BSides Austin 2018 has ended


Technical
Thursday, March 8
 

9:00am

SniffAir – An Open-Source Framework for Wireless Security Assessments
SniffAir is an open-source wireless security framework which provides the ability to easily parse passively collected wireless data as well as launch sophisticated wireless attacks. SniffAir takes care of the hassle associated with managing large or multiple pcap files while thoroughly cross-examining and analyzing the traffic, looking for potential security flaws. Along with the prebuilt queries, SniffAir allows users to create custom queries for analyzing the wireless data stored in the backend SQL database. SniffAir is built on the concept of using these queries to extract data for wireless penetration test reports. The data can also be leveraged in setting up sophisticated wireless attacks included in SniffAir as modules.

Speakers
Steven Darracott

Steven Darracott works as a Security Consultant on Optiv’s Attack and Penetration team. Steven’s primary role is to conduct security penetration testing and red teaming assessments for Optiv’s clients, while also developing detailed remediation procedures in order to provide...
Matthew Eidelberg

Matthew Eidelberg is a husband, father, and big security fanatic. Matthew works as a Security Consultant on Optiv’s Attack and Penetration team. Matthew’s primary role is to conduct security penetration testing and red teaming assessments for Optiv’s clients, while also developing...


Thursday March 8, 2018 9:00am - 10:00am
Lil Tex Auditorium

10:00am

Security Development: Going Beyond the Tool
Development is not only something that software developers do. As security professionals, we need to continuously grow our development skills and bolster our team’s efficacy. Contributing to and expanding security tools is a vital task that requires more attention and further advancement. This presentation addresses the need for security development in the security industry, personal success within the role, and how to make that terrifying wall of source code on GitHub less intimidating.

Speakers
Zach Evens

Zach Evens joined General Motors in 2016 and works on the Information Security and IT Risk Management team. He is based in the GM IT Innovation Center in Austin, TX. Zach earned his Computer Science degree from the University of Utah, and achieved his Certified Ethical Hacker...


Thursday March 8, 2018 10:00am - 11:00am
Stadium

10:00am

Target-based Security Model: Mapping Network Attacks to Security Controls


This talk will present a categorization of network-based attacks for the purpose of mapping to appropriate security controls. Using a layered security-zone model allows easy visualization of how/where various security controls can be applied to protect against network-based attacks at different layers. Categorizing network-based attacks according to the targeted zone then allows for direct mapping of security controls to the types of attacks they can be used to prevent.
The goal is a simple, publicly available reference model, allowing vendors, customers, and 3rd-party testers to all speak the same language.

Speakers
Garett Montgomery

I've been working in InfoSec for the past 10+ years, first as a blue-teamer (Security Analyst) followed by IPS-Signature developer, and now as a red-teamer developing attacks for BreakingPoint. I've spent the last couple of years raising awareness around problems with IPS devices...


Thursday March 8, 2018 10:00am - 11:00am
Big Tex Auditorium

11:00am

Quick and Dirty Malware Analysis for the Rest of Us
Have you ever been under attack by an APT group using new malware families and novel techniques that security vendors have never seen before? Having the ability to quickly perform your own malware analysis can be the difference between being in business and going out of business.

In this talk I’ll share some of what I’ve learned from dealing with this very scenario over the last several years. I’ll give you actionable information on how to build your own mini malware lab and perform quick and dirty malware analysis so that you can better prepare, defend and respond to attacks against your environment.

You won’t need years of experience in Intel architecture or expensive training. Everyone who attends will be able to walk away from this talk and start building their own lab tomorrow. I’ll also be releasing a new tool that will help make this easier than it has ever been before.

Speakers
Ian Robertson

Ian Robertson has over [mumble] years of experience in the security industry, ranging from engineer, architect, pentester, software developer, CISO and just about everything in between. He holds a Bachelor’s of Science in IT Security, and is nearing completion of his Master’s...


Thursday March 8, 2018 11:00am - 12:00pm
Big Tex Auditorium

1:30pm

50 Shades of Graylog
Abstract: Everywhere you turn, there’s a vendor trying to sell you the latest in “AI-powered triple-next-gen threat detection.” While some of these solutions may hold up to the claims, it’s becoming more and more difficult to tell apart truly effective solutions from overhyped marketing. Worst of all, the average cost for good or bad enterprise defense technologies is somewhere between ‘unaffordable’ and ‘is that even a real number?’

This is the talk SIEM vendors don’t want you to attend. We’ll explore some incredible open source solutions that you can implement to not only add significant value to your detection efforts, but even provide active defense capabilities. I encourage you to reach out to your vendor of choice and get a quote for “magic box that can detect and then automatically defend from attacks.” Take the amount they quote you and use it to hire 4 new FTEs, get a new RedBull machine for the SOC, send your entire team to ShmooCon 2019, buy yourself something nice, and then donate the rest to the open source projects I’ll share with you in this deep dive.

Speakers
Eric Capuano

CTO, Recon InfoSec
Eric Capuano injects his passion for forensics into every facet of his life. "There is nothing dull or boring about studying advanced adversarial tactics in an effort to become a highly effective defender," he says, comparing this work to a never-ending game of chess where the impacts...


Thursday March 8, 2018 1:30pm - 2:30pm
Big Tex Auditorium

1:30pm

Security instrumentation: Be the hero getting value from security
You have many security products, probably too many. But you are still not secure because it's nearly impossible to know if your security products are actually doing what you want. Through live network and endpoint attack demonstrations, see how to use attack behaviors with Bartalex, Vawtrak, Mimikatz, PowerShell, Tunneling and others to validate your actual security products are working. See startling statistics, based on real-life case studies, that illustrate how ineffective many organizations, some with massive security budgets and teams, actually are because of a lack of validation. See how you can turn these attacks into an opportunity to instrument more effective security.

Speakers
Brian Contos

CISO, Verodin
Brian Contos is the CISO & VP, Technology Innovation at Verodin. He is a seasoned executive with over two decades of experience in the cybersecurity industry as well as a board advisor, entrepreneur, and author. After getting his start in cybersecurity with the Defense Information...


Thursday March 8, 2018 1:30pm - 2:30pm
Stadium

2:30pm

Hiding in the Clouds - Leveraging cloud infrastructure to evade detection
The information security landscape is changing. More organizations are taking the right steps to detect attackers operating against their network environments. This is why penetration testers need to start leveraging tactics and techniques that further obfuscate their operations in order to provide a robust and realistic attack simulation.

Cloud infrastructure has introduced unique solutions to new problems that have arisen with the issue of content delivery. These very same solutions can be repurposed and leveraged to create a robust and resilient attack infrastructure which will give blue teams a very hard time. Techniques to be covered will include, but are not limited to, domain fronting, managing C2 infrastructure, and obfuscating traffic ranging from scanning to web application attacks.

Speakers
Mike Hodges

Senior Consultant, Optiv
Mike Hodges is a senior consultant for the Optiv Attack and Penetration Practice. He has a background in application development and is currently OSCP, Assoc CISSP, and CEH certified. He is currently interested in evasive penetration tactics and techniques and is constantly looking...


Thursday March 8, 2018 2:30pm - 3:30pm
Lil Tex Auditorium

2:30pm

Rise of the Machines
Many of the top security vendors, InfoSec specialists, and cyber security professionals are claiming that artificial intelligence and machine learning are changing the face of defending against the most advanced attacks. Most vendors fail to be transparent on how these technologies work. We are bombarded with buzzwords, yet we don't understand what they mean, what the technology does, and how we should keep vendors accountable. When we look for the details on the specifics of what makes these products effective, we are usually given vague answers or told it is a proprietary technology. The truth is there is no magic behind machine learning.

This talk will examine the details behind the mechanics of artificial intelligence and machine learning, and how different techniques are being used to detect malware, malicious domains, phishing emails, and other threats. We will examine how these systems need to be set up and trained, and what some of the inherent weaknesses built into them are.

We will examine why these technologies fail and how attackers routinely bypass these methods for detection to infiltrate systems. Attendees will learn about advanced attacker techniques and how hackers are using machine learning against organizations that use them.

Learn to look past the marketing hype and understand the true value and limitation of cyber security AI. You will understand what the technology actually has the capability of achieving and how to hold vendors who claim they utilize the technology accountable.

Speakers
Aamir Lakhani

Senior Security Strategist, Fortinet
Aamir "Dr. Chaos" Lakhani is a leading senior security strategist. Aamir has designed offensive counter-defense measures for the Department of Defense and national intelligence agencies. He has also assisted organizations with safeguarding IT and physical environments from attacks...


Thursday March 8, 2018 2:30pm - 3:30pm
Stadium

3:30pm

How (Not) to Patch Command Injection Bugs
In 2014 ZDI received a report of a command injection vulnerability in Dell's Sonicwall GMS Virtual Appliance. Normally this type of analysis is relatively simple. However, this analysis took a windy path from the JSP web interface through two XMLRPC sockets, to a binary, which delegated to shell scripts, which sourced yet another shell script that actually parsed attacker-supplied input. All this, just to make simple host modifications. Presumably, the code complexity drove the developers to patch this bug at the webapp level, instead of closer to the root cause. The resultant patch was immediately bypassed and the subsequent patch was also flawed.

A few months later, other researchers reported an additional attack vector involving direct communication with one of the XMLRPC sockets to trigger the same underlying vulnerability outlined in the very first ZDI report.

Ultimately, it appears the soft chewy center remains, but the crunchy outer shell has been significantly hardened, and thus, the hunt continues. This talk will detail the various patch attempts, how they failed or succeeded, and how they were analyzed, bypassed, and exploited with a Metasploit module we are releasing. We'll also discuss the much more comprehensive defense measures currently implemented by the developers.

Speakers
Michael Flanders

Michael Flanders is a Vulnerability Intelligence Intern at Trend Micro's Zero Day Initiative. His focus includes analyzing and performing root-cause analysis on zero-day vulnerabilities submitted to the world's largest vendor-agnostic bug bounty program by researchers from around...
Joshua Smith

Kernelsmith is a senior security researcher and the "FuzzOps" Manager at Trend Micro's Zero Day Initiative. When he's not herding cats or managing infrastructure, they let him think he's still analyzing vulnerabilities submitted to the program. He was a pentester in the United States...


Thursday March 8, 2018 3:30pm - 4:30pm
Lil Tex Auditorium

4:30pm

Develop the Best: Artifact Based Mentoring for Security Engineers
Many security engineers struggle in a few key areas when it comes to professional career development. Artifact based mentoring can help address these challenges. In this talk we will discuss how to select the right mentoring artifacts to create, learn to be “lucky” and how to drive influence via authority management. A free mentoring template will be provided to help kick-start engineers interested in artifact based mentoring.

Speakers
Josh Stevens

Josh is a Sr. Security Engineer for Amazon's Vulnerability Management program. Prior to Amazon, Josh was Chief Architect for Security Operations at Hewlett Packard where he led the technical direction for adaptive response and automated IR. Before HP, Josh was instrumental in building...


Thursday March 8, 2018 4:30pm - 5:30pm
Stadium
 
Friday, March 9
 

10:00am

Caught my WebApp cheating on me!
We trust that the web application code executed inside the browser is exactly the code that was sent by our application servers, but that is often not the case. The reality is that current WebApps are very susceptible to client-side injections and tampering. This can be performed by malicious extensions, Man-in-the-Browser trojans, or any kind of injection attack (e.g. reflected XSS).
These attacks are very concerning not only because they change the behavior of the webpage right on the website that the user trusts, but can also be used to leak sensitive information that the webpage has access to. All of this, without the web application owner knowing anything about it.
In this talk, based on our work, we demo a new set of techniques that can be used to monitor a webpage for malicious modifications (DOM-tampering, code injection, event-hijacking, code poisoning, etc.) and how to remove them in real-time. The techniques are a combination of recent browser features (such as Mutation Observers) and integrity checks from tamper-resistant JavaScript code running in the webpage.

Speakers
Pedro Fortuna

CTO, Jscrambler
Pedro Fortuna is CTO and Co-Founder of Jscrambler where he leads the technical vision for the product suite and contributes with his cybersecurity knowledge for R&D. Pedro holds a degree in Computing Engineering and a MSc in Computer Networks and Services, having more than a decade...


Friday March 9, 2018 10:00am - 11:00am
Lil Tex Auditorium

10:00am

Compromise Assessments: Best Practices & Lessons from the Field
Compromise Assessments are a recent and hotly demanded service designed to inform organizations whether their networks are compromised or not. This is not an easy task, especially when it is not a network you are familiar with.

In this talk, we will discuss some of the real-world challenges and best practices of conducting proactive hunts in other people's networks, from gaining access to finding persistent threats, malware, and misuse of credentials. We will explore defining, scoping, and conducting these types of assessments to effectively find possible threats while being as efficient and non-invasive as possible.

Speakers
Chris Gerritz

Chris is co-founder of Infocyte, a developer of threat hunting solutions focused on proactive breach discovery and response. Prior to founding Infocyte, Chris was an incident responder for the Air Force CERT. While there, he helped establish and led the DoD's first Enterprise-scoped...


Friday March 9, 2018 10:00am - 11:00am
Big Tex Auditorium

10:00am

Introduction to Smart Cards and leveraging them in attacks
Most admins assume that deploying the cumbersome smart card will secure their identity challenges. The fact is, PKI smart cards suffer similar vulnerabilities that most other security controls do and can be bypassed using reasonable software attack vectors. In this workshop, pen testers will get an overview of how smart cards work including example call stacks, common use cases and deployment configurations, learn workarounds for poor policies and configurations, how a smart card defends itself, and how to leverage their high trust in attacks. This high level overview will cover OS-level and software based attacks, and will not cover hardware, wireless, or physical attacks on smart cards.

Speakers
Tim Honker

Security Solutions Engineer II, Rapid7
Tim Honker enjoys building things and breaking other people’s things. Since 2010, Tim has served at several cybersecurity companies specializing in IAM, MFA, vulnerability management, and penetration testing. Currently a Senior Solutions Engineer at Rapid7, Tim previously worked...



Friday March 9, 2018 10:00am - 11:00am
Stadium

11:00am

Credential Stealing Emails - What you need to know
The latest vector in email attacks is credential stealing. This is nothing new, but there has been a serious increase of activity in this space and it is VERY successful. Why? Because the criminals are manning the phishing campaigns with live people who are logging into people’s Internet-facing systems without 2-Factor Authentication and sending out more campaigns. Better yet, they are sending it to recent contacts, in small amounts, so people are falling for it since they are actively communicating, or have recently communicated, with the victim, giving the phishing campaign legitimacy.
This talk will walk through several examples of these credential stealing emails, what the emails look like, and what the cred stealing websites tend to look like once clicked.  The discussion will focus on how to investigate this type of attack, what kinds of things you will need, what to look for, what works, and why time is ultimately critical for this type of attack.

Speakers
Michael Gough

Founder, Malware Archaeology
Michael is a Malware Archaeologist, Blue Team defender, Incident Responder and logoholic. Michael developed several Windows logging cheat sheets to help the security industry understand Windows logging, where to start and what to look for. Michael is co-developer of LOG-MD, a free...


Friday March 9, 2018 11:00am - 12:00pm
Big Tex Auditorium

1:30pm

Make Vishing Great Again
The purpose of this talk is to describe methodologies which one could follow when performing telephone pretexting. Social dynamics have changed over the years, raising the entry barrier to being successful with Vishing and making talking on the telephone less comfortable. The aim of this speech will be to crack the code for a newb getting started so he or she can hit the ground running, jump on the horn, and start pwning some folks like it’s 1989.

Speakers
Jonathan Stines

Pen Tester, Rapid7
Jonathan Stines is a Senior Security Consultant with Rapid7 and has 5 years of penetration testing and consulting experience. Jonathan has worked on a wide breadth of projects which range from social engineering and internal penetration tests to controls audits and maturity asses...


Friday March 9, 2018 1:30pm - 2:30pm
Lil Tex Auditorium

1:30pm

Peering into the Abyss - Understanding the dark side of Uninitialized Structures
Structures are an important data type within programming languages. However, they are often improperly initialized, which results in vulnerabilities ranging from information leaks to memory corruption resulting in arbitrary code execution. Be it a local struct or a global variable, improper initialization could have dire consequences with real-world security implications.

This talk covers many of the various ways structures can be initialized and the types of vulnerabilities that can occur if done incorrectly. By reviewing examples in the Apple macOS kernel and in the Microsoft Windows kernel, we identify code patterns to seek out to enable researchers to find bugs and for developers to prevent them. Finally, we’ll end by looking at how developers can make modifications to their compilation process to avoid these issues.

Speakers
WanderingGlitch

WanderingGlitch is a security researcher with Trend Micro’s Zero Day Initiative (ZDI). In this role, he analyzes and performs root-cause analysis on vulnerabilities submitted to the program, which represents the world’s largest vendor-agnostic bug bounty. His focus includes performing...


Friday March 9, 2018 1:30pm - 2:30pm
Big Tex Auditorium

2:30pm

Enhancing SOC1 by using feedback loops
Cloud-enabled Security Operations Center level 1 workflows can be enhanced by using security outcome data. This feedback becomes a force multiplier that helps experienced analysts to create more accurate threat profiles and opens the possibility of predicting new attack campaigns. The proposed approach is based on crowdsourced operator feedback. This crowdsourced operator feedback is possible by creating a global reinforcement crowdsourced learning engine.

The objective is to provide defenders/operators with the ability to compare their local responses/feedback about threats and malicious campaigns against global data by providing a distributed learning network with open standards that reflect patterns and behaviors of experienced defenders/operators. These feedback loops can then be used to train algorithms and implement automated functions that will enhance less experienced SOC operators.

Speakers
Rod Soto

Rod Soto, Director of Security Research at JASK.AI. Joseph Zadeh, Director of Data Science at JASK.AI.

Longer bios: https://www.blackhat.com/eu-17/presenters/Rod-Soto.html and https://www.blackhat.com/eu-17/presenters/Joseph-Zadeh.html


Friday March 9, 2018 2:30pm - 3:30pm
Big Tex Auditorium

3:30pm

A story of writing malware for 5 years
I have been writing malware simulators, the ShinoBOT family, for 5 years.
The ShinoBOT family includes:
- ShinoBOT: the backdoor.
- ShinoBOT Suite: the APT framework.
- ShinoLocker: the ransomware simulator.
- ShinoC2: the C&C server provided as a server (C&C as a service).
- Other modulable components.

These tools are used to test security products and to perform penetration testing with a few clicks. After I published this malware, many security solutions added signatures and blacklisted the IP addresses and domain names. In this talk, I will explain how I implemented ShinoBOT to evade the detection of those security solutions, including AV, IPS, Sandbox, and AI-based AV. Steganography, special encoding methods, cryptography, fileless malware, polymorphic malware, and some other techniques will be introduced. This will give an idea of how attackers observe those security solutions and how they react.

Speakers
Shota Shinogi

Security Researcher, Macnica Networks Corp
Malware simulator ShinoBOT Family author. Penetration Tester/ Red Team tool developer. My hobby is breaking the security solution.


Friday March 9, 2018 3:30pm - 4:30pm
Big Tex Auditorium

3:30pm

Metasploit Minus Metasploit
What do you get when you take a million-line, open-source security project and remove all its code?

With Metasploit Framework, the answer used to be "not much": a couple of test payloads, some dangling database tables, and a few dusty modules stashed in your home directory. While our monolithic design has served well for over a decade, Metasploit has also become the victim of its own success: tight coupling between components has made adding new features increasingly difficult. As the open-source security ecosystem grows more diverse, it is clear that Metasploit needs to evolve in order to continue being fun and hackable for the next generation of coders and researchers.

Last year, the Metasploit team rethought how modules run and how to store and query data, giving careful thought to documentation, usability, testability, automation, and performance. The fruits of this labor include new Python modules, improved performance, better usability, and reduced start time.

During this presentation we will cover the challenges we face isolating modules and data and the solutions we are working on. We will demonstrate new open-source additions to Metasploit: a Python module, a pivoting proxy, and a way to store and query data without the console.

Speakers
James Barnett

James is a sysadmin turned developer and has spent the last 3 years applying his real-world experience to enhancing Nexpose and Metasploit. He has also applied his knowledge to Metasploitable3, and the principles learned to expanding Metasploit Framework through the Goliath API p...
Adam Cammack

Adam Cammack and James Barnett are Software Engineers for Metasploit at Rapid7. Adam is relatively new to security, coming from application development with emphasis on distributed computing and systems programming. He enjoys breaking things (then fixing them) and abusing protocols...


Friday March 9, 2018 3:30pm - 4:30pm
Lil Tex Auditorium