Public security incidents continue to plague software companies, and each public event brings with it a loss of reputation, customer confidence, and even market cap. We’ve all read headline after headline about vulnerabilities found in products with a PR quote from the software vendor saying they will issue a software update; but what happens leading up to the public disclosure? Who is working at the software vendor ensuring customers are safe?
We will go behind the scenes of a Product Security Incident Response Team (PSIRT) including definition of a PSIRT, its responsibilities, vulnerability lifecycles, emergency response events, customer support, researcher outreach, and other PSIRT duties. The talk will provide examples of the type of reports that PSIRT teams deal with on a daily basis, including reports from traditional end users, enterprise customers, researchers, and other sources.
The value of a PSIRT will be highlighted with recommendations for how to get started if your organization is looking to build a PSIRT, and thoughts on the various struggles associated with the endeavor.
Tyler works at BlackBerry as the Director of Security Program Management. He is responsible for various programs across the Product Security organization including security advisory and communications, pentesting coordination and fulfillment, security quality measures, open source...
The transition from a Security Operations Center to a Cyber Security Incident Response Team (CSIRT) isn’t just a branding change. It is a change from the ineffectual monitoring of compliance-driven events like failed logins and system outages to actively building detection for indications of adversarial activity through detailed investigation and threat intelligence gathering. A recent CSIS study shows a perceived skills gap in cybersecurity which inhibits organizations from creating an effective CSIRT. Another survey by SANS supports the perception of ineffectual incident response capabilities. Universities are failing to produce entry-level security professionals capable of stepping into IR positions. I will discuss ways an organization can overcome this staffing challenge through internal and open source training opportunities, as well as the need to drive change in academic curricula to better prepare college graduates for careers in incident response.
Ben is an incident responder at Target Corp’s CSIRT and possesses 8 years of information security experience defending networks in the military as well as the defense and retail industries. Ben has had the opportunity to guide the development of two cyber security incident response...
Attackers always hope to obtain administrator privileges. If they get them, they can do anything. Therefore, they try to obtain administrator privileges in various ways, such as account theft, privilege escalation, and UAC bypass.
I have found one way to escalate privileges to administrator without using a vulnerability. I hope you will see the demo, understand the mechanism, and prepare against the attacks.
Researcher, Fujitsu System Integration Laboratories Limited
Soya Aoyama is a cyber security researcher at Fujitsu System Integration Laboratory, but has been in this role for less than three years.
Previously, Soya developed LAN drivers, Bluetooth profiles, Winsock applications, etc.
Soya's first cyber security presentation was at AVTOKYO 2016.
Two-factor authentication has become almost commonplace in defending against ubiquitous credential brute-forcing and has reduced the criticality of password theft.
However, there is a component of the original RFC (request for comments) that has been overlooked and undervalued, meaning that 2FA in its current form is not as effective at mitigating phishing and replay attacks as it could be.
This talk will demonstrate attacks against time-based and HMAC-based OTP (one-time password) authentication, and will propose detailed countermeasures and mitigations for these attacks.
This talk will examine egregious security vulnerabilities found in adult content mobile applications. Highlights include: lack of HTTPS usage, code execution in update mechanisms, and less than stellar vendor responses.
Follow me on a journey where we p0wn one of the most secure platforms on earth. A giant mammoth that still powers the most critical business functions around the world: The Mainframe! Be it a wire transfer, an ATM withdrawal, or a flight booking, you can be sure that you've used the trusted services of a mainframe at least once during the last 24 hours. In this talk, I will present methods on pentesting mainframe applications, deploying shells and elevating privileges on the system, all starting with zero authentication. If you are interested in mainframes or merely curious to see what a shell looks like on MVS, you'll want to attend this session.
Founding and running information security clubs has enriched my life in concrete, positive ways. In this talk, I encourage others to form groups devoted to hacking and security. By doing so, I hope that listeners go on to kickstart security scenes in their hometowns while also enjoying the same benefits that I enjoyed. Much of the advice comes from personal, hands-on experience. I will be discussing the misconceptions that I had about running an information security club, the struggles encountered, and the successes enjoyed.
Christopher Lamberson spends much of his time building Splunk dashboards and doing security related oddjobs for Columbus State University. Much of the money earned in these part-time positions goes straight to feeding his learning addiction. Other than that, he is president of a...
Beginner-oriented talk on reverse engineering and pwning; details are confined to the Linux x86 platform. Practical exercises are made available, and attendees are encouraged to work through the exercises and ask questions.
Security Researcher from the Pacific Northwest, love board things, hacking and school. Evergreen State College Grad. CTF with GNU-E-Ducks, OpenToAll.
Interests include reversing iOS things, game consoles, IoT
In the world of information, it's easy to see how people can get tricked. Social Engineering is spreading like wildfire on the phones, on the internet, and even in your very own city. Phone scams are becoming more of a problem, and it doesn't seem like it's stopping soon.
Attending this talk will help you gain more understanding of how these scams are structured, where your data is, how data is transmitted between scammers, how "employees" are funded for these operations, an example call center setup, and most importantly: how to stop this phenomenon.
This summer, witness a Canadian, self-taught, self-proclaimed, rebellious information technology administrator hack his way into die hard situations.
Featuring Nathan Clark, and his whole suite of tools, you can't miss all the action packed adventures.
In all seriousness, I'm...
Social engineering attacks remain the most effective way to gain a foothold in a targeted organization. But those attacks are only as good as the information used to create them. This presentation will arm you with the latest open-source intelligence (OSINT) tools and techniques needed for gathering detailed information on your targets, turning your social engineering ops into carefully targeted precision strikes that can greatly improve your results. We'll also cover steps that you can take to reduce your own OSINT exposure, protecting you and your organization. You'll see techniques for phishing, vishing, pretexting, impersonation, and more. Tool demonstrations will include how to make the best use of OSINT Websites and standalone tools such as Datasploit and recon-ng.
Security Threat Hunting & Intelligence Engineer, Mercari US
Joe Gray, a veteran of the U.S. Navy Submarine Force, is the inaugural winner of the DerbyCon Social Engineering Capture the Flag (SECTF) and was awarded a DerbyCon Black Badge. Joe is the Founder and Principal Instructor at The OSINTion. As a member of the Password Inspection Agency...
The purpose of this talk is to share the results of a comparative analysis between different automated Open Source Intelligence (OSINT) gathering tools. To do so, a list of reputable, popular and open source tools was compiled and then compared against three (3) different benchmarks: Data variety, Data quality and Currency. I then added useful details such as an overview of tool Modules, Output formats, Supported Operating Systems (OS) and more. The results include a table which will help security professionals easily find the appropriate tool for their type of engagement, their available time and the type of information they seek. Finally, the talk will answer some practical questions a security professional might have during engagements, such as: “What tool is the best for e-mail lists?" "What tools are awesome for beginners?" and others! :-)
Émilie St-Pierre is currently a security analyst at Rapid7, where she asks a lot of questions and works on offensive engagements. She has been a part of the infosec community for 5 years and has been co-hosting the weekly Greynoise podcast for the past 2 years. Émilie is a Director...
This talk will take a look at how inadvertently leaked technical information from businesses can be used to successfully trade stocks, resulting in huge profits. We look at different methods of influencing the stock market, such as DDoS attacks (at critical time periods) and simple techniques such as phish-baiting CEOs to acquire sensitive, relevant information that can be applied in the real world to make massive gains in profit.
We will also take a look at historic trends: how previous hacks, breaches and DDoS attacks have affected stock prices and investor confidence over time. Specific reference will be made to listed companies, and a PoC will hopefully be completed by the presentation date.
Over the past few years, Russia has proven itself to be an undeniable master of information operations. The techniques vary, but the majority of them focus on creating new realities and subverting Western values. This makes response efforts much more challenging, and Russia’s info ops strategies have become a key part of the arsenal the country draws upon in achieving its aims both at home and abroad.
By describing personal experience with a steady diet of state-sponsored propaganda while studying abroad in Russia, and by examining the country’s annexation of the Ukrainian peninsula of Crimea as a case study, I will give you an in-depth look at Russia’s info ops and why they’re so effective. I will explain why it’s useful to frame Russian information operations as large-scale social engineering and the implications that has for mitigating the security problems involved.
Graduate Student, University of Maryland University College
Meagan Dunham Keim is a Russian language nerd and InfoSec enthusiast who studied Global Security and Russian at the University of Wisconsin-Madison. She is also an alumna of the Russian Flagship, which is an intensive language and cultural studies program with a study abroad component...
While browsing CFPs for conferences this summer, one speaking track named "The Art of Defense" had a statement that “only the largest enterprises can afford a robust defense”. I disagree, and argue that in many ways small-to-medium-size businesses can be more secure than large enterprises. I will provide an overview of the security program my team and I built that achieves enterprise-level protection AND regulatory compliance WITHOUT a massive budget or huge siloed teams. Consider it a case study or how-to for building an effective security program at a small business.
Russell is the Director, Infrastructure & Security of a software and financial services company in the DC area and an organizer with BSides Charm (Baltimore is Charm City!) Russell has seventeen years' experience in IT operations and enterprise defense and is responsible for the...
Security awareness training is one of the last defenses against dastardly effective social engineering threats. Yet traditional vendor-purchased security awareness training is largely ignored by the workforce and can merely serve to ensure compliance without reducing the risk substantially. In fact, a 2016 Ponemon Institute survey found that 52% of interviewed organizations found their vendor-purchased security training product ‘somewhat or not effective’. Using American Campus Communities, the nation's largest developer, owner and manager of high-quality student housing communities, as a case study, this presentation will demonstrate to session attendees the difference between informational videos and a security awareness gamification program. Attendees will hear about the obstacles we faced and what worked and what didn't as we introduced a range of interactive games, contests, and rewards to motivate users to buy in to following security protocols.
Drew has a Bachelor of Science in Cybersecurity with a CISSP and a passion for building security programs and reducing risk. He has worked with institutions in the government, private and public sector. His specialty lies in understanding human behaviors and how emotions impact everyday...
SOC teams are consistently forced to create their own suites of in-house tools because commercial solutions rarely meet all that is expected of them in both usability and functionality. While creating customized tools helps internal teams ensure the tools meet their own needs, working with a large number of enterprises has shown that these teams often lack the approaches to extract the most impactful requirements. Adopting some targeted user experience research methods can help developers create better tools more quickly.
To help teams conduct fast actionable research on their own, I’ve compiled a set of questions that an in-house tool developer can use to clarify tool ideas, validate them, and direct tool design. In this talk we will walk through a fast mock research session to address either a predefined common problem or something suggested by the audience.
Karolyn Bachelor is a user experience consultant with Brass Hill Research & Design and has had clients in the security industry varying from start-up software firms to established enterprise companies. She is very much an all around user evangelist who thrives on helping teams make...
Windows' VSS snapshots are great. The VSS service quietly runs in the background, periodically making snapshots of just about everything on the disk. What happens if you accidentally delete a file? No worries. Pull a (somewhat old) copy out of a snapshot! But what happens if you intentionally delete a file? And write over it 35 times? Well, you can also pull a copy out of a snapshot. Snapshots are a treasure trove of information that people thought was gone. Forensic analysts use the data from them with little concern of tampering because there are no tools available to modify the contents of a snapshot. So, I decided to tamper with them. The snapshots, not the analysts.
This talk covers the basics of how VSS snapshots work and their on-disk format from the perspective of a malicious actor. A modified version of libvshadow, an open source VSS library, is presented which adds write support to VSS snapshots. The challenges and limitations experienced when modifying old snapshots are discussed, as well as a demonstration of the tool.
I'm James Clawson and I like messing stuff up.
I make things every once in a while too. I enjoy forensics, I love fuzzing, and I consider malware to be art.
When not busy driving drunk on the information super highway, I sometimes visit the zoo.
InfoSec is no longer reserved for those with the right degrees and certifications, or willing to pay the price for hacking into something. Now we can find university curriculum built upon the success stories touting professionals who went from “zero to hero”. Yet, while careers in Information Security are a hot topic, getting there isn't a straightforward journey for many. We need pilots to navigate the uncharted realms of this evolving field, willing to risk turbulence, trust their sense of direction through uncertainty and engineer what they need as and when they need it. I want to share my flight plan with you.
Disclaimer: The views presented here are solely my own and do NOT represent those of my employers, past or current.
@ADN_SECURITY is a passionate Information Security researcher and pentester, currently with a big four in Toronto, Canada as a Cyber Security Consultant. After a master's degree in information security, she decided to chart her own flight path for a successful and interesting...
Attacks are more and more likely to come from internal network sources, possibly being allowed in by unwitting accomplices. While it’s commonplace to have a web server DMZ and possibly a guest wireless network, few organizations take any steps to further segment their networks that might help prevent or detect lateral movement by an attacker. If the current common approach is that internal attack surface management is just as important as external hardening, then why aren’t more defenders doing anything about it? In this talk, we’ll look at common pitfalls that mire down internal segmentation efforts and ways to overcome them.
We take it for granted that our mobile devices are helpful, brightening our lives, making us feel warm, fuzzy, connected and safe. Our devices let us know that the temperature is dropping and that it is closing the windows. What does this RF data look like, how easy is it to view and how much of it is sent to the manufacturer or third parties with implicit use of the app?
After a few war driving and capture the flag competitions, Keya changed careers from an itinerant filmmaker and teacher to working within the realm of cyber security. When Keya isn't conducting security audits, information systems assessments, Wi-Fi assessments, pentests, network...
Despite the fact that on any given weekend of the year you can find at least one capture the flag (CTF) event going on, many security professionals have still never played in one. Want to learn without the drudgery of studying a thick book? Want to retain more of what you learn by putting it into practice? Want to get to know other security professionals? Take advantage of this gamified method of improving your skills. Capture the flag and capture the fun.
Matt Pardo is obsessed with learning, and his latest focus is on web application security. In his pursuit of better ways to learn all the things a few years ago, he discovered CTFs and realized that the gamification aspect helped him to learn at an accelerated rate. It also exposed...