Speaker: David Linder
Talk: IoT Attack Footprint
David Lindner is the Vice President of Solutions at nVisium. David is an experienced Application Security Professional with over 15 years of experience in the computer security industry. During this time, David has worked within multiple disciplines in the security field, from application development, network architecture design and support, IT security and consulting, security training, and application security. Over the past 8 years, David has specialized in all things related to mobile applications and securing them. David has supported many different clients including financial, government, automobile, healthcare, and retail. In his spare time, David hones his Mobile and IoT testing skills by participating in numerous bug bounties.
The Internet of Things (IoT) is not new terminology. However, the sheer amount of connected devices we have at home and at our businesses is growing exponentially and increasing the attack surface. Attacking and assessing IoT can easily lead us down a rabbit hole only to hit a wall on the other side. However we need to be extremely comprehensive in our methodology and not end up down that rabbit hole for too long. We’re here to discuss the attack footprint of a typical IoT infrastructure, whether at home or at the office. We will discuss a threat model and verification of a real-world IoT assessment including every component from hardware, protocols, mobile applications and devices, web APIs, etc. We will discuss attack vectors, attack motivation, typical attack vectors, and common shortfalls in IoT systems. Join David as he walks through an assessment of an IoT system including a high level threat model and attack chain discussion.
Speaker: Nicholas Starke
Talk: USB Gallagher – Testing USB interfaces for Great Destruction!
Nicholas Starke is a security researcher and penetration tester based in Des Moines, Iowa. He is a member of the ^Lift Security team and likes developing exploits. When he is not destroying things, he can be found hanging out with his wife and daughter.
Do you remember Leo Gallagher? The comedian who smashed watermelons for Great Comedic Effect? We’re going to do the equivalent for devices with USB interfaces – live on stage! We’re going to take a look at the “USBKill” device, explain how it works, explain under what circumstances it might be useful, and then plug it into several devices and see what happens!
Speaker: Brandon Murphy
Talk: RFID Stuff and Things
Brandon is a geek who found an interest in attacking RFID after watching too many episodes of Mr. Robot. Inspired by the movies, he wanted to be l33t. He watched a bunch of defcon videos and became an RFID script kiddie.
Come to this talk, so you too can become an RFID script kiddie.
Speaker: Eric Johnson
Talk: Continuous Integration: Stalking Vulnerabilities with Puma Scan
Eric Johnson is a Senior Security Consultant at Cypress Data Defense. His experience includes web and mobile application penetration testing, secure development lifecycle consulting, secure code review assessments, static source code analysis, security research, and developing security tools.
Eric also works with the SANS Institute as the Application Security Curriculum Manager and a certified instructor. He is the author of the DEV531 Mobile App Security Essentials and DEV544 Secure Coding in .NET courses, as well as an instructor for DEV534 Secure DevOps and DEV541 Secure Coding in Java/JEE. Eric serves on the advisory board for the SANS Securing the Human Developer awareness training program and is a contributing author for the developer security awareness modules.
Eric completed a bachelor of science in computer engineering and a master of science in information assurance at Iowa State University, and currently holds the CISSP, GWAPT, GSSP-.NET, and GSSP-Java certifications.
For over 10 years, Visual Studio has provided basic source code analysis through FxCop and StyleCop. While these code analyzers focus mainly on design conformance, code consistency, and best practices, there is very little support for enforcing secure coding techniques. To address this gap, Microsoft started a project back in 2011 called CAT.NET to help identify secure coding bugs such as XSS, SQL Injection, and XPath Injection. Unfortunately, CAT.NET failed and never made it past the first version. Aside from purchasing expensive commercial static analysis tools, .NET development teams have been left without an easy way to integrate secure code scanning rules into Visual Studio. At least until now…
With the release of Visual Studio 2015, the open-source .NET Compiler Platform (aka “Roslyn”) exposes a set of code analysis APIs capable of querying the source code, identifying a security issue, and reporting it as code is written! In this talk, we will explore the code analysis APIs, teach you how to create a live static analysis rule, and introduce you to Puma Scan: an open-source static analysis rules engine. Come prepared to see a live demonstration of the Puma hunting source code for vulnerabilities, and walk away with a static analysis engine to help secure your organization’s .NET applications.
Speaker: Solomon Smith
Talk: Security stuck in the middle of tech & exec
Solomon Smith, MBA, CISSP, ISO 27001 Lead Implementer, COO, ProCircular
As Chief Operating Officer for ProCircular, Solomon leverages over 15 years of leading security programs and helping large government, insurance, and educational industries reduce risk. His experience ranges from designing and implementing large scale security programs to governance to compliance to security awareness to data loss prevention. Solomon has an MBA in Technology Management, memberships with multiple professional security organizations, and a CISSP. He also teaches MBA courses in business development, management, and information technology. Solomon consistently is learning and expanding his industry knowledge with hands on research at conferences like SANS, Blackhat, and DefCon. He has a passion to share experiences, stories, and threats so others can be more aware of the global risks and become better protected.
Are you technical? Are you an executive? Or are you in between? This presentation would explore the challenges of being stuck in the middle of security technologists and executives. It will dive into the what each group is accustomed to saying and hearing. It will also explore ways to merge that gap and create a bridge to talk to either side to effectively understand each other. It will be a great session with lots to learn for everyone!
Speaker: Ben Schmitt
Talk: Defense Wins Championships
Ben Schmitt is the Director of Information Security @ Dwolla. Prior to this role, Ben held the position of Global Director, IT Security & Compliance at the Danfoss Group responsible for Network and Application security (including ERP systems). Ben is a Wisconsin native hailing from Manitowoc, WI (yes, he has watched Making a Murderer) and started his InfoSec career with TDS Telecom in Madison, WI covering ISP and Enterprise security as a Security Architect.
My name is Ben and I play defense. Let me tell you why I think defense wins championships.
My father is a retired firefighter and I often times naturally think about the evolution of the fire service. The fire service has shifted from putting out fires as fast as possible with great equipment, carefully placed fire stations and rapid response to significant investments in fire prevention and survival such as education, inspections, building codes and careful design. Simply put: don’t just build faster and bigger fire trucks…focus on preventing or mitigating the damn fires in the first place.
So, what does this mean when compared to Information Security? Information Security has a current fascination with playing offense and for good reason. You can’t play great defense without knowledge of the offense. If you can’t run nmap, tcpdump or a proxy to meddle with things, it’s going to be hard to play defense. You need some knowledge of offense to make sure your defensive controls actually perform as-expected.
Despite the need for offensive knowledge, I am concerned with the industry’s absolute fascination with offense. Penetration testing is all the rage – breaking things, pivoting around an organization and pillaging sysadmins to uncover high-value data can be perhaps exciting? It seems that most resumes which cross my desk must include Kali Linux for a coolness factor. Maybe it is a result of Mr. Robot or maybe people just think breaking things is the pinnacle of achievement in a win/loss scenario.
We going to go point/counterpoint in this talk to focus on the glory of playing defense. Offense wants to sniff traffic, then defense ensures proper TLS is enforced. Offense wants to steal credentials, then defense ensures MFA is required. Offense wants to brute force a web app form, defense ensures throttling and CAPTCHAs. Offense wants to brute force password hashes offline, defense ensures Argon2 is waiting. Offense wants to spoof, tamper, repudiate, disclose information, denial of service or elevate privilege, defense performs threat modeling.
A football team’s defense keeps points off the board and can turn a fumble into an opportunity. Defense matters and wins championships. Let’s take some time to glorify the defenders out there.
Speaker: Andy Thompson
Talk: Ransomware: History Analysis & Mitigation
Andy Thompson aka Rainmaker(@R41nm4kr), has 20 years in the fields of Web Development, Systems Engineering/Administration, Architecture, and Information Security. Currently, he is a Strategic Advisor for CyberArk Software. He’s a active member of the Dallas Hackers Association and Shadow Systems Hacker Collective. In his free time he enjoys going on adventures all over the world with his wife and two girls. Andy holds a Bachelors of Science in Information Systems from the University of Texas at Arlington as well as the Systems Security Certified Practitioner (SSCP) and Certified Information Systems Security Professional (CISSP) from (ISC)2.
Just as the title says, we go over the humble origins, touch on the notable variants of yesteryear, the big hitters of today, and discuss the future of ransomware. It’s no longer just for PC’s. Linux, Mac, IoC, and Mobile platforms are all ripe for extortion!
This humorous and entertaining talk teaches everyone, from Mom & Pops to large enterprise organizations, what’s really happening and how to protect themselves.
Speaker: Andy Thompson
Talk: Protecting Against Advanced Targeted Attacks with IAM Best Practices
Andy Thompson, has 20 years in the fields of Web Development, Systems Engineering/Administration, Architecture, and Information Security. Currently, he is the Customer Success Strategic Advisor in the Southwest region for CyberArk Software. He works with clients to ensure they are properly deploying their privileged account security programs. He’s a active member of the Dallas Hackers Association and Shadow Systems Hacker Collective. In his free time he enjoys going on adventures all over the world with his wife and two girls. Andy holds a Bachelors of Science in Information Systems from the University of Texas at Arlington as well as the Systems Security Certified Practitioner (SSCP) and Certified Information Systems Security Professional (CISSP) from (ISC)2.
This talk highlights the risks of kerberos attacks on Active Directory…specifically the Golden Ticket Attack. Andy demonstrates the phases of an Advanced Targeted Attack against a SWIFT banking organization using nothing but PowerShell Empire and some bad techno music. It’s so easy a 400lb hacker in their mother’s basement could do it!
Speaker: Josh Stroschein & Dr. Matt Miller
Talk: Still Penetrating Your Perimeter – A Deep Dive into Malicious Documents
Josh Stroschein is an assistant professor at Dakota State University where he teaches malware analysis, software exploitation, reverse engineering and penetration testing at all academic levels. He also works part-time as a malware analyst for Bromium, an end-point security company and is a senior consultant for VDA Labs, in which he is responsible for malware analysis, incident response, penetration testing, and an instructor at leading security conferences. Under VDA, he has taught a two-day application security class at DerbyCon, a 3 day advanced malware analysis class at Hack-In-The-Box Amsterdam and will teach a two-day advanced malware class at BlackHat USA 2017.
Dr. Matt Miller is an assistant professor at the University of Nebraska at Kearney. He teaches computers science and cyber security courses including assembly and reverse engineering. Dr. Miller works as an expert witness for Federal Public Defenders across the country, in cases that involve binary code. He provides analysis and verification of the Network Investigative Techniques used by the government to unmask Tor users.
Office documents have proven a reliable means of distributing malware. While not a new problem in the industry, they continue to plague the enterprise. In this talk we’ll discuss how to break apart a malicious document – inspect macros, identify the use of embedded objects and discuss social engineering aspects to ensure delivery. We will analyze the details of recent attack trends such as the use of PowerShell, process hollowing and application whitelist bypasses, shellcode, encrypted payloads and embedded content. We will also explore techniques used by malicious documents that do not rely on macros and even samples targeting OS X. This will be a fast-paced talk that will prepare you to deal with any malicious document.
Speaker: Andrew Freeborn
Andrew Freeborn is a security junkie who provides product expertise from a background of pen testing, custom exploitation development, and software development. From the perspective of a hacker, he specializes in secure software development validation for software and web applications. Prior to joining Tenable, Andrew served as a Senior Penetration Tester for a national financial organization, providing technical assistance with penetration testing of mobile and web applications, analysis of multiple in-house developed APIs, and software source code security review.
Speaker: Brad Duncan
Talk: Exploit Kits and Indicators of Compromise
Brad Duncan specializes in network traffic analysis and exploit kit detection. After more than 21 years of classified intelligence work for the US Air Force, Brad transitioned to cyber security in 2010. He is currently a Threat Intelligence Analyst for Palo Alto Networks Unit 42. Brad is also a volunteer handler for the Internet Storm Center (ISC) and has posted more than 80 diaries at isc.sans.edu. He routinely blogs technical details and analysis of infection traffic at www.malware-traffic-analysis.net.
Exploit kits are a well known method used by criminals to distribute malware. Many security professionals know about exploit kits, but the full sequence of events is often misunderstood. In this presentation, Brad explains the concept behind a successful malware infection by criminals using exploit kits. This talk traces the sequence of events, starting with a compromised website and ending with the exploit kit delivering its malware payload.
Different steps of an exploit kit’s kill chain are sometimes identified through an organization’s intrusion detection system (IDS). These IDS alerts provide indicators of compromise (IOC). However, in many cases the kill chain is incomplete, and no infection has occurred. Brad discusses examples of exploit kits detected in a security operations center (SOC) environment, how analysts investigate this activity, and the overall impact to an organization.
Speaker: Kelcey Patrick-Ferree
Talk: You Detected a Data Breach: Now What?
Kelcey Patrick-Ferree is an attorney who has been working in the area of privacy and data breach law for 10 years. She is a member of the International Association of Privacy Professionals (IAPP). She assists companies with compliance with and responses to data privacy issues. She holds a B.A. from University of Iowa and a J.D. from Duke University School of Law. Her virtual practice is based in Iowa City.
Cybersecurity professionals are becoming more and more sophisticated; unfortunately, so are criminals and hostile nation-states. And while companies are becoming more aware of and therefore better at cybersecurity, they are only as strong as their weakest link: the employee who politely holds the door open for a stranger, the employee who clicks on a link in a spear phishing email, the home-grown encryption software someone had to put together because there was no budget for commercial software. It is axiomatic at this point that “it is not if, but when” your company or clients will suffer a data breach. As much as cybersecurity professionals focus on prevention, it is equally important to know what to do after you have discovered that “when” is “today.” We will discuss the laws governing data breaches, the steps you should take in response to a breach, and who should be involved in responding to a breach.