From Crash Override to TRISIS, the past decade has made it clear that the threat of cyber attacks on Industrial Control Systems (ICS) is real, and poses a fundamental risk to our way of life. The demand of ICS security professionals far exceeds the supply. But how does a information security professional learn to function in such a different environment? Mark Stacey and Lesley Carhart of Dragos Inc. (who both transitioned from traditional DFIR) will provide an overview of some great ways to learn about the operational and technical aspects of ICS networks and grow one’s skill set without breaking the bank.
David Bryan (VideoMan)
In the last year, I’ve found some pretty stupid security mistakes. Blatantly overlooked controls, or flat out lazy system admins. I will show real-world examples of misuse & abuse, and improper data handling of passwords inside application code. When talking about the security of a system as a whole, we must remember a breech in one system, can lead to a breach on another system because of the implicit trust relationships we build to get the job done.
I will cover how we pulled down 1.2M hashes and cracked them and what controls were missed, and how to prevent it from happening again.
Big time farmers are getting rich off fungi –
Ripping off consumers and controlling the supply –
Don’t be cheated by all the claims that science would deny –
Learn how mushrooms are medicinal
from what the clinical trials imply!
Yes, from Star Trek to Starbucks, mushrooms seem to be popping up everywhere lately, doing amazing
things like fighting cancer, boosting immunity, improving cognition, making mario SUPER BIG, and
sending starships across the galaxy at faster than warp speeds! As our science catches up with our
science fiction, marketers are getting away with murder selling “mushroom products.” In a market that
enjoys zero quality control yet is expected it hit $50 billion in the coming years, they can literally sell you
the dirt mushrooms grew in and get away with it.
Don’t believe the hype. Come to this presentation and learn which compounds mushrooms produce that
are medicinal and how you can easily grow them at home. We’ll review the latest research from clinical
trials and unveil the low cost, high yield techniques gleaned from the forums of anonymous mushroom
Disciplines such as genetics and chemistry have a long history of discoveries that were initially overlooked and not appreciated for their transformative implications until decades later. These findings were often made by researchers working on the fringes of the mainstream scientific community who published in obscure journals, if at all. Through sheer luck their work formed the basis for larger discoveries. The cybersecurity community has many parallels. If you look at the titles of talks at serious academic conferences and DefCon there’s a surprising overlap of topics and methods, but the two worlds never meet. There is a prevalence of virtual and physical collaborations of cybersecurity experts performing research and deriving tangible, noteworthy results that are never published and is often not taken seriously enough to influence the timely design of security systems and software. How can we create feedback loops between the academic community, cybersecurity operators and underground security researchers who may not even think of themselves as “researchers”? I’ll present some ideas about how three communities with different incentives, yet the same goals, can work together to shorten the time to discovery and overcome many of the obstacles that impeded progress in the sciences centuries earlier.
New developments in Hashcat have brought some new WiFi attack techniques to light. We’ve taken concepts from classic WiFi attacks, added a little special sauce, and created a whole new attack vector for WiFi devices everywhere. All it takes is a friendly introduction and a little cracking time to gain access to protected networks. Also, Cynosure Prime will be releasing source for a new password cracking technique. Come get some code and that uneasy feeling of being vulnerable.
SARS, H1N1, MRSA, Zika, Ebola. The human body is terrifyingly vulnerable. With the rise of novel gene-editing techniques and our increasing knowledge of genomics, we are forced to confront the idea of a microscopic enemy. This talk will explore the not-so-theoretical aftermath of an unchecked pandemic of unknown origin, the monsters we created in our own medical hubris, and the ever-present threat of bioterrorism. The unpredictability of such weapons, and our inability to create safety brakes for the ones we do create will also be discussed.
Tim Medin (nidem)
Tim Medin discuss the dumbest red team tricks and hacks encountered over the years. We are going to take the A out of APT, because so few attackers really need to use advanced techniques. We’ll also discuss the simple defenses that make an attacker’s life much more difficult.
Risk is important to cybersecurity professionals to justify security controls, to engineers during the
requirements phase of an engineering project and to management in project planning. In its Internet
Security Threat Report, Symantec reports that in 2016, 791,820,040 data records were breached in the
United States, which averages two breaches per American. France, Canada and Taiwan also
encountered breaches above or near their population levels – or double it. This begs the question: are
we doing and spending enough for security?
Risk management states that an organization shall not pay more for controls than it may lose due to risk.
In information security, it is commonly accepted that corporations underspend for risk because as a
Tech Republic news article is titled: “The real reason companies don't take security seriously: Their
money isn't on the line.” The commonly held view of risk is that risk management is a cost-saving
measure to protect the organization. Following this philosophy, it is possible for an organization to
protect itself at the expense of customers, the neighborhood, employees and/or the environment. This
view can frustrate engineers and IT staff when their best efforts to protect organizations and customers
are not sufficiently respected and prioritized.
What does an interdisciplinary study of risk indicate about how we should evaluate risk? As we develop
automated vehicles and other Internet of Things products, security breaches may not just divulge
information, but could potentially harm health, homes and lives. This interdisciplinary study of ethical
risk considers how to calculate risk and engineer solutions for this new environment. I also introduce a
maturity model of ethical risk.
Brice Williams (bricex)
Software developers often make mistakes when using cryptography in applications, which tends to result in code with dangerous and subtle weaknesses. Some of this can be addressed through training, but should we expect all developers to be cryptography experts? Many developersonly know to avoid writing their own ciphers, and rely on one of the many incomplete or incorrect code examples that exist on the internet. To make things worse, most cryptographic libraries in use today are designed to be used by experts and often result in misunderstandings by the average application developer.
In this talk we will look at some common cryptography usage errors and why popular libraries often fall short. We will also discuss nuances such as backwards compatibility, FIPS 140-2 validation, and weak standards such as JOSE/JWT that contribute to the overall confusion. I’ll share some advice that you can provide to the development/engineering teams in your organization to not only make their job easier, but also ensure more secure cryptographic implementations.
Zach Grace (1=1--)
The security community hasn’t done a great job at making it easy for developers to choose the right algorithms and ciphers for their applications. Even when the right crypto primitives are chosen, subtle programming mistakes can lead to issues with the efficacy of the encryption. This presentation is aimed at helping developers avoid common cryptography pitfalls when encrypting sensitive data by giving guidance on what algorithms to choose and identifying common implementation issues observed in real-world applications.
Exploring the forensic methodology and tasks using free open source software. We won’t be focusing on what tools are available, the focus of the presentation is explaining the methodology and where these tools fit in to the process to get the job done.
Ever hear the phrase, “Read between the lines?” This usually refers to one’s ability to infer hidden meaning from text. This ability has always been reserved for humans (or those who appear human). That is, until now. This session will look at the tools and efforts needed for “Text Mining” or using Data Mining techniques to infer meaning, biases, misconceptions, and/or hidden agendas from common documents. Participants will leave with a general understanding of the text mining process along with a list of free/inexpensive tools and services they can use to start text mining right away.
In this talk, we’ll be exploring how wireless communication works. We’ll capture digital data live (with Software-Defined Radio [SDR]), and see how the actual bits are transmitted. From here, we’ll see how to view, listen to, manipulate, and replay wireless signals. We’ll also look at interrupting wireless communication, and finally, we’ll even generate new radio waves from scratch (which can be useful for fuzzing and brute force attacks). I’ll also be demoing some brand new tools I’ve written to help in the interception, manipulation, and generation of digital wireless signals with SDR.
Steganography is the practice of hiding a message “in plain sight” inside an image, video, sound, text, or file. The practice goes back centuries, and in recent years has seen a rise in use for digital watermarking.
Unlike cryptography, steganography seeks to hide even the presence of a message.
Steganography can be used for communication, leak prevention, or copyright protection. We’ll look at steganographic techniques, analysis, and detection through the lens of digital watermarking.
Brian Genz, Jason Lange, and Ben Zimmerman
We face a shortage of qualified information security professionals, a high volume of security alerts, and a dynamic threat landscape rapidly evolving toward automated attacks. Security Orchestration, Automation and Response (SOAR) enables defenders to operate at attacker speed by codifying detection and response expertise into automation playbooks. This talk will examine the core components of SOAR, the skills required to design and implement it in your organization, common use cases in detection and response, and potential opportunities for security control testing in a defense-in-depth environment.
Mike “Shecky” Kavka
Sequestered, Cordoned Off, Separated, even Out of Touch. These words have been used by plenty of non-infosec folks. From Dev teams to Admins, Sales people and more, we get looked at as these mystical people who say NO! The people who are stopping others from doing their job. Maybe it is time for our team to take a different approach…
David "Heal" Schwartzberg
“Frequently, people who go along a treasonous path do not know they are on a treasonous path until it is too late”, as per testimony from former CIA Director John Brennan, May 2017. The definition of social engineering (SE) is: “any act that influences a person to take an action that may or may not be in their best interest”. Using an old US Army acronym called SAEDA, Subversion and Espionage Directed Against the Army, will discuss how today’s use of SE is essentially trade craft of espionage, commonly known as spying.
“There is no patch for an untrained user or even an experienced security professional who forgets, in the heat of the moment, to follow what they have been taught.” Espionage is the practice of secretly gathering information about a foreign government or a competing industry, with the objective of placing one’s own government or corporation at a strategic or financial advantage. Presenting case examples of military and industrial espionage will illustrate how tricks of the spy trade are parleyed against ordinary individuals every day. The ultimate goal is for individuals to become self-aware as today’s cyber threat landscape is essentially ‘them against you’.