I Know What You Did Last Summer… I’m Still Hacking Your Small Business
Speaker: Vincent Matteo
Abstract: In 2021, nearly 50% of all cyberattacks targeted businesses of 1000 employees or less. Why do attackers target small businesses? Because these organizations lack the resources and the security expertise – they are the proverbial low-hanging fruit.
In this talk, we’ll explore the steps an attacker might use to mask their identity, hide their tracks, and we’ll examine some real-world scenarios from over the past year where full compromise had been accomplished through human error, seemingly harmless configurations, and vulnerable products. We’ll then explore avenues for engaging employees and management through gamification and we’ll outline several cost-effective measures to create a more hardened environment.
Bio: Vincent Matteo is a security researcher and a senior penetration tester at Seven Layers where he focuses on securing small to medium-sized businesses. Vincent is an Air Force veteran as well as a veteran of the technology world with over 30 years of experience — 20 years of which were spent running Seven Layers. Vincent is an author, a speaker at GrrCON, BSides, and Snowtalks security conferences, and a recreational bug bounty hunter with 17 CVEs. In his spare time, Vincent drinks copious amounts of coffee, he enjoys petting his two dogs, and when he’s not in front of a computer, he’s out running hundred-mile ultramarathons.
Reverse Engineering an N-Day Vulnerability
Speaker: Nicholas Starke
Abstract: This presentation will cover reverse engineering someone else’s discovered vulnerability and how to use public information to create a proof of concept. Recently a vulnerability was discovered in a kernel module of many different consumer routers. The original researcher who discovered the vulnerability did not publish a proof of concept demonstrating the vulnerability. We’ll walk through the entire process of creating a proof of concept from an advisory, including extracting the kernel module from a vulnerable firmware image, analyzing and annotating the vulnerable kernel module in Ghidra, and then adapting a proof of concept for a different but related vulnerability into a proof of concept for this new vulnerability.
Bio: Nicholas Starke is a Threat Researcher within Aruba Threat Labs, which is the offensive security team at Aruba Networks, A Hewlett Packard Enterprise Company. Nick specializes in all types of firmware security, from consumer embedded devices all the way to UEFI-based firmware. He enjoys breaking all types of firmware.
Hacking Azure Products For Fun, Bounties, and Credentials
Speaker: Josh Magri
Abstract: As attackers, we often have to work with what we’re given. When we gain access to an Azure environment, we have to work with whatever services are in use to further our goals. While there is a growing body of Azure research, sometimes we find ourselves in a position where no public research is applicable and we have to get creative. This talk will walk through real examinations of several Azure services performed by the NetSPI team. We will examine the process used by the NetSPI team to identify several evergreen techniques for lateral movement/privilege escalation, as well as three high severity privilege escalation bugs that resulted in bounties and fixes from Microsoft. The goal of this talk is to provide attendees with real techniques that they can use to secure their Azure environment immediately, and also insights that they can use to find new issues.
Bio: Josh is a member of the Adversarial Simulation team at IBM’s X-Force Red. He previously worked at NetSPI, where his primary focus was Azure security and where this talk was conceived. Josh is a contributor to the MicroBurst project, an open-source collection of scripts for Azure security assessments. Josh holds the OSCP, GSEC, GCIH, and GCFA certifications. When not hacking in the cloud, Josh is training for RAGBRAI or out with his dog.
Threat Hunting Your Alerts
Speaker: Stuart McIntosh
Abstract: Analyzing your security alerts and incident response data (alert type, closure status, systems/users involved) can yield you a unique and powerful perspective on how to make controls more effective and improve alert quality. In this talk I will outline:
• How to get started (this may be even easier than “traditional” threat hunting)
• Some simple examples (that you’ll see in almost every environment)
• Lessons learned (Battlefield successes & failures)
If you are a detection engineer, threat hunter, or SOC Analyst/lead, you will leave this talk with a punch list of action items to get you some quick wins with the alert data you have today.
Bio: Stuart is the CTO at Outpost Security (outpost-security.com), a cyber defense company focused on security operations, alerting and control design. With 17 years of experience in Fortune 500 organizations, he has held multiple roles in developing and maturing security programs. He has spoken at conferences such as DerbyCon, Splunk .conf and CircleCityCon. He also helps manage a Slack workspace for defenders to be able to share their knowledge and experiences and has members from over 80 different enterprises from around the world.
SElfies in SErver rooms: Talking your way Through the Front Door
Speakers: Jack Potter and Max Gruenberg
Abstract: Want to know how to talk your way into secure areas, especially in small offices where tailgating isn’t an option? In this talk, Max and Jack explore the tips, tricks, and techniques they’ve used to talk their way into a myriad of secure environments, from local credit unions to major multinational financial firms. Leave the lockpicks, under door tools and bump keys at home because all you need to access the server room is your quick wits, some solid recon, a phone, and a friend. This talk focuses primarily on physical penetration tests and red team efforts at smaller facilities where after-hours and stealth entry aren’t an option. Max and Jack will talk through each step of a physical penetration test: reconnaissance, pretext development, assembling your disguise, and finally getting the target to invite you in. They’ll share stories and anecdotes about what works and what doesn’t, when things went off the rails, their best times, and their favorite adventures. Be regaled with their tales, tips, and advice on how to succeed in physical penetration testing. Whether you want to learn some tricks for your next physical penetration test or how to secure your organization so you never see Max and Jack in your server room, join us for an hour of social engineering, “how to” learning, and a good laugh.
Bio: Jack (https://twitter.com/HackPotter): Jack Potter is a security professional who briefly bounced around cloud and embedded security before finding his current role as a general penetration tester specializing in social engineering and physical security engagements. While he finds the whole world of security to be fascinating, he’s been dedicated to the idea of breaking into banks for a living ever since reading the works of Kevin Mitnick (as well as watching too many heist movies) at an impressionable age. He’s performed social engineering, network, and web application testing for all manner of clients, though much of his experience is centered around the financial industry. Here, he’s targeted everything from small town credit unions through major multinational banks with vishing calls, phishing emails, and of course the classic physical penetration test, usually with Max backing him up on his way through the doors. When he isn’t hanging out in your server room, he enjoys collecting hobbies (currently into ham radio and knitting), spending time outdoors (usually by cycling or camping), and recreational paranoia.
Max (https://twitter.com/Max_Gruenberg): Max has spent the last five years in information technology, focusing the last two on information security. After doing everything from academic research into embedded system side-channel attacks to secure full-stack development, he found himself running the security awareness phishing program for a Fortune 1000 company. This started him down the path of the social engineering dark arts, leading him to his current role as a penetration tester and red teamer at RSM. Currently, he splits his time between breaking into networks via sophisticated exploit chains and simply calling up employees to provide Jack, or himself, the keys to the kingdom. Over the last two eventful years, he’s taken over and helped remediate countless corporate networks, run social engineering awareness campaigns for companies of all sizes, and hidden from security guards under a non-zero number of desks. When he isn’t busy taking over your network and convincing your employees to run payloads, he can be found refereeing hockey games, rock climbing, or cycling around his home city of Chicago.
Pico-Ducky – Automated Keyboard Injection Attacks for Cheap
Speaker: Dave Bailey
Abstract: Unlocked and unattended computers can be a source of significant risk. Tools like the USB Rubber Ducky can act like keyboards and very quickly inject keystrokes on these types of computers. The pico-ducky is a lower cost option to the USB Rubber Ducky based on a Raspberry Pi Pico. The pico-ducky project uses CircuitPython running on the Raspberry Pi Pico board to interpret Ducky Script from Hak5. This talk will discuss the origin of the project and process to set up a Pico board. I will also cover the creation of a custom PCB that includes some switches for payload selection, stealth mode and programming mode. Finally, I will discuss the use of a Feather S2 board that moves the attack range to be from Wi-Fi distance, allowing remote attacks while the computer is unlocked.
Outline
Intro
USB Rubber Ducky
Pico Board
CircuitPython
Ducky Script
Keyboard layouts
Script parsing
PCB Creation
S2 boards
Wi-Fi support
How to install
Payloads
Bio: Dave is a Senior Staff Embedded Security Engineer with over 25 years of programming experience. Dave has worked on operating systems and embedded systems for most of his career.
Security Minus: A New Approach to RF Garage Door Hacking
Speaker: Trevor Kems
Abstract: The Security+ and Security+ 2.0 protocols are at the heart of the most popular garage door openers in the US and around the world. Used in homes and businesses, we trust rolling codes keep our doors closed. In this talk, we will go into how the Security+ and Security+ 2.0 rolling code algorithms can be captured, decoded, edited, and transmitted to gain access to a garage door using a HackRF. We will also go into the basics of how one can use off-the-shelf hardware to build an inexpensive transceiver that you can build at home, no soldering required.
Bio: Trevor Kems is a graduate of Iowa State University and is a penetration tester at Pratum. While at ISU he was active in multiple Cyber Defense Competitions and the Information Assurance Student Group (IASG). In his free time he enjoys restoring vintage computers and reverse engineering various devices.