News

Speaker Workshops at DEF CON 25 Call for Presentations Now Open

The Wall of Sheep would like to announce a call for presentations at DEF CON 25 at the Caesars Palace in Las Vegas, NV from Thursday, July 27th to Sunday, July 30th. This will be the 5th anniversary of our Speaker Workshops.


Why are you no longer shipping to country X?

One simple word: fraud. We are still happy to ship to any country via a verified PayPal account; just send an email with your request to sales@wallofsheep.com.

Thank you

Wall of Sheep team


Packet Hacking Village Equipment Check for DEF CON 24

[Written by @donds. Originally posted at http://hackvault.blogspot.com/2016/07/phv-equipment-check.html.]

They say not to bring any electronic devices to DEFCON!? ... What's the fun in that? Well, your mother also said not to get in a strange car with a stranger... UBER, anyone?

It’s time to prep your gear for the Packet Hacking Village (PHV) at DEFCON 24. Although the PHV staff will have some gear for you to use, I highly recommend bringing your own "FOR DEFCON USE ONLY" gear.

For the Wall of Sheep and WiFi Sheep Hunt you'll need a laptop with wired and wireless sniffing capabilities. I spent about $200 for a used laptop from eBay. I also invested in an Alpha wireless USB card from Amazon. Load Kali on the laptop and you're basically good to go. Most tools you'll need are already included in Kali. The PHV staff can help you refine your setup and config depending on what event you want to try out.

For Sheep City, you can use the same laptop you plan to use for WoS and WIFISH. But it will require a bit more creativity and possibly a visit to the vendor area or Fry's. Prep for Bluetooth, ZigBee, IrDA, RF, etc. Be ready for anything.

Packet Detective runs like a classroom format. IMHO, this is a "MUST DO" event at PHV. PHV will have laptops set up for PD Agent trainees to use... Yes, you don't have to bring your own laptop to participate. This is a very popular event and laptops are limited. Sign up early.

WiFi Sheep Hunt will also have a sign-up sheet for the FoxHunt gear. You can use your own equipment to join the FoxHunt and code breaking fun.  There will also be a couple of laptops for players to use, but only for limited time slots. 

Capture the Packet has produced Black Badge winners at DEFCON. If you're just prepping now, you're already behind... you get my drift.

If you're asking which one to do first, I'd say do it all! But if it's your first ever visit to PHV, here's the order of events I'd suggest:

1. Packet Detective
2. Wall of Sheep
3. WiFi Sheep Hunt
4. Sheep City
5. Capture The Packet

Our DEF CON 24 schedule is available at https://www.wallofsheep.com/pages/dc24


What’s More Explosive: Palantir's Penetration Test Results or Buzzfeed's Reaction To Them?

Buzzfeed posted a long story last week about leaked penetration test results for Palantir, Peter Thiel's $20 billion private data analysis company funded by the CIA and considered the backbone of US intelligence gathering.

Based on a confidential report, Buzzfeed says HACKERS COULD TAKE CONTROL OF PALANTIR'S ENTIRE NETWORK!!!! AND…! AND…! AND…!

This looked sensational at first glance.

Palantir's valuation and reputation are built on knowing more than everyone else. So how could it do such a lousy job on security? The real-world ramifications would be serious. Well-known clients include big-time financial firms like Bridgewater (world's largest hedge fund) and an alphabet soup of law enforcement agencies (FBI, CIA, NSA, etc.).

Midway through reading the Buzzfeed story, though, a couple things became apparent:

  1. The story reads like a rewritten version of the confidential report. There is little to no analysis.
  2. The pen testers praised Palantir's internal response team. Repeatedly.

Thankfully, Forbes published an accompanying piece just afterward that analyzes Buzzfeed's story and sums it up nicely with one sentence:

Penetration Tests Almost Always Win

"That Palantir succumbed to the cyber squad it hired specifically to discover its vulnerabilities is no surprise," Forbes wrote. "That's how it goes. One could argue that Palantir should be praised for conducting such proactive testing—as not every company does—and for having an "excellent" response, as the organization called in to conduct the hack said. Nice work, PALs. Patch up and keep at it."

Our two cents is that the Buzzfeed story does a good job breaking down a thorough penetration test for regular folks: how the penetration testers conducted their attacks, what they found, how they would start at Point A to get to Point Z, some cat-and-mouse with the internal Palantir team defending the company against the attack, etc. But Buzzfeed's reaction feels breathless. Forbes reached the same conclusion:

"Why single out this one company?" Forbes asks. "The implication is that if Palantir can be hacked, then A) anyone can be hacked and B) it probably has been hacked already—especially considering the highly confidential government work it handles as well as the persistence of the United States' adversaries. Even a company as locked down as Palantir has holes."

"To BuzzFeed's credit," Forbes continued, "the story does an excellent job detailing how hackers can make their way around a computer network, hopping from node to node, compromising accounts and servers, and escalating an attack along the way. Still it does a disservice in blasting a firm for taking the very measures it should to learn about and fix its weaknesses."


Round Up of Bug Bounties and Resources

At a recent OWASP meeting in San Francisco, bug bounties caused far and away the most spirited discussion. Speaker Craig Steipp, who is head of security at WikiMedia, spoke heavily in favor of them. Yet several audience members spoke against them or offered tepid support.

Sidestepping that debate, who started them? Who runs them? Who doesn’t? And what’s the largest out there?

According to Wikipedia, Jarrett Ridlinghafer started the first such thing in 1995 as a technical support engineer at Netscape Communications. The SVP of Engineering reportedly was the only person against funding the internal program. But he was outvoted and the company went with it. Others followed suit.

Bugcrowd, which facilitates a community approach to security, keeps a running list of bounty programs sent in by its community of users. It can be sorted by four categories: New, Reward, Swag and Hall of Fame. (There’s no description of Hall of Fame, so define that as you wish.) They even offer a weekly email for people who want to stay on top of the game.

HackerOne, which runs programs for Twitter and other big names, is a good resource for finding out which companies not only offer bounties, but contribute to open-source projects that help bounty programs.

The programs aren’t limited to tech companies either. Somewhat surprisingly, United Airlines is the fourth ranking result for a Google search of ‘bug bounties’. They’ll pay up to 1,000,000 frequent flier miles for serious flaws.

There’s no quick-and-easy list of amounts, but that’s not surprising given the subjective nature of what might be discovered and the perceived value. Security firm Netraguard told Forbes in 2010 that it would pay hackers up to $115,000 for an Apple vulnerability.

welivesecurity published a story in 2015 showing a list of the highest bounties they could uncover. Although it says Facebook paid more than $1M in total bounties for 2014, Microsoft’s $200,000 payment is the highest one-time reward on there.

The New York Times recently put together a nice list of companies that pay and how much (Google will do up to $100,000 for a Chromebook bug).

If we missed your bug bounty program or you’re aware of any that are noteworthy, feel free to send them to add to the list.


Our Speaker Workshops Schedule at DEF CON 24 is Now LIVE!

We will be adding more talks in the upcoming weeks.

Link: http://www.wallofsheep.com/pages/speaker-workshops-at-def-con-24/


First Round of Accepted Speaker Workshops at DEF CON 24

The Arizona Cyber Warfare Range: Learn by Destruction

Richard Larkins, Network Architect at Arizona Cyber Warfare Range and President of the ISSA Phoenix Chapter

Want to run all those tools you have always heard about, but don't have the hardware to do it? Or - does your Boss want you to learn NMap, but won't let you run it on any of the corporate networks? This presentation will show what can happen when a couple of dedicated and slightly unbalanced individuals come together to establish the largest volunteer staffed, donation funded Cyber Offensive and Defensive Training facility in the world. Attendees will be shown how real hardware and real tools can be used remotely to further increase their Cyber talents.

Rich Larkins (Twitter: @arahel_jazz) is a Network Systems Engineer with way too many expired Cisco certifications. He has touched networks on 4 out of the 7 continents, over 10 countries, and is currently working on his third global satellite constellation ground control system. To further make life more unbearable, he has undertaken the role of network architect for the Arizona Cyber Warfare Range, which requires listening to hackers playing horrendous techno music at loud enough levels to drown out all the equipment in the room. Rich's real bright spot in life is his wife of 23 years, Patricia, and their two Cocker Spaniel rescue dogs (Luna and Orion) who have seven legs between them. You do the math.

Attacks on Enterprise Social Media

Mike Raggo, Chief Research Scientist at ZeroFOX

Current threat vectors show targeted attacks on social media accounts owned by enterprises and their employees. Most organizations lack a defense-in-depth strategy to address the evolving social media threat landscape. The attacks are outside their network, commonly occur through their employees' personal accounts, and circumvent existing detection technologies. In this presentation we'll explore the taxonomy of social media impersonation attacks, phishing scams, information leakage, espionage, and more. We'll then provide a method to categorize these threats and develop a methodology for adapting existing incident response processes to encompass social media threats for your organization.

Michael T. Raggo (Twitter: @MikeRaggo) has over 20 years of security research experience. Michael is the author of “Mobile Data Loss: Threats & Countermeasures” and “Data Hiding: Exposing Concealed Data in Multimedia, Operating Systems, Mobile Devices and Network Protocols” for Syngress Books, and contributing author for “Information Security the Complete Reference 2nd Edition”. A former security trainer, Michael has briefed international defense agencies including the FBI and Pentagon, is a participating member of FSISAC/BITS, and is a frequent presenter at security conferences, including Black Hat, DEF CON, Gartner, RSA, DoD Cyber Crime, OWASP, HackCon, and SANS.

Connections: Eisenhower and the Internet

Damon "Chef" Small, Technical Project Manager at NCC Group

"Rise of the Machines" conjures thoughts of the evolution of technology from the exclusive domain of computer scientists in the early days of our industry to including everyday people using - and often wearing - Internet-connected devices. With that theme in mind, the speaker researches the history of one large, government-funded infrastructure and compares it to another. Specifically, the Eisenhower Interstate System and the Internet. "Connections: Eisenhower and the Internet" explores what the logistical challenges of moving vehicles across the Country can teach us about cybersecurity. Although these two topics seem unrelated, the speaker will take the audience on a journey that begins with early 20th century road-building projects, travels through ARPANET and the commercialization of the Internet, and arrives at current-day cyberspace. These two massive infrastructures have changed the world, and there are important lessons that the former can teach about the latter. The presentation concludes with predictions about the future of the Information Superhighway and how information security professionals can prepare.

Chef (Twitter: @damonsmall) earned his handle from his use of cooking metaphors to describe infosec concepts to laypeople. He began his career studying music at Louisiana State University and took advantage of computer skills learned in the LSU recording studio to become a systems administrator in the mid 1990s. Following the dotcom bust in the early 2000s, Chef began focusing on cyber security. This has remained his passion, and over the past 16 years as a security professional he has supported infosec initiatives in the healthcare, defense, and oil and gas industries. In addition to his Bachelor of Arts in Music, Chef completed the Master of Science in Information Assurance degree from Norwich University in 2005. His role as Technical Project Manager at NCC Group includes working closely with consultants and clients in delivering complex security assessments that meet varied business requirements. Recent speaking engagements include DEFCON 23, BSides Austin, BSides San Antonio, HouSecCon, and ISSA Houston.

Deceive and Succeed: Measuring the Efficiency of a Deception Eco-System in Post-Breach Detection

Omer Zohar, Head of Research at TopSpin Security

Today's networks are undergoing all sorts of sinister attacks from numerous sources and for myriad reasons. Security at the perimeter is inadequate for thwarting today's highly intelligent attacks as hackers routinely breach the perimeter and gain entry. It isn't long before the network is compromised and critical information is stolen. We must now assume that, despite significant investments in prevention, breaches are going to happen. An additional approach is required. Security teams must go on the offensive, creating a web of non-stop, real-time detection operations using multiple vectors against an ever-changing landscape of cyber threats. Deception technology now plays a critical role. Used as a strategy for many centuries in actual warfare, the concept of deception is becoming a significant weapon in network-protection schemes. Deception technology doesn't rely on known attack patterns and monitoring. Instead, it employs very advanced luring techniques to entice attackers away from valuable company assets and into pre-set traps, thus revealing their presence. It is able to detect threats in real time without relying on any signatures, heuristics or complex behavioral patterns. But how effective is a deception strategy in detecting breaches? What method works best? How does it integrate with current security operations already in place?

In this talk we will present findings from first-ever research which measured the efficiency of proactive deception using mini-traps and decoys in real-life threat scenarios. We have reconstructed a real enterprise environment complete with endpoints, servers, network traffic and data repositories as well as security tools such as IDS, firewall, SIEM etc. The deception layer was then integrated into the environment in 2 steps: (a) by placing decoys in the network and (b) by placing mini-traps on the assets which point to the decoys, set false credentials, trigger silent alarms and more. We then evaluated the effectiveness of the mini-traps and decoys against both automated, machine-based attacks as well as against sophisticated human attacks: The first stage involved checking the behavior of a variety of malware families against the environment and measuring the deception layer's success in detecting their activity. For the second phase, we invited red-team professionals and white hat hackers to employ real techniques and advanced tools with the task of moving laterally in the environment and exfiltrating high-value data.

Omer Zohar has over a decade of experience as a developer and researcher in the data security market. As head of Research for TopSpin Security he is responsible for the research of malware and post-breach detection methods and for defining advanced detection schemes.

Dynamic Population Discovery for Lateral Movement Detection (Using Machine Learning)

Rod Soto, Senior Security and Researcher at Splunk UBA
Joseph Zadeh, Senior Security Data Scientist at Splunk UBA

The focus of this presentation is to describe ways to automate the discovery of different asset classes and behavioral profiles within an enterprise network. We will describe data driven techniques to derive fingerprints for specific types of individual and subgroup behaviors. The goal of these methods is to add context to communications taking place within an enterprise as well as being able to identify when certain asset profiles change their behavioral fingerprint in such a way as to indicate compromise. The type of profiles we want to discover can be tied to human behavior (User Fingerprinting) or particular asset classes like WebServers or Databases (Hardware/Software Fingerprinting). Finally, enriching these profiles with a small amount of network context lets us break down the behaviors across different parts of the network topology.

These techniques become important when we want to passively monitor for certain attacks against server hardware even without visibility into the local logs running on the server. For example, we will cover the automated discovery and enrichment of DMZ assets and how we use these techniques to profile when a server has been planted with a Webshell or when an asset has been used to covertly exfil data. The methods we propose should be generic to apply to a wide variety of any kind of Layer 4/Layer 7 traffic or just PCAP data alone.

Rod Soto (Twitter: @rodsoto) has over 15 years of experience in information technology and security. Currently working as a Security Researcher at Splunk User Behavioral Analytics. He has spoken at ISSA, ISC2, OWASP, DEF CON, Hackmiami, Bsides and also been featured in Rolling Stone Magazine, Pentest Magazine, Univision and CNN. Rod Soto was the winner of the 2012 Black Hat Las Vegas CTF competition and is the founder and lead developer of the Kommand & KonTroll competitive hacking Tournament series.

Joseph Zadeh (Twitter: @josephzadeh) studied mathematics in college and received a BS from University of California, Riverside and an MS and PhD from Purdue University. While in college, he worked in a Network Operation Center focused on security and network performance baselines and during that time he spoke at DEF CON and Torcon security conferences. Most recently he joined Caspida as a security data scientist. Previously, Joseph was part of the data science consulting team at Greenplum/Pivotal, focused on Cyber Security analytics, and also part of Kaiser Permanente's first Cyber Security R&D team.

HTTP/2 & QUIC - Teaching Good Protocols To Do Bad Things

Catherine (Kate) Pearce, Senior Security Consultant at Cisco Security Services
Vyrus, Senior Security Consultant at Cisco Security Services

The meteoric rise of SPDY, HTTP/2, and QUIC has gone largely unremarked upon by most of the security field. QUIC is an application-layer UDP-based protocol that multiplexes connections between endpoints at the application level, rather than the kernel level. HTTP/2 (H2) is a successor to SPDY, and multiplexes different HTTP streams within a single connection. More than 10% of the top 1 Million websites are already using some of these technologies, including much of the 10 highest traffic sites. Whether you multiplex out across connections with QUIC, or multiplex into fewer connections with HTTP/2, the world has changed. We have a strong sensation of Déjà vu with this work and our 2014 Black Hat USA MPTCP research. We find ourselves discussing a similar situation in new protocols with technology stacks evolving faster than ever before, and Network Security is largely unaware of the peril already upon it. This talk briefly introduces QUIC and HTTP/2, covers multiplexing attacks beyond MPTCP, discusses how you can use these techniques over QUIC and within HTTP/2, and discusses how to make sense of and defend against H2/QUIC traffic on your network. We will also demonstrate, and release, some tools with these techniques incorporated.

Catherine (Kate) Pearce (Twitter: @secvalve) is a Senior Security Consultant for Cisco, who is based in Wellington, New Zealand. Formerly a Security Consultant for Neohapsis in the USA, she has engaged with a widespread and varied range of clients to assist them in understanding their current security state, adding resilience into their systems and processes, and managing their ongoing security risk. Day-to-day she undertakes a mix of advising clients around their security, client-focused security assessments (such as penetration tests), and security research. She has spoken about her work at many security conferences, including Black Hat USA, Source Boston, Nolacon, Kiwicon, ACSC and several others. While she has recently presented on Network Security, her true loves are application security enablement, complex systems security, and cross-discipline security analogues.

Carl Vincent (Twitter: @vyrus001) is a Customer Solutions Consultant for the recently consolidated Cisco Security Solutions group, where he performs a variety of security assessment types. As an information security professional, as well as personal hobbyist, his passion is to continually research ever increasingly elaborate methods of elegantly executed hypothetical crime. He also practices personal information warfare, and most of his biographic details online are somewhat exaggerated.

Now You See Me, Now You Don't

Joseph Muniz, Architect and Researcher at Cisco
Aamir Lakhani, Senior Security Researcher at Fortinet

Many people leave behind bread crumbs of their personal life on social media, within systems they access daily, and on other digital sources. Your computer, your smartphone, your pictures and credit reports all create an information-rich profile about you. This talk will discuss all the different threats that leak your information and how attackers can use open source intelligence to find you. We will discuss techniques used by law enforcement and private investigators to track individuals. Learn how you can protect your online footprint, reduce your digital trail, and secure your privacy.

Joseph Muniz (Twitter: @SecureBlogger) is an architect at Cisco Systems and researcher. He has extensive experience in designing security solutions for the top Fortune 500 corporations and US Government. Joseph's current role gives him visibility into the latest trends in cyber security both from leading vendors and customers. Joseph runs The Security Blogger website, a popular resource for security and product implementation. He is the author and contributor of several publications including a recent Cisco Press book focused on security operations centers (SOC).

Aamir Lakhani (Twitter: @aamirlakhani)

Presenting Security Metrics to the Board / Leadership

Walt Williams

The board of directors and corporate leadership is not interested in how many attacks your firewall has blocked, and frankly, that is not a metric, that is a measure. Difference between metrics and measurements, how metrics are constructed, and the kinds of metrics the board of directors are interested in will be discussed. In other words, how to identify how to align security metrics with business goals and objectives. The use of frameworks such as ISO 27004 to construct metrics, the pragmatic framework and its uses will also be discussed.

Walt Williams (Twitter: @LESecurity) CISSP, SSCP, CPT has served as an infrastructure and security architect at firms as diverse as GTE Internetworking, State Street Corp, Teradyne, The Commerce Group, and EMC. He has since moved to security management, where he now manages security at Lattice Engines. He is an outspoken proponent of design before build, an advocate of frameworks and standards, and has spoken at Security B-Sides on risk management as the cornerstone of a security architecture. He maintains a blog on security metrics and has presented to boards of three different organizations in diverse industries.

Vulnerability Management: No Excuses, A Network Engineer's Perspective

Richard Larkins, Network Architect at Arizona Cyber Warfare Range and President of the ISSA Phoenix Chapter
Anthony Kosednar, Chief Software Engineer at AZCWR

Vuln Management encompasses 3 out of the top 4 items in the SANS 20 and is a critical item for PCI DSS. Yet, so few companies manage to do it correctly. This presentation will cover the result of the author (a network geek) being unceremoniously thrown into one of those situations, and will detail the lessons learned from it. Tools used: NMap, Tripwire, Qualys, and Crayons.

Rich Larkins (Twitter: @arahel_jazz) is a Network Systems Engineer with way too many expired Cisco certifications. He has touched networks on 4 out of the 7 continents, over 10 countries, and is currently working on his third global satellite constellation ground control system. To further make life more unbearable, he has undertaken the role of network architect for the Arizona Cyber Warfare Range, which requires listening to hackers playing horrendous techno music at loud enough levels to drown out all the equipment in the room. Rich's real bright spot in life is his wife of 23 years, Patricia, and their two Cocker Spaniel rescue dogs (Luna and Orion) who have seven legs between them. You do the math.

Anthony Kosednar (Twitter: @akosednar) is an Information Security Engineer with a background in Aerospace. By day he helps secure corporations and large events (such as Super Bowl XLIX). By night, he puts on the cape of software architect for the Arizona Cyber Warfare Range. Through the darkness of night he helps program the systems that operate the range.

You Are Being Manipulated

GrayRaven, Senior Software Engineer at Cisco Systems

You are being manipulated. There is constant pressure coming from companies, people, and attackers. Millions are spent researching and studying your weaknesses. The attack vectors are subtle. Most times we don't realize that manipulation has occurred until it is too late. Fear not, we can harden our defenses. We can put safeguards in place to help avoid being the victim. For me, the answer came from an unlikely source: my daughter. Small children are fantastic. Society has not yet influenced their development; therefore, children are relentless in pursuing their aims. Since they are naive to right and wrong, they will use any tool available to get their goal. How does this help? My daughter became my trainer, and this talk discusses how interacting with her has improved my defenses. Comparing her strategies to real world examples will show how to build a training framework of your own. Access to small children is not needed.

GrayRaven (Twitter: @_grayraven_) is a senior software engineer at Cisco Systems. He has been fascinated with manipulation since his childhood. Despite receiving a degree in psychology, he spent 18 years as a professional in the Information Technology space. GrayRaven spent the first seven years of his career as a system and network administrator before moving to the dark art of programming. Two years ago he stopped dabbling and tumbled down the security rabbit hole. This journey makes him believe that he is finally using his degree professionally. During his downtime, GrayRaven can be found practicing martial arts, brewing beer and mead, or writing.

Stay tuned for schedule: http://www.wallofsheep.com/pages/speaker-workshops-at-def-con-24.


LinkedIn Breach Resurfaces: 1 in 4 Accounts Compromised

Details are starting to come out about the massive LinkedIn breach that is gaining attention this week even though it first occurred in 2012.

ZDSearch has a nice tally of the worst passwords found in the dump here. Top three worst offenders:

  • 753,305 people used ‘123456’
  • 172,523 people used ‘linkedin’
  • 144,458 people used ‘password’

According to Krebs, 117 million accounts are likely compromised instead of the 6.5 million originally stated. (That’s 1 of every 4 users of LinkedIn, which has around 430 million users.) LeakedSource has a searchable database for those interested in whether their account is one of those affected.

MotherBoard has been in contact with LeakedSource and a hacker known as ‘Peace’ who claims to have the full dump. With security researcher Troy Hunt, they claim to have reverse engineered 90% of the passwords within 72 hours. They’ve reached out to several LinkedIn users and they’ve been confirming account details.


Speaker Workshops at DEF CON 24 Call for Presentations Now Open

The Wall of Sheep would like to announce a call for presentations at DEF CON 24 at the Paris and Bally's Hotels in Las Vegas, NV from Thursday, August 4th to Sunday, August 7th. All accepted talks will be announced, recorded, and published by DEF CON Communications, Inc. Please see our YouTube channel for all Speaker Workshops from last year: https://www.youtube.com/channel/UCnL9S5Wv_dNvO381slSA06w.

This year, the Packet Hacking Village at DEF CON 24 will be on the 26th floor of Bally's Indigo Tower. The Call for Presentations will close on Wednesday, June 15th at 11:59 PM. The list of workshops will be finalized and published on Thursday, June 30th.

How: Complete the Call for Papers Form and send to cfp2016[at]wallofsheep[dot]com. Please also refer to the form for more details.


All Speaker Workshops from DEF CON 23 Now Posted On YouTube
