Please give as your heart directs and as you are able.
]]>There is a GoFundMe currently running to support the family of StilettoedMacgyver during this difficult time, and to help with her final expenses.
Please give as your heart directs and as you are able.
]]>It is with great sorrow and love that we pay tribute to one of our Shepherds. StilettoedMacgyver passed away on October 17, 2023. She gave selflessly of her time and energy to help the hacker community, and we are all diminished by her loss. It was her last wish that the community help to keep her daughter engaged and involved, and we will honor that.
This page will continue to be updated with pictures and tributes as we receive them.
From her husband:
Hey everyone, it is with the utmost sadness and love that I inform you that StilettoedMacgyver has logged off for the last time. On Tuesday night my beautiful wife Lynne May Farrell passed away after a hard fought years long battle with cancer. After exhausting all palliative options during a couple of lengthy final hospital stays I was able to bring her back for home hospice. It was a tough two weeks at home, but we were surrounded by our friends and family, and she is at peace now. I know you all know, but I want to reiterate how much the love and community meant to her. We had such a wonderful time in Vegas during our last family vacation and Roz is really excited for the two of us to come back. We love you all and I am truly so grateful for the friendships she had with all of you.
All talks will be held at the Village Stage in the Contest Area. You can enter via Room 232.
Title: Pwning the Pwners with Mindware
Speaker: Frank "D9" DiGiovanni
Abstract: Traditionally the cyber attacker has an asymmetric advantage over the cyber defender. But does it have to be that way? Is it possible for the cyber defender to take an "offensive stance." This talk will show how the emerging science of cyberpsychology and the leveraging of AI can provide the defender with the ability to pwn the most vulnerable component in the cyberattack kill chain, the attack's human operator. Leveraging the DoD's "Tularosa Study," this talk will cover a theoretical framework for achieving this objective, outline an operational vignette, and then cover some the specifics for such an approach.
Speaker Bio: Forty-one years of government service, Frank DiGiovanni is a retired USAF Colonel and DoD Senior Executive Service. Co-Led with the DoD CIO the development of the SecDef's DoD Cyber Workforce Strategy. Built from scratch a six-month DoD Cyber Operations training course, repurposed DEFCON's CTF and CTP technical architecture to support DoD cyber operations training, and now working advanced cyber R&D projects in private sector. UPENN doctoral dissertation examined what makes hackers extraordinary unique from the average human population.
Title: The Importance of Arts and Crafts in ThreatOps
Speaker: Pete Hay, Editor-in-Chief, TheCyber.Report
Abstract: Cybersecurity professionals spend an huge amount of time attempting to use a visual medium to communicate complicated concepts in a simple yet information-dense manner. However if you ask 10 analysts to map out the same incident, you'll get 10 divergent diagrams. In this presentation we present a method of leveling-up your cybersecurity-related arts and crafts skills: effectively diagramming incidents, threat reports, threat intel, and reporting to support full-spectrum ThreatOps.
Speaker Bio: In addition to being SimSpace's Principal Security Strategist, Pete is the Co-Founder & Editor-in-Chief of TheCyber.Report. Pete has an extensive & diverse background in technology driven fields including Computer Network Operations (CNO), Network Forensics, & Nuclear Chemistry, as well as one of the few patents issued in Cybersecurity & ZTA. A life-long learner & security enthusiast, Pete helps Fortune 10 banks test & refine their security postures, while running TheCyber.Report as a passion project.
Title: Death by 1000 Likes: How Much Do You Really Leak in Social
Media?
Speaker: Will Kay
Abstract: As lonely Aussies attending our first Defcon last year, we were frequently drawn to the hilarity/uniquness of the Wall of Sheep board. One of our group suggested people leaking at the con was super entertaining, but what about throughout the rest of the year? We decided to use the time between DC30 and DC31 scraping the r/defcon subreddit to create the Wall of Sheep - online edition.
Speaker Bio: Will works for a private security consultancy in Australia. He is cybersecurity advisor and insider threat consultant. His professional career began many years ago in military intelligence to which he owes his knowledge of traditional targeting methods. The organisation and team he works for today provides security awareness and reinforcement training. His passion is removing the weakness that exists across society to social engineering techniques, and believes a more secure and prosperous future begins with people.
Title: OSINT for Physical Security Intelligence
Speakers: Mike Raggo, Security Researcher, SilentSignals; Chet Hosmer,
Chief Scientist
Abstract: Organizations seek rapid intelligence about critical situations that impact their teams, locations, or assets. Yet when it comes to OSINT we find organizations performing Open Source Information gathering; wasting time sifting through data to get to the actionable intelligence. In this presentation we demonstrate how to collect curated data and eliminate 99% of the time spent on reliminary data analysis. Furthermore, all of this data can be combined to perform trending and predictive analysis for natural disasters, geo-political situations, or business risk. The goal is to provide attendees with ideas for formulating new approaches for physical security OSINT.
Speaker Bios: Michael T. Raggo has over 30 years of security research experience. During this time, he has uncovered and ethically disclosed vulnerabilities in products including Samsung, Checkpoint, and Netgear. Michael is the author of "Mobile Data Loss: Threats &Countermeasures" and "Data Hiding" for Syngress Book. He is also a frequent presenter at security conferences, including Black Hat, DEF CON, Gartner, RSA, DoD Cyber Crime, OWASP, SANS. He was also awarded the Pentagon's Certificate of Appreciation.
Chet Hosmer is an international author, educator, researcher, and founder of Python Forensics, Inc., a non-profit research institute focused on the collaborative development of open source investigative technologies using the Python programming language. Chet is also a Visiting Professor at Utica College in the Cybersecurity Graduate Program, where his research and teaching is focused on data hiding, active cyber defense and security of industrial control systems. Additionally, Chet is an Adjunct Professor at Champlain College in the Digital Forensics Graduate Program, where his research and teaching is focused on solving hard digital investigation problems using the Python programming language.
Title: WINE Pairing with Malware
Speaker: Jared Stroud, Lead Security Engineer, The MITRE Corporation
Abstract: The growing popularity of playing AAA Windows video games on Linux has increased the compatibility of tools such as WINE and Proton. These same platforms that enable the latest games to run also can be used to execute the latest Malware. This talk will walk through configuring an environment to rapidly collect IoCs from unknown samples without having to use expensive sandboxes. Learn how to leverage your favorite UNIX tools to awk, grep, and pipe your way to extracting valuable forensic evidence without submitting your samples to $VENDOR. More on the offensive side? Come see how to shorten the feedback loop from idea generation, to testing and finally deployment!
Speaker Bio: Jared Stroud is a Lead Security Engineer at The MITRE Corporation tackling problems related to Container and Kubernetes security. Jared also contributes to ATT&CK via Adversary Emulation for Linux threats.
The Wall of Sheep would like to announce a call for presentations at DEF CON 31 in Las Vegas, NV from Thursday, August 10th to Sunday, August 13th. Packet Hacking Village Talks goal is to deliver talks that increase security awareness and provide skills that can be immediately applied after the conference. Our audience ranges from those who are new to security to the most seasoned practitioners in the security industry. We are accepting submissions from individuals and organizations on any of the topic areas, including, but not limited to, the following technologies and applications:
DEF CON attracts a wide range of technological skill sets, presentations need to be accessible, with explanatory information to help the audience understand.
The Wall of Sheep will not accept product or vendor related pitches. If your talk is a thinly-veiled advertisement for a product or service your company is offering, please do not apply! We will also not accept talks that have been given elsewhere, including at DEF CON / Black Hat / BSides.
All accepted talks will be announced, recorded, and published by Aries Security, LLC. and DEF CON Communications, Inc. Please see our YouTube channel for all talks from previous years: https://www.youtube.com/channel/UCnL9S5Wv_dNvO381slSA06w and https://www.youtube.com/channel/UC6Om9kAkl32dWlDSNlDS9Iw.
The Call for Presentations will close on Friday, June 16th at 11:59 PM PST. The list of talks will be finalized and published on Friday, June 30th.
Each presentation slot is 1 hour maximum, including time for Q&A. If we have time and it is in line with our goals mentioned above, then there is a good chance you will be selected.
Presentations will be hosted from the Packet Hacking Village where they will be simulcast live over Discord Stages. This is a compromise to save space and maximize participation and engagement. Q+A will be available digitally and speakers should be prepared to answer questions that come in online.
To submit a presentation, please provide the following information in the form below to cfp2023[at]wallofsheep[dot]com
Your abstract will be used for the website and printed materials. Summarize what your presentation will cover. Attendees will read this to get an idea of what they should know before your presentation, and what they will learn after. Use this to inform about how technical your talk is. This abstract is the primary way people will be drawn to your session. CFP reviews like to see what tools will be used and what materials you suggest to read in advance to get the most out of your presentation.
The Wall of Sheep will provide 1 projector feed, and microphones. If you need to use multiple outputs for a demo, please mention this below.
This text will be used for the website and printed materials and should be written in the third person. Cover any professional history that is relevant to the presentation, including past jobs, tools that you have written, etc. Let people know who you are and why you are qualified to speak on your topic. Presentations that are submitted without biographies will not be considered.
You must provide a detailed outline containing the main points and navigation through your talk. Show how you intend to begin, where you intend to lead the audience and how you plan to get there. The outline may be provided in a separate attachment and may be as simple as a text file or as detailed as a "bare bones" presentation. The better your outline then the better we are able to best review your presentation against other submissions (and the higher chance you have of being accepted). SUBMISSION NOTE: Presentations that are submitted without abstracts, outlines, or speaker bios (e.g., that have only PDFs, PPTs, or white papers attached or only point to a URL) will not be considered.
Additional supporting materials such as code, white papers, proof of concept, etc. should be sent along with this email to cfp2023[at]wallofsheep[dot]com. Note that additional files that may help in the selection process should be included. We are not asking for a complete presentation for this initial submission. That will only be required if you are selected for presenting.
By submitting you agree to the Terms and Conditions below. Please read and accept these terms by inserting your name in the appropriate area, otherwise your application will be considered incomplete and returned to you.
I warrant that the above work has not been previously published elsewhere, or if it has, that I have obtained permission for its publication by DEF CON Communications, Inc. and Aries Security, LLC. and that I will promptly supply DEF CON Communications, Inc. and Aries Security, LLC. with wording for crediting the original publication and copyright owner. If I am selected for presentation, I hereby give DEF CON Communications, Inc. and Aries Security, LLC. permission to duplicate, record and redistribute this presentation, which includes, but is not limited to, the conference proceedings, conference CD, video, audio, and hand-outs to the conference attendees for educational, on-line, and all other purposes.
1. I will submit a completed (and possibly updated) presentation and a reference to all of the tool(s), law(s), Web sites and/or publications referenced to at the end of my talk and as described in this CFP submission by noon PST, June 30th, 2023.
2. I will submit a final Abstract and Biography to the Wall of Sheep by noon PST, June 30th, 2023.
3. I will include a detailed bibliography as either a separate document or included within the presentation of all resources cited and/or used in my presentation.
4. I will complete my presentation within the time allocated to me --not running over the time allocation.
5. I understand that the Wall of Sheep will provide 1 LCD projector feed, 2 screens, and microphones. I understand that I am responsible for providing all other necessary equipment, including laptops and machines (with VGA output), to complete my presentation.
6. I understand that I will be responsible for my own hotel and travel expenses, and admissions to the DEF CON Conference.
Yes, I, (insert primary speaker name), have read and agree to the Grant of Copyright Use.
I, (insert your name here), have read and understand and agree to the terms as detailed in the Agreement to Terms of Speaking Requirements.
In the case that a speaker is a child under the age of 13 years old: in compliance with the Children's Online Privacy Protection Act (COPPA) regulations, http://www.coppa.org, any child under age 13 must have parental consent for the collection, use, or disclosure of that child's personal information by a website. Parent/Guardian Consent: I (insert parent/guardian's name here) am the parent or guardian of the minor/s named above. I have read and understand and agree to the terms as detailed in the Agreement to Terms of Speaking Requirements.
]]>PHV will be doing load/unload and setup all day.
Feel free to come around and say hello. If we have gear, there will be beats.
I press enter!
sync & destroy
I'd like to buy a vowel.
oontz oontz oontz
"Published a book and stuff. math is cool" is what someone thinks I would write in my bio.
oontz oontz oontz
Are you the police? No Ma'am, we're DJs
One time in 2018, he got a noise complaint for playing music in the middle of the Mojave desert.
synth freaks, massive beats, plywood boxes, spicy grooves
"When I eat fire, you shouldn't think about how I'm doing it; I really do get burned. You should think about -why-..." -Penn Jillette
With over a decade of experience as a college radio DJ at KWCR on Nerd Show, kampf has waded long and deep through the muddied waters of electronic music, casting his rod time and again to obtain, then share the eclectic, the compelling, the sounds off the beaten path and those lesser know varieties or species. Resident DJ for the DEF CON Chillout Lounge and for DEF CON Radio on SomaFM.com. Spinning vinyl for WoS/Packet Hacking Village since DEF CON 20!
Miss Jackalope is DEF CON's resident community DJ. She has a weekly Twitch show and a legendary Jackalope Army merch store. She plays drum and bass and bass house and is known for ceiling destruction! Happy to be back at the PHV!
Devoted disciple of the darker electronic sounds. Specializing in murky shades of Techno, D&B, and everything in-between.
crunchy kicks and bleeps and bloops from outer space
]]>All times are in PDT. Schedules are subject to change.
The perfect introduction to network analysis, sniffing, and forensics. Do you want to understand the techniques people use to tap into a network, steal passwords and listen to conversations? Packet Inspector is the place to develop these skills! For well over a decade, the Wall of Sheep has shown people how important it is to use end-to-end encryption to keep sensitive information like passwords private. Using a license of the world famous Capture The Packet engine from Aries Security, we have created a unique way to teach hands-on skills in a controlled real-time environment.
Looking to upgrade your skills or see how you would fare in Capture The Packet? Come check out what Packet Detective has to offer! A step up in difficulty from Packet Inspector, Packet Detective will put your network hunting abilities to the test with real-world scenarios at the intermediate level. Take the next step in your journey towards network mastery in a friendly environment still focused on learning and take another step closer to preparing yourself for the competitive environment of Capture The Packet.
Come compete in the world's most challenging cyber defense competition based on the Aries Security Cyber Range. Tear through the challenges, traverse a hostile enterprise class network, and diligently analyze what is found in order to make it out unscathed. Not only glory, but prizes await those that emerge victorious from this upgraded labyrinth, so only the best prepared and battle hardened will escape the crucible.
Don't know how to make a network cable and want to learn? Has it been years? Or do you think you're a pro? Come see if you can... make the best cable at con by cut/wire/crimp.
You are the world's greatest hacker. You find vulnerable machine open to SSH and brute force the root credentials easily! Hooray! But wait, are you actually on a vulnerable machine full of secrets, or a honeypot logging your every keystroke?
In this half hour workshop, you'll get your very own Cowrie honeypot (https://github.com/cowrie/cowrie) running on Ubuntu, and learn how to modify it, administer it, and watch the logs for hackers in action!
This workshop is great for both advanced Linux users who want to learn a new skill or those who have never used Linux before! We'll give you command-by-command instructions along with helpful guidance and starting points if you want to go off and do something cool.
Knowing how to use the Linux command line is a critical skill for any good security practitioner. This trainer will have 10+ problems covering some of the most fundamental Linux commands. This trainer is for people new to field and for those who want to hone their Linux command line-fu.
The NetworkOS workshop will take you into the mysterious world which underpins modern computing and allows people to talk across the globe. This of course being the network itself. In this workshop you will familiarize yourself with the command line of network devices. Step by step, you will configure devices to talk to each other, share information about the computers connected to them, and relay their network information and traffic between each other. No experience needed, know how to type and copy/paste.
Regular Expressions or RegEX are used everywhere! If you aspire to be a Pentester, Threat Hunter, Programmer, Network Engineer, DevOps or really anything in technology today, RegEx is a skill all the greats have and the majority of the industry are terrible at. Come learn or brush up on your RegEx skills in on our live trainer.
Thursday, August 11th | Friday, August 12th | Saturday, August 13th | Sunday, August 14th | |
---|---|---|---|---|
10:00 |
PHV will be doing load/unload and setup all day. Feel free to come around and say hello. If we have gear, there will be beats. |
Funktribe | Canyon | kampf |
11:00 | phreakocious | Y&T | kampf | |
12:00 | tense x phreak | Deep Therapy | Athlex | |
13:00 | Tense Future | Miss Jackalope | Closing Ceremony | |
14:00 | Y&T | icetre normal | ||
15:00 | Hanz Dwight | phreakocious | ||
16:00 | DotOrNot | tavoo | ||
17:00 | heckseven + pals | T A N |
I press enter!
sync & destroy
I'd like to buy a vowel.
oontz oontz oontz
"Published a book and stuff. math is cool" is what someone thinks I would write in my bio.
oontz oontz oontz
Are you the police? No Ma'am, we're DJs
One time in 2018, he got a noise complaint for playing music in the middle of the Mojave desert.
synth freaks, massive beats, plywood boxes, spicy grooves
"When I eat fire, you shouldn't think about how I'm doing it; I really do get burned. You should think about -why-..." -Penn Jillette
With over a decade of experience as a college radio DJ at KWCR on Nerd Show, kampf has waded long and deep through the muddied waters of electronic music, casting his rod time and again to obtain, then share the eclectic, the compelling, the sounds off the beaten path and those lesser know varieties or species. Resident DJ for the DEF CON Chillout Lounge and for DEF CON Radio on SomaFM.com. Spinning vinyl for WoS/Packet Hacking Village since DEF CON 20!
Miss Jackalope is DEF CON's resident community DJ. She has a weekly Twitch show and a legendary Jackalope Army merch store. She plays drum and bass and bass house and is known for ceiling destruction! Happy to be back at the PHV!
Devoted disciple of the darker electronic sounds. Specializing in murky shades of Techno, D&B, and everything in-between.
crunchy kicks and bleeps and bloops from outer space
]]>Friday, August 6, 2021 (all times PDT [GMT-7]) | |
---|---|
09:00 - 11:00 |
Web App Penetration Testing Workshop Dr. Sunny Wear |
12:00 - 14:00 |
Hunting Evil with Wireshark Michael Wylie |
Saturday, August 7, 2021 | |
09:00 - 11:00 |
APT Hunting with Splunk John Stoner |
12:00 - 14:00 |
Security Investigations with Splunk Robert Wagner |
Sunday, August 8, 2021 | |
09:00 - 11:00 |
Intrusion Analysis and Threat Hunting with Suricata Josh Stroschein, Peter Manev |
12:00 - 14:00 |
Hands-On TCP Deep Dive with Wireshark Chris Greer |
Gain hands-on experience learning how to perform web application penetration testing in this two-hour workshop with the author of the Burp Suite Cookbook, Dr. Sunny Wear. Students will learn Injections attacks such as Cross-site Scripting and SQL Injection attacks, brute-forcing tactics, and optimization techniques for Burp Suite including configurations and macros.
Dr. Sunny Wear (Twitter: @SunnyWear) is a Web Security Architect and Penetration Tester. She provides secure coding classes, creates software, and performs penetration testing against web/API and mobile applications. Sunny has more than 25 years of hands-on software programming, architecture and security experience and holds a Doctor of Science in Cybersecurity. She is a published author, "Burp Suite Cookbook", a developer of mobile apps, such as the “Burp Tool Buddy,” and is a Pluralsight content creator, "Burp Suite for Beginners/Advanced/Writing Plugins". She regularly speaks and holds classes at security conferences such as Defcon, Hackfest, and BSides.
This workshop will take attendees’ Wireshark skills to the next level with a heavy emphasis on incident response, threat hunting, and identifying anomalous network traffic. This workshop will begin with a brief introduction to Wireshark and other Network Security Monitoring (NSM) tools/concepts. Throughout the workshop, we’ll examine what different attacks and malware look like while using Wireshark. Attendees will then have hands-on time in the lab to search for Indicators of Compromise (IOCs) and TTPs utilizing staged packet capture files. Labs start out easy and quickly progress in difficulty. There will be plenty of take-home labs for additional practice.
Michael Wylie, MBA, CISSP (Twitter: @TheMikeWylie) is the Sr. Manager of a threat hunting team. In his role, Michael is responsible for managing a global team of analysts hunting for hands-on keyboards activity within customer environments. Michael has developed and taught numerous courses for the U.S. Department of Defense, DEFCON, Universities, and for clients around the world. Michael is the winner of numerous SANS challenge coins and holds the following credentials: CISSP, CCNA R&S, CCNA CyberOps, GMON, GPEN, GCFE, TPN, CEH, CEI, VCP-DCV, CHPA, PenTest+, Project+, and more.
Interested in practicing your hunting skills? If so, this is the workshop for you. Using a real-worldish dataset, this workshop will teach you how to hunt the “fictional” APT group Violent Memmes. We discuss the Diamond model, building hypotheses, LM Kill Chain, and MITRE ATT&CK and how these concepts can frame your hunting. Using Splunk, we will hunt for APT activity riddling a small startup's environment. During the event, we will be presented with a "notable event" and pull on that string to conduct our own hunts based on indicators that we uncover or are identified. Depending on the hunt, we will uncover persistence, exfiltration, c2 and other adversary tactics. We may even find some PowerShell scripts. We will regroup and review the specific hunt conducted and discuss the timeline of events, a narrative that could be shared with others on your team, the artifacts that were uncovered to better identify potential future hunts, ATT&CK techniques referenced as well as what could be operationalized. At the end, we will highlight some additional datasets and content that you can take with you and try newly learned techniques yourself.
John Stoner (Twitter: @stonerpsu) is a Principal Security Strategist at Splunk where he enjoys writing, problem solving and building stuff, including APT Scenarios. When not doing cyber things, you can find him watching his boys play hockey, reading or binge-watching TV series that everyone else has already seen.
Investigating with Splunk is a hands-on workshop designed to familiarize participants with how to investigate incidents using Splunk and open source. This workshop provides users a way to gain experience searching in Splunk to answer specific questions related to an investigation. These questions are similar to what would be asked in their own organizations. The workshop leverages the popular Boss of the SOC (BOTS) dataset in a question-and-answer format. Users will leave with a better understanding of how Splunk can be used to investigate in their enterprise. The class includes access to download the free “Investigating with Splunk” app that can be used to review the exercises after the class.
Robert Wagner (Twitter: @mr_minion) is a security professional with 15+ years of InfoSec experience. He is a co-founder of the “Hak4Kidz” charity, a co-organizer of BurbSec and BurbSecCon in Chicago, and is on the Board of Directors of the ISSA Chicago Chapter.
In today’s threat landscape, sophisticated adversaries have routinely demonstrated the ability to compromise enterprise networks and remain hidden for extended periods of time. In Intrusion Analysis and Threat Hunting with open-source Tools, you will learn how to dig deep into network traffic to identify key evidence that a compromise has occurred, learn how to deal with new forms of attack, and develop the skills necessary to proactively search for evidence of new breaches. We will explore key phases of adversary tactics and techniques - from delivery mechanisms to post-infection traffic to get hands-on analysis experience. Open-source tools such as Suricata and Moloch will be utilized to generate data, perform exhaustive traffic analysis, and develop comprehensive threat hunting strategies. By the end of this workshop, you will have the knowledge and skills necessary to discover new threats in your network.
Josh Stroschein (Twitter: @jstrosch) is an experienced malware analyst and reverse engineer and has a passion for sharing his knowledge with others. He is the Director of Training for OISF, where he leads all training activity for the foundation and is also responsible for academic outreach and developing research initiatives. Josh is also an Associate Professor of Cyber Security at Dakota State University where he teaches malware analysis and reverse engineering, an author on Pluralsight, and a threat researcher for Bromium.
Peter Manev (Twitter: @pevma) is a co-founder of Stamus Networks, where he acts as CSO. He has been an active OISF member for a decade and has a 15 year-long record of activity in the field of IT security. An adamant admirer and explorer of innovative open-source security software, Peter is also the lead developer of SELKS.
A solid understanding of how TCP works is critical for anyone interested in cybersecurity. Almost all enumeration, incident response, and traffic forensics require the analyst to dig into and interpret TCP flows. In this video we will take a look at how TCP is used to investigate and establish connections, how data is transmitted and acknowledged, how connections are torn down, and what problem indicators should catch our eye in Wireshark. This video welcomes all cybersecurity and Wireshark experience levels.
Chris Greer is a network analyst and Wireshark instructor for Packet Pioneer, a Wireshark University partner. He has focused much of his career at the transport layer, specifically TCP, specializing in how this core protocol works to deliver applications, services, and attacks between systems. Chris is a regular speaker at Sharkfest - the Wireshark Developer and User Conference, as well as an author for Pluralsight.
]]>Recording discusses Linux and Unix processes, starting with a high level overview of what a process is and what the key components are. We then take a look at how the operating system manages multiple processes, what are the main components of a running process, and finally some common syscalls used in Linux when creating processes. Finally, we look at a few code samples to show how these calls are used with a simple shell. All code can be found here to compliment the video: https://github.com/superducktoes/syscall_processes
Nick Roy (Twitter: @superducktoes) currently works for a global security vendor creating training content and researching new attacker patterns and techniques. Previously he worked at an automation platform startup teaching people about the joys and benefits of automation. While not working he lives in Boston with his wife and two cats hunting out the best dive bars in Boston and solving math problems on college chalkboards overnight.
The Internet Protocol is one of the foundational protocols of the Internet, and is what keeps devices connected. This video talks about the fundamentals of the Internet Protocol.
Roy Feng (Twitter: @LPF613) is a networking and cybersecurity enthusiast. He has six years of experience working as a network engineer and one year working in threat intelligence. His latest role is at a managed security service provider, where he leads a team of incident responders and threat hunters to help investigate and respond to incidents as well as hunt for threats in customer environments. In his spare time, Roy can be seen building and maintaining his home lab, and learning about and tinkering with the latest and greatest technologies.
The strace utility allows for deep insight into what an application is doing on a nix host. While the amount of data produced can be overwhelming, in this video I'll demonstrate how to filter, log and obtain relevant information for a wide variety of use cases around file analysis. From diagnosing a bisheaving application, to revealing a malware's secrets. This video will give a practical introduction in using strace to spy on *nix applications at the syscall level. All resources can be found here: https://www.github.com/lacework-dev/strace_lab_PUBLIC
Jared Stroud (Twitter: @DLL_Cool_J) is a Cloud Security Researcher at Lacework where he focuses on emerging Linux and Cloud platform threats. Previously, he worked at The MITRE Corporation where he contributed Unix and Windows tooling for the ATT&CK Fin7/CARBANAK Evaluation and the Open Source adversary emulation utility CALDERA.
For 10+ years MITRE has been engaged in denial, deception, and adversary engagement operations for internal defense and research purposes. We have created MITRE Engage as a framework for planning and communicating about adversary engagement operations. In our talk we include:
Dr. Stanley Barr is a three-time graduate of University of Massachusetts Lowell. He has a BS in Information Sciences, an MS in Mathematics, and a PhD in Computer Science. He has coauthored papers in malware analysis, barrier coverage problems, expert systems for network security, and robotic manufacturing. He has spoken at MILCOM and been a panelist for several conferences. Additionally, he has appeared on several podcasts on adversary engagement and presented at TEDx. Currently, he is a Principal Scientist at The MITRE Corporation. He currently is the Capability Area Leader for Cyber Denial, Deception, and Adversary Engagement. Stan lives with his wife, 5 rescue dogs, and 15 chickens.
Gabby Raymond is a two-time graduate from Tufts University. She holds a B.S. in Mathematics and Computer Science and a M.S. in Computer Science. Her research has spanned topics in intrusion detection, cyber-physical systems, and machine learning applications for security. Gabby recently co-authored a Choose Your Own Adventure style book called "The Toolbox of Innovation" with members of MITRE's Innovation Toolkit team. Outside of work, Gabby enjoys knitting and judging science fairs. Gabby is the Co-Capability Area Lead for Cyber Deception and Adversary Engagement at The MITRE Corporation.
Maretta Morovitz is a graduate of Tufts University School of Engineering, where she graduated with a degree in Computer Science. She is a Senior Cyber Security Engineer at the MITRE Corporation where she works in the areas of adversary engagement, malware analysis, and reverse engineering. She is a founding member of MITRE's Cyber Deterrence and Adversary Management (CDAM) team and has helped shape MITRE's adversary engagement work for the last two years. She was recently named as one fo the AFCEA 40 Under 40 Awardees for 2021. Outside of work you can find her nerding out about the latest Brandon Sanderson novel, still anxiously awaiting her letter from Hogwarts, or snuggling with her dog and hedgehog.
I will touch Some Alternative Bypass Restriction Techniques. Then I will present a vulnerability of Ericsson Network Location that provides the infrastructure of the research and we are going to touch on the meow variant with details through this vulnerability Towards the end we are going to prepare a Metasploit module and exploit the vulnerability.
Ozkan (Twitter: @ehakkus) is a vulnerability researcher and senior cyber security consultant in Turkey. Ozkan publishes security vulnerabilities on international platforms that he has discovered. He shares his experiences and works on his personal blog (https://www.pentest.com.tr). He gave training and presentations in many universities and institutions in his country. In addition to these studies, He gave the presentation of "The Vulnerability That Gmail Overlooked and Enabling Threat Hunting" in Packet Hacking Village at DEF CON 28 and "0day Hunting and RCE Exploitation in Web Applications" in AppSec Village at DEF CON 27.
During an incident, everyone knows you need to review the logs – but what are they actually telling you? There's a wealth of information to be had in your logs event logs, but most analysts miss the forest because they don't understand the trees. In this talk, Jake will walk you through some of the most impactful event logs to focus on in your analysis. We'll target some old favorites covering login events, service creation, and process execution. We'll also examine task scheduler logs, useful in uncovering lateral movement and privilege escalation. Finally, we'll discuss some of the new event logs available in Windows 10 (if only you enable them first). If you don't want to be barking up the wrong tree during your next insider investigation or getting axed because you failed to identify the lateral movement attempts, make sure to watch this video.
Jake Williams (Twitter: @malwarejake) is an incident responder, red teamer, occasional vCISO, and prolific infosec shitposter. He has traveled the world, but isn't welcome in China or Russia (and avoids most countries they have extradition treaties with). When not speaking at a conference like this one, it's a good bet that Jake is engaged in hand to hand combat with an adversary rooted deep in a network or engineering ways to keep them out. Jake's career in infosec started in the intelligence community, but has taken around the world securing networks of all shapes and sizes, from utilities to hospitals to manufacturing plants.
This talk is a brief summary of how to collect and centralize Windows Event Logs for analysis and free tools that can be used to do so. There is also a demonstration of how to use Elastic Stack to investigate an incident using these collected logs.
Matthew Gracie (Twitter: @InfosecGoon) has over a decade of experience in information security, working to defend networks in higher education, manufacturing, and financial services. He is currently a Senior Engineer at Security Onion Solutions and the founder of the Infosec 716 monthly meetup. Matt enjoys good beer, mountain bikes, Debian-based Linux distributions, and college hockey.
Pervasive monitoring of the Internet by both government, corporate, and criminal actors has triggered an encryption wavefront as wide as the Internet itself. DNS, as the map of the Internet's territory, is seen as especially sensitive and there are now several competing encryption standards waiting to be deployed. In this short talk, Dr. Vixie will explain the original problem, describe the protocol-level solutions, and then show how vendors like Google, Mozilla Corporation, Microsoft, and Apple are deploying these technologies across their product lines. Opinions may also be offered.
Dr. Paul Vixie (Twitter: @PaulVixie) is an Internet pioneer. Currently, he is the Chairman, Chief Executive Officer and Cofounder of Farsight Security, Inc. He was inducted into the Internet Hall of Fame in 2014 for work related to DNS and DNSSEC. Dr. Vixie is a prolific author of open-source Internet software including BIND, and of many Internet standards documents concerning DNS and DNSSEC. In addition, he founded the first anti-spam company (MAPS, 1996), the first non-profit Internet infrastructure software company (ISC, 1994), and the first neutral and commercial Internet exchange (PAIX, 1991). He earned his Ph.D. from Keio University.
We have identified these topics as the fundamental pillars of knowledge in Cyber Security. Our Packet Detective, Packet Inspector, and Capture The Packet events each provide attendees a way to apply knowledge from these topics and more in an engaging learning environment. Our goal is to build a glossary of fundamentals for Cyber Security people of all kinds: students, practitioners, teachers, lawmakers, government officials, and professionals.
Product or vendor related pitches are not welcomed.
To submit a talk, please provide the following information and link to presentation video in the form below to cfp2021[at]wallofsheep[dot]com. The Call for Presentations will close on Friday, July 30th, at 11:59 PM PDT. The list of talks will be finalized and published on Sunday, August 1st.
This text will be used for the website and printed materials and should be written in the third person. Cover any professional history that is relevant to the presentation, including past jobs, tools that you have written, etc. Let people know who you are and why you are qualified to speak on your topic. Presentations that are submitted without biographies will not be considered.
As for video format, please use MP4.
By submitting you agree to the Terms and Conditions below. Please read and accept these terms by inserting your name in the appropriate area, otherwise your application will be considered incomplete and returned to you.
I warrant that the above work has not been previously published elsewhere, or if it has, that I have obtained permission for its publication Aries Security, LLC. and that I will promptly supply Aries Security, LLC. with wording for crediting the original publication and copyright owner. If I am selected for presentation, I hereby give Aries Security, LLC. permission to duplicate, record and redistribute this presentation, which includes, but is not limited to, the conference proceedings, conference CD, video, audio, and hand-outs to the conference attendees for educational, on-line, and all other purposes.
]]>The Wall of Sheep would like to announce a call for workshops at DEF CON 29, "You Can't Stop the Signal." This hybrid conference will take place from Thursday, August 5 to Sunday, August 8, 2021. The Packet Hacking Village Virtual Workshops' goal is to deliver hands-on virtual training sessions that increase security awareness and provide skills to help bridge the gap between existing knowledge and more advanced topics with the intent to allow for immediate application after the conference. Our audience ranges from those new to security to the most seasoned security practitioners. Introductory workshops are welcome! A nominal fee will be charged for advanced registration of these workshops. However, all proceeds will go directly to The National Upcycled Computing Collective. Here is your chance to give back to the community in multiple ways! Each student will have access to a Kali Virtual Machine (VM) and other VMs that the instructor requires. Teaching assistants will be available to provide students with essential support if necessary.
Potential topics could include:
The Wall of Sheep will not accept product or vendor-related pitches. If your content is a thinly veiled advertisement for a product or service your company is offering, please do not apply!
The Call for Presentations will close on Friday, June 25, 2021, at 11:59 PM PDT. The list of talks will be finalized and published on Wednesday, July 21, 2021.
Each teaching slot is 1, 1.5, or 2 hours maximum, including time for Q&A. If we have time and it is in line with our goals mentioned above, then there is a good chance you will be selected.
(1, 1.5, or 2 hours)
Your abstract will be used for the website and printed materials. Summarize what your workshop will cover. Attendees will read this to get an idea of what they should know before your presentation and what they will learn after. Use this to inform about how technical your talk is. This abstract is the primary way people will be drawn to your session. CFW reviewers like to see what tools will be used and what materials you suggest reading in advance to get the most out of your presentation.
This text will be used for the website and printed materials and should be written in the third person. Cover any professional history that is relevant to the presentation, including past jobs, tools that you have written, etc. Let people know who you are and why you are qualified to speak on your topic. Presentations that are submitted without biographies will not be considered.
You must provide a detailed outline containing the main points and navigation through your workshop. Show how you intend to begin, where you intend to lead the audience, and how you plan to get there. The outline may be provided in a separate attachment and may be as simple as a text file or as detailed as a "bare bones" presentation. The better your outline then, the better we can review your presentation against other submissions (and the higher chance you have of being accepted).
SUBMISSION NOTE: Presentations that are submitted without abstracts, outlines, or speaker bios (e.g., that have only PDFs, PPTs, or white papers attached or only point to a URL) will not be considered.
Additional supporting materials such as code, white papers, proof of concept, etc., should be sent along with this email to cfw2021[at]wallofsheep[dot]com. Note that additional files that may help in the selection process should be included. We are not asking for a complete presentation for this initial submission. That will only be required if you are selected for presenting.
Attendees will be allowed to pre-register for the workshop prior to DEF CON; there will be a small charge with the proceeds going to a charity of the Packet Hacking Village's choice.
By submitting, you agree to the Terms and Conditions below. Please read and accept these terms by inserting your name in the appropriate area; otherwise, your application will be considered incomplete and returned to you.
I warrant that the above work has not been previously published elsewhere, or if it has, that I have obtained permission for its publication by Aries Security, LLC. and that I will promptly supply Aries Security, LLC. with wording for crediting the original publication and copyright owner. If I am selected for presentation, I hereby give Aries Security, LLC. Permission to duplicate, record, and redistribute this presentation, which includes, but is not limited to, the conference proceedings, conference CD, video, audio, and hand-outs to the conference attendees for educational, online, and all other purposes.
1. I will submit a completed (and possibly updated) presentation and a reference to all the tool(s), law(s), Web sites and/or publications referenced at the end of my talk and as described in this CFW submission by noon PDT, July 21, 2021.
2. I will submit a final Abstract and Biography to the Wall of Sheep by noon PDT, July 21, 2021.
3. I will include a detailed bibliography as either a separate document or contained within the presentation of all resources cited and/or used in my presentation.
4. I will complete my presentation within the time allocated to me - not running over the time allocation.
More events, including new ones, will be announced soon. We look forward to seeing you all in some capacity.
The perfect introduction to network analysis, sniffing, and forensics. Do you want to understand the techniques people use to tap into a network, steal passwords and listen to conversations? Packet Inspector is the place to develop these skills! For well over a decade, the Wall of Sheep has shown people how important it is to use end-to-end encryption to keep sensitive information like passwords private. Using a license of the world famous Capture The Packet engine from Aries Security, we have created a unique way to teach hands-on skills in a controlled real-time environment.
Looking to upgrade your skills or see how you would fare in Capture The Packet? Come check out what Packet Detective has to offer! A step up in difficulty from Packet Investigator, Packet Detective will put your network hunting abilities to the test with real-world scenarios at the intermediate level. Take the next step in your journey towards network mastery in a friendly environment still focused on learning and take another step closer to preparing yourself for the competitive environment of Capture The Packet.
Come compete in the world's most challenging cyber defense competition based on the Aries Security Cyber Range. Tear through the challenges, traverse a hostile enterprise class network, and diligently analyze what is found in order to make it out unscathed. Not only glory, but prizes await those that emerge victorious from this upgraded labyrinth, so only the best prepared and battle hardened will escape the crucible.
]]>The Wall of Sheep would like to announce a call for Workshops at DEF CON 28 “Safe Mode.” This virtual conference will take place from Thursday, August 6th to Sunday, August 9th. The Packet Hacking Village Workshops’ goal is to deliver hands-on training sessions that increase security awareness and provide skills that can be immediately applied after the conference. Our audience ranges from those who are new to security to the most seasoned practitioners in the security industry. Introductory workshops are welcome! A very nominal fee will be charged for advanced registration of these workshops. However, all proceeds will go directly to The National Upcycled Computing Initiative (NUCC). This is your chance to give back to the community in multiple ways!
Each student will have access to a Kali virtual machine (VM) and other VMs that are required by the instructor. Teaching assistants will be available to provide basic support if necessary.
Topics of interest include:
The Wall of Sheep will not accept product or vendor related pitches. If your content is a thinly-veiled advertisement for a product or service your company is offering, please do not apply!
The Call for Presentations will close on Friday, June 26th at 11:59 PM PDT. The list of talks will be finalized and published on Wednesday, July 15th.
Each teaching slot is 1, 1.5 or 2 hours maximum, including time for Q&A. If we have time and it is in line with our goals mentioned above, then there is a good chance you will be selected.
(1, 1.5, or 2 hours)
Your abstract will be used for the website and printed materials. Summarize what your workshop will cover. Attendees will read this to get an idea of what they should know before your presentation, and what they will learn after. Use this to inform about how technical your talk is. This abstract is the primary way people will be drawn to your session. CFW reviewers like to see what tools will be used and what materials you suggest to read in advance to get the most out of your presentation.
This text will be used for the website and printed materials and should be written in the third person. Cover any professional history that is relevant to the presentation, including past jobs, tools that you have written, etc. Let people know who you are and why you are qualified to speak on your topic. Presentations that are submitted without biographies will not be considered.
You must provide a detailed outline containing the main points and navigation through your workshop. Show how you intend to begin, where you intend to lead the audience and how you plan to get there. The outline may be provided in a separate attachment and may be as simple as a text file or as detailed as a "bare bones" presentation. The better your outline then the better we are able to best review your presentation against other submissions (and the higher chance you have of being accepted). SUBMISSION NOTE: Presentations that are submitted without abstracts, outlines, or speaker bios (e.g., that have only PDFs, PPTs, or white papers attached or only point to a URL) will not be considered.
Additional supporting materials such as code, white papers, proof of concept, etc. should be sent along with this email to cfw2020[at]wallofsheep[dot]com. Note that additional files that may help in the selection process should be included. We are not asking for a complete presentation for this initial submission. That will only be required if you are selected for presenting.
Attendees will be allowed to pre-register for the workshop prior to DEF CON; there will be a small charge with the proceeds going to a charity of the Packet Hacking Village's choice.
By submitting you agree to the Terms and Conditions below. Please read and accept these terms by inserting your name in the appropriate area, otherwise your application will be considered incomplete and returned to you.
I warrant that the above work has not been previously published elsewhere, or if it has, that I have obtained permission for its publication Aries Security, LLC. and that I will promptly supply Aries Security, LLC. with wording for crediting the original publication and copyright owner. If I am selected for presentation, I hereby give Aries Security, LLC. permission to duplicate, record and redistribute this presentation, which includes, but is not limited to, the conference proceedings, conference CD, video, audio, and hand-outs to the conference attendees for educational, on-line, and all other purposes.
1. I will submit a completed (and possibly updated) presentation and a reference to all of the tool(s), law(s), Web sites and/or publications referenced to at the end of my talk and as described in this CFW submission by noon PST, July 15, 2020.
2. I will submit a final Abstract and Biography to the Wall of Sheep by noon PST, July 15, 2020.
3. I will include a detailed bibliography as either a separate document or included within the presentation of all resources cited and/or used in my presentation.
4. I will complete my presentation within the time allocated to me - not running over the time allocation.
The Wall of Sheep would like to announce a call for virtual presentations from Thursday, August 6th to Sunday, August 9th. Packet Hacking (Virtual) Village Talks goal is to deliver talks that increase security awareness and provide skills that can be immediately applied after the conference. Our audience ranges from those who are new to security to the most seasoned practitioners in the security industry. Introductory talks are welcome.
Topics of interest include:
The Wall of Sheep will not accept product or vendor related pitches. If your talk is a thinly-veiled advertisement for a product or service your company is offering, please do not apply!
All accepted talks will be announced, recorded, and published by Aries Security, LLC. Please see our YouTube channel for all talks from previous years: https://www.youtube.com/channel/UCnL9S5Wv_dNvO381slSA06w.
The Call for Presentations will close on Friday, June 26th at 11:59 PM PDT. The list of talks will be finalized and published on Wednesday, July 15th.
Each presentation slot is 1 hour maximum, including time for Q&A. If we have time and it is in line with our goals mentioned above, then there is a good chance you will be selected.
To submit a presentation, please provide the following information in the form below to cfp2020[at]wallofsheep[dot]com
Your abstract will be used for the website. Summarize what your presentation will cover. Attendees will read this to get an idea of what they should know before your presentation, and what they will learn after. Use this to inform about how technical your talk is. This abstract is the primary way people will be drawn to your session. CFP reviews like to see what tools will be used and what materials you suggest to read in advance to get the most out of your presentation.
This text will be used for the website and printed materials and should be written in the third person. Cover any professional history that is relevant to the presentation, including past jobs, tools that you have written, etc. Let people know who you are and why you are qualified to speak on your topic. Presentations that are submitted without biographies will not be considered.
You must provide a detailed outline containing the main points and navigation through your talk. Show how you intend to begin, where you intend to lead the audience and how you plan to get there. The outline may be provided in a separate attachment and may be as simple as a text file or as detailed as a "bare bones" presentation. The better your outline then the better we are able to best review your presentation against other submissions (and the higher chance you have of being accepted). SUBMISSION NOTE: Presentations that are submitted without abstracts, outlines, or speaker bios (e.g., that have only PDFs, PPTs, or white papers attached or only point to a URL) will not be considered.
Additional supporting materials such as code, white papers, proof of concept, etc. must be sent along with this email to cfp2020[at]wallofsheep[dot]com to be considered. Note that additional files that may help in the selection process should be included. We are not asking for a complete presentation for this initial submission. That will only be required if you are selected for presenting.
By submitting you agree to the Terms and Conditions below. Please read and accept these terms by inserting your name in the appropriate area, otherwise your application will be considered incomplete and returned to you.
I warrant that the above work has not been previously published elsewhere, or if it has, that I have obtained permission for its publication Aries Security, LLC. and that I will promptly supply Aries Security, LLC. with wording for crediting the original publication and copyright owner. If I am selected for presentation, I hereby give Aries Security, LLC. permission to duplicate, record and redistribute this presentation, which includes, but is not limited to, the conference proceedings, conference CD, video, audio, and hand-outs to the conference attendees for educational, on-line, and all other purposes.
1. I will submit a completed (and possibly updated) presentation and a reference to all of the tool(s), law(s), Web sites and/or publications referenced to at the end of my talk and as described in this CFP submission by noon PST, Wednesday, July 15th, 2020.
2. I will submit a final Abstract and Biography to the Wall of Sheep by noon PST, Wednesday, July 15th, 2020.
3. I will include a detailed bibliography as either a separate document or included within the presentation of all resources cited and/or used in my presentation.
4. I will complete my presentation within the time allocated to me - not running over the time allocation.
The Wall of Sheep would like to announce a call for Workshops at DEF CON 28 in Las Vegas, NV from Thursday, August 6th to Sunday, August 9th. The Packet Hacking Village Workshop's goal is to deliver hands-on training sessions that increase security awareness and provide skills that can be immediately applied after the conference. Our audience ranges from those who are new to security to the most seasoned practitioners in the security industry. Introductory workshops are welcome! A very nominal fee will be charged for advanced registration of these workshops. However, all proceeds will go directly to Hackers for Charity. This is your chance to give back to the community in multiple ways!
The hands-on workshops area will have 40 computers pre-loaded with the necessary tools so attendees will not need to bring their own laptop. There will be one computer available for the presenter that is a mirror of the attendees. The mirror laptop will be displayed on one screen; a second projected display and hookups is available for you to present your material. We will be able to pre-load any software (within reason) including one virtual machine for your presentation. The computers will boot Kali Linux. While network access is available to all machines, it should not be relied upon for your presentation... this is DEF CON after all. :)
Topics of interest include:
The Wall of Sheep will not accept product or vendor related pitches. If your content is a thinly-veiled advertisement for a product or service your company is offering, please do not apply!
The Call for Workshops will close on Friday, June 12th at 11:59 PM PDT. The list of talks will be finalized and published on Friday, June 26th.
Each teaching slot is 1, 1.5 or 2 hours maximum, including time for Q&A. If we have time and it is in line with our goals mentioned above, then there is a good chance you will be selected.
(1, 1.5, or 2 hours)
(0, 1, 2, 3+, unknown)
Your abstract will be used for the website and printed materials. Summarize what your workshop will cover. Attendees will read this to get an idea of what they should know before your presentation, and what they will learn after. Use this to inform about how technical your talk is. This abstract is the primary way people will be drawn to your session. CFW reviewers like to see what tools will be used and what materials you suggest to read in advance to get the most out of your presentation.
The Wall of Sheep will provide laptops pre-loaded with software for the attendees, you will have 1 projected laptop setup the same as the attendees for demonstration, 1 projector feed for your laptop/material, and microphones. The laptops will boot Kali; please let us know if there is any software you will need pre-loaded on the workshop laptops. If you have a VM, please make sure it works with VirtualBox. One month before DEF CON, you will be asked to provide all software so it can be pre-loaded on the systems. Changes to your software configuration cannot be made after this time or during the conference. We cannot accept workshops that require multiple VMs to be running simultaneously.
This text will be used for the website and printed materials and should be written in the third person. Cover any professional history that is relevant to the presentation, including past jobs, tools that you have written, etc. Let people know who you are and why you are qualified to speak on your topic. Presentations that are submitted without biographies will not be considered.
You must provide a detailed outline containing the main points and navigation through your workshop. Show how you intend to begin, where you intend to lead the audience and how you plan to get there. The outline may be provided in a separate attachment and may be as simple as a text file or as detailed as a "bare bones" presentation. The better your outline then the better we are able to best review your presentation against other submissions (and the higher chance you have of being accepted). SUBMISSION NOTE: Presentations that are submitted without abstracts, outlines, or speaker bios (e.g., that have only PDFs, PPTs, or white papers attached or only point to a URL) will not be considered.
Additional supporting materials such as code, white papers, proof of concept, etc. should be sent along with this email to cfw2020[at]wallofsheep[dot]com. Note that additional files that may help in the selection process should be included. We are not asking for a complete presentation for this initial submission. That will only be required if you are selected for presenting.
Attendees will be allowed to pre-register for the workshop prior to DEF CON; there will be a small charge with the proceeds going to a charity of the Packet Hacking Village's choice.
By submitting you agree to the Terms and Conditions below. Please read and accept these terms by inserting your name in the appropriate area, otherwise your application will be considered incomplete and returned to you.
I warrant that the above work has not been previously published elsewhere, or if it has, that I have obtained permission for its publication Aries Security, LLC. and that I will promptly supply Aries Security, LLC. with wording for crediting the original publication and copyright owner. If I am selected for presentation, I hereby give Aries Security, LLC. permission to duplicate, record and redistribute this presentation, which includes, but is not limited to, the conference proceedings, conference CD, video, audio, and hand-outs to the conference attendees for educational, on-line, and all other purposes.
1. I will submit a completed (and possibly updated) presentation and a reference to all of the tool(s), law(s), Web sites and/or publications referenced to at the end of my talk and as described in this CFW submission by noon PST, June 30th, 2020.
2. I will submit a final Abstract and Biography to the Wall of Sheep by noon PST, June 30th, 2020.
3. I will include a detailed bibliography as either a separate document or included within the presentation of all resources cited and/or used in my presentation.
4. I will complete my presentation within the time allocated to me - not running over the time allocation.
5. I understand that the Wall of Sheep will provide 1 Laptop pre-loaded with software with a projector feed, 1 LCD projector feed, and microphones. I understand that I am responsible for providing all other necessary equipment, including laptops and machines (with VGA output), to complete my presentation.
6. I understand that I will be responsible for my own hotel and travel expenses, and admissions to the DEF CON Conference.
The Wall of Sheep would like to announce a call for presentations at DEF CON 28 in Las Vegas, NV from Thursday, August 6th to Sunday, August 9th. Packet Hacking Village Talks goal is to deliver talks that increase security awareness and provide skills that can be immediately applied after the conference. Our audience ranges from those who are new to security to the most seasoned practitioners in the security industry. Introductory talks are welcome.
Topics of interest include:
The Wall of Sheep will not accept product or vendor related pitches. If your talk is a thinly-veiled advertisement for a product or service your company is offering, please do not apply!
All accepted talks will be announced, recorded, and published by Aries Security, LLC. Please see our YouTube channel for all talks from previous years: https://www.youtube.com/channel/UCnL9S5Wv_dNvO381slSA06w.
The Call for Presentations will close on Friday, June 12th at 11:59 PM PST. The list of talks will be finalized and published on Friday, June 28th.
Each presentation slot is 1 hour maximum, including time for Q&A. If we have time and it is in line with our goals mentioned above, then there is a good chance you will be selected.
To submit a presentation, please provide the following information in the form below to cfp2020[at]wallofsheep[dot]com
Your abstract will be used for the website and printed materials. Summarize what your presentation will cover. Attendees will read this to get an idea of what they should know before your presentation, and what they will learn after. Use this to inform about how technical your talk is. This abstract is the primary way people will be drawn to your session. CFP reviews like to see what tools will be used and what materials you suggest to read in advance to get the most out of your presentation.
The Wall of Sheep will provide 1 projector feed, and microphones. If you need to use multiple outputs for a demo, please mention this below.
This text will be used for the website and printed materials and should be written in the third person. Cover any professional history that is relevant to the presentation, including past jobs, tools that you have written, etc. Let people know who you are and why you are qualified to speak on your topic. Presentations that are submitted without biographies will not be considered.
You must provide a detailed outline containing the main points and navigation through your talk. Show how you intend to begin, where you intend to lead the audience and how you plan to get there. The outline may be provided in a separate attachment and may be as simple as a text file or as detailed as a "bare bones" presentation. The better your outline then the better we are able to best review your presentation against other submissions (and the higher chance you have of being accepted). SUBMISSION NOTE: Presentations that are submitted without abstracts, outlines, or speaker bios (e.g., that have only PDFs, PPTs, or white papers attached or only point to a URL) will not be considered.
Additional supporting materials such as code, white papers, proof of concept, etc. must be sent along with this email to <strongcfp2020[at]wallofsheep[dot]com to be considered. Note that additional files that may help in the selection process should be included. We are not asking for a complete presentation for this initial submission. That will only be required if you are selected for presenting.
By submitting you agree to the Terms and Conditions below. Please read and accept these terms by inserting your name in the appropriate area, otherwise your application will be considered incomplete and returned to you.
I warrant that the above work has not been previously published elsewhere, or if it has, that I have obtained permission for its publication Aries Security, LLC. and that I will promptly supply Aries Security, LLC. with wording for crediting the original publication and copyright owner. If I am selected for presentation, I hereby give Aries Security, LLC. permission to duplicate, record and redistribute this presentation, which includes, but is not limited to, the conference proceedings, conference CD, video, audio, and hand-outs to the conference attendees for educational, on-line, and all other purposes.
1. I will submit a completed (and possibly updated) presentation and a reference to all of the tool(s), law(s), Web sites and/or publications referenced to at the end of my talk and as described in this CFP submission by noon PST, June 26th, 2020.
2. I will submit a final Abstract and Biography to the Wall of Sheep by noon PST, June 26th, 2020.
3. I will include a detailed bibliography as either a separate document or included within the presentation of all resources cited and/or used in my presentation.
4. I will complete my presentation within the time allocated to me - not running over the time allocation.
5. I understand that the Wall of Sheep will provide 1 LCD projector feed, 2 screens, and microphones. I understand that I am responsible for providing all other necessary equipment, including laptops and machines (with VGA output), to complete my presentation.
6. I understand that I will be responsible for my own hotel and travel expenses, and admissions to the DEF CON Conference.
phreakocious is just this guy, you know?
DJ / Producer from San Juan, Puerto Rico. Now resides in Brooklyn, New York.
Los Angeles, CA. The soundtrack to autonomous vehicle gridlock.
Resident Chillout DJ with SomaFM on Fluid and DEF CON Radio. Vinyl hangover cure.
DJing since the 80s, Performed at chill out and pool at DEFCON XX, XXI. DEFCON XXIII.
With 20+ years djing, including residencies at various nightclubs, Tineh Nimjeh live sets will always get your body moving. Tineh is an active member of DC562, and works in Vulnerability Management.
Icetre has been dj'ing since defcon 13. One of Icetre's superpowers is rearranging space and time in the process of epic party creation. He isn't always available to chat, as he may be being smuggled past hotel security for his own safety. When not digging in the crate to field a request for Freebird, Icetre is usually being asked to turn down the volume on his house and electro beats.
DJ duo inspired by the masters, they seek to bring listeners on a journey ranging from the depths of techno to the expansive sounds of progressive house
Classic Electro - "If network packets were to dance, they would surely dance to this..."
]]>1. *YOU MUST HAVE A DEF CON BADGE TO ATTEND* Just registering for a workshop will not get you into DEF CON. You still need to get into DEF CON first. You need a DEF CON badge or something that looks close enough to fool the goons.
2. Your donation of $25.00 to NUCC reserves a conditional seat. If you are 1 second late, your seat will be given away (first come first serve) to those present. Please be there before the workshop start time!
3. The ticket ONLY has value to the individual with the ID matching the name on the ticket. No transfers, no returns. Amazing Fake IDs may be accepted at the discretion of the PHV staff and any random Fed they choose to bring into the discussion.
4. No Refunds! 0, None, Not at all!
5. *MAXIMUM OF TWO WORKSHOPS PER PERSON*
While Eventbrite may allow you to buy more than two workshops, you are only allowed to attend a maximum of two workshops. Feel free to buy 3, the third will be an extra donation to NUCC. You only get to go to two.
Did we mention that you only get to go to two? Oh... And we will choose randomly which one(s) you lose out on in true DEF CON style.
Important!
Donations to NUCC above the base amount will be accepted at https://PayPal.me/NUCC - This is a good cause cheap-ass. Pony up some $.
Ticket Sales Schedule:
The first run of 20 tickets for Reverse Engineering Malware 101 will start at 0900PDT on Saturday, July 13, 2019. The next workshop’s ticket sales will start one hour later with each of the following workshop sales becoming available at the top of the next hour. The second and the last run of 20 tickets will begin on Wednesday, July 17, 2019 at 1700PDT.
Saturday, July 13, 2019
0900PDT
20 tickets available for REVERSE ENGINEERING MALWARE 101
AMANDA ROUSSEAU, FACEBOOK
1000PDT
20 tickets available for WIRESHARK FOR INCIDENT RESPONSE & THREAT HUNTING
MICHAEL WYLIE, DIRECTOR OF CYBERSECURITY SERVICES, RICHEY MAY TECHNOLOGY SOLUTION
1100PDT
20 tickets available for HACKING KUBERNETES - CHOOSE YOUR OWN ADVENTURE STYLE
JAY BEALE, CTO OF INGUARDIANS
1200PDT
20 tickets available for INTEL-DRIVEN HUNTS FOR NATION-STATE ACTIVITY USING ELASTIC SIEM
SEAN DONNELLY, CEO, RESOLVN, INC.
PETER HAY, DIRECTOR OF STRATEGY AND INNOVATION, RESOLVN, INC.
1300PDT
20 tickets available for BURP SUITE WORKSHOP
SUNNY WEAR, NESTOR TORRES
1400PDT
20 tickets available for TOOLS? WE DON’T NEED NO STINKIN’ TOOLS: HANDS-ON HACKING WITH PYTHON
JASON NICKOLA, DIRECTORY OF TECHNICAL SERVICES, PULSAR SECURITY
WAYNE MARSH, SENIOR SOFTWARE ENGINEER, PULSAR SECURITY
1500PDT
20 tickets available for WRITING WIRESHARK PLUGINS FOR SECURITY ANALYSIS
NISHANT SHARMA, R&D MANAGER, PENTESTER ACADEMY
JESWIN MATHAI, SECURITY RESEARCHER, PENTESTER ACADEMY
1600PDT
20 ticket available for ADVANCED APT HUNTING WITH SPLUNK
JOHN STONER, PRINCIPAL SECURITY STRATEGIST, SPLUNK
RYAN KOVAR, PRINCIPAL SECURITY STRATEGIST, SPLUNK
1700PDT
20 tickets available for THREAT HUNTING WITH SURICATA
JOSH STROSCHEIN, DIRECTOR OF TRAINING, OPEN INFORMATION SECURITY FOUNDATION (OISF) / SURICATA
JASON WILLIAMS, JACK MOTT, TRAVIS GREEN
Wednesday, July 17, 2019
1700PDT
20 tickets available for REVERSE ENGINEERING MALWARE 101, AMANDA ROUSSEAU, FACEBOOK
1800PDT
20 tickets available for WIRESHARK FOR INCIDENT RESPONSE & THREAT HUNTING
MICHAEL WYLIE, DIRECTOR OF CYBERSECURITY SERVICES, RICHEY MAY TECHNOLOGY SOLUTION
1900PDT
20 tickets available for HACKING KUBERNETES - CHOOSE YOUR OWN ADVENTURE STYLE
JAY BEALE, CTO OF INGUARDIANS
2000PDT
20 tickets available for INTEL-DRIVEN HUNTS FOR NATION-STATE ACTIVITY USING ELASTIC SIEM
SEAN DONNELLY, CEO, RESOLVN, INC.
PETER HAY, DIRECTOR OF STRATEGY AND INNOVATION, RESOLVN, INC.
2100PDT
20 tickets available for BURP SUITE WORKSHOP
SUNNY WEAR, NESTOR TORRES
2200PDT
20 tickets available for TOOLS? WE DON’T NEED NO STINKIN’ TOOLS: HANDS-ON HACKING WITH PYTHON
JASON NICKOLA, DIRECTORY OF TECHNICAL SERVICES, PULSAR SECURITY
WAYNE MARSH, SENIOR SOFTWARE ENGINEER, PULSAR SECURITY
2300PDT
20 tickets available for WRITING WIRESHARK PLUGINS FOR SECURITY ANALYSIS
NISHANT SHARMA, R&D MANAGER, PENTESTER ACADEMY
JESWIN MATHAI, SECURITY RESEARCHER, PENTESTER ACADEMY
Thursday, July 18, 2019
0000PDT
20 ticket available for ADVANCED APT HUNTING WITH SPLUNK
JOHN STONER, PRINCIPAL SECURITY STRATEGIST, SPLUNK
RYAN KOVAR, PRINCIPAL SECURITY STRATEGIST, SPLUNK
0100PDT
20 tickets available for THREAT HUNTING WITH SURICATA
JOSH STROSCHEIN, DIRECTOR OF TRAINING, OPEN INFORMATION SECURITY FOUNDATION (OISF) / SURICATA
JASON WILLIAMS, JACK MOTT, TRAVIS GREEN
END OF TICKET SALES
]]>9:00-12:00 |
Reverse Engineering Malware 101 Amanda Rousseau |
---|---|
12:15-14:15 |
Wireshark for Incident Response & Threat Hunting Michael Wylie |
14:30-16:30 |
Hacking Kubernetes - Choose Your Own Adventure Style Jay Beale |
16:45-18:45 |
Intel-driven Hunts for Nation-state Activity Using Elastic SIEM Sean Donnelly, Peter Hay |
9:00-11:00 |
Burp Suite Workshop Sunny Wear, Nestor Torres |
---|---|
11:20-13:20 |
Tools? We Don’t Need No Stinkin’ Tools: Hands-on Hacking with Python Jason Nickola, Wayne Marsh |
13:40-15:40 |
Writing Wireshark Plugins for Security Analysis Nishant Sharma, Jeswin Mathai |
16:00-18:00 |
Advanced APT Hunting with Splunk John Stoner, Ryan Kovar |
11:00-14:00 |
Threat Hunting with Suricata Josh Stroschein, Jason Williams, Jack Mott, Travis Green |
---|
This workshop provides the fundamentals of reversing engineering (RE) Windows malware using a hands-on experience with RE tools and techniques. Attendees will be introduced to RE terms and processes, followed by basic x86 assembly, and reviewing RE tools and malware techniques. It will conclude by attendees performing a hands-on malware analysis that consists of Triage, Static, and Dynamic analysis.
Prerequisites: Basic understanding of programming C/C++, Python, or Java
Amanda Rousseau (Twitter: @malwareunicorn) absolutely loves malware. She was as a Senior Malware Researcher at Endgame who focused on dynamic behavior detection both on Windows and OSX platforms. She worked as a malware researcher at FireEye before joining Endgame. She previously worked a reverse engineer and computer forensic examiner working for DoD forensic investigations and commercial incident response engagements. She received her MS in Information Systems Engineering from Johns Hopkins University. Research interests include malware evasion techniques, dynamic behavior classification, and developing runtime detections.
This workshop will take student’s Wireshark skills to the next level with a heavy emphasis on incident response, threat hunting, and malicious network traffic analysis. We will begin with a brief introduction to Wireshark and other Network Security Monitoring (NSM) tools/concepts. Placement, techniques, and collection of network traffic will be discussed in detail. Throughout the workshop, we’ll examine what different attacks and malware look like in Wireshark. Students will then have hands-on time in the lab to search for Indicators of Compromise (IOCs) and a potential breach to the network. There will be plenty of take home labs for additional practice.
Michael Wylie (Twitter: @TheMikeWylie) is the Director of Cybersecurity Services at Richey May Technology Solutions. In his role, Michael is responsible for delivering information assurance by means of vulnerability assessments, cloud security, penetration tests, risk management, and training. Michael has developed and taught numerous courses for the U.S. Department of Defense, Moorpark College, California State Universities, and for clients around the world. Michael is the winner of the SANS Continuous Monitoring and Security Operations challenge coin and holds the following credentials: CISSP, CCNA R&S, CCNA CyberOps, GPEN, TPN, CEH, CEI, VCP-DCV, CHPA, PenTest+, Security+, Project+, and more.
Kubernetes continues to gain steam, as developers build microservice-based applications and everyone moves to the software-defined data center. A small minority of our Infosec industry has experience attacking container orchestration systems like Kubernetes. We aim to address that shortage, culminating in an audience-directed Choose Your Own Adventure, "Hackers" movie-themed demo. In this demo-heavy talk, we will show you how to attack Kubernetes clusters and discuss what hardening techniques and freely available tools can break those attacks. We'll review the components of a Kubernetes cluster, then show how a threat actor can chain configuration vulnerabilities to pivot and escalate privilege, pilfer data and take over clusters and the cloud environments on which they run. To be clear, you'll see multiple attacks against real clusters from start to finish. You will also gain exposure to a new open source tool attack tool for Kubernetes called Peirates, available on Github. You will leave this talk with exposure to attacks against clusters that organizations have built themselves, as well as clusters provided by the major cloud providers, like AWS, Azure and GCP. You will be able to repeat specific attacks and know what defenses can break those attacks.
Jay Beale (Twitter: @jaybeale) works on Kubernetes and cloud native security, as a professional threat actor, a Kubernetes Contributor and as a member of the Kubernetes Security Audit working group. He's the architect and a developer on the Peirates attack tool for Kubernetes. In the past, Jay created two tools used by hundreds of thousands of individuals, companies and governments, Bastille Linux and the Center for Internet Security's first Linux/UNIX scoring tool. He has led training classes on Linux security and Kuberntes at the Black Hat, CanSecWest, RSA, and IDG conferences, as well as in private corporate training, since 2000. As an author, series editor and speaker, Jay has contributed to nine books and two columns and given over one hundred public talks. He is CTO of the information security consulting company InGuardians.
Hunting for advanced threats can be a daunting task for network defenders. In this workshop we’ll demystify threat hunting by guiding attendees through the development and execution of network traffic and host analysis workflows. Using a six-stage model, attendees will leverage threat intelligence to plan and conduct 20 small hunts, configuring and tuning their defensive tool-suite along the way. The use of IOC-based, tool-based, and TTP-based detection methods will ultimately lead to the discovery of nation-state activity on a complex, near-to-spec enterprise network.
Sean Donnelly (Twitter: @resolvn) is the CEO of Resolvn, Sean is a passionate cybersecurity researcher with extensive experience in the industry. As an active-duty U.S. Navy Cryptologic Warfare Officer, Sean worked for the National Security Agency (NSA) before becoming the Technical Director of the Navy Blue Team (NBT). Sean has developed internal tools for threat detection, such as the NBT’s Blue P.E.A.R and Expanse’s ETHIR, trained countless service members on detection techniques, and led critical security operations around the world. He holds CISSP, GPEN, and OSCP certifications along with a B.S. and M.S. from the United States Naval Academy and Boston University, respectively.
Peter Hay (Twitter: @ResolvnPete) is Resolvn’s director of strategy and innovation, Pete has an extensive and diverse background in technology driven fields including Computer Network Operations (CNO), Network Forensics, and Nuclear Chemistry. From his Navy service in leading a quick-response team of NSA cryptologists and developers who designed solutions to some of the agency’s most vital problems, to delivering multi-domain cyber security training to thousands of students world-wide, or applying for cyber security patents in the U.S. and Europe, Pete continues to stretch the edges of technology, its use, and application.
Gain hands-on experience with Burp Suite in this four-hour workshop with the author of the Burp Suite Cookbook, Sunny Wear. You will learn how to use Burp Suite to hone your web application penetration testing skills. Each student receives a virtualized environment complete with a copy of Burp Suite and a vulnerable web application to hack. Lessons covered in the workshop include Burp configuration settings, Injections attacks such as Cross-site Scripting and SQL Injection attacks, automated attacks using Intruder, recommended BApp extensions and their uses, and finally, how to build and use Burp Macros.
Sunny Wear (Twitter: @SunnyWear) is an Application Security Architect and Web Application Penetration Tester. Her breadth of experience includes network, data, application and security architecture as well as programming across multiple languages and platforms. She is the author of several security-related books including her most recent, Burp Suite Cookbook, assists pentesters and programmers in more easily finding vulnerabilities within applications while using Burp Suite. She conducts security talks and classes locally and at conferences like BSides Tampa, BSides Orlando, AtlSecCon, Hackfest CA, and BSides Springfield.
Nestor Torres (Twitter: @N3S____) is a security analyst working closely with developers to pentest and fix their Web Applications. He is passionate about helping others and teaching others who are hungry for learning cybersecurity. Some of his hobbies involve building labs for vulnerability testing and setting up small to medium enterprise network.
The hacking world is full of fantastic tools, but the ability to write your own in order to customize and achieve new functionality is the real black magic. This workshop quickly builds from programming and python fundamentals to manual construction of real-world attack tactics and techniques. Prior hacking and programming skills are not required (although they help), but basic technical knowledge and an ahead-of-time review of introductory topics are highly recommended. Come in with nothing and leave with experience writing your own host and port scanner, reverse shell, packet parser, and more in a controlled (legal) environment.
Jason Nickola (Twitter: @chm0dx) is the Director of Technical Services at Pulsar Security where he also serves as Principle Security Consultant. He can frequently be found working with clients to develop creative solutions to red- (and increasingly blue-) team challenges. Passionate about both technology and the lifelong learning process, Jason enjoys enabling others via teaching and aiding in career development. Jason is a SANS instructor for SEC560: Network Penetration Testing and Ethical Hacking and holds the GIAC Security Expert, GXPN, GREM, and OSCP certifications among others.
Wayne Marsh (Twitter: @infogroke) is a Security Consultant and the Senior Software Engineer at Pulsar Security where he spends his time programming, architecting enterprise products, and breaking into the occasional network. His varied career has involved television and satellite broadcast systems, games development, and marketing before finally focusing on the infosec industry in recent years, where he realized that the common thread in all of these areas of development is security. He loves both obsolete and new, as well as increasingly unfashionable genres of music. Wayne’s security credentials include OSCP, GPYC, GXPN, and GCIA.
Network traffic always proves to be a gold mine when mined with proper tools. There are various open source and paid tools to analyze the traffic but most of them either have predefined functionality or scalability issues or one of a dozen other problems. And, in some cases when we are dealing with non-standard protocols, the analysis becomes more difficult. But, what if we can extend our favourite traffic analysis tool Wireshark to accommodate our requirements? As most people know, Wireshark supports custom plugins created in C and Lua which can be used to analyze or dissect the packets. In this workshop, we will learn the basics of Wireshark plugins and move on to create different types of plugins to perform dissection of non-standard protocol, provide macro statistics, detect attacks etc. We will use examples of older and newer protocols (including non-standard ones) to understand the plugin workflow and development.
Nishant Sharma (Twitter: @wifisecguy) is an R&D Manager at Pentester Academy and Attack Defense. He is also the Architect at Hacker Arsenal where he leads the development of multiple gadgets for WiFi pentesting such as WiMonitor, WiNX and WiMini. He also handles technical content creation and moderation for Pentester Academy TV. He has 7+ years of experience in information security field including 5+ years in WiFi security research and development. He has presented/published his work at Blackhat USA/Asia, DEF CON China, Wireless Village, IoT village and Demo labs (DEFCON USA). Prior to joining Pentester Academy, he worked as a firmware developer at Mojo Networks where he contributed in developing new features for the enterprise-grade WiFi APs and maintaining the state of art WiFi Intrusion Prevention System (WIPS). He has a Master's degree in Information Security from IIIT Delhi. He has also published peer-reviewed academic research on HMAC security. His areas of interest include WiFi and IoT security, AD security, Forensics and Cryptography.
Jeswin Mathai (Twitter: @jeswinmathai) is a Researcher at Pentester Academy and Attack Defense. He has presented/published his work at DEF CON China, Blackhat Arsenal and Demo labs (DEFCON). He has a Bachelor's degree from IIIT Bhubaneswar. He was the team lead at InfoSec Society IIIT Bhubaneswar in association with CDAC and ISEA, which performed security auditing of government portals, conducted awareness workshops for government institutions. He was also the part of team Pied Piper who won Smart India Hackathon 2017, a national level competition organized by GoI. His area of interest includes Malware Analysis and Reverse Engineering, Cryptography, WiFi security and Web Application Security.
You wanna learn how to hunt the APTs? This is the workshop for you. Using a real-worldish dataset, this workshop will teach you how to hunt the “fictional” APT group Taedonggang. We discuss the Diamond model, hypothesis building, LM Kill Chain, and Mitre ATT&CK framework and how these concepts can frame your hunting. Using the freely available version of Splunk and OSINT, we will hunt for APT activity riddling a small startup's network. During the event, you will be presented a hypothesis and conduct your own hunts, whether it is for persistence, exfiltration, c2 or other adversary tactics. Heck, there might be some PowerShell to be found, too. We will regroup and review the specific hunt and discuss findings and what opportunities we have to operationalize these findings as well. At the end, we give you a dataset and tools to take home and try newly learned techniques yourself.
John Stoner (Twitter: @stonerpsu) is a Principal Security Strategist at Splunk where he enjoys writing, problem solving and building stuff. When not doing cyber things, you can find him reading or binge watching TV series that everyone else has already seen.
Ryan Kovar fought in the cyberwars and has been doing cybery things for almost 20 years. Now he is a Principal Security Strategist at Splunk building cool stuff, talking about security thingies, and helping other people fight their battles. He hates printers.
Finding threats in your network traffic starts with understanding your traffic. More than just an IDS/IPS, Suricata can provide the visibility to solve incidents quickly and more accurately by enabling context before, during, and after an alert. In this workshop, you will learn how to leverage Suricata to generate alerts, produce protocol specific logs and identify malicious or anomalous activity in your network traffic. You will get hands-on with managing alerts through EveBox and hunting through traffic with Moloch. You will also learn how to create custom Kibana visualizations and dashboards to help focus your analysis efforts. In-depth log analysis and hands-on real-world exercises will be used to reinforce the detection techniques and tactics explained throughout the workshop. This is an ideal workshop for security analysts, blue teamers and malware researchers to get hands-on diving deep into malicious traffic and see what Suricata can do.
Prerequisites: To help prepare for this workshop, we recommend that you are familiar with the basics of network security monitoring, IDS/IPS systems and Linux environments. Familiarization with IDS rules is recommended, but not required.
Josh Stroschein (Twitter: @suricata_ids) is a subject matter expert in malware analysis, reverse engineering and software exploitation. He is an Assistant Professor of Cyber Security at Dakota State University where he teaches malware analysis, reverse engineering, software exploitation and other related security topics. Josh is also an accomplished trainer, providing training in the aforementioned subject areas at Black Hat, DerbyCon, Toorcon, Hack-In-The-Box and other public and private venues. Josh is also the Director of Training for OISF/Suricata, an author on Pluralsight and a threat researcher for Bromium.
Jason Williams (Twitter: @switchingtoguns) is a security researcher with global enterprise experience in detecting, hunting and remediating threats with open source technologies. Primarily focusing on network communications, Jason has written thousands of commercial and community Suricata rules for Emerging Threats to help defenders protect their networks. Jason participates as a Signature Development and User Training instructor for the OISF.
Jack Mott (Twitter: @malwareforme) is a security researcher who focuses on open source solutions to detect, track and hunt malware and malicious activity. He has been a signature writer for the Emerging Threats team for several years, producing community/premium Suricata signatures to help protect networks worldwide. Jack is a strong believer in the open source mission as well as helping people and organizations solve security issues with open source solutions. He resides in the USA.
Travis Green (Twitter: @travisbgreen) is a passionate Cyber Security researcher and consultant with a 20-year career that includes extensive international work leading security initiatives and advising government and military clients, consulting to enterprise businesses, and mentoring teams in best practices. Effective communicator and self-starter able to analyze data to create security policy, develop and execute strategy, and develop tools to automate processes. OISF core team member with conference presentation experience and multiple certifications.
]]>Designed under Raspberry Pi and aimed for Red Team Ops, we take advantage of “Sec/Net/Dev/Ops” enterprise tools to capture network credentials in a stealth mode. Using a low profile hardware & electronics camouflaged as simple network outlet box to be sitting under/over a desk. CIRCO include different techniques for network data exfiltration to avoid detection. This tool gather information and use a combination of honeypots to trick Automation Systems to give us their network credentials!
Emilio Couto (Twitter: @ekio_jp) is a Security Consultant with more than 20 years of experience in the network and security field. Born and raised in Argentina, he is currently located in Japan where multitasking between language, culture and technologies is a must. Over the last decade focusing mainly on Finance IT. In his spare time he enjoys playing with RFID, computers and home made IoT devices. Over the last 5 years presenting tools in conferences (Black Hat Asia, HITB, AV Tokyo and SECCON)
Adversaries need to have a wordlist or combination-generation tool while conducting password guessing attacks. To narrow the combination pool, researchers developed a method named "mask attack" where the attacker needs to assume a password's structure. Even if it narrows the combination pool significantly, it can be still too large to use for online attacks or offline attacks with low hardware resources. Rhodiola tool is developed to narrow the combination pool by creating a personalized wordlist for target people. It finds interest areas of a given user by analyzing his/her tweets, and builds a personalized wordlist.
Utku Sen (Twitter: @utkusen) is a security researcher who is mostly focused on application security, network security and tool development. He presented his different tools and researches in Black Hat USA Arsenal, DEF CON Demo Labs and Packet Hacking Village in recent years. He's also nominated for Pwnie Awards on "Best Backdoor" category in 2016. He is currently working for Tear Security.
Mapping of network assets and their behaviors is a vital step needed for the prevention and response to cyber-attacks. Today active tools like NMAP are used to discover network assets, however, these methods take a momentary snapshot of network devices. By passively monitoring network activity the discovery of rogue devices, aberrant behavior, and emerging threats is possible. This talk and demonstration will utilize a Raspberry Pi and a custom Python solution to map network assets and their behaviors and demonstration the identification of rogue devices and unauthorized behaviors.
Chet Hosmer (Twitter: @chethosmer) is an international author, educator & researcher, and founder of Python Forensics, Inc., a non-profit research institute focused on the collaborative development of open source investigative technologies using the Python programming language. Chet is also a Visiting Professor at Utica College in the Cybersecurity Graduate Program, where his research and teaching is focused on data hiding, active cyber defense and security of industrial control systems. Additionally, Chet is an Adjunct Professor at Champlain College in the Digital Forensics Graduate Program, where his research and teaching is focused on solving hard digital investigation problems using the Python programming language.
]]>While you can patch against malware infecting your tech stack or targeting your competitors, what about malware that hasn't been in the news? This presentation will cover what malware and tools are popular among underground forum members based on prevalence in forum ads, how malware presence differs between forums, and why understanding that difference matters.
Winnona DeSombre (Twitter: @__winn) is an Asia Pacific threat intelligence researcher at Recorded Future, focusing on Chinese underground hacking communities and East Asian cyber espionage campaigns. She was recently featured in Threatcare's "Tribe of Hackers" book, containing career advice from some of the world's best information security professionals.
This presentation is the story of the success and failures of building a security awareness program at a Top 20 CPA firm, and finding "the hidden side" of why users fail phishing exercises (both simulated and not!). The presentation will cover how Elasticsearch was used to correlate awareness training, phishing test, and HR data together, examine real results from this work, and the improvements that were made to improve user awareness and reduce phishing related security incidents.
Russell Butturini (Twitter: @tcstoolhax0r) is head of information security for a top 20 CPA and financial services firm. He has authored tools for both red and blue teams with his C- and Python coding skills. His most popular tool, NoSQLMap, was featured in the Hacker Playbook 2.
The presentation will introduce viewer to geofencing - the technique successfully used by law enforcement agencies to pinpoint suspects in an array of anonymous metadata coming from wireless devices. The presentation will teach viewer how to build such system from scratch using freely downloadable analytical tools. Different ways to visually define GeoFencing zones and investigation constraints will be explained. Samples of working scripts, search queries, data formats and working dashboard layouts will be provided.
Gleb Esman (Twitter: @gesman) helps to guide research, product planning and development efforts in the areas of fraud detection, data security analytics and investigations at Splunk Inc. Currently Gleb manages number of security projects in healthcare space such as drugs and opioids diversion platform and healthcare privacy monitoring platform. Before Splunk Gleb was engaged at Morgan Stanley overseeing fraud detection platform and enterprise wide data analytics systems within retail banking space. During his career, Gleb worked in a various positions at a number of enterprises involved in research and development of solutions against advanced malware and computer viruses as well as solutions for secure payments and data protection in e-commerce space. Gleb is an author of several patents in Deep Learning, Security, Behavior Biometrics and Healthcare Data Analytics.
As adversaries look for new methods of creating malware, steganography has seen a resurgence. In this session, we'll review this black art and uncover recent steganographic malware weaponizing techniques. We'll cover techniques that include file and image embedding techniques invisible to malware and intrusion detection systems, methods of exploiting weak networking protocols for covert communications, mischievous IoT devices, and cloud data hiding methods. But we don't stop there, our organic research has uncovered numerous other ways in which malware could be embedded in an effort to prepare threat researchers with the knowledge to improve their tools and fortify their networks.
Mike Raggo (Twitter: @DataHiding) is Chief Security Officer at 802 Secure and has over 20 years of security research experience. His current focus is wireless IoT threats impacting the enterprise. Michael is the author of "Mobile Data Loss: Threats & Countermeasures" and "Data Hiding" for Syngress Books, and contributing author for "Information Security the Complete Reference 2nd Edition". A former security trainer, Michael has briefed international defense agencies including the FBI and Pentagon, and is a frequent presenter at security conferences, including Black Hat, DEF CON, Gartner, DoD Cyber Crime, OWASP, HackCon, and SANS.
Chet Hosmer (Twitter: @chethosmer) is an international author, educator & researcher, and founder of Python Forensics, Inc., a non-profit research institute focused on the collaborative development of open source investigative technologies using the Python programming language. Chet is also a Visiting Professor at Utica College in the Cybersecurity Graduate Program, where his research and teaching is focused on data hiding, active cyber defense and security of industrial control systems. Additionally, Chet is an Adjunct Professor at Champlain College in the Digital Forensics Graduate Program, where his research and teaching is focused on solving hard digital investigation problems using the Python programming language.
With the widespread use of wireless Internet access, we see that the use of portable technologies is rapidly increasing. Increasing public networks and facilitating access to these networks have attracted the attention of attackers. Due to easy availability of mature honeypot creation tools, this attack is a slam dunk for even the most novice of Wi-Fi attackers. Enterprise security products have tried but failed to solve this problem with rule and lockdown based approaches. In this talk, we are going to tell a story experienced about Wi-Fi network attackers. We will practically demonstrate how using new detection and deception techniques we can make Wi-Fi clients and environmentally secure.
Besim Altinok (Twitter: @AltnokBesim) has been researching Wi-Fi security for over a decade. He created WiPi-Hunter project against Wi-Fi hackers. He is the author of a book on Wi-Fi security. Besim's work on wireless security has been published in ArkaKapi Magazine and others. He has also spoken at top conferences including BlackHat Europe, ASIA, Defcon, and others. Besim ALTINOK works currently at BARIKAT Internet Security in Turkey. Besim also founded Pentester Training project.
Can Kurnaz (Twitter: @0x43414e) is conducting penetration tests from internet and internal networks to web-based applications, network infrastructures, wireless devices, IoT devices and operational technology infrastructures such as ICS/SCADA systems and components.
]]>
At this point the thief is able to use multiple financial institutions (Paypal, Banks, Etc.) insecure password recovery mechanism to have a password rest link sent to the sim they now control. For Example, once Inside the users Paypal account they immediately change all account details, & transfer the entire account balance to a credit card they control.
MetroPCS users can defend themselves from this type of attack immediately by changing their 8 digit pin, or by contacting MetroPCS and having their account placed into high security mode. Doing the later will remove the 8 digit pin from the account, and in order to perform a sim swap the user will need to call in and provide a voice password. The caveat to enabling high security mode though, is that the user will no longer be able to use mymetropcs.com account as it only supports 8 digit pin passwords as a login credential.
]]>
The Wall of Sheep would like to announce a call for Workshops at DEF CON 27 in Las Vegas, NV from Thursday, August 8th to Sunday, August 11th. The Packet Hacking Village Workshop's goal is to deliver hands-on training sessions that increase security awareness and provide skills that can be immediately applied after the conference. Our audience ranges from those who are new to security to the most seasoned practitioners in the security industry. Introductory workshops are welcome! A very nominal fee will be charged for advanced registration of these workshops. However, all proceeds will go directly to Hackers for Charity. This is your chance to give back to the community in multiple ways!
The hands-on workshops area will have 40 computers pre-loaded with the necessary tools so attendees will not need to bring their own laptop. There will be one computer available for the presenter that is a mirror of the attendees. The mirror laptop will be displayed on one screen; a second projected display and hookups is available for you to present your material. We will be able to pre-load any software (within reason) including one virtual machine for your presentation. The computers will boot Kali Linux. While network access is available to all machines, it should not be relied upon for your presentation... this is DEF CON after all. :)
Topics of interest include:
The Wall of Sheep will not accept product or vendor related pitches. If your content is a thinly-veiled advertisement for a product or service your company is offering, please do not apply!
All accepted workshops will be announced, recorded, and published by Aries Security, LLC. and DEF CON Communications, Inc. Please see our YouTube channel for all talks from previous years: https://www.youtube.com/channel/UCnL9S5Wv_dNvO381slSA06w.
The Call for Workshops will close on June 1st at 11:59 PM. The list of workshops will be finalized and published on June 14th.
Each teaching slot is 1, 1.5 or 2 hours maximum, including time for Q&A. If we have time and it is in line with our goals mentioned above, then there is a good chance you will be selected.
(1, 1.5, or 2 hours)
Your abstract will be used for the website and printed materials. Summarize what your workshop will cover. Attendees will read this to get an idea of what they should know before your presentation, and what they will learn after. Use this to inform about how technical your talk is. This abstract is the primary way people will be drawn to your session. CFW reviewers like to see what tools will be used and what materials you suggest to read in advance to get the most out of your presentation.
The Wall of Sheep will provide laptops pre-loaded with software for the attendees, you will have 1 projected laptop setup the same as the attendees for demonstration, 1 projector feed for your laptop/material, and microphones. The laptops will boot Kali; please let us know if there is any software you will need pre-loaded on the workshop laptops. If you have a VM, please make sure it works with VMware Player. One month before DEF CON, you will be asked to provide all software so it can be pre-loaded on the systems.
This text will be used for the website and printed materials and should be written in the third person. Cover any professional history that is relevant to the presentation, including past jobs, tools that you have written, etc. Let people know who you are and why you are qualified to speak on your topic. Presentations that are submitted without biographies will not be considered.
You must provide a detailed outline containing the main points and navigation through your workshop. Show how you intend to begin, where you intend to lead the audience and how you plan to get there. The outline may be provided in a separate attachment and may be as simple as a text file or as detailed as a "bare bones" presentation. The better your outline then the better we are able to best review your presentation against other submissions (and the higher chance you have of being accepted). SUBMISSION NOTE: Presentations that are submitted without abstracts, outlines, or speaker bios (e.g., that have only PDFs, PPTs, or white papers attached or only point to a URL) will not be considered.
Additional supporting materials such as code, white papers, proof of concept, etc. should be sent along with this email to cfw2017[at]wallofsheep[dot]com. Note that additional files that may help in the selection process should be included. We are not asking for a complete presentation for this initial submission. That will only be required if you are selected for presenting.
Attendees will be allowed to pre-register for the workshop prior to DEF CON; there will be a small charge with the proceeds going to a charity of the Packet Hacking Village's choice.
By submitting you agree to the Terms and Conditions below. Please read and accept these terms by inserting your name in the appropriate area, otherwise your application will be considered incomplete and returned to you.
I warrant that the above work has not been previously published elsewhere, or if it has, that I have obtained permission for its publication by DEF CON Communications, Inc. and Aries Security, LLC. and that I will promptly supply DEF CON Communications, Inc. and Aries Security, LLC. with wording for crediting the original publication and copyright owner. If I am selected for presentation, I hereby give DEF CON Communications, Inc. and Aries Security, LLC. permission to duplicate, record and redistribute this presentation, which includes, but is not limited to, the conference proceedings, conference CD, video, audio, and hand-outs to the conference attendees for educational, on-line, and all other purposes.
1. I will submit a completed (and possibly updated) presentation and a reference to all of the tool(s), law(s), Web sites and/or publications referenced to at the end of my talk and as described in this CFW submission by noon PST, June 30th, 2019.
2. I will submit a final Abstract and Biography to the Wall of Sheep by noon PST, June 30th, 2019.
3. I will include a detailed bibliography as either a separate document or included within the presentation of all resources cited and/or used in my presentation.
4. I will complete my presentation within the time allocated to me - not running over the time allocation.
5. I understand that the Wall of Sheep will provide 1 Laptop pre-loaded with software with a projector feed, 1 LCD projector feed, and microphones. I understand that I am responsible for providing all other necessary equipment, including laptops and machines (with VGA output), to complete my presentation.
6. I understand that I will be responsible for my own hotel and travel expenses, and admissions to the DEF CON Conference.
The Wall of Sheep would like to announce a call for presentations at DEF CON 27 in Las Vegas, NV from Thursday, August 8th to Sunday, August 11th. Packet Hacking Village Talks goal is to deliver talks that increase security awareness and provide skills that can be immediately applied after the conference. Our audience ranges from those who are new to security to the most seasoned practitioners in the security industry. Introductory talks are welcome.
Topics of interest include:The Wall of Sheep will not accept product or vendor related pitches. If your talk is a thinly-veiled advertisement for a product or service your company is offering, please do not apply!
All accepted talks will be announced, recorded, and published by Aries Security, LLC. and DEF CON Communications, Inc. Please see our YouTube channel for all talks from previous years: https://www.youtube.com/channel/UCnL9S5Wv_dNvO381slSA06w and https://www.youtube.com/channel/UC6Om9kAkl32dWlDSNlDS9Iw.
The Call for Presentations will close on Friday, June 14th at 11:59 PM PST. The list of talks will be finalized and published on Friday, June 28th.
Each presentation slot is 1 hour maximum, including time for Q&A. If we have time and it is in line with our goals mentioned above, then there is a good chance you will be selected.
To submit a presentation, please provide the following information in the form below to cfp2019[at]wallofsheep[dot]com
Your abstract will be used for the website and printed materials. Summarize what your presentation will cover. Attendees will read this to get an idea of what they should know before your presentation, and what they will learn after. Use this to inform about how technical your talk is. This abstract is the primary way people will be drawn to your session. CFP reviews like to see what tools will be used and what materials you suggest to read in advance to get the most out of your presentation.
The Wall of Sheep will provide 1 projector feed, and microphones. If you need to use multiple outputs for a demo, please mention this below.
This text will be used for the website and printed materials and should be written in the third person. Cover any professional history that is relevant to the presentation, including past jobs, tools that you have written, etc. Let people know who you are and why you are qualified to speak on your topic. Presentations that are submitted without biographies will not be considered.
You must provide a detailed outline containing the main points and navigation through your talk. Show how you intend to begin, where you intend to lead the audience and how you plan to get there. The outline may be provided in a separate attachment and may be as simple as a text file or as detailed as a "bare bones" presentation. The better your outline then the better we are able to best review your presentation against other submissions (and the higher chance you have of being accepted). SUBMISSION NOTE: Presentations that are submitted without abstracts, outlines, or speaker bios (e.g., that have only PDFs, PPTs, or white papers attached or only point to a URL) will not be considered.
Additional supporting materials such as code, white papers, proof of concept, etc. should be sent along with this email to cfp2019[at]wallofsheep[dot]com. Note that additional files that may help in the selection process should be included. We are not asking for a complete presentation for this initial submission. That will only be required if you are selected for presenting.
By submitting you agree to the Terms and Conditions below. Please read and accept these terms by inserting your name in the appropriate area, otherwise your application will be considered incomplete and returned to you.
I warrant that the above work has not been previously published elsewhere, or if it has, that I have obtained permission for its publication by DEF CON Communications, Inc. and Aries Security, LLC. and that I will promptly supply DEF CON Communications, Inc. and Aries Security, LLC. with wording for crediting the original publication and copyright owner. If I am selected for presentation, I hereby give DEF CON Communications, Inc. and Aries Security, LLC. permission to duplicate, record and redistribute this presentation, which includes, but is not limited to, the conference proceedings, conference CD, video, audio, and hand-outs to the conference attendees for educational, on-line, and all other purposes.
1. I will submit a completed (and possibly updated) presentation and a reference to all of the tool(s), law(s), Web sites and/or publications referenced to at the end of my talk and as described in this CFP submission by noon PST, June 28th, 2019.
2. I will submit a final Abstract and Biography to the Wall of Sheep by noon PST, June 28th, 2019.
3. I will include a detailed bibliography as either a separate document or included within the presentation of all resources cited and/or used in my presentation.
4. I will complete my presentation within the time allocated to me - not running over the time allocation.
5. I understand that the Wall of Sheep will provide 1 LCD projector feed, 2 screens, and microphones. I understand that I am responsible for providing all other necessary equipment, including laptops and machines (with VGA output), to complete my presentation.
6. I understand that I will be responsible for my own hotel and travel expenses, and admissions to the DEF CON Conference.
The time for those of hardened mettle is drawing near; are you prepared to battle? Compete in the world’s most challenging cyber defense competition based on the Aries Security Cyber Range . In order to triumph over your competitors, contestants must be well rounded, like the samurai. Tear through the challenges, traverse a hostile enterprise class network, and diligently analyze what is found in order to make it out unscathed. Not only glory, but prizes await those that emerge victorious from this upgraded labyrinth.
The Dark Tangent has asked that we extend your time in the labyrinth and this has caused the difficulty of challenges to be amplified, so only the best prepared and battle hardened will escape the crucible. Follow us on Twitter or Facebook (links below) to get notifications for dates and times your team will compete, as well as what prizes will be awarded.
An interactive look at what could happen if you let your guard down when connecting to any public network, Wall of Sheep passively monitors the DEF CON network looking for traffic utilizing insecure protocols. Drop by, hang out, and see for yourself just how easy it can be! Most importantly, we strive to educate the “sheep” we catch, and anyone else interested in protecting themselves in the future. We will be hosting several ‘Network Sniffing 101’ training sessions using Wireshark, Ettercap, dsniff, and other traffic analyzers.
Come chill with us while we play all your favorite Deep, underground house, techno, breaks, and DnB beats mixed live all weekend by your fellow hacker DJs. We will provide the soundtrack for all your epic PHV hax, just like we do every year. Schedule of DJs available at: https://wallofsheep.com/pages/dc26
Looking to upgrade your skills or see how you would fare in Capture The Packet? Come check out what Packet Detective has to offer! A step up in difficulty from Packet Investigator, Packet Detective will put your network hunting abilities to the test with real-world scenarios at the intermediate level. Take the next step in your journey towards network mastery in a friendly environment still focused on learning and take another step closer to preparing yourself for the competitive environment of Capture The Packet.
Taking the place of Packet Detective as your introduction to network analysis, sniffing, and forensics. Do you want to understand the techniques people use to tap into a network, steal passwords and listen to conversations? Packet Inspector is the place to develop these skills! For well over a decade, the Wall of Sheep has shown people how important it is to use end-to-end encryption to keep sensitive information like passwords private. Using a license of the world famous Capture The Packet engine from Aries Security, we have created a unique way to teach hands-on skills in a controlled real-time environment.
Join us in the Packet Hacking Village to start your quest towards getting a black belt in Packet-Fu.
The Packet Hacking Village brings yet another Def Con premiere: Walkthrough Workshops, where you will go on a self-guided journey to building your own honey pot, taking it live and hopefully trapping some unsuspecting users. Fear not though, like with all our other training events, we will have helpful and knowledgeable staff on hand to assist you along the way!
Back for a sixth year, we continue to accept presentations focusing on practice and process while emphasizing defense. Speakers will present talks and training on research, tools, techniques, and design, with a goal of providing skills that can be immediately applied during and after the conference. Our audience ranges from those who are new to security, to the most seasoned practitioners in the security industry. Expect talks on a wide variety of topics for all skill levels. Updated schedule available at: https://wallofsheep.com/pages/dc26
A returning favorite from last year, we have hands-on labs and training sessions from an amazing line-up of instructors covering beginner to advanced level material. See our website for updated schedules. Updated schedule available at: https://wallofsheep.com/pages/dc26
]]>There will be three waves of registration:
You wanna learn how to hunt the APTs? This is the workshop for you. Using a real-worldish dataset, this workshop will teach you how to hunt the "fictional" APT group Taedonggang. We discuss the Diamond model, hypothesis building, LM Kill Chain, and Mitre Att&ck framework and how these concepts can frame your hunting. Then we look deep in the data using Splunk and OSINT to find the APT activity riddling a small startup's network. We walk you through detecting lateral movement, the P of APT, and even PowerShell Empire. Then at the end, we give you a similar dataset and tools to take home and try newly learned techniques yourself.
Ryan Kovar fought in the cyberwars and has been doing cybery things for almost 20 years. Now he is a Principal Security Strategist at Splunk building cool stuff, talking about security thingies, and helping other people fight their battles. He hates printers.
John Stoner is a Principal Security Strategist at Splunk. During his career he has worked in operations, consulting and solutions engineering. In his current role, he leverages his many years of experience in log management, SIEM, security operations and threat intelligence to provide solutions that drive greater situational awareness for organizations.
This workshop provides the fundamentals of reversing engineering (RE) Windows malware using a hands-on experience with RE tools and techniques. Attendees will be introduced to RE terms and processes, followed by basic x86 assembly, and reviewing RE tools and malware techniques. It will conclude by attendees performing a hands-on malware analysis that consists of Triage, Static, and Dynamic analysis. Prerequisites: Basic understanding of programming C/C++, Python, or Java . Provided: A virtual machine and tools will be provided. Features: 5 Sections in 1.5 hours:
Amanda (Twitter: @malwareunicorn) absolutely loves malware. She works as a Senior Malware Researcher at Endgame who focuses on threat research focusing in dynamic behavior detection both on Windows and OSX platforms.
Intended for an audience of IT managers and admins who are either responsible for systems with deployed Python apps and/or interested in the security implications of developing their own tools/scripts/apps in Python. This will be a hands-on exercise from start to finish designed to leave you with a sense of the mentality of Python and an ability to quickly look up what you need when expanding your knowledge of Python in the future. Prior programming experience not required. However it would be helpful if you've seen lots of Monty Python skits before.
Davin Potts is a Python Core Developer and lead dev for the multiprocessing module in the Python standard library. For a day job, Davin is a scientific software consultant working primarily on data science projects. Also refer to https://www.crunchbase.com/person/davin-potts.
Mallet is an intercepting proxy for arbitrary protocols. More accurately, it is a framework for building proxies for arbitrary protocols. Mallet provides the basics required of all proxies: A way to receive the data, a way to send the data, and a user interface to intercept and edit the data. It builds on the Netty project, and as such has access to a large, well-tested suite of protocol implementations that can be used to transform a stream of bytes into useful, high-level protocol objects.
This workshop will introduce attendees to Mallet, and show how to construct pipelines of arbitrary complexity, to successfully decode and intercept messages in various protocols, as well as automating modifications of the various messages.
A basic familiarity with Java will enhance the delegate's understanding of what they are taught, but is not a requirement.
Rogan Dawes is a senior researcher at SensePost and has been hacking since 1998, which, coincidentally, is also the time he settled on a final wardrobe. He used the time he saved on choosing outfits to live up to his colleague's frequent joke that he has an offline copy of the Internet in his head. Rogan spent many years building web application assessment tools, and is credited as having built one of the first and most widely used intercepting proxies, WebScarab.
Kali Linux can be deeply and uniquely customized to specific needs and tasks. In this workshop, we will customize Kali Linux into a very specific offensive tool, and walk you through the process of customization step by step. We will create a custom Kali ISO that will: load very specific toolsets; define a custom desktop environment and wallpaper; leverage customized features and functions; launch custom tools and scripts; install Kali automatically, without user intervention as a custom "OS backdoor". This workshop will guide you through all the aspects of Kali customization and give you the skills to create your own highly-customized Kali ISO, like the much feared Kali "ISO of Doom".
Kali Live USB With Persistence And LUKS (2.5hrs)
In this section we will show you how to deploy your customized Kali ISO to a secure, encrypted, USB device. ➤ We will show you how to add standard and encrypted USB persistence so you can save your data and we will walk you through a custom LUKS "nuke" deployment that will obliterate your encrypted data when presented with a specific kill phrase. We will also will discuss strategies to help you safely and legally cross international borders with your encrypted data without compromising it. When you complete this course, you will have the skills to create a completely customized, powerful, portable Kali ISO or USB with full encryption, persistence and the peace of mind of LUKS nuke. And, to sweeten the deal, we will provide super-cool custom Kali-branded USB drives.
Johnny Long spent his career as a professional hacker. He is the author of numerous security books including No-Tech Hacking and Google Hacking for Penetration Testers and is a contributor to Kali Linux Revealed. He is the founder of Hackers for Charity and currently works with the Offensive Security team.
This course starts with an introduction to modern web applications and immediately starts diving directly into the mapping and discovery phase of testing. In this course, you will learn new methodologies used and adopted by many penetration testers and ethical hackers. This is a hands-on training where will use various open source tools and learn how to exploit SQL injection, command injection, cross-site scripting (XSS), XML External Entity (XXE), and cross-site request forgery (CSRF). We will wrap up our two hour fast-paced course by unleashing students on a vulnerable web application with their newly found skills.
Omar Santos (Twitter: @santosomar) is a Principal Engineer in the Cisco Product Security Incident Response Team (PSIRT) within Cisco's Security Research and Operations. He mentors and leads engineers and incident managers during the investigation and resolution of security vulnerabilities in all Cisco products, including cloud services. Omar has been working with information technology and cyber security since the mid-1990s. Omar has designed, implemented, and supported numerous secure networks for Fortune 100 and 500 companies and the U.S. government. Prior to his current role, he was a Technical Leader within the World Wide Security Practice and the Cisco Technical Assistance Center (TAC), where he taught, led, and mentored many engineers within both organizations.
Ron Taylor (Twitter: @Gu5G0rman) has been in the Information Security field for almost 20 years. Ten of those years were spent in consulting. In 2008, he joined the Cisco Global Certification Team as an SME in Information Assurance. In 2012, he moved into a position with the Security Research & Operations group, where his focus was mostly on penetration testing of Cisco products and services. He was also involved in developing and presenting security training to internal development and test teams globally. Additionally, he provided consulting support to many product teams as an SME on product security testing. He then spent some time as a Consulting Systems Engineer specializing in Cisco's security product line. His current role is working within the Cisco Product Security Incident Response Team (PSIRT). He has held a number of industry certifications including GPEN, GWEB, GCIA, GCIH, GWAPT, RHCE, CCSP, CCNA, CISSP, and MCSE. Ron is also a Cisco Security Blackbelt, SANS mentor, Cofounder and President of the Raleigh BSides Security Conference, and an active member of the Packet Hacking Village team at DEF CON.
Write Python web bots using Selenium and BrowserMob Proxy to crawl the Internet looking for non-public APIs. We will look at several ways to identify vulnerabilities in discovered APIs as a means for penetration testing and large scale data gathering. Participants should have some Python experience, as well as a familiarity with HTTP requests.
Ryan Mitchell is a senior software engineer at HedgeServ in Boston, where she develops APIs and data analytics tools for hedge fund managers. She is a graduate of Olin College of Engineering and Harvard University Extension School with a master's in software engineering and certificate in data science. Since 2012 she has regularly consulted, lectured, and run workshops around the country on the topics of web scraping, Python automation tools, and data science.
]]>The Domain Name System is one of the foundational technologies that allow the internet to function, but unfortunately, DNS is surprisingly brittle to certain issues, such as bitsquatting.
Lookups to names that are a "bitflip" away from well-known sites (like 'amczon.com' instead of 'amazon.com' since 'c' and 'a have a single bit difference) can be caused by memory failing due to defect or overheating situations, rogue cosmic rays, or even (allegedly) radiation caused by nuclear reactions.
I was curious how realistic the last case really was - can we 'detect' active nuclear tests based solely on bitsquatting data? To find out, I revisited bitsquatting. First I'll briefly introduce the key concepts required for understanding bitsquatting (including ASCII, DNS and HTTP, Internet infrastructure, and memory error scenarios). I'll show the tools and techniques used to identify and register over 30 newly identified bitsquat domains, monitor DNS and HTTP requests, and process, enrich, and investigate the data. Finally, I will discuss any observations gathered from the data, with a focus on regional trends, specific devices, and current events - and try and see if I could prove any correlation.
In the end, attendees should leave with knowledge of the prevalence of bitsquatting and how it has evolved since the phrase was coined 8 years ago, as well as a few techniques for analyzing bitsquatting data and drawing some interesting conclusions.
Ed Miles (Twitter: @criznash) is a researcher at DiDi Chuxing's California-based DiDi Labs. Working in technology professionally since 2001, and as a hobbyist since 1991, Ed has been focused on forensics, incident response, malware analysis, reverse engineering, and detection since 2010.
Effective security monitoring is an ongoing process. How do you get everyone participating? How do you on-board junior colleagues to continuous improvement? The purpose of this presentation is to show methods for encouraging participation from all members of the security monitoring team as well as tactics for communicating effective with the organization.
Andrew Johnson (Twitter: @pierogipowered) is implementing a dedicated security operations team at Carnegie Mellon University. The security operations group has a dual focus on both the traditional aspect of securing the university as well as a focus on training student colleagues on the practical application of their degree. Prior to Carnegie Mellon University, Andrew was with HM Health Solutions. He had been responsible for creating a security operations platform in the heavily regulated health insurance/provider space. Andrew is a co-organizer for the BSides Pittsburgh (@bsidespgh) conference and enjoys recreational cycling and cooking when not participating in information security related activities.
It's easy for us to take for granted when tools allow us to start capturing network traffic without any real hardships. However, what happens when the data you want isn't so easy to capture. This talk will look at two cases in which environments needed to be bent in order to capture the data needed for analysis.
Silas Cutler (Twitter: @silascutler) is a Senior Security Researcher at CrowdStrike, Project Director for MalShare and DEFCON 21 Black Badge (from Capture the Packet). Endorsed on LinkedIn by [REDACTED] for "tcpdump". His prior managers have described him as "a guy" and "meeting necessary skills to perform job functions."
The battle for supremacy for the control of the dashboard display or infotainment systems has always been a race. Most of these systems run on Linux, Android, Windows (customized dashboards - perhaps Windows ME or CE) and Blackberry's QNX. In-Vehicle Infotainment (IVI) or In-car entertainment (ICE) Systems are indeed fun consoles where you can play media, movies, or work with your car's navigational system. But somehow it also comes with a risk of being hacked or attacked because they have also been plagued with vulnerabilities. In this talk, join Jay as he presents his own Car Hacker's Methodology in finding security bugs in order to pwn a car's infotainment system without having to do a drive by wire or CANbus hacking tools but will simply point out the common attack surfaces e.g WiFi, Bluetooth, USB Ports, etc. and some scenarios on how to exploit it just like how he popped a shell or issue an arbitrary command in his car which he tweeted in Twitter before.
Jay Turla (Twitter: @shipcod3) is an application security engineer at Bugcrowd Inc., and one of the goons of ROOTCON. He has been acknowledged and rewarded by Facebook, Adobe, Yahoo, Microsoft, Mozilla, etc. for his responsible disclosures. He has also contributed auxiliary and exploit modules to the Metasploit Framework and presented at ROOTCON, Nullcon, and TCON. He used to work for HP Fortify where he performs Vulnerability Assessment, Remediation and Advance Testing.
In this presentation you will learn how Akamai has spent the past 4 years working toward preventing the next TLS heartbleed incident. Nothing hypothetical --only deployed defense-in-depth systems will be discussed. This talk will include how we deployed Intel SGX at scale in our network.
Sam Erb (Twitter: @erbbysam) is a 2x black badge winner with Co9 in the Badge Challenge and is working to make the Internet a safer place.
This talk will cover the basics of protocol analysis using Wireshark and lead into analyzing two custom application protocols used for extending the mouse and keyboard of a remote system. The two applications covered are HippoRemote, and iOS app to use a iPhone as a trackpad and keyboard, and Synergy, an application to allow for control of multiple operating systems with one mouse and keyboard. By performing a MITM attack, an attacker can abuse this protocols to send keystokes to a remote machine to gain remote code execution similar to a USB rubber ducky attack. The talk will also discuss mitigations and open source code will be provided for exploitation. The target audience should have a basic understanding of Wireshark, ARP spoofing, and reverse shells.
Esteban Rodriguez (Twitter: @n00py1) a Security Consultant at Coalfire Labs. He primarily perform network and web application penetration testing. Esteban worked previously at Apple Inc performing intrusion analysis and incident response. Outside of work, Esteban blog at n00py.io and perform independent security research. He have authored multiple penetration testing tools and have presented at BSides Puerto Rico covering penetration testing techniques.
Phishing and social engineering has been around since Han Solo has flown the Millennium Flacon. The typically response is deleting the messages and giving the middle finger however, what more could be done to strike back? This talk will cover how to build an artificial environment and develop anti phishing tools used to respond to phishing attempts. Results could include owning the attacker's box "hypothetically" since some legal boundaries could be crossed.
Joseph Muniz is an architect at Cisco Systems. Aamir Lakhani (Twitter: @SecureBlogger) is a lead researcher at Fortinet. Together, they have spoken at various conferences including the infamous Social Media Deception RSA talk quoted by many sources found by searching "Emily Williams Social Engineering." They are also making their fourth appearance for the DEF CON Wall of Sheep. Both speakers have written books together including a recent title Digital Forensics for Network Engineers released on Cisco Press late February 2018. They have been friends for years and continue to collaborate on research and other projects.
FOIA (otherwise known as the Freedom of Information Act or FOI/Freedom of Information in Australia) are government-based initiatives to permit the public to request information on various government records. In practice, these acts enable transparency of the operations of government to the masses with relative ease. In reality, submitting FOI requests can be a cumbersome and frustrating process for citizens.
For two years now I have been hacking this human black box - finding out what you can/cannot ask for and more importantly how to ask for information and get it! Have you ever asked the government for a log file, Cisco IOS running config or Active Directory group policies? Do you ever wonder if a government employee would provide you with such information if you asked really really nicely? Let's find out together! For the past couple of years I have been performing various technology-focused FOI requests in an attempt to answer one simple argument: Can you utilize freedom of information to enumerate technical information from government agencies? I present my research, findings and results of multiple years of submitting FOIA requests to various USA and Australian government institutions including multiple intelligence agencies. We will discover the fun times and challenges when performing such requests.
Attendees will gain practical knowledge about: what FOIA is, the caveats of FOIA, how you can utilize FOIA on red team engagements and other open source intelligence gathering activities and finally the results of my research in multiple requests to intelligence agencies.
Elliott Brink (Twitter: @ebrinkster) is an information security consultant based out of NYC. He specializes in internal/external pentesting, security architecture and social engineering. He loves computer history, tracking bad guys, honeypots, an expertly crafted bloody mary, and traveling the globe.
The security of automobiles accesses control system is a topic often discussed. Today's vehicles rely on key-fob control modules, to ensure the vehicle is accessible to authorized users only. While most traditional automobile key-fob systems have been shown to be insecure in the past, here comes a game changer. Instead of the regular key-fob system, some car owners will be able to access their vehicle by having their smartphone authenticates as a digital car key.In this talk, we will reveal the research and attacks for one of digital car keys system in the current market. By investigating how these features work, and how to exploit it through different possibles of attack vectors, we will demonstrate the security limitations of such system. By the end of this talk, the attendees will not only understand how to exploit these systems also which tools can be used to achieve our goals.
Huajiang "Kevin2600" Chen (Twitter: @kevin2600) is a security researcher at Ingeek. And a member of Team-Trinity. The Team-Trinity is a Non-profit group of security researchers, mainly focus on wireless and embedded systems vulnerability research. Team members have worked extensively with binary reverse engineering, mobile security, and hardware security. Kevin2600 has spoken at various conferences including XCON, KCON, OZSecCon, BSides, and Alibaba-Cloud-Zcon.
Jin Yang is a member of Team-Trinity. The Team-Trinity is a Non-profit group of security researchers, mainly focus on wireless and embedded systems vulnerability research. He work in network security industry for over 10 years and focus on the Automated Virus Analysis, IoT Security, Threat Intelligence and Rootkits. Jin has spoken at XCon; AVAR and KCon.
Every SOC is deluged by massive amounts of logs, suspect files, alerts and data that make it impossible to respond to everything. It is essential to deploy automation to accelerate response time, consistency, scalability and efficiency. This talk will cover techniques to design a reliable automated tool in security. We will discuss about techniques of tunning the automation to avoid false positives and the many struggles we have had in creating appropriate whitelists. We will walk through steps of creating an automated tool and the essential factors to be considered to avoid any false positive.
Gita Ziabari (Twitter: @gitaziabri) is working at as a Senior Consultant Engineer at Verizon. She has more than 14 years of experience in threat research, networking, testing and building automated tools. Her main focus is creating automated tools in cybersecurity for mining data.
IoT offers new protocols and frequencies over which communication travels. Due to lack of familiarity amongst most enterprises, most organizations are ill-equipped to monitor or detect these mysterious channels. This introduces a plethora of covert channels by which data could be exfiltrated, or malware to be infiltrated into the network. In this session we explore this new frontier by focusing on new methods of IoT protocol exploitation by revealing research conducted over the last 2 years. Detailed examples will be provided, as well as demo of a python tool for exploiting unused portions of protocol fields. From our research, we'll also reveal new methods of detecting aberrant behavior emanating to/from these devices gathered from our lab and real world testing.
Mike Raggo (Twitter: @DataHiding) is Chief Security Officer at 802 Secure and has over 20 years of security research experience. His current focus is wireless IoT threats impacting the enterprise. Michael is the author of "Mobile Data Loss: Threats & Countermeasures" and "Data Hiding" for Syngress Books, and contributing author for "Information Security the Complete Reference 2nd Edition". A former security trainer, Michael has briefed international defense agencies including the FBI and Pentagon, and is a frequent presenter at security conferences, including Black Hat, DEF CON, Gartner, DoD Cyber Crime, OWASP, HackCon, and SANS.
Chet Hosmer is an international author, educator & researcher, and founder of Python Forensics, Inc., a non-profit research institute focused on the collaborative development of open source investigative technologies using the Python programming language. Chet is also a Visiting Professor at Utica College in the Cybersecurity Graduate Program, where his research and teaching is focused on data hiding, active cyber defense and security of industrial control systems. Additionally, Chet is an Adjunct Professor at Champlain College in the Digital Forensics Graduate Program, where his research and teaching is focused on solving hard digital investigation problems using the Python programming language.
Mallet is an intercepting proxy for arbitrary protocols. More accurately, it is a framework for building proxies for arbitrary protocols. Mallet provides the basics required of all proxies: A way to receive the data, a way to send the data, and a user interface to intercept and edit the data. It builds on the Netty project, and as such has access to a large, well-tested suite of protocol implementations that can be used to transform a stream of bytes into useful, high-level protocol objects. This workshop will introduce attendees to Mallet, and show how to construct pipelines of arbitrary complexity, to successfully decode and intercept messages in various protocols, as well as automating modifications of the various messages. A basic familiarity with Java will enhance the delegate's understanding of what they are taught, but is not a requirement.
Rogan Dawes (Twitter: @RoganDawes) is a Senior Researcher at SensePost and has been hacking since 1998, which, coincidentally, is also the time he settled on a final wardrobe. He used the time he saved on choosing outfits to live up to his colleague's frequent joke that he has an offline copy of the Internet in his head. Rogan spent many years building web application assessment tools, and is credited as having built one of the first and most widely used intercepting proxies, WebScarab.
Sure, WiFi hacking has been around for a while, and everyone knows about tools like airmon-ng, kismet, et al. But what if you just want to view a list of all networks in your area along with all devices connected to them? Or maybe you want to know who's hogging all the bandwidth? Or, what if you want to know when a certain someone's cell phone is nearby. Or perhaps you'd like to know if your Airbnb host's IP Camera is uploading video to the cloud?
For all these use-cases, I've developed a new tool called "trackerjacker". In this talk, we'll use this tool to explore some of the surprisingly-informative data floating around in the radio space, and you'll come away with a new skill point or two in your radio hacking skill tree, as well as a new magical weapon... I mean tool.
Caleb Madrigal (Twitter: @caleb_madrigal) is an Applied Researcher at Mandiant/FireEye.
As security researchers, we are always looking for the next device that will make our jobs easier and our research more effective. In many cases, physical gear can be expensive and limited in capability which can be prohibitive, especially in engagements where dead drops are required. However, with the skyrocketing popularity of microcontrollers and single board computers, that barrier has been reduced significantly and has created a host of new possibilities for everything from dead drops to wired and wireless network intrusion and analysis. gh057 will introduce some of the more popular options in this genre and some live demonstrations of their more fun uses. gh057 will demonstrate three devices he built to solve specific problems and that are based on these platforms: ATtiny85, ESP8266 / ES32, Raspberry Pi Finally, and as a bonus, gh057 will demonstrate a simple technique that uses Applescript and Bash that can be used to create a simple USB trojan and can be useful for end-user training.
gh057 has worked on almost every aspect of the software development lifecycle. For the majority of his career, he worked as a front-end, full stack engineer specializing in UI/UX. During this time, he was involved in development and also testing efforts, which included quality and security best practices. In the last few years, gh057 completed a career transition to application security, most notably through security evangelism roles, where he worked closely with development teams. As an application security engineer, gh057 is responsible for security best practices, which encompasses both digital and physical threat vectors. Most recently, gh057 has been the concept creator and team lead for the Day of Shecurity conference which took place on June 16th in San Francisco, CA. In his free time, he is passionate about promoting equality in the cybersecurity industry and offering mentorship to young technologists. His goal is to leave behind a better industry than the one he found when he first began his career.
Perimeter defenses are holding an important role in computer security. However, when we check the method of APT groups, a single spear-phishing usually enough to gain a foothold on the network. Therefore, red teams are mostly focused on "assume breach" type of scenarios. In these scenarios, testers need to use a post-exploitation framework. Besides that, testers also need to hide the server-agent communication from NIDS (Network Intrusion Detection Systems). In this session, we will discuss one of the most famous post-exploitation tool, Empire's situation against payload-based anomaly detection systems. We will explain how to normalize Empire's traffic with polymorphic blending attack (PBA) method. We will also cover our tool, "firstorder" which is designed to evade anomaly-based detection systems. firstorder tool takes a traffic capture file of the network, tries to identify normal profile and configures Empire's listener in such way.
Utku Sen (Twitter: @utkusen) is a security researcher who is mostly focused on following areas: application security, network security, tool development. He presented his tool, Leviathan Framework in Black Hat USA Arsenal and DEF CON Demo Labs in 2017. He also nominated for Pwnie Awards on "Best Backdoor" category in 2016.
Gozde Sinturk is Security Researcher and Python Developer who involved in projects related to machine learning, natural language processing, and big data. She is developing security tools in her current position.
In the era of third party cloud service providers where enterprise critical data is hosted and shared with various vendors, third party security reviews have become essential part of Information Security. It has become a challenge for security teams to ensure parity is maintained between security controls that are available on premise, to those offered by the cloud provider. Typically, companies send a word document or excel sheet to get answers from cloud providers, however, this process is done only once and the review is point in time. In this talk, the attendees will learn about various methods of identifying security posture of the third-party cloud service using information available on Internet, how to use this information for performing cloud service review and improve their own cloud offerings. This can also supplement the tedious questionnaire process and provide an option to fast track the vendor reviews.
Lokesh Pidawekar (Twitter: @MaverickRocky02) work as Senior Cloud and Application Security Engineer in Cisco InfoSec team where he is responsible for designing secure architecture for applications, evaluating third party cloud service providers, and providing training to enterprise architects. He has Master's in Information Assurance & Cyber Security from Northeastern University, Boston. Previously, he has spoken at BSides Las Vegas, DEFCON Packet Hacking Village talks, OWASP Boston chapter and CarolinaCon. He likes to read about application vulnerabilities in free time and has reported security bugs to vendors as part of their bug bounty program.
Data exfiltration through DNS typically relies on the use of DNS query fields to exfiltrate data via the attacker's DNS server. This approach has several shortcomings. The first is attribution, since attackers end up creating a trail back to their own infrastructure. The second is awareness, as DFIR analysts have made careful study of DNS fields as exfiltration vectors. The third is access, since companies are increasingly using DNS server whitelisting to prevent or alert on outgoing DNS queries to servers controlled by attackers. But what if data could be transferred using the target's own whitelisted DNS servers, without the communicating systems ever directly connecting to each other or a common endpoint? Even if the network boundary employed data whitelisting to block data exfiltration?
Through a combination of DNS queries and text-based steganography, we'll cover the methods used to transfer data across a network, hidden in plain sight, without direct connectivity between systems, while employing multiple levels of deception to avoid generating alerts as well as to mislead analysis attempts. The presentation will include a demonstration of PacketWhisper, a new tool written in Python, that automates all of these steps for you. PacketWhisper will be made available on GitHub to coincide with this session (https://github.com/TryCatchHCF).
TryCatchHCF (Twitter: @TryCatchHCF) is Red Team Lead at a Fortune 500 company, and creator of the Cloakify Exfiltration and DumpsterFire Incident Automation Toolsets (https://github.com/TryCatchHCF). Previous roles have included Lead Pentester and AppSec Team Lead. He hacked into his first systems in 1981 and wrote his first malware the following year, all while nearly being eaten by a grue. He has 25+ years of security and software engineering experience, and served as an Intelligence Analyst and Counterintelligence Specialist in the United States Marine Corps. Education includes a bachelors degree in Cognitive Science, a masters degree in Information Assurance, and the collective HiveMind of the global hacking community.
In the last year or so, we have seen a massive increase in the value of cryptocurrencies and the emergence of hundreds of new coins and ICOs, getting millions of people into an investment frenzy. A lot of them being non-technical regular consumers that rushed to create new accounts in the most popular crypto exchanges like Coinbase or Bitstamp. Crypto exchanges are naturally appealing for attackers and have been targeted since as long as we can remember. However, since last year, they are also being targeted by Man-in-the-Browser (MITB) attacks. Malware families such as Zeus Panda, Ramnit and Trickbot are already aiming at websites such as Coinbase.com or Blockchain.info. In this talk, we will detail how these attacks work, from account takeover to moving out the coins to attacker-controlled wallets. We'll discuss current defenses e.g. multi-factor authentication or strong SSL encryption and why they are failing to mitigate this type of attacks.
Pedro Fortuna (Twitter: @pedrofortuna) is CTO and Co-Founder of Jscrambler where he leads the technical vision for the product suite and contributes with his cybersecurity knowledge for R&D. Pedro holds a degree in Computing Engineering and a MSc in Computer Networks and Services, having more than a decade of experience researching and working in the application security area. He is a regular speaker at OWASP AppSec events and other cybersecurity conferences but also contributes to web development events. His research interests lie in the fields of Application Security, Reverse Engineering and Malware and Software Engineering. Author of several patents in application security.
How do we scale a deeper level of security awareness training without sacrificing efficacy? This talk will explore strategies and tactics for developing security education based on employees' roles, access, and attack surface while designing not only for efficiency but also for effectiveness. By prioritizing the highest-risk teams, pooling teams to collaboratively threat-model, and contextualizing universal truths of security hygiene to those threat models, we can deliver training that leverages employees' roles, fosters retention via active participation, and eases the burden on trainers within the security team. Attendees will walk away with a roadmap for building scalable, contextual, and collaborative role-based employee security education within their organizations.
Kat Sweet (Twitter: @TheSweetKat) works for Duo Security's corporate security team as an information security analyst (and senior pun architect). A passionate security educator, she is heavily involved in building her team's employee security awareness and engagement program, and is frequently the first security team member that new Duo employees meet. She also serves as the lockpick village coordinator for BSides Las Vegas, a mentor for the SANS Women's Immersion Academy, and a teaching assistant for the Ann Arbor chapter of Girl Develop It. When she's not in security mode, you can often find her bursting into song or picking unsuspecting locks.
The police body camera market has been growing in popularity over the last few years. A recent (2016) Johns Hopkins University market survey found 60 different models have been produced specifically for law enforcement use. Rapid adoption is fueling this meteoric increase in availability and utilization. Additionally, device manufactures are attempting to package more and more technology into these devices. This has caused a deficiency in local municipalities' skills and budget to accurately assess the attack surface and exposure to the organization. Furthermore, departmental policies and procedures governing the secure deployment of these devices is largely insufficient.
At DEF CON, we will be introducing tactics, techniques, and procedures to assess the security of these devices. We will cover attacks against the physical devices, RF components, smartphone app's, and desktop software. The capabilities demonstrated and discussed will encompass publicly and privately available technologies. Additionally, the talk will cover multiple products and vendors, shedding light on industry wide issues and trends. Finally, we will be releasing software to detect and track various devices and tie these issues into real world events.
Josh Mitchell has more than a decade's experience as an information security researcher. He has authored numerous technical documents and presented his findings at conferences, academic discussions, and in the classroom. Josh is an expert at discovering and exploiting vulnerabilities and writing code to protect operating systems and programs. He holds patents in classifying computer files and executable files as malware or whiteware. Josh has served in the United States Air Force and held numerous defense contracting roles covering electronic signals intelligence exploitation, electronic warfare, malware analysis, exploit development, and reverse engineering. He also provided security services for General Dynamics Advanced Information Systems, Endgame, and Accuvant and assisted multiple computer emergency response teams with investigations vital to national security.
In this talk we briefly introduce common SMTP/TLS implementation weaknesses explain how governments, criminals, and malicious insiders can exploit them to remotely reset account passwords, create/update/delete firewall rules, control windows desktops/laptops, access online backup systems, download full-disk Encryption Keys, watch security cameras, listen to security camera microphones, control social media accounts, and takeover AWS virtual machines.
Chris Hanlon (Twitter: @ChrisHanlonCA) has been maintaining Unix, Linux, and Windows Servers since 1998 and submitting vulnerability reports since 2000. Chris's submissions have resulted in security and privacy enhancements in Google Apps, the Linux Kernel, and Interac email transfers.
Have you ever been asked 'what is the best way to protect against $ATTACK'? (usually shortly after $ATTACK makes headlines). Have you ever been challenged to provide the reasoning behind your suggestion? If you were in a room full of experts, would your reasoning hold up under scrutiny? When you discuss with your security-savvy peers, you're quickly come to a consensus on the 'best' control (!= device) to protect against $ATTACK. But do you know WHY it's the 'best'? The Target-Based Security Model is essentially a framework that breaks down attacks to their component level. This breakdown makes it easy to see what the 'best' security controls are - as well as alternative security controls that could also be applied. Its not so much something new, as it is a new way for the industry to communicate about security. In much the same way that the OSI model allows for developers to know they are talking about the same thing, a common security model allows security professionsals to communicate in a vendor-agnostic manner. Think of it as a translation tool for vendor-speak. In this talk we'll present the Target-Based Security model and discuss the following: how it came to be, what it is, and how to use it. And of course, we'll talk about how it can be used to make the world a better place - provided we all agree to use it.
Garett Montgomery (Twitter: @garett_monty) has been a Security Researcher at BreakingPoint (since acquired by Ixia; since acquired by KeySight) for the last 6+ years. Prior to joining BreakingPoint he had been employed as a Security Analyst at the Naval Postgraduate School and then an IPS Signature Developer. He holds an MS in Information Assurance and numerous (likely since-expired) security certifications. A self-described packet-monkey, he enjoys automating all the things.
Deceptions use attackers' own tactics to force them to reveal themselves. Deception techniques are typically used inside the network once attackers have broken in. Once inside, attackers use credentials to move laterally. But before penetrating their target, attackers often study publicly available data to plan their attack. Can we assume that attackers continue to use public information once they've broken in? Could externally-planted deceptions expand our range of visibility on the adversary's activity? In this session, we will present research we conducted to answer these questions, and introduce a tool you can use to "try it at home." We first took a deeper look at various OSINT resources-social media, paste sites, public code repositories, etc.-to refine our picture of the types of publicly-available data, attackers might use to further an attack. Then we planted various deceptive information. For example, on PasteBin we created a fake "paste" page containing a dump of fake credentials. On GitHub we created a fake repository of code containing "accidental" commits (git commit -am 'removed password'). Next, we paired these deceptions with relevant data and user objects within a simulated network environment. We then started monitoring and waited for an attacker to bite.
Hadar (Twitter: @hadar0x) is a Security Researcher at Illusive Networks. He has eight years of experience in cyber security, with six of those years focused on digital forensics and incident response (DFIR), both in the Israeli Air Force and in the private sector. Before joining Illusive Networks, he was a malware researcher for IBM Security where he hunted for new malware families and researched new techniques for malware detection. Hadar holds a Bachelor's degree in Computer Science from the Holon Institute of Technology, and several certifications, including the GIAC Certified Forensic Analyst (GCFA). In his free time he likes to develop open source forensic tools and solve forensic challenges.
Tom Sela (Twitter: @4x6hw) is Head of Security Research at Illusive Networks. He specializes in reverse engineering, malware research, deception development and OS internals. Prior to joining Illusive, Tom headed the Malware Research team at Trusteer (acquired by IBM), where he was responsible for Trusteer's anti-fraud endpoint product. At Trusteer he also led a team of reverse-engineers, researching the internals of advanced malware. As an active contributor to the security research community, Tom has spoken at DefCon and IEEE events. He attended the Israeli Naval Academy at the University of Haifa and holds a B.Sc. from Ben-Gurion University.
Tom Kahana (Twitter: @tomkahana1) is a Security Researcher at Illusive Networks, with over nine years in cybersecurity. He specializes in Windows internals. Prior to Illusive Networks, Tom worked for Trusteer, where he specialized in exploitation techniques. Among other accomplishments, he is credited with discovery of ASLR security bypass vulnerability CVE-2016-0012. Tom served five years in an elite unit of the Israel Defense Force (IDF), specializing in Cyber Security Research and Development. Tom is studying for his Bachelor's of Computer Science degree at the Open University of Israel.
Many industries have well-defined points of entry and well-understood education and training requirements. Information Security is not one of those industries. Successful infosec pros often have wildly diverse backgrounds so it is difficult to know which is the "correct" way to enter this field. As our industry has evolved and matured, what do organizations now look for in a candidate? What combination of skills, experience, and education will get you in your "dream job?" SPOILER - there are many predictors of success, and organizations have different priorities, so there is no single answer.
The speaker will describe his experiences as a 22-year veteran of IT and infosec, both from the perspective of working for internal support teams and as a client-facing consultant. In addition to direct observations, this presentation will include the perspectives of other infosec pros that currently work in various capacities in our industry. The goal is not to answer the question of how to successfully develop one's career, as such, but rather to continue the dialogue of what is important to us as we develop our future experts and leaders.
Damon Small (Twitter: @damonsmall) began his career studying music at Louisiana State University. Pursuing the changing job market, he took advantage of computer skills learned in the LSU recording studio to become a systems administrator in the mid 1990s. Over the past 18 years as a security professional he has supported infosec initiatives in the healthcare, defense, aerospace, and oil and gas industries. In addition to his Bachelor of Arts in Music, Small completed the Master of Science in Information Assurance degree from Norwich University in 2005. His role as Technical Director includes working closely with NCC Group consultants and clients in delivering complex security assessments that meet varied business requirements.
Started as pet project in 2011, wpa-sec collects WPA handshake captures from all over the world. Contributors use client script to download handshakes and special crafted dictionaries to initiate attack against PSKs. With more than 115 GB captures from 240 000 submissions, collected samples represent invaluable source for wireless security research. This includes:
During the talk I will explain how wpa-sec works, provide statistics and a lot internals on optimization and how to use the database as OSINT source during pentests and red team actions.
wpa-sec is opensource project available at https://github.com/RealEnder/dwpa.
Live installation at https://wpa-sec.stanev.org.
Alex Stanev (Twitter: @RealEnderSec) started as a software developer in late 90s working on a wide range of projects - from specialized hardware drivers to large scale information systems for private and public sectors, including e-government services, elections management and smart cities. Going through virtually all mainstream enterprise platforms, Alex also took some time to explore various niche technologies and did a lot of low level stuff.
As a security consultant, Alex led penetration test audits in Europe, America and Africa for financial and government institutions.
Currently Alex serves as CTO in largest Bulgarian systems integrator Information Services JSC.
]]>