BSidesLV 2017

Global stability is more precarious than at any time since the end of the cold war. At the same time, the mass proliferation of digital weapons, including destructive wiper malware, is lending new meaning to asymmetric capabilities. Unsurprisingly, some states are empirically more conflict prone than others, and it is these interstate rivalries that exhibit a higher propensity to use destructive wiper malware. Within this strategic backdrop, we’ll walk through the evolution of wiper malware through a series of real-world examples of its role in interstate rivalries. This includes both the technical features and modes of compromise, as well as its strategic effects and key role in escalating tensions between these conflict-prone states. We’ll conclude with an interactive discussion of the evolution and integration of wiper malware with ransomware, as well as what the proliferation of these digital weapons forebodes for geopolitical rivalries and future conflict.

Google Apps Scripts is a JavaScript cloud scripting language that provides easy ways to automate tasks across Google products and third party services and build web applications. However, it also provides relatively easy ways for attackers to automate infiltration, propagation, exfiltration and maintaining access to a compromised G Suit powered organization. While the platform has been used successfully for C&C (Carabank) previously, we feel it only scratched the surface as potential vectors.

Geeks Without Bounds coordinated the Internet connectivity, radio support, and renewable power for the Dakota Access Oil Pipeline protest camps at the Standing Rock Sioux Reservation in North Dakota from September 2016 to February 2017. Within hours of arriving at Standing Rock, Lisha Sterling discovered problems with her mobile phone, and that began an investigation into the various ways that cyberwarfare techniques were being used against protesters by a consortium of governmental and private security agencies. This talk includes photos and stories from Standing Rock about physical sabotage, IMSI catchers, airborne surveillance, and mystery devices which drain phone and car batteries instantly, along with lessons learned that can be used in a range of situations where activists face heavy-handed opposition.

You have heard of Red Team, Red vs. Blue Team and Purple Team exercises, but these approaches often miss two crucial aspects: communication and mentoring. An organisation doesn’t need to be overly mature to conduct a Purple Team exercise. This type of exercise can be divided into multiple stages when the business risks are well defined with communication and mentoring at the core of the engagement.

This presentation will describe how and why to execute a Purple Team exercise, as well as how to encourage upper management’s participation in this type of engagement. We will discuss techniques for executing a Purple Team exercise, along with the various types and levels of testing to assess the business risk using real case studies. This presentation will also include how to most effectively mentor the Blue Team.

Similarly to a Red Team, Purple Team exercises assess the business risks that can impact the business as a whole. The main difference between these two being that the Blue Team is involved throughout the engagement. Daily, weekly or monthly meetings are set with communication as the main objective. The Blue Team is responsible to detect, monitor and analyze the Red Team’s activities throughout the engagement. They communicate regularly with the Red Team to find solutions related to their findings rather than waiting for a finalized report that ultimately summarizes to the words “You’ve been pwned”.

Multiple levels of Blue Team involvement and mentoring approaches will be shown during the presentation. We will review different types of tests from predefined attack scenarios, which include real Red Team examples. We will focus on how this type of exercise can help the entire organisation improve their security from both a technical and strategic perspective, which will increase the value of this engagement when selling it to upper management.

As technologists and hackers many of us have skills in intelligence gathering or social engineering, but we might not stop to think about how those same skills are being used against us to influence our purchasing decisions as we evaluate vendors for new projects. Now I know you're thinking, "I can spot that a mile away.". No free lunch, vendor party, or booth giveaway is going to sway ME, right? Well, I've got a confession to make - it goes way beyond that. I can be your ally, your advocate, and an asset to your organization. I can also be the secret weapon of the sales team - the guy who speaks both languages - sales and tech.

Let me walk you through what happens behind the scenes during the sales cycle at a typical tech company to influence you into buying from them.

Talks on mental health are starting to emerge across the infosec sphere. This is a great thing, because openness and honesty about our mental states leads to better mental health. This is my attempt to tell my story about my strong personal opposition to my own better mental health and why I am (slowly) changing my mind. We take care of our bodies, why not our minds and hearts?

What sort of legal and policy choices would lead to more secure and safer software and computing-enabled devices? The patchwork of existing legal regimes in the US is based on regulations imposed on a few verticals (finance, healthcare, and education in particular), and a complex web of compliance frameworks, contractual provisions, and consumer lawsuits. As we think about making software safer and more secure for users, the policy choices we preference now may have long reaching effects. This talk will explore the implications of relying on software liability or other ex-post options vs. regulations or similar ex-ante choices.

Software-Defined Networking (SDN) has become an emerging solution to existing virtualized networking problems. Major contributors to the use of SDN is sought through the growing scale of computing power and clustered virtualization solutions. The use of SDN has shown much momentum in newer iterations of hypervisors and provides an area of discussion for vulnerability research. This talk provides a brief introduction to SDN, its components of a switch and a controller, and vectors for fuzzing. To facilitate the focus of SDN in an open source configuration, Floodlight, Open vSwitch (OVS) and the Open Flow protocol will be the prime targets for this talk. Although there are numerous vendor-specific variants, this talk is tailored to individuals who are new to the SDN paradigm, and those who want to learn more about vulnerability research in SDN.

While the bug bounty economy is booming, a novel survey of bug bounty terms reveals that platforms and companies often put hackers in “legal” harm’s way, shifting the risk for civil and criminal liability towards hackers instead of authorizing access and creating “safe harbors”. This is a call for action to hackers to unite, negotiate and influence the emerging landscape of cyberlaw, since hackers’ actions speak louder than scholars’ words. I suggest simple steps that could and should be taken, in order to minimize the legal risks of thousands of hackers participating in bug bounties, and create a “rise-to-the-top” competition over the quality of bug bounty terms. Hackers will learn not only which terms they should beware of in light of recent developments in anti-hacking laws, but which terms they, individually and through the platform, should demand to see to ensure “authorized access”. Most importantly, this is a case study of how a united front of hackers could demand and negotiate important rights, similar to what is done by organizations in other industries. Contracts and laws will continue to play a role in the highly regulated cyber landscape, conflicts of interests will inevitably arise, therefore hackers should not only pay attention to the fine print, but unite and negotiate for better terms.

With the growth of data traffic and data volumetric analysis needs, “Big Data” has become one of the most popular fields in IT and many companies are currently working on this topic, by deploying Hadoop clusters, which is the current most popular Big Data framework. As every new domain in computer science, Hadoop comes (by default) with truly no security. During the past years we dug into Hadoop and tried to understand Hadoop infrastructure and security.

This talks aims to present in a simple way Hadoop security issues or rather its “concepts”, as well as to show the multiples vectors to attack a cluster. By vectors we mean practical vectors or to sum it up: how can you access the holy “datalake” after plugging your laptop onto the target network.

Moreover, you will learn how Hadoop (in)security model was designed explaining the different security mechanisms implemented in core Hadoop services. You will also discover tools, techniques and procedures we created and consolidated to make your way to the so-called “new black gold”: data. Through different examples, you will be enlightened on how these tools and methods can be easily used to get access to data, but also to get a remote system access on cluster members.

Eventually and as Hadoop is the gathering of several services and projects, you will apprehend that patch management in this field is often complicated and known vulnerabilities often stay actionable for a while.

LAST-MINUTE EDIT:
Just a last-minute reminder for attendees: the time slot for our talk has been changed from the 25th 15:00 to the 26th 10:00.
The venue is still Florentine F on the Common Ground track.

POST-CONFERENCE UPDATE:
Slides have been attached to this post.
Video is online (https://youtu.be/B3mMTaer2is?t=5170) 

You’ve heard it before: the bad guys are winning; US companies are under attack every day, and defenders are on the losing end of the war. We are less resourced and, held back by the legal framework, less free to act, to fight back against our adversaries. This is not just a common lament in security circles, it is also the foundation of the ‘hack back’ argument. It continues that organizations on the receiving end of attacks should be able to defend themselves the same way US citizens can defend themselves against intruders in their homes. Defenders should be able to fight back, launch a counterstrike. This is hack back. And today it is illegal for private entities in the US. But there is increasing noise about legalizing it, with a bill introduced to do just that earlier this year, and a number of foreign governments also discussing it. The arguments that support it are appealing, yet it is widely opposed by many in the security community, with dire warnings about potential consequences of authorizing such measures.

This talk will examine the arguments for and against hack back; the current legal constraints; potential outcomes of authorizing it; and how hack back fits within both broader cybersecurity policy discussions, and other security program practices, such as active defense. We will begin with an objective, balanced overview from the Department of Justice’s Leonard Bailey and Rapid7’s Jen Ellis (40 mins) of the legal and practical dimensions of hack back. They will then be joined by advocates for and against authorizing hack back for a lively debate (40 mins). There may also be some bad rapping, but we make no promises.

Most information risk management programs are cumbersome and expensive, requiring expertise and time that smaller organizations may not have. In addition, many attempts to start an information risk management program fail when the program seems to have no relevance to the organization except during audits. This talk will cover a risk management program that is lightweight, useful, and can scale as the organization matures without having to throw out existing work and start over. This process has been successfully implemented; the first stages require no specialized tools.

Every year at DefCon, vendors bring custom-designed electronic badges to sell and give away. These badges are primarily for entertainment, but in some cases are also presented as kits to introduce people to soldering and hardware hacking, and most of them are programmed with puzzles and games.

Getting into the world of badge making can be daunting. How are badge boards designed? How do I pick the right microcontroller for my badge? How do I program my badge to do something cool? This talk will be a crash course in badge design working from a concrete example badge. We’ll go step by step through the process. You might not know exactly how to build your own badge at the end of the talk, but what you will know is 1) it’s not as scary as it seems, 2) what pieces you’ll need to consider in designing your badge, and 3) where to go for more information.

Ever start unpacking your kit on a physical security assessment and then you realize you left your under door tool at home? This talk will teach you how to head into the hardware store and make whatever tools you need. I'll demonstrate live on stage how to build several physical security tools on the fly!

There has been an outpouring of digital dissent in the wake of the new administration. If or when you get ordered by law enforcement to unlock your phone or digital devices or get served with a subpoena or warrant for your digital data and devices, what should you do?

This conversation is meant to provide a basic primer on what to expect from an encounter with law enforcement in various contexts - and some suggestions for how to best deal with them.