News

First Batch of Speaker Workshops at DEF CON 25 Announced

We are pleased to announce the first batch of Speaker Workshops at the Packet Hacking Village at DEF CON 25 in Las Vegas, NV. Talks and schedule is available here.

The Black Art of Wireless Post-Exploitation: Bypassing Port-Based Access Controls Using Indirect Wireless Pivots

Gabriel Ryan, Security Engineer at Gotham Digital Science

Most forms of WPA2-EAP have been broken for nearly a decade. EAP-TTLS and EAP-PEAP have long been susceptible to evil twin attacks, yet most enterprise organizations still rely on these technologies to secure their wireless infrastructure. The reason for this is that the secure alternative, EAP-TLS, is notoriously arduous to implement. To compensate for the weak perimeter security provided by EAP-TTLS and EAP-PEAP, many organizations use port based NAC appliances to prevent attackers from pivoting further into the network after the wireless has been breached. This solution is thought to provide an acceptable balance between security and accessibility.

The problem with this approach is that it assumes that EAP is exclusively a perimeter defense mechanism. In a wireless network, EAP actually plays a subtle and far more important role. WPA2-EAP is the means through which the integrity of a wireless network’s physical layer is protected. Port-based access control mechanisms rely on the assumption that the physical layer can be trusted. Just as NACs can be bypassed on a wired network if the attacker has physical access to the switch, they can also be bypassed in a wireless environment if the attacker can control the physical layer using rogue access point attacks.

In this presentation, we will apply this concept by presenting a novel type of rogue access point attack that can be used to bypass port-based access control mechanisms in wireless networks. In doing so, we will challenge the assumption that reactive approaches to wireless security are an acceptable alternative to strong physical layer protections such as WPA2-EAP using EAP-TLS.

Gabriel Ryan (Twitter: @s0lst1c3) is a penetration tester and researcher with a passion for wireless and infrastructure testing. His career began as a systems programmer at Rutgers University, where he assessed, diagnosed, and resolved system and application issues for a user community of over 70,000 faculty, students, and staff. Gabriel then went on to work as a penetration tester and researcher for the Virginia-based defense contractor OGSystems. While at OGSystems, he worked as a lead engineer on the Mosquito project, a geospatial intelligence tool that leverages wireless technology to track potential threats. Gabriel currently works for the international security consulting firm Gotham Digital Science at their New York office, where he performs full scope red team penetration tests for a diverse range of clients. He also contributes heavily to his company’s research division, GDS Labs. Some of his most recent work includes a whitepaper on rogue access point detection, along with the popular tool Eaphammer, which is used for breaching WPA2-EAP networks. On the side, he serves as a member of the BSides Las Vegas senior staff, coordinating wireless security for the event. In his spare time, he enjoys live music, exploring the outdoors, and riding motorcycles.

Demystifying the OPM Breach: WTF Really Happened

Ron Taylor, Consulting Systems Engineer at Cisco

In September 2016 the House Committee on oversight finally released their report. Four years after the original breach, we are still asking how the f*#! did this happen. This talk with go over the key findings of the report and the impact on those who were effected.

Ron Taylor (Twitter: @Gu5G0rman) Ron has been in the Information Security field for almost 20 years. Ten of those years were spent in consulting where he gained experience in many areas. In 2008, he joined the Cisco Global Certification Team as an SME in Information Assurance . In 2012, he moved into a position with the Security Research & Operations group (PSIRT) where his focus was mostly on penetration testing of Cisco products and services. He was also involved in developing and presenting security training to internal development and test teams globally. Additionally, he provided consulting support to many product teams as an SME on product security testing. In his current role, he is a Consulting Systems Engineer specializing in Cisco's security product line. Certifications include GPEN, GWEB, GCIA, GCIH, GWAPT, RHCE, CCSP, CCNA, CISSP and MCSE. Ron is also a Cisco Security Blackbelt, SANS mentor, Co-Founder and President of the Raleigh BSides Security Conference, and member of the Packet Hacking Village team at DEF CON.

Fooling the Hound: Deceiving Domain Admin Hunters

Tom Sela, Head of Security Research at illusive networks

The conflict between cyber attackers and defenders is too often in favor of attackers. Recent results of graph theory research incorporated into red-team tools such as BloodHound, shift the balance even more dramatically towards attackers Any regular domain user can map an entire network and extract the precise path of lateral movements needed to obtain domain admin credentials or a foothold at any other high-value asset. Knowing the precise path needed to reach a target decreases the chances of an attacker making mistakes and being detected, putting defenders at a very clear disadvantage.

One traditional defensive approach is to make the ability to map the network more difficult by restricting access to information. However, such restrictions cannot be applied to all platforms, and even if they could be, it is not a trivial task in production environments.

In this talk, we present a new practical defensive approach: deceive the attackers. Since the time of Sun Tzu, deceptions have been used on the battlefield to win wars. In recent years, the ancient military tactic of deceptions has been adopted by the cyber-security community in the form of HoneyTokens. Cyber deceptions, such as fictitious high-privilege credentials, are used as bait to lure the attackers into a trap where they can be detected.

To shift the odds back in favor of the defenders, the same BloodHound graphs that are generated by attackers should be used by defenders to determine where and how to place bait with maximum effectiveness. In this way, we ensure that any shortest path to a high-value asset will include at least one deceptive node or edge. Effectively designed and placed bait would make it very difficult for the attacker to avoid detection, shifting the odds back in favor of defenders.

Tom Sela is Head of Security Research at illusive networks, specializing in Reverse Engineering, Malware Research, and OS internals. Prior to joining illusive, Tom lead the Malware Research team at Trusteer (acquired by IBM). Tom majored in Computer Science at Ben-Gurion University and studied at the Israeli Naval Academy, University of Haifa.

Fortune 100 InfoSec on a State Government Budget

Eric Capuano, SOC Manager at Texas Department of Public Safety

A common misconception is that it takes spending millions to be good at security. Our security team at Texas Department of Public Safety has proved this to be untrue. We run a full-fledged Security Operations Center and leverage some very proactive controls and incident response techniques while spending a fraction of what similar agencies are allocated.

This talk outlines many of the thought processes and "tricks" to doing security well, without breaking the bank. Some concepts include thinking critically about ROIs of existing equipment, not buying into every "shiny box", not being afraid to explore open source options, and where to spend your money for the highest ROI (people!).

This is not the typical "Problem, problem, problem...." talk.... This is a solution-based talk where I'll share SOLUTIONS to very real-world scenarios facing SOC teams everywhere.

Eric Capuano (Twitter: @eric_capuano) is an Information Security professional serving state and federal government as well as SMBs, start-ups and non-profits. Eric is also a member of the Packet Hacking Village team at DEF CON.

How Hackers Changed The Security Industry

Chris Wysopal, CTO and Co-Founder of Veracode

Before hackers got involved in cybersecurity the industry was focused on products and compliance. Security was security features: firewalls, authentication, encryption. Little thought was given to vulnerabilities that allowed the bypassing of those features. Gene Stafford famously said SSL between two PCs is like using an armored car to deliver money from one park bench to another. Hackers came along with the idea that you use offensive techniques to simulate how an attacker would discover vulnerabilities in a networks, a system, or an application. Offensive skills have been on the rise ever since and now the best way to secure something it to try and break it yourself before the attacker does.

This history will be told from a member of the hacker group The L0pht who lived the arc from the underground, to consumer advocates, to speaking at the U.S. Senate, to forming a 200 employee security consultancy, to schooling Microsoft and changing how people build software.

Attendees will learn why we need the kind of tools hackers build to secure our systems and why we need people who are taught to think like hackers, 'security champions', to be part of software development teams.

Chris Wysopal (Twitter: @WeldPond) Chris Wysopal is currently Veracode's CTO and co-founder. He is one of the original vulnerability researchers and an early member of L0pht Heavy Industries, which he joined in 1992. He is the author of netcat for Windows and one of the authors of L0phtCrack. He has testified on Capitol Hill in the US on the subjects of government computer security and how vulnerabilities are discovered in software. He published his first advisory in 1996 on parameter tampering in Lotus Domino and has been trying to help people not repeat this type of mistake for 15 years. He is also the author of "The Art of Software Security Testing" published by Addison-Wesley.

IP Spoofing

Marek Majkowski, Cloudflare

At Cloudflare we deal with DDoS attacks every day. Over the years we've gained a lot of experience in defending from all different kinds of threats. We have found that the largest attacks that cause the internet infrastructure to burn are only possible due to IP spoofing.

In this talk we'll discuss what we learned about the L3 (Layer 3 OSI stack) IP spoofing. We'll explain why L3 attacks are even possible in today's internet and what direct and reflected L3 attacks look like. We'll describe our attempts to trace the IP spoofing and why attack attribution is so hard. Our architecture allows us to perform most attack mitigations in software. We'll explain a couple of effective L3 mitigation techniques we've developed to stop our servers burning.

While L3 attacks are a real danger to the internet, they don't need to be. With a bit of cooperation and couple of technical tricks maybe we can fix the IP spoofing problem for all.

Marek Majkowski (Twitter: @majek04). After fruitful encounters with such diverse topics as high performance key value databases, distributed queueing systems, making real time web communication enjoyable, and accelerating the time so that testing servers and protocols takes seconds, Marek Majkowski finally settled for working on DDoS mitigation in the CloudFlare London office, where he appreciates most the parking space for his motorbike.

Layer 8 and Why People are the Most Important Security Tool

Damon Small, Technical Director, Security Consulting, NCC Group North America

People are the cause of many security problems, but people are also the most effective resource for combating them. Technology is critical, but without trained professionals, it is ineffective. In the context two case studies, the presenter will describe specific instances where human creativity and skill overcame technical deficiencies. The presenter believes this topic to be particularly relevant for the Packet Hacking Village, as many techniques used are the same that are pertinent for Capture the Packet and Packet Detective.

Technical details will include the specific tools used, screenshots of captured data, and analysis of the malware and the malicious user’s activity. The goal of the presentation is show the importance of technical ability and critical thinking, and to demonstrate that skilled people are the most important tool in an information security program.

Damon Small (Twitter: @damonsmall) began his career studying music at Louisiana State University. Pursuing the changing job market, he took advantage of computer skills learned in the LSU recording studio to become a systems administrator in the mid 1990s. Following the dotcom bust in the early 2000s, Small began focusing on cyber security. This has remained his passion, and over the past 17 years as a security professional he has supported infosec initiatives in the healthcare, defense, and oil and gas industries. In addition to his Bachelor of Arts in Music, Small completed the Master of Science in Information Assurance degree from Norwich University in 2005. As Technical Director for NCC Group, Small has a particular interest in research and business development in the Healthcare and Oil & Gas industries. His role also includes working closely with NCC consultants and clients in delivering complex security assessments that meet varied business requirements.

Read more →

Speaker Workshops at DEF CON 25 Call for Presentations Now Open

The Wall of Sheep would like to announce a call for presentations at DEF CON 25 at the Caesars Palace in Las Vegas, NV from Thursday, July 27th to Sunday, July 30th. This will be the 5th anniversary of our Speaker Workshops.

Read more →

Why are you no longer shipping to country X?

One simple word.. Fraud.   We are still happy to ship to any country via a verified PayPal account, just send an email with your request to sales@wallofsheep.com

Thank you

Wall of Sheep team

Read more →

Packet Hacking Village Equipment Check for DEF CON 24

[Written by @donds.  Originally posted at http://hackvault.blogspot.com/2016/07/phv-equipment-check.html.]

They say not to bring any electronic devices at DEFCON!? .... what's the fun in that? Well, your mother also said not to get in a strange car with a stranger... UBER, anyone?

It’s time to prep your gear for the Packet Hacking Village (PHV) at DEFCON 24. Although, the PHV staff will have some gear for you to use, I highly recommend to bring your own "FOR DEFCON USE ONLY" gear. 

For the Wall of Sheep and WiFi Sheep Hunt you'll need a laptop with wired and wireless sniffing capabilities.  I spent about $200 for a used laptop from eBay. Also invested on an Alpha wireless USB card from Amazon. Load Kali on the laptop and you're basically good to go. Most tools you'll need are already included in Kali.  The PHV staff can help you refine your setup and config depending on what event you want to try out.

For Sheep City, you can use the same laptop you plan to use for WoS and WIFISH.  But it will require a bit more creativity and possibly a visit to the vendor area or Fry's.  Prep for Bluetooth, ZigBee, IrDa, RF...etc. Be ready for anything.

Packet Detective runs like a classroom format. IMHO, this is a "MUST DO" event at PHV. PHV will have laptops setup for PD Agent trainees to use... Yes, you don't have to bring your own laptop to participate.  This is a very popular event and laptops are limited. Sign up early.

WiFi Sheep Hunt will also have a sign-up sheet for the FoxHunt gear. You can use your own equipment to join the FoxHunt and code breaking fun.  There will also be a couple of laptops for players to use, but only for limited time slots. 

Capture the Packet has produced Black Badge winners at DEFCON. If you're just prepping now, you're already behind... you get my drift.

If you're asking which one to do first, I'd say do it all! But if it's your first ever visit at PHV, here's the order of events I'd suggest..

1. Packet Detective
2. Wall of Sheep
3. WiFi Sheep Hunt
4. Sheep City
5. Capture The Packet

Our DEF CON 24 schedule is available at https://www.wallofsheep.com/pages/dc24

Read more →

What’s More Explosive: Palantir's Penetration Test Results or Buzzfeed's Reaction To Them?

Buzzfeed posted a long story last week about leaked penetration test results for Palantir, Peter Thiel's $20 billion private data analysis company funded by the CIA and considered the backbone of US intelligence gathering.

Based on a confidential report, Buzzfeed says HACKERS COULD TAKE CONTROL OF PALANTIR'S ENTIRE NETWORK!!!! AND…! AND…! AND…!

This looked sensational at first glance.

Palantir's valuation and reputation are built on knowing more than everyone else. So how could it do such a lousy job on security? The real-world ramifications would be serious. Well-known clients include big-time financial firms like Bridgewater (world's largest hedge fund) and an alphabet soup of law enforcement agencies (FBI, CIA, NSA, etc.).

Midway through reading the Buzzfeed story, though, a couple things became apparent:

  1. The story reads like a rewritten version of the confidential report. There is little to no analysis.
  2. The pen testers praised Palantir's internal response team. Repeatedly.

Thankfully, Forbes published an accompanying piece just afterward that analyzes  Buzzfeed's story and sums it up nicely with one sentence:

Penetration Tests Almost Always Win

"That Palantir succumbed to the cyber squad it hired specifically to discover its vulnerabilities is no surprise," Forbes wrote. "That's how it goes. One could argue that Palantir should be praised for conducting such proactive testing—as not every company does—and for having an "excellent" response, as the organization called in to conduct the hack said. Nice work, PALs. Patch up and keep at it."

Our two cents is that the Buzzfeed story does a good job breaking down a thorough penetration test for regular folks: How the penetration testers conducted their attacks, what they found, how they would start at Point A to get to Point Z, some cat-and-mouse with the internal Palantir team defending the company against the attack, etc. But the Buzzfeed's reaction feels breathless. Forbes reached the same conclusion:

"Why single out this one company?" Forbes asks. "The implication is that if Palantir can be hacked, then A) anyone can be hacked and B) it probably has been hacked already—especially considering the highly confidential government work it handles as well as the persistence of the United States' adversaries. Even a company as locked down as Palantir has holes."

"To BuzzFeed's credit," Forbes continued, "the story does an excellent job detailing how hackers can make their way around a computer network, hopping from node to node, compromising accounts and servers, and escalating an attack along the way. Still it does a disservice in blasting a firm for taking the very measures it should to learn about and fix its weaknesses."

Read more →

Round Up of Bug Bounties and Resources

At recent  OWASP meeting in San Francisco, bug bounties caused far and away the most spirited discussion. Speaker Craig Steipp, who is head of security at WikiMedia, spoke heavily in favor of them. Yet several audience members spoke against them or offered tepid support.

 

Side stepping that debate, who started them? Who runs them? Who doesn’t? And what’s the largest out there?

 

According to Wikipedia, Jarrett Ridlinghafer started the first such thing in 1995 as a technical support engineer at Netscape Communications. The SVP of Engineering reportedly was the only person against funding the internal program. But he was outvoted and the company went with it. Others followed suit.

 

Bugcrowd, which facilitates a community-approach to security, keeps a running list of bounty programs sent in by its community of users. It can be sort based on four categories: New, Reward, Swag and Hall of Fame. (There’s no description of Hall of Fame so define that as you wish.) They even offer a weekly email for people who want to stay on top of the game.

 

HackerOne, which runs programs for Twitter and other big names, is a good resource for finding out which companies not only offer bounties, but contribute to open-source projects that help bounty programs. 

 

The programs aren’t limited to tech companies either. Somewhat surprisingly, United Airlines is the fourth ranking result for a Google search of ‘bug bounties’. They’ll pay up to 1,000,000 frequent flier miles for serious flaws.

 

There’s no quick-and-easy list of amounts, but that’s not surprising given the subjective nature of what might be discovered and the perceived value. Security firm Netraguard told Forbes in 2010 that it would pay hackers up to $115,000 for an Apple vulnerability.

 

welivesecurity published a story in 2015 showing a list of the highest bounties they could uncover. Although it says Facebook paid more than $1M in total bounties for 2014, Microsoft’s $200,000 payment is the highest one-time reward on there.

 

The New York Times recently put together a nice list of companies that pay, how much (Google will do up to $100,000 for a Chromebook bug)

 

If we missed your bug bounty program or you’re aware any that are noteworthy feel free to send them to add to the list.

Read more →

Our Speaker Workshops Schedule at DEF CON 24 is Now LIVE!

We will be adding more talks in the upcoming weeks.

Link: http://www.wallofsheep.com/pages/speaker-workshops-at-def-con-24/

Read more →

First Round of Accepted Speaker Workshops at DEF CON 24

The Arizona Cyber Warfare Range: Learn by Destruction

Richard Larkins, Network Architect at Arizona Cyber Warfare Range and President of the ISSA Phoenix Chapter

Want to run all those tools you have always heard about, but don't have the hardware to do it? Or - does your Boss want you to learn NMap, but won't let you run it on any of the corporate networks? This presentation will show what can happen when a couple of dedicated and slightly unbalanced individuals come together to establish the largest volunteer staffed, donation funded Cyber Offensive and Defensive Training facility in the world. Attendees will be shown how real hardware and real tools can be used remotely to further increase their Cyber talents.

Rich Larkins (Twitter: @arahel_jazz) is a Network Systems Engineer with way too many expired Cisco certifications. He has touched networks on 4 out of the 7 continents, over 10 countries, and is currently working on his third global satellite constellation ground control system. To further make life more unbearable, he has undertaken the role of network architect for the Arizona Cyber Warfare Range, which requires listening to hackers playing horrendous techno music at loud enough levels to drown out all the equipment in the room. Rich's real bright spot in life is his wife of 23 years, Patricia, and their two Cocker Spaniel rescue dogs (Luna and Orion) who have seven legs between them. You do the math.

Attacks on Enterprise Social Media

Mike Raggo, Chief Research Scientist at ZeroFOX

Current threat vectors show targeted attacks on social media accounts owned by enterprises and their employees. Most organizations lack a defense-in-depth strategy to address the evolving social media threat landscape. The attacks are outside their network, commonly occur through their employee's personal accounts, and circumvent existing detection technologies. In this presentation we'll explore the taxonomy of social media impersonation attacks, phishing scams, information leakage, espionage, and more. We'll then provide a method to categorize these threats and develop a methodology to adapting existing incident response processes to encompass social media threats for your organization.

Michael T. Raggo (Twitter: @MikeRaggo) has over 20 years of security research experience. Michael is the author of “Mobile Data Loss: Threats & Countermeasures” and “Data Hiding: Exposing Concealed Data in Multimedia, Operating Systems, Mobile Devices and Network Protocols” for Syngress Books, and contributing author for “Information Security the Complete Reference 2nd Edition”. A former security trainer, Michael has briefed international defense agencies including the FBI and Pentagon, is a participating member of FSISAC/BITS, and is a frequent presenter at security conferences, including Black Hat, DEF CON, Gartner, RSA, DoD Cyber Crime, OWASP, HackCon, and SANS.

Connections: Eisenhower and the Internet

Damon "Chef" Small, Technical Project Manager at NCC Group

"Rise of the Machines" conjures thoughts of the evolution of technology from the exclusive domain of computer scientists in the early days of our industry to including everyday people using - and often wearing - Internet-connected devices. With that theme in mind, the speaker researches the history of one large, government-funded infrastructure and compares it to another. Specifically, the Eisenhower Interstate System and the Internet. "Connections: Eisenhower and the Internet" explores what the logistical challenges of moving vehicles across the Country can teach us about cybersecurity. Although these two topics seem unrelated, the speaker will take the audience on a journey that begins with early 20th century road-building projects, travels through ARPANET and the commercialization of the Internet, and arrives at current-day cyberspace. These two massive infrastructures have changed the world, and there are important lessons that the former can teach about the latter. The presentation concludes with predictions about the future of the the Information Superhighway and how information security professionals can prepare.

Chef (Twitter: @damonsmall) earned his handle from his use of cooking metaphors to describe infosec concepts to laypeople. He began his career studying music at Louisiana State University and took advantage of computer skills learned in the LSU recording studio to become a systems administrator in the mid 1990s. Following the dotcom bust in the early 2000s, Chef began focusing on cyber security. This has remained his passion, and over the past 16 years as a security professional he has supported infosec initiatives in the healthcare, defense, and oil and gas industries. In addition to his Bachelor of Arts in Music, Chef completed the Master of Science in Information Assurance degree from Norwich University in 2005. His role as Technical Project Manager at NCC Group includes working closely with consultants and clients in delivering complex security assessments that meet varied business requirements. Recent speaking engagements include DEFCON 23, BSides Austin, BSides San Antonio, HouSecCon, and ISSA Houston.

Deceive and Succeed: Measuring the Efficiency of a Deception Eco-System in Post-Breach Detection

Omer Zohar, Head of Research at TopSpin Security

Today's networks are undergoing all sorts of sinister attacks from numerous sources and for myriad reasons. Security at the perimeter is inadequate for thwarting today's highly intelligent attacks as hackers routinely breach the perimeter and gain entry. It isn't long before the network is compromised and critical information is stolen. We must now assume that, despite significant investments in prevention, breaches are going to happen. An additional approach is required. Security teams must go on the offensive, creating a web of non-stop, real-time detection operations using multiple vectors against an ever-changing landscape of cyber threats. Deception technology now plays a critical role. Used as a strategy for many centuries in actual warfare, the concept of deception is becoming a significant weapon in network-protection schemes. Deception technology doesn't rely on known attack patterns and monitoring. Instead, it employs very advanced luring techniques to entice attackers away from valuable company assets and into pre-set traps, thus revealing their presence. It is able to detect threats in real time without relying on any signatures, heuristics or complex behavioral patterns. But how effective is a deception strategy in detecting breaches? What method works best? How does it integrate with current security operations already in place?

In this talk we will present findings from a first ever research which measured the efficiency of proactive deception using mini-traps and decoys in real-life threat scenarios. We have reconstructed a real enterprise environment complete with endpoints, servers, network traffic and data repositories as well as security tools such as IDS, firewall, SIEM etc. The deception layer was then integrated into the environment in 2 steps: (a) by placing decoys in the network and (b) by placing mini-traps on the assets which point to the decoys, set false credentials, trigger silent alarms and more. We then evaluated the effectiveness of the mini-traps and decoys against both automated, machine-based attacks as well as against sophisticated human attacks: The first stage involved checking the behavior of a variety of malware families against the environment and measuring the deception layer's success in detecting their activity. For the second phase, we invited red-team professionals and white hat hackers to employ real techniques and advanced tools with the task of moving laterally in the environment and exfiltrate high value data.

Omer Zohar has over a decade of experience as a developer and researcher in the data security market. As head of Research for TopSpin Security he is responsible for the research of malware and post-breach detection methods and for defining advanced detection schemes.

Dynamic Population Discovery for Lateral Movement Detection (Using Machine Learning)

Rod Soto, Senior Security and Researcher at Splunk UBA
Joseph Zadeh, Senior Security Data Scientist at Splunk UBA

The focus of this presentation is to describe ways to automate the discovery of different asset classes and behavioral profiles within an enterprise network. We will describe data driven techniques to derive fingerprints for specific types of individual and subgroup behaviors. The goal of these methods is to add context to communications taking place within an enterprise as well as being able to identify when certain asset profiles change there behavioral fingerprint in such a way as to indicate compromise. The type of profiles we want to discover can be tied to human behavior (User Fingerprinting) or particular asset classes like WebServers or Databases (Hardware/Software Fingerprinting). Finally enriching these profiles with a small amount of network context lets us break down the behaviors across different parts of the network topology.

These techniques become important when we want to passively monitor for certain attacks against server hardware even without visibility into the local logs running on the server. For example we will cover the automated discovery and enrichment of DMZ assets and how we use these techniques to profile when a server has been planted with a Webshell or when an asset has been used to covertly exfil data. The methods we propose should be generic to apply to a wide variety of any kind of Layer 4/ Layer 7 traffic or just PCAP data alone.

Rod Soto (Twitter: @rodsoto) has over 15 years of experience in information technology and security. Currently working as a Security Researcher at Splunk User Behavioral Analytics. He has spoken at ISSA, ISC2, OWASP, DEF CON, Hackmiami, Bsides and also been featured in Rolling Stone Magazine, Pentest Magazine, Univision and CNN. Rod Soto was the winner of the 2012 Black Hat Las Vegas CTF competition and is the founder and lead developer of the Kommand & KonTroll competitive hacking Tournament series.

Joseph Zadeh (Twitter: @josephzadeh) studied mathematics in college and received a BS from University California, Riverside and an MS and PhD from Purdue University. While in college, he worked in a Network Operation Center focused on security and network performance baselines and during that time he spoke at DEF CON and Torcon security conferences. Most recently he joined Caspida as a security data scientist. Previously, Joseph was part of the data science consulting team at Greenplum/Pivotal helping focused on Cyber Security analytics and also part of Kaiser Permanente's first Cyber Security R&D team.

HTTP/2 & QUIC - Teaching Good Protocols To Do Bad Things

Catherine (Kate) Pearce, Senior Security Consultant at Cisco Security Services
Vyrus, Senior Security Consultant at Cisco Security Services

The meteoric rise of SPDY, HTTP/2, and QUIC has gone largely unremarked upon by most of the security field. QUIC is an application-layer UDP-based protocol that multiplexes connections between endpoints at the application level, rather than the kernel level. HTTP/2 (H2) is a successor to SPDY, and multiplexes different HTTP streams within a single connection. More than 10% of the top 1 Million websites are already using some of these technologies, including much of the 10 highest traffic sites. Whether you multiplex out across connections with QUIC, or multiplex into fewer connections with HTTP/2, the world has changed. We have a strong sensation of Déjà vu with this work and our 2014 Black Hat USA MPTCP research. We find ourselves discussing a similar situation in new protocols with technology stacks evolving faster than ever before, and Network Security is largely unaware of the peril already upon it. This talk briefly introduces QUIC and HTTP/2, covers multiplexing attacks beyond MPTCP, discusses how you can use these techniques over QUIC and within HTTP/2, and discusses how to make sense of and defend against H2/QUIC traffic on your network. We will also demonstrate, and release, some tools with these techniques incorporated.

Catherine (Kate) Pearce (Twitter: @secvalve) is a Senior Security Consultant for Cisco, who is based in Wellington, New Zealand. Formerly a Security Consultant for Neohapsis in the USA, she has engaged with a widespread and varied range of clients to assist them in understanding their current security state, adding resilience into their systems and processes, and managing their ongoing security risk. Day-to-day she undertakes a mix of advising clients around their security, client-focused security assessments (such as penetration tests), and security research. She has spoken at her work at many security conferences, including Black Hat USA, Source Boston, Nolacon, Kiwicon, ACSC and several others. While she has recently presented on Network Security, her true loves are application security enablement, complex systems security, and cross-discipline security analogues.

Carl Vincent (Twitter: @vyrus001) is a Customer Solutions Consultant for the recently consolidated Cisco Security Solutions group, where he performs a variety of security assessment types. As an information security professional, as well as personal hobbyist, his passion is to continually research ever increasingly elaborate methods of elegantly executed hypothetical crime. He also practices personal information warfare, and most of his biographic details online are somewhat exaggerated.

Now You See Me, Now You Don't

Joseph Muniz, Architect and Researcher at Cisco
Aamir Lakahni, Senior Security Researcher at Fortinet

Many people leave behind bread crumbs of their personal life on social media, within systems they access daily, and on other digital sources. Your computer, your smartphone, your pictures and credit reports all create a information rich profile about you. This talk will discuss all the different threats that leak your information and how attackers can use open source intelligence to find you. We will discuss techniques used by law enforcement and private investigators to track individuals. Learn how you can protect your online footprint, reduce your digital trail, and securing your privacy.

Joseph Muniz (Twitter: @SecureBlogger) is a architect at Cisco Systems and researcher. He has extensive experience in designing security solutions for the top Fortune 500 corporations and US Government. Joseph's current role gives him visibility into the latest trends in cyber security both from leading vendors and customers. Joseph runs The Security Blogger website, a popular resource for security and product implementation. He is the author and contributor of several publications including a recent Cisco Press book focused on security operations centers (SOC).

Aamir Lakhani (Twitter: @aamirlakhani)

Presenting Security Metrics to the Board / Leadership

Walt Williams

The board of directors and corporate leadership is not interested in how many attacks your firewall has blocked, and frankly, that is not a metric, that is a measure. Difference between metrics and measurements, how metrics are constructed, and the kinds of metrics the board of directors are interested in will be discussed. In other words, how to identify how to align security metrics with business goals and objectives. The use of frameworks such as ISO 27004 to construct metrics, the pragmatic framework and its uses will also be discussed.

Walt Williams (Twitter: @LESecurity) CISSP, SSCP, CPT has served as an infrastructure and security architect at firms as diverse as GTE Internetworking, State Street Corp, Teradyne, The Commerce Group, and EMC. He has since moved to security management, where he now manages security at Lattice Engines. He is an outspoken proponent of design before build, an advocate of frameworks and standards, and has spoken at Security B-Sides on risk management as the cornerstone of a security architecture. He maintains a blog on security metrics and has presented to boards of three different organizations in diverse industries.

Vulnerability Management: No Excuses, A Network Engineer's Perspective

Richard Larkins, Network Architect at Arizona Cyber Warfare Range and President of the ISSA Phoenix Chapter
Anthony Kosednar, Chief Software Engineer at AZCWR

Vuln Management encompasses 3 out of the top 4 items in the SANS 20 and is a critical item for PCI DSS. Yet, so few companies manage to do it correctly. This presentation will cover the result of the author (a network geek) being unceremoniously thrown into one of those situations, and will detail the lessons learned from it. Tools used: NMap, Tripwire, Qualys, and Crayons.

Rich Larkins (Twitter: @arahel_jazz) is a Network Systems Engineer with way too many expired Cisco certifications. He has touched networks on 4 out of the 7 continents, over 10 countries, and is currently working on his third global satellite constellation ground control system. To further make life more unbearable, he has undertaken the role of network architect for the Arizona Cyber Warfare Range, which requires listening to hackers playing horrendous techno music at loud enough levels to drown out all the equipment in the room. Rich's real bright spot in life is his wife of 23 years, Patricia, and their two Cocker Spaniel rescue dogs (Luna and Orion) who have seven legs between them. You do the math.

Anthony Kosednar (Twitter: @akosednar) is an Information Security Engineer with a background in Aerospace. By day he helps secure corporations and large events (such as Super Bowl XLIX). By night, he puts on the cape of software architect for the Arizona Cyber Warfare Range. Through the darkness of night he helps program the systems that operate the range.

You Are Being Manipulated

GrayRaven, Senior Software Engineer at Cisco Systems

You are being manipulated. There is constant pressure coming from companies, people, and attackers. Millions are spent researching and studying your weaknesses. The attack vectors are subtle. Most times we don't realize that manipulation has occurred until it is too late. Fear not, we can harden our defenses. We can put safeguards in place to help avoid being the victim. For me, the answer came from an unlikely source: my daughter. Small children are fantastic. Society has not yet influenced their development; therefore, children are relentless in pursuing their aims. Since they are naive to right and wrong, they will use any tool available to get their goal. How does this help? My daughter became my trainer, and this talk discusses how interacting with her has improved my defenses. Comparing her strategies to real world examples will show how to build a training framework of your own. Access to small children is not needed.

GrayRaven (Twitter: @_grayraven_) is a senior software engineer at Cisco Systems. He has been fascinated with manipulation since his childhood. Despite receiving a degree in psychology, he spent 18 years as a professional in the Information Technology space. GrayRaven spent the first seven years of his career as a system and network administrator before moving to the dark art of programming. Two years ago he stopped dabbling and tumbled down the security rabbit hole. This journey makes him believe that he is finally using his degree professionally. During his downtime, GrayRaven can be found practicing martial arts, brewing beer and mead, or writing.

Stay tuned for schedule: http://www.wallofsheep.com/pages/speaker-workshops-at-def-con-24.

Read more →

LinkedIn Breach Resurfaces: 1 in 4 Accounts Compromised

Details are starting to come out about the massive LinkedIn breach that is gaining attention this week even though it first occurred in 2012.

ZDSearch has a nice tally of the worst passwords found in the dump here. Top three worst offenders:

 753,305 people used ‘123456’

  • 172,523 people used ‘linkedin’
  • 144,458 people used ‘password’

 According to Krebs, 117 million accounts are likely compromised instead of the 6.5 million originally stated. (That’s 1 of every 4 users of LinkedIn, which has around 430 million users.) LeakedSource has a searchable database for those interested if their account is one of those affected.

MotherBoard has been in contact with LeakedSource and a hacker known as ‘Peace’ who claims to have the full dump. With security researcher Troy Hunt, they claim to have reverse engineered 90% of the passwords within 72 hours. They’ve reached out to several LinkedIn users and they’ve been confirming account details.

Read more →

Speaker Workshops at DEF CON 24 Call for Presentations Now Open

The Wall of Sheep would like to announce a call for presentations at DEF CON 24 at the Paris and Bally's Hotels in Las Vegas, NV from Thursday, August 4th to Sunday, August 7th. All accepted talks will be announced, recorded, and published by DEF CON Communications, Inc. Please see our YouTube channel for all Speaker Workshops from last year: https://www.youtube.com/channel/UCnL9S5Wv_dNvO381slSA06w.

This year, the Packet Hacking Village at DEF CON 24 will be on the 26th floor of Bally's Indigo Tower. The Call for Presentations will close on Wednesday, June 15th at 11:59 PM. The list of workshops will be finalized and published on Thursday, June 30th.

How: Complete the Call for Papers Form and send to cfp2016[at]wallofsheep[dot]com. Please also refer to the form for more details.

Read more →