News / Defcon

Text of the Opening Remarks / Introduction at the Speaker Workshops (DEF CON 25)

Good morning and welcome to the Packet Hacking Village at DEF CON 25 in Las Vegas, Nevada! We cannot thank you enough for your support and for your continuing support for all these years. The Wall of Sheepʼs mission is and has always been security awareness. This year, the Packet Hacking Village have a number of events and learning opportunities including the venerable Packet Detective and Capture The Packets. We have a fantastic slate of DJs to entertain and keep this village lively. Sheep City and Honeypots have returned this year.  We are also excited for something new this year: hands-on workshops as there is a tremendous demand for training and continuing education in this cyber security. We hope that you will take advantage of the many opportunities here at the Packet Hacking Village and ultimately at DEF CON to learn, to collaborate, and to be inspired.

And of course, here we are at the Speaker Workshops. This is a special year: this is the fifth anniversary of the Speaker Workshops at the Packet Hacking Village. We are going to kick it off right-off-the-bat with a very special keynote. Dan Geer said in his keynote at Black Hat 2014: "cyber security is now a riveting concern, a top issue in many venues more important than this one." Or as Matt Blaze said bluntly at The Eleventh HOPE: "we are in a national cybersecurity crisis." So what does this have to do with our keynote? There are many people now starting to study or entering the field of cyber security which is very welcoming to see. However, the body of knowledge is now too deep and intimidating to grasp and history is easily forgotten. So how did we get into the mess we are in now? In May of 1998, a group of hackers testified in front of a panel of US Senators. The hacker group was L0pht. One of the members of L0pht who testified was Weld Pond, Chris Wysopal. L0pht warned that the Internet, software, and hardware are not safe and security is an afterthought. Their warning was a disaster foretold and tragically ignored (please read the stellar Washington Post article "A Disaster Foretold --And Ignored"). Their warning and efforts also paved way for many of our careers and lifestyles in this field, and why most of us are here today at DEF CON. It is my fantastic honor to introduce you all to Chris Wysopal.

Read more →

Super Secret DEF CON 25 MAP - How to get to the Packet Hacking Village - SHHHHH!!!

Secret Map - How to get to the Packet Hacking Village
Read more →

New Batch of Accepted Speakers and Our Schedule at DEF CON 25 Now Available

Read more →

Speaker Workshops at DEF CON 25 Call for Presentations Now Open

The Wall of Sheep would like to announce a call for presentations at DEF CON 25 at the Caesars Palace in Las Vegas, NV from Thursday, July 27th to Sunday, July 30th. This will be the 5th anniversary of our Speaker Workshops.

Read more →

Packet Hacking Village Equipment Check for DEF CON 24

[Written by @donds.  Originally posted at http://hackvault.blogspot.com/2016/07/phv-equipment-check.html.]

They say not to bring any electronic devices at DEFCON!? .... what's the fun in that? Well, your mother also said not to get in a strange car with a stranger... UBER, anyone?

It’s time to prep your gear for the Packet Hacking Village (PHV) at DEFCON 24. Although, the PHV staff will have some gear for you to use, I highly recommend to bring your own "FOR DEFCON USE ONLY" gear. 

For the Wall of Sheep and WiFi Sheep Hunt you'll need a laptop with wired and wireless sniffing capabilities.  I spent about $200 for a used laptop from eBay. Also invested on an Alpha wireless USB card from Amazon. Load Kali on the laptop and you're basically good to go. Most tools you'll need are already included in Kali.  The PHV staff can help you refine your setup and config depending on what event you want to try out.

For Sheep City, you can use the same laptop you plan to use for WoS and WIFISH.  But it will require a bit more creativity and possibly a visit to the vendor area or Fry's.  Prep for Bluetooth, ZigBee, IrDa, RF...etc. Be ready for anything.

Packet Detective runs like a classroom format. IMHO, this is a "MUST DO" event at PHV. PHV will have laptops setup for PD Agent trainees to use... Yes, you don't have to bring your own laptop to participate.  This is a very popular event and laptops are limited. Sign up early.

WiFi Sheep Hunt will also have a sign-up sheet for the FoxHunt gear. You can use your own equipment to join the FoxHunt and code breaking fun.  There will also be a couple of laptops for players to use, but only for limited time slots. 

Capture the Packet has produced Black Badge winners at DEFCON. If you're just prepping now, you're already behind... you get my drift.

If you're asking which one to do first, I'd say do it all! But if it's your first ever visit at PHV, here's the order of events I'd suggest..

1. Packet Detective
2. Wall of Sheep
3. WiFi Sheep Hunt
4. Sheep City
5. Capture The Packet

Our DEF CON 24 schedule is available at https://www.wallofsheep.com/pages/dc24

Read more →

Our Speaker Workshops Schedule at DEF CON 24 is Now LIVE!

We will be adding more talks in the upcoming weeks.

Link: http://www.wallofsheep.com/pages/speaker-workshops-at-def-con-24/

Read more →

First Round of Accepted Speaker Workshops at DEF CON 24

The Arizona Cyber Warfare Range: Learn by Destruction

Richard Larkins, Network Architect at Arizona Cyber Warfare Range and President of the ISSA Phoenix Chapter

Want to run all those tools you have always heard about, but don't have the hardware to do it? Or - does your Boss want you to learn NMap, but won't let you run it on any of the corporate networks? This presentation will show what can happen when a couple of dedicated and slightly unbalanced individuals come together to establish the largest volunteer staffed, donation funded Cyber Offensive and Defensive Training facility in the world. Attendees will be shown how real hardware and real tools can be used remotely to further increase their Cyber talents.

Rich Larkins (Twitter: @arahel_jazz) is a Network Systems Engineer with way too many expired Cisco certifications. He has touched networks on 4 out of the 7 continents, over 10 countries, and is currently working on his third global satellite constellation ground control system. To further make life more unbearable, he has undertaken the role of network architect for the Arizona Cyber Warfare Range, which requires listening to hackers playing horrendous techno music at loud enough levels to drown out all the equipment in the room. Rich's real bright spot in life is his wife of 23 years, Patricia, and their two Cocker Spaniel rescue dogs (Luna and Orion) who have seven legs between them. You do the math.

Attacks on Enterprise Social Media

Mike Raggo, Chief Research Scientist at ZeroFOX

Current threat vectors show targeted attacks on social media accounts owned by enterprises and their employees. Most organizations lack a defense-in-depth strategy to address the evolving social media threat landscape. The attacks are outside their network, commonly occur through their employee's personal accounts, and circumvent existing detection technologies. In this presentation we'll explore the taxonomy of social media impersonation attacks, phishing scams, information leakage, espionage, and more. We'll then provide a method to categorize these threats and develop a methodology to adapting existing incident response processes to encompass social media threats for your organization.

Michael T. Raggo (Twitter: @MikeRaggo) has over 20 years of security research experience. Michael is the author of “Mobile Data Loss: Threats & Countermeasures” and “Data Hiding: Exposing Concealed Data in Multimedia, Operating Systems, Mobile Devices and Network Protocols” for Syngress Books, and contributing author for “Information Security the Complete Reference 2nd Edition”. A former security trainer, Michael has briefed international defense agencies including the FBI and Pentagon, is a participating member of FSISAC/BITS, and is a frequent presenter at security conferences, including Black Hat, DEF CON, Gartner, RSA, DoD Cyber Crime, OWASP, HackCon, and SANS.

Connections: Eisenhower and the Internet

Damon "Chef" Small, Technical Project Manager at NCC Group

"Rise of the Machines" conjures thoughts of the evolution of technology from the exclusive domain of computer scientists in the early days of our industry to including everyday people using - and often wearing - Internet-connected devices. With that theme in mind, the speaker researches the history of one large, government-funded infrastructure and compares it to another. Specifically, the Eisenhower Interstate System and the Internet. "Connections: Eisenhower and the Internet" explores what the logistical challenges of moving vehicles across the Country can teach us about cybersecurity. Although these two topics seem unrelated, the speaker will take the audience on a journey that begins with early 20th century road-building projects, travels through ARPANET and the commercialization of the Internet, and arrives at current-day cyberspace. These two massive infrastructures have changed the world, and there are important lessons that the former can teach about the latter. The presentation concludes with predictions about the future of the the Information Superhighway and how information security professionals can prepare.

Chef (Twitter: @damonsmall) earned his handle from his use of cooking metaphors to describe infosec concepts to laypeople. He began his career studying music at Louisiana State University and took advantage of computer skills learned in the LSU recording studio to become a systems administrator in the mid 1990s. Following the dotcom bust in the early 2000s, Chef began focusing on cyber security. This has remained his passion, and over the past 16 years as a security professional he has supported infosec initiatives in the healthcare, defense, and oil and gas industries. In addition to his Bachelor of Arts in Music, Chef completed the Master of Science in Information Assurance degree from Norwich University in 2005. His role as Technical Project Manager at NCC Group includes working closely with consultants and clients in delivering complex security assessments that meet varied business requirements. Recent speaking engagements include DEFCON 23, BSides Austin, BSides San Antonio, HouSecCon, and ISSA Houston.

Deceive and Succeed: Measuring the Efficiency of a Deception Eco-System in Post-Breach Detection

Omer Zohar, Head of Research at TopSpin Security

Today's networks are undergoing all sorts of sinister attacks from numerous sources and for myriad reasons. Security at the perimeter is inadequate for thwarting today's highly intelligent attacks as hackers routinely breach the perimeter and gain entry. It isn't long before the network is compromised and critical information is stolen. We must now assume that, despite significant investments in prevention, breaches are going to happen. An additional approach is required. Security teams must go on the offensive, creating a web of non-stop, real-time detection operations using multiple vectors against an ever-changing landscape of cyber threats. Deception technology now plays a critical role. Used as a strategy for many centuries in actual warfare, the concept of deception is becoming a significant weapon in network-protection schemes. Deception technology doesn't rely on known attack patterns and monitoring. Instead, it employs very advanced luring techniques to entice attackers away from valuable company assets and into pre-set traps, thus revealing their presence. It is able to detect threats in real time without relying on any signatures, heuristics or complex behavioral patterns. But how effective is a deception strategy in detecting breaches? What method works best? How does it integrate with current security operations already in place?

In this talk we will present findings from a first ever research which measured the efficiency of proactive deception using mini-traps and decoys in real-life threat scenarios. We have reconstructed a real enterprise environment complete with endpoints, servers, network traffic and data repositories as well as security tools such as IDS, firewall, SIEM etc. The deception layer was then integrated into the environment in 2 steps: (a) by placing decoys in the network and (b) by placing mini-traps on the assets which point to the decoys, set false credentials, trigger silent alarms and more. We then evaluated the effectiveness of the mini-traps and decoys against both automated, machine-based attacks as well as against sophisticated human attacks: The first stage involved checking the behavior of a variety of malware families against the environment and measuring the deception layer's success in detecting their activity. For the second phase, we invited red-team professionals and white hat hackers to employ real techniques and advanced tools with the task of moving laterally in the environment and exfiltrate high value data.

Omer Zohar has over a decade of experience as a developer and researcher in the data security market. As head of Research for TopSpin Security he is responsible for the research of malware and post-breach detection methods and for defining advanced detection schemes.

Dynamic Population Discovery for Lateral Movement Detection (Using Machine Learning)

Rod Soto, Senior Security and Researcher at Splunk UBA
Joseph Zadeh, Senior Security Data Scientist at Splunk UBA

The focus of this presentation is to describe ways to automate the discovery of different asset classes and behavioral profiles within an enterprise network. We will describe data driven techniques to derive fingerprints for specific types of individual and subgroup behaviors. The goal of these methods is to add context to communications taking place within an enterprise as well as being able to identify when certain asset profiles change there behavioral fingerprint in such a way as to indicate compromise. The type of profiles we want to discover can be tied to human behavior (User Fingerprinting) or particular asset classes like WebServers or Databases (Hardware/Software Fingerprinting). Finally enriching these profiles with a small amount of network context lets us break down the behaviors across different parts of the network topology.

These techniques become important when we want to passively monitor for certain attacks against server hardware even without visibility into the local logs running on the server. For example we will cover the automated discovery and enrichment of DMZ assets and how we use these techniques to profile when a server has been planted with a Webshell or when an asset has been used to covertly exfil data. The methods we propose should be generic to apply to a wide variety of any kind of Layer 4/ Layer 7 traffic or just PCAP data alone.

Rod Soto (Twitter: @rodsoto) has over 15 years of experience in information technology and security. Currently working as a Security Researcher at Splunk User Behavioral Analytics. He has spoken at ISSA, ISC2, OWASP, DEF CON, Hackmiami, Bsides and also been featured in Rolling Stone Magazine, Pentest Magazine, Univision and CNN. Rod Soto was the winner of the 2012 Black Hat Las Vegas CTF competition and is the founder and lead developer of the Kommand & KonTroll competitive hacking Tournament series.

Joseph Zadeh (Twitter: @josephzadeh) studied mathematics in college and received a BS from University California, Riverside and an MS and PhD from Purdue University. While in college, he worked in a Network Operation Center focused on security and network performance baselines and during that time he spoke at DEF CON and Torcon security conferences. Most recently he joined Caspida as a security data scientist. Previously, Joseph was part of the data science consulting team at Greenplum/Pivotal helping focused on Cyber Security analytics and also part of Kaiser Permanente's first Cyber Security R&D team.

HTTP/2 & QUIC - Teaching Good Protocols To Do Bad Things

Catherine (Kate) Pearce, Senior Security Consultant at Cisco Security Services
Vyrus, Senior Security Consultant at Cisco Security Services

The meteoric rise of SPDY, HTTP/2, and QUIC has gone largely unremarked upon by most of the security field. QUIC is an application-layer UDP-based protocol that multiplexes connections between endpoints at the application level, rather than the kernel level. HTTP/2 (H2) is a successor to SPDY, and multiplexes different HTTP streams within a single connection. More than 10% of the top 1 Million websites are already using some of these technologies, including much of the 10 highest traffic sites. Whether you multiplex out across connections with QUIC, or multiplex into fewer connections with HTTP/2, the world has changed. We have a strong sensation of Déjà vu with this work and our 2014 Black Hat USA MPTCP research. We find ourselves discussing a similar situation in new protocols with technology stacks evolving faster than ever before, and Network Security is largely unaware of the peril already upon it. This talk briefly introduces QUIC and HTTP/2, covers multiplexing attacks beyond MPTCP, discusses how you can use these techniques over QUIC and within HTTP/2, and discusses how to make sense of and defend against H2/QUIC traffic on your network. We will also demonstrate, and release, some tools with these techniques incorporated.

Catherine (Kate) Pearce (Twitter: @secvalve) is a Senior Security Consultant for Cisco, who is based in Wellington, New Zealand. Formerly a Security Consultant for Neohapsis in the USA, she has engaged with a widespread and varied range of clients to assist them in understanding their current security state, adding resilience into their systems and processes, and managing their ongoing security risk. Day-to-day she undertakes a mix of advising clients around their security, client-focused security assessments (such as penetration tests), and security research. She has spoken at her work at many security conferences, including Black Hat USA, Source Boston, Nolacon, Kiwicon, ACSC and several others. While she has recently presented on Network Security, her true loves are application security enablement, complex systems security, and cross-discipline security analogues.

Carl Vincent (Twitter: @vyrus001) is a Customer Solutions Consultant for the recently consolidated Cisco Security Solutions group, where he performs a variety of security assessment types. As an information security professional, as well as personal hobbyist, his passion is to continually research ever increasingly elaborate methods of elegantly executed hypothetical crime. He also practices personal information warfare, and most of his biographic details online are somewhat exaggerated.

Now You See Me, Now You Don't

Joseph Muniz, Architect and Researcher at Cisco
Aamir Lakahni, Senior Security Researcher at Fortinet

Many people leave behind bread crumbs of their personal life on social media, within systems they access daily, and on other digital sources. Your computer, your smartphone, your pictures and credit reports all create a information rich profile about you. This talk will discuss all the different threats that leak your information and how attackers can use open source intelligence to find you. We will discuss techniques used by law enforcement and private investigators to track individuals. Learn how you can protect your online footprint, reduce your digital trail, and securing your privacy.

Joseph Muniz (Twitter: @SecureBlogger) is a architect at Cisco Systems and researcher. He has extensive experience in designing security solutions for the top Fortune 500 corporations and US Government. Joseph's current role gives him visibility into the latest trends in cyber security both from leading vendors and customers. Joseph runs The Security Blogger website, a popular resource for security and product implementation. He is the author and contributor of several publications including a recent Cisco Press book focused on security operations centers (SOC).

Aamir Lakhani (Twitter: @aamirlakhani)

Presenting Security Metrics to the Board / Leadership

Walt Williams

The board of directors and corporate leadership is not interested in how many attacks your firewall has blocked, and frankly, that is not a metric, that is a measure. Difference between metrics and measurements, how metrics are constructed, and the kinds of metrics the board of directors are interested in will be discussed. In other words, how to identify how to align security metrics with business goals and objectives. The use of frameworks such as ISO 27004 to construct metrics, the pragmatic framework and its uses will also be discussed.

Walt Williams (Twitter: @LESecurity) CISSP, SSCP, CPT has served as an infrastructure and security architect at firms as diverse as GTE Internetworking, State Street Corp, Teradyne, The Commerce Group, and EMC. He has since moved to security management, where he now manages security at Lattice Engines. He is an outspoken proponent of design before build, an advocate of frameworks and standards, and has spoken at Security B-Sides on risk management as the cornerstone of a security architecture. He maintains a blog on security metrics and has presented to boards of three different organizations in diverse industries.

Vulnerability Management: No Excuses, A Network Engineer's Perspective

Richard Larkins, Network Architect at Arizona Cyber Warfare Range and President of the ISSA Phoenix Chapter
Anthony Kosednar, Chief Software Engineer at AZCWR

Vuln Management encompasses 3 out of the top 4 items in the SANS 20 and is a critical item for PCI DSS. Yet, so few companies manage to do it correctly. This presentation will cover the result of the author (a network geek) being unceremoniously thrown into one of those situations, and will detail the lessons learned from it. Tools used: NMap, Tripwire, Qualys, and Crayons.

Rich Larkins (Twitter: @arahel_jazz) is a Network Systems Engineer with way too many expired Cisco certifications. He has touched networks on 4 out of the 7 continents, over 10 countries, and is currently working on his third global satellite constellation ground control system. To further make life more unbearable, he has undertaken the role of network architect for the Arizona Cyber Warfare Range, which requires listening to hackers playing horrendous techno music at loud enough levels to drown out all the equipment in the room. Rich's real bright spot in life is his wife of 23 years, Patricia, and their two Cocker Spaniel rescue dogs (Luna and Orion) who have seven legs between them. You do the math.

Anthony Kosednar (Twitter: @akosednar) is an Information Security Engineer with a background in Aerospace. By day he helps secure corporations and large events (such as Super Bowl XLIX). By night, he puts on the cape of software architect for the Arizona Cyber Warfare Range. Through the darkness of night he helps program the systems that operate the range.

You Are Being Manipulated

GrayRaven, Senior Software Engineer at Cisco Systems

You are being manipulated. There is constant pressure coming from companies, people, and attackers. Millions are spent researching and studying your weaknesses. The attack vectors are subtle. Most times we don't realize that manipulation has occurred until it is too late. Fear not, we can harden our defenses. We can put safeguards in place to help avoid being the victim. For me, the answer came from an unlikely source: my daughter. Small children are fantastic. Society has not yet influenced their development; therefore, children are relentless in pursuing their aims. Since they are naive to right and wrong, they will use any tool available to get their goal. How does this help? My daughter became my trainer, and this talk discusses how interacting with her has improved my defenses. Comparing her strategies to real world examples will show how to build a training framework of your own. Access to small children is not needed.

GrayRaven (Twitter: @_grayraven_) is a senior software engineer at Cisco Systems. He has been fascinated with manipulation since his childhood. Despite receiving a degree in psychology, he spent 18 years as a professional in the Information Technology space. GrayRaven spent the first seven years of his career as a system and network administrator before moving to the dark art of programming. Two years ago he stopped dabbling and tumbled down the security rabbit hole. This journey makes him believe that he is finally using his degree professionally. During his downtime, GrayRaven can be found practicing martial arts, brewing beer and mead, or writing.

Stay tuned for schedule: http://www.wallofsheep.com/pages/speaker-workshops-at-def-con-24.

Read more →

All Speaker Workshops from DEF CON 23 Now Posted On YouTube

Read more →

Sponsor Us At DEF CON 24

If you are interested in sponsoring the Wall of Sheep at DEF CON 24 (August 4-7, 2016 at Paris and Bally's in Las Vegas, NV), please contact us for additional information:

Email: info@wallofsheep.com

Phone: (302) 365-0026

Read more →

DIY - Awesome video showing off the use of the AC400 Access Control System in the 23B Hacker Sapce!

The creator of the Open Access v4 shows off its use in the 23B Hacker Space in Fullerton California.

 

Read more →