictions. This interactive demonstration will be rendered in a simulated, but fully operational, corporate setting. Our objective is to carefully examine and understand the attack procedures step-by-step, and then detail several defensive strategies against them.

By: Troy Jessup  Jup1t3r

We will discuss the evolution of wireless security options, the pros/cons of each and the challenges of each progression. We will also discuss better IoT/Guest wireless options.

By: Andrew Brandt  Spike

The world of information security spends much of its time focused on looking forward, trying to tackle the bleeding edge of malicious code and obfuscation, which is as it should be. Lost in the rapid pace of technological adaptation in the malware arms race is a sense of history: the origins of malware and its earliest days. How did malware get its start, and what lessons can today's defenders learn about the origins of malicious code, back from the days when analysts first coined the term "virus" as a binary analogue to biological illness? To learn more about malware's origins, we obtained samples of some of the oldest extant malicious code and devised ways of putting that malware onto the retro storage media required by the computers that were the earliest malware victims. With the assistance of the Media Archaeology Lab, an educational museum of retro computing based at the University of Colorado at Boulder, the author executed those samples on real, physical retrocomputing devices like the Apple II, the Commodore 64, an IBM PC 5150, and early Apple Lisa and 68k Macintosh computers running Mac OS System 7. Running malware on ancient computer systems is no different from using modern virtual or physical testbeds for detonation: you need to do it safely, in a "detonation chamber" of sorts, so the author and other volunteers also had to devise methods of safely moving the infected code from device to device or storage medium to storage medium, without spreading the infection to hard drives or other floppy disks or cassette tapes, or potentially damaging irreplaceable software or hardware. Finally, we analysed these malware samples using both modern reverse engineering tools, and the rudimentary analysis utilities that would have been available in the era (roughly 40 years ago, on average) in which the computers used in the study were still contemporary devices, to see what we could learn about this ancient malicious code, and whether it bears any resemblance to modern malware. The author believes the malicious code of the present day bears a more-than-passing resemblance to the malware of prior eras. If studying dinosaur bones contributes to science's understanding of evolutionary processes and biology, the study of retromalware surely can contribute to our modern understanding of sophisticated threats, and may help plan countermeasures against future ones.

By: Dallin Warne  

There's no question the prevalent adoption of SSL/TLS changes how organizations do network security monitoring (NSM). It raises some questions about how relevant NSM is such as: -What value does network security monitoring bring in an age where so much traffic is encrypted? -Can organizations still find intrusions and breaches by monitoring encrypted traffic? -What strategies are organizations employing to gain security insights into such traffic? In addition to answering these questions, we consider other purposes of network monitoring such as how it supports cybersecurity frameworks and strengthens an organization's security posture especially in environments with decentralized or shadow IT. Finally, we highlight the power of decryption. General principles are discussed supported by practical and technical examples found in Palo Alto firewalls and Zeek.

By: Kevin Crook and Blake Moss  

Generally, the effectiveness of any security operations center is largely determined by the level of efficiency demonstrated when analyzing, responding to, and remediating threats across its stewardship. However, with limited personnel, resources, and time, even inefficiently accomplishing these tasks can be daunting. Due to the asynchronous nature of cybersecurity threats, manual monitoring and even polling-based functionalities are quickly becoming ineffective to counter the increased sophistication of bad actors. The emergence of event-driven microservices in IT represent a growing desire for organizations to increase efficiency, awareness, and organization throughout the enterprise. These same benefits are especially applied to security, an inherently event-driven environment. Converting to an event-driven/microservice architecture however, can quickly become a chaotic mess of interdependent services. Especially in large enterprises where uniformity is not always guaranteed and hybrid infrastructures exist, a flexible design is needed to maintain consistency, in addition to providing the benefits of a microservice architecture. In order to facilitate and coordinate security functionality across three distinct institutions/IT environments, the Church Educational System (CES) Security Operations Center at Brigham Young University decided to adopt an event-driven microservice architecture. In this presentation we will describe the challenges, benefits, and applications of this architecture. Specifically, we will detail our evolution toward event-driven security, the requirements necessary for us to effectively transition, and how we are currently using this architecture to enable security functionality throughout the enterprise.

By: Kaydan L  Pips

RFID-based access control is everywhere in your life. It's at your work, its in your apartment building, it lets you into hotels. Come and learn how it all works, how it is implemented in the real world (often incorrectly), how it can be exploited, and how these problems can be mitigated. This is a beginner level talk; everyone can learn something from it!

By: Daniel Zappala  

The Secure Socket API: How to Make Secure Sockets with as little as one line of code SSL/TLS libraries are notoriously hard for developers to use, leaving system administrators at the mercy of buggy and vulnerable applications. We demonstrate a new API we have developed, which modifies the standard POSIX socket API to vastly simplify how a developer interacts with TLS, while also giving administrators the ability to control applications and tailor TLS configuration to their needs. We first assess OpenSSL and its uses in open source software, recommending how this functionality should be accommodated within the POSIX API. We then demonstrate the Secure Socket API (SSA), a minimalist TLS API built using existing network functions and show how it can be employed by existing network applications by modifications requiring as little as one line of code. We next describe our SSA implementation that leverages network system calls to provide privilege separation and support for other programming languages. We end with a discussion of the benefits and limitations of the SSA and our accompanying implementation, describing the status of our implementation and ongoing efforts to improve it.

By: Adam Fishre  8gauge

Hydra is a parallelized login cracker which supports numerous protocols to attack. It is very fast and flexible, and new modules are easy to add. This tool makes it possible for researchers and security consultants to show how easy it would be to gain unauthorized access to a system remotely.

By: Erich Ficker  burnd0wn

Locksport is cute but if you're not into pin and tumbler science why bother with it? We'll talk through the most common ways to bypass physical security controls WITHOUT bothering with picks and tension wrenches. We'll look at a set of tooling that can be used to bypass many physical controls, how to use them and for most a demo.

By: Robert Kerby  beardedwanderer

The dark web is often portrayed as a scary, mysterious "place" where drugs, illegal goods and hackers selling identities run rampant. The reality is that the dark web is simply technology. The dark web is neither good or bad. Like all technology, the dark web is what we make of it. This is a call to action for the security community to embrace the dark web and make the dark web a place that everyone can utilize and find value in.

By: Ryan Burnett  j4v3l1n

This presentation will focus on current countermeasures that a blue-team can/should leverage against motivated attackers and pen testers. Participants will leave with the knowledge of how to make attackers and red-teams cry tears of frustration when they stumble upon your network with the ultimate goal of making them take their ball and go home. `Let's make blue-teams great again`

By: Jake Bernardes  

Much has been said about GDPR in the past two years & I am sure much will be said about CCPA in the coming two years. Wide reaching international implementations to solving both issues have led me across the globe, on one assignment meaning getting home only 12 hours before my wife went in to labour with our second child! I will talk about the truth & reality of a changing privacy landscape (hidden beneath the legal terminology and complex regulations) and, inside a series of hopefully humorous anecdotes about my professional & family life, give some concrete advice on what to believe, what do act on & what to actually do!

By: Mike Weaver  bashNinja

Maybe you've been to SAINTCON before and have a box of dusty electronic badges or maybe this is your first time and are wondering what to do with these 'electronic badges' after the conference? We'll go over the last few years of SAINTCON badges and different projects that you can do to make them useful again. This will be a very 'demo' style presentation. Sit close if you'd like the opportunity to ask questions.

By: Steve Ball  hamster

Making a minibadge is not as hard as it looks. In this presentation, I'll walk you through the steps from artwork, to using KiCad to design the board, to tips for ordering.

By: Matt Lorimer  zodiak

Come learn why you should play games to get ahead in your career and life. This session will talk about participating in the SAINTCON Hacker's Challenge game, CTFs, wargames, pros vs joes, and other types of skills based games. Suggestions will be provided on where to find games, who to play with, benefits of playing, and ways that you can give back to the community through these games.

By: Matt Lorimer  zodiak

Come peek behind the curtain into this year's SAINTCON labs. This session will cover the hardware and software running the labs, some of the challenges faced, automation tools used, environment building, and ways I hope to continue to grow the SAINTCON labs.

By: Andrew Brandt  Spike

In spring, 2019, Sophos detected a widespread ransomware attack using a malware that calls itself MegaCortex. The ransomware was spread around victims' networks using compromised Domain Admin credentials on domain controller computers to distribute it as if it were a software patch, using WMI. Subsequent analysis into both the attack and the malware itself showed the attack killchain was orchestrated using complex (and somewhat redundant) Windows batch files. The malware also featured a number of anti-analysis features, including a password string that was unique to the sample, and a hardcoded "active" time that analysts discovered: samples would not run in sandboxes unless the system date was changed to a three-hour window starting at around the same time the original attack began. But the MegaCortex phenomenon actually raised more questions than answers. There are significant similarities between the code style and behavior of other malware families in the MegaCortex samples we initially examined. There were also odd connections and false flag ties to completely unrelated malware families that sent researchers down a number of dead end rabbit holes. None of the questions of why the malware had these unique characteristics have been answered, and the low key nature of MegaCortex may mean we'll never understand its creators' motives.

By: Chris Mather  Whitecapper

The rules of passwords have changed, but are you keeping up? Find out about new NIST Digital Identity Guidelines as well as recommendations from the 2019 OWASP Application Security Verification Standard 4.0. Now, depending on who you are, the rules may be different. Which horseman are you? Which horseman are you dealing with? I'll address those frequently asked questions; how long should my password be and what's the minimum length my website should require. Find out why my 3-character password is stronger than your 17-character password. I'll dive into the statistics of a 25 GPU password cracking machine and several modern hashing algorithms. See how much of a difference your algorithm makes as well as the rules you use for your passwords. There’s also a mystery horseman you should be aware of that's sewing lots of dissension. And pay attention, there might even be something to help with your Hackers Challenge.

By: Bryce Kunz  TweekFawkes

Cloud services are frequently misconfigured due to their rapid adoption and engineers not fully understanding the security ramifications of different configurations, which can frequently enable red teams to gain, expand, and persist access within Google Cloud Platform (GCP) environments. In this talk we will dive into how GCP services are commonly breached (e.g. SSRF vulnerabilities, discovering insecure cloud storage), and then show how attackers are expanding access within Docker & Kubernetes (K8s) environments (e.g. CVEs, insecure daemons). Finally we will demonstrate some unique techniques for persisting access within GCP environments for prolonged periods of time!

By: George Bekmezian  offroad99

Are you using DNS for content filtering or for identifying and mitigating risks and attacks in your network today? How are recent DNS changes affecting your environment and what does the future hold? What about changes in TLS 1.3 and encrypted SNI?

By: Daniel Dayley  Cronocide

Correctly implemented, a Security Information and Event Manager (SIEM) is one of the best tools a blue team has in defending a network. This presentation covers introductory topics about SIEMs including what they are, why you need one, and the considerations that one must take in building one. We will discuss the types of events that a SIEM can detect We will discuss the core technologies involved and demonstrate the setup of a SIEM with ElasticSearch, Logstash, Kibana, RabbitMQ, ElastAlert, and Zeek.

By: Jeremy Cox  supertechguy

Exponential returns on minimal investment. The difference between doing nothing and doing something can take up so little time and make so much difference.

By: Clint Russell  

The world of video surveillance has remained largely unchanged since shifting from analog to IP based cameras. In this presentation, we will explore how video surveillance has evolved over time, and how new solutions are leveraging cloud computing, artificial intelligence and machine learning to make the jobs of security professionals easier.

By: Kimber Duke  

As environments become more complex and robust, how do threat hunters stay on their toes to remain quick and effective? The scientific method allows a threat hunter to develop a flow to their working process that ensures they remain on target while deepening their knowledge of the environment they're working in. This presentation will give an overview of how to adapt the scientific method to a threat hunting position on an IT security defense team, while providing a methodology for more effective detection of malicious actors.

By: Ryan Otteson  

A year ago Ryuk came onto the scene, an adopted version of the Hermes ransomware. Attribution for the group running the scheme remains unknown, some think North Korea, others Russia. What's for sure is that the group is leveraging long-dwelling Trickbot infections to cripple organizations of all sizes and making millions of dollars a week. In this presentation we talk about how they leverage a Trickbot foothold to shut down an entire organizations network in 2-5 days.

By: Jonathan Smith  rev

Building a long range RFID reader capable of stealing badge information from several feet away, using a reader and a Raspberry Pi. I will also go in depth in RFID and the Wiegand protocol. I will also be publishing the code and any other information.

By: Victor Steven Morales  zero_virus

We will be covering the types, strategies, benefits and implementation of security frameworks. Giving you a starting point in increasing your security posture. Making more difficult for script kiddies to enter your network. Find out if you are leaving the door wide open for an hackers to come in. Its not a matter if you are going to get hack but when.

By: Chris Larsen  

For the last few years, Fake News has become a buzzword, used in so many contexts that it's lost any precise meaning. Researchers in this area prefer to talk about Disinformation (or Propaganda, if nation states are involved). Having spent much of the last year working in these areas, I'll present my findings, along with recommendations, and fun examples.

By: Spencer Heywood  

Docker is a versatile and powerful tool. Learn how to use Docker in conjunction with your shell to improve your Red Team workflows and also learn how to strengthen your security posture by running applications in containers.

By: Hanna Bennett  

This presentation will provide an overview of the Utah Department of Public Safety (DPS), Statewide Information & Analysis Center (SIAC) and the SIAC Cyber Program.

By: Karl Sickendick  Rosie

The NSA recently open-sourced the Ghidra software reverse engineering tool. While it's unlikely to steal IDA-heads, Binjas, or those 5 people who remember Radare2's command line, it is a mature RE tool with a huge feature set. It's also easily extensible through Java, Python, and a command line batch mode. This talk will introduce Ghidra briefly, then demonstrate/release an open-source Ghidra intermediate language emulation capability, and finally describe the basics of extending Ghidra via Python scripting.

By: Sean McHenry  

1.Strategy vs Tactics 1a. What is Strategy 1b. What are Tactics 1c. The relationship 2. Strategy in cyber security 2a. Framework 2b. Define Policy 2c. Establish Controls 2d. Establish Metrics 3. Cyber Risk Management vs. "Corporate" Risk Management 3a. What is the relationship 3b. The relationship of Cyber Risk Management and Cyber Strategy 4. Tactics for driving strategy and managing risk 5. Conclusion

By: Mike Spicer  d4rkm4tter

Over the last 3 years Mike has learned a lot about how to effectively capture and process WiFi data. This talk will discuss the improvements and frustrations that lead to the creation of the WiFiKraken as well as data that has been captured. Difficulties in data analysis will be discussed and solutions and methodologies will be presented including Mike's tool PCAPinator that addresses the issue of dealing with very large PCAP files. Interesting examples of data captured at some of the largest hacker conferences in the world will be discussed including things like credential, leaked APIs and DNS.