BSidesLV 2017 has ended
Training Ground 1 (The Platinum, Opal Room)
Tuesday, July 25
 

08:00 PDT

Industrial Control System Network Analysis

Industrial Control Systems (ICS) are the silent machines that control the world all around us. ICS systems are used to control elevators, subways, building HVAC systems and the electricity we use. The convergence of information technology (IT) and operational technology (OT) in the ICS marketplace has been taking place over the last 20 years. This convergence, while increasing ICS operational efficiency, is also increasing cyber risk. In this course, you will learn how to identify the protocols being used in OT networks, how to decode them and the tools and procedures to perform network assessments on these networks.

Presenters

Dennis Murphy

Lead ICS Security Engineer, SecurityMatters
Designing, installing and maintaining process automation networks is where I started my career 25 years ago. Most of my experience with SCADA systems was in the integration of data between the IT and OT networks. In 2005, I realized how security was more of an afterthought in my...


Tuesday July 25, 2017 08:00 - 11:55 PDT
Training Ground 1 (The Platinum, Opal Room) 211 E Flamingo Rd, Las Vegas, NV 89169

14:00 PDT

Extreme Mobile Application Exploitation

This full-fledged hands-on workshop will get the attendees familiar with the various Android and iOS application analysis techniques and with bypassing the existing security models on both platforms. The main objective of this workshop is to provide a proper guide on how mobile applications can be attacked, to give an overview of how some of the most important security checks for the applications are applied, and to build an in-depth understanding of these security checks.

The workshop will also include a CTF challenge designed by the trainer in the end where the attendees will use their skills learnt during the workshop to solve this challenge.

This workshop will mainly focus on the following:
1. Reverse engineer Dex code for security analysis.
2. Jailbreaking/Rooting of the device and also various techniques to detect Jailbreak/Root.
3. Runtime analysis of the apps by active debugging.
4. Modifying parts of the code, where any part can be specified as some functions or classes; to perform this check or to identify the modification, we will learn how to find and calculate the checksum of the code. Our objective in this section will be to learn how to reverse engineer an application, get its executable binaries, modify these binaries accordingly, and re-sign the application.
5. Runtime modification of code. The objective is to learn how programs/code can be changed or modified at runtime. We will learn how to perform introspection or override the default behavior of methods during runtime, and then we will learn how to identify whether the methods have been changed. For iOS we can make use of tools such as Cycript, snoop-it etc.
6. Hooking an application and learning to perform program/code modification.
7. By the end of the workshop, based on the course content, CTF challenges written by the trainer will be launched, where the attendees will use the skills learnt in the workshop to solve the CTF challenges.
The workshop will begin with a quick understanding of the architecture, file system, permissions and security model of both the iOS and Android platforms.
NOTE:
1. The tools and techniques used in the workshop are all open source and no special proprietary tools need to be purchased by the attendees for analysis post the training. Some of the tools taught in the training will be helpful in analysis and automating test cases for security testing of the mobile apps:
✔ Drozer
✔ Introspy
✔ Apktool
✔ Dex2jar
✔ Cycript
✔ JD-Gui
✔ SSL Trust killer

Presenters

Sneha Rajguru

Payatu Software Labs LLP, Payatu Software Labs LLP
India


Tuesday July 25, 2017 14:00 - 17:55 PDT
Training Ground 1 (The Platinum, Opal Room) 211 E Flamingo Rd, Las Vegas, NV 89169
 
Wednesday, July 26
 

09:00 PDT

Crams and Exams for Hams

Ham Tech Review and Exam Session

In this session we’ll be providing a 30-45 minute review for the tech level exam, providing details on each of the subject areas (including operating practice, rules, and basic RF and electronics theory). While the registration is full, if there is a chair, you are more than welcome to sit in.

After the review session is complete, people are welcome to drop by anytime during the training time to check for an open chair and write their ham exam (leave yourself at least 45 minutes to write).  We can also facilitate general and extra.

If you do not already have a callsign, please register for an FRN at the FCC site, or we will make you do it in front of us while you send your SSN over the con wifi. You can register at https://apps.fcc.gov/coresWeb/publicHome.do.  Applicants without an SSN are required to do this in advance.

You must have photo ID (foreign passports OK) and use your real name and US address (consider using a PO box).  There is no fee for the session.


Presenters

Falcon Darkstar Momot

Senior Security Consultant, Leviathan Security Group
Falcon is a senior penetration tester at Leviathan Security Group who works on everything from cryptosystem design to security program operation. He also studies LangSec as an M. Sc. student at Athabasca University, and captures flags with Neg9. His alter ego is AF7MH, licensor...


Wednesday July 26, 2017 09:00 - 12:25 PDT
Training Ground 1 (The Platinum, Opal Room) 211 E Flamingo Rd, Las Vegas, NV 89169

14:00 PDT

Auditing Of IoT Devices

In this workshop we will show a workflow to analyze the security posture of an IoT device. We will start with a high-level evaluation of the architecture of the solution (IoT device - mobile app - cloud) and proceed to the specific techniques and tools most effective for vulnerability search on IoT devices. Information shared in this workshop will allow you to quickly identify vulnerabilities present in your device using a set of documented actions.

Presenters

Martin Rakhmanov

Security Research Manager, Trustwave
Martin Rakhmanov is a Security Research Manager at Trustwave SpiderLabs where his focus is database vulnerability research and product development.

Vladimir Zakharevich

Sr. Security Researcher, SpiderLabs Team at Trustwave
Vladimir Zakharevich is a Senior Security Researcher at Trustwave SpiderLabs, based out of New York. At SpiderLabs he is working on vulnerability research and product development of vulnerability assessment software. His focus is security of IoT, mobile applications and databases...


Wednesday July 26, 2017 14:00 - 17:55 PDT
Training Ground 1 (The Platinum, Opal Room) 211 E Flamingo Rd, Las Vegas, NV 89169
 