Fully comprising an embedded device isn’t always as easy as sending a GET request with admin=true. Sometimes, owning an embedded device takes multiple different vulnerabilities, creativity, and a little finesse. In this live demo, we show how we were able to chain multiple vulnerabilities in the Lenovo ix4-300d network attached storage (NAS) device into a remote exploit that can be executed with little user interaction. As a result, an adversary can provide the victim with a link to a malicious page that grants the attacker the ability to extract all information stored on the victim’s NAS, and the ability to execute arbitrary operating system (OS) commands on the compromised NAS. In the talk we cover how we first identified command injection, then used cross-site scripting (XSS) and cross-site request forgery (CSRF) to build an exploit that would hijack values stored in the victim’s browser storage, issue a malicious request on the user’s behalf, and issue an OS command to open a remotely accessible operating system shell.
Recently, all major browser vendors agreed in principle to end support for TLS (Transport Layer Security) versions 1.0 and 1.1 in 2020. SSL (Secure Sockets Layer) version 3.0 support was removed from Chrome in early 2015 effectively ending the use of SSL completely. Akamai will discontinue support for TLS 1.0/1.1 on January 7th, 2019. These protocols have all been found to have various vulnerabilities that no longer make them safe for use in the negotiation of secure connections between end points.
With the deprecation of these cryptographic protocols, several new security exploits have come to light. These exploits including Heartbleed, POODLE, BEAST, CRIME and others attempt to disrupt the availability of services or stealing data. The most common service using TLS is obviously web traffic that is transmitted via https. Since SSL and TLS are secure connection negotiation protocols, the process for establishing a secure connection can be used for almost any type of traffic. Some of the more common ones aside from https are DNS, VPN, SMTP, POP3 and IMAP. All rely on the ability of client and server to understand a common protocol and the ability to negotiate a connection based upon a commonly understood version.
Many server-side instances still utilize older versions that support deprecated SSL/TLS versions leaving them vulnerable to availability and integrity attacks. Many client applications have the same issues with many of those built into IOT devices which are rarely upgraded.
We needed to find a means to understand what types of conversations were happening on our publicfacing proxy services. We noticed a rash of SSL downgrade attacks that resulted in intermittent outages.
We also wanted to be able to proactively engage our customers by letting them know that they had devices on their network reaching out to us using deprecated or soon to be deprecated SSL/TLS versions.
This talk will provide a quick overview of the major SSL/TLS versions along with their major vulnerabilities. I will then discuss how we were able to use some F5 iRule magic on our load balancers combined with Graylog (a log aggregation platform) to track as well as block undesirable client and server connections to our proxy end points. This strategy can easily be adapted to any protocol scenario that uses TLS connection negotiation.
Do you ever wonder what happens with disk drives, flash drives, even floppy drives when you drop them off at thrift stores or e-recycling centers? You signed an agreement saying they would wipe your data, so that no one could ever find those text files filled with passwords and sensitive information. Well, even though you signed that piece of paper, these thrift stores and e-recycling centers have not been making good on their contractual obligations.
We all have a box of wires, 10 flash drives and 5 hard drives laying around. How do you properly dispose of those devices safely and securely? In this presentation, we take a dive into thrift shopping all around Wisconsin, in particular, buying your data back from those who agreed to destroy it. You signed an agreement saying that your disks would be wiped, your data destroyed, but based on what i found, that couldn’t be further from the truth.
Do you know why the hacker community is so interested in HAM radio? You probably do; it is the ultimate nerd hobby. It invokes a variety of abilities involving multiple competencies and skills. What skills you may ask? Too many to list here…
Devices from IoT to satellites to power meters all use radio signals to communicate. Since security is often an after-thought, it is the wild west in the radio realm for a hacker.
Let’s introduce you to some things to increase your appetite for becoming a HAM. Whether you have an SDR laying around or hand-held you have had since the last hackercon, you should to know how to use it. For those HAMs out there, this should still get you excited to try something new. Since it wouldn’t be Cyphercon without the “cypher”, there will be some fun things here to spir the curiosity in your old hackerself.
This presentation introduces Micro-Segmentation and includes industry adoption statistics, strategies, and implementation examples. This presentation came from my personal experience implementing Micro-Segmentation in a fully virtualized hosted infrastructure environment for many large hospital systems. This talk will cover why we need segmentation, what the benefits are, how it evolved, and what it enables before explaining a flaw of Micro- Segmentation and how it is addressed using the recently defined term Nano-Segmentation. I also briefly touch on the famous Zero Trust Model and how Micro-Segmentation makes security more effective by following the principles of the Zero Trust Framework. Last, I will briefly cover how any organization can implement Micro and Nano-Segmentation using Tanium in a physical and/or virtual environment that scales up to millions of endpoints.
Ever cyber professional wants to stop an APT from hurting their company. But when they can’t stop an attack, they seek to expose the criminal, so they can learn from the incident and identify preventative measures. To beat the bad guys and keep pace with today’s evolving cyberattacks, we need an equally dynamic, adaptive, and engaging cybersecurity skills strategy to save our enterprises. Digital forensics—the process of identifying, preserving, analyzing, and presenting digital evidence—is one of many cyber skills necessary in today’s hacking culture.
To support this discipline, Keenan will share how gamified cyber range environments are emerging to assist investigators in the capture, analysis, and preservation of evidence. She will explain how these virtual environments can deliver realistic cybersecurity scenarios for professionals to train both individual and overall team competencies. Keenan will share how users can engage in life-like cyber scenarios inspired by modern-day hacking events to not only refine digital forensic investigation processes but also help professionals learn from beginning to end how and why a hacker attacks in the first place.
Keenan will explain the benefits of gamified cyber range learning and how it can benefit cyber teams. As a result of this new game-inspired learning method, digital forensic professionals gain the ability to “beat the hacker” at their own game—through a game-like cyber range that most authentically represents future scenarios they will encounter. Cyber professionals can learn new, more efficient approaches to deploying computer/network/mobile digital forensics leveraging real-world examples of incidents. Further, gamifying cybersecurity exercises allows teams to better protect enterprises from future attacks and bring cybercriminals to justice.
DNA sequencing has gotten exponentially cheaper since its invention, and is rapidly becoming a popular consumer good, given as Christmas presents and advertised on Facebook. However, the companies that perform this sequencing are effectively unregulated, and what they do with the mountains of data accumulated in this process is hardly transparent. This talk will begin with an overview of gene sequencing technology, then discuss the data actually collected by many popular companies. The talk will conclude with a discussion of how this data could be weaponized by bad actors after a data breach, both now and going forwards.
· Curiosity killed the cat, but in OUR world, that’s the job of an OSINT analyst.
· Speaking of cats, plan ahead, they are faster and more agile… think BEFORE acting
· Puppy eyes, drool AND sideways looks work…social engineering IS a good skill to have
· Try everything at least once, even if it means sticking your head in the trashcan…
· Always be upfront, that way there’s no miscommunication
· If at first you fail, try again; eventually you will get the chew toy on top of the bookcase.
· Never underestimate the need for a good hug
· Nothing is forever; live every moment as if it were your last.
These lessons and more will be covered, dissected AND somehow related to us as humans and us as tech folks.
J Wolfgang Goerlich
Werewolves attack? We have silver bullets. Vampires attack? We have holy water. Criminal hackers attack? We have encryption. Or at least, that’s how we’d like it to play out. The villains come and the heroes beat them back. But too often, encryption is like water without the holy, bullets without the silver. The configuration is wrong, or the code is incomplete, or other simple flaws trip us up. This talk will cover how and where to architect for encryption to get real protection
This talk will be about phreaking back in the late 80’s, up until the mid 90’s roughly. It will cover what phreaking was, why it worked, and why we did it. We will discuss some of the devices used, the theory behind them, as well as some entertaining stories about those devices. We will also talk about the slew of ‘secret’ numbers that existed in the phone system, including but not limited to, ANI, loops, and sweep tones. Finally, we will discuss the decline in phreaking with the newer versions of ESS, as well as how VOIP has brought forth an entirely new generation of folks interested in how the phone systems work.
Often times it only takes a small oversight to cause a vulnerability, even when it comes to severe vulnerabilities. The Buffalo TeraStation NAS demonstrates this idea beautifully in that it has a variety of features that do just a tad more than they should. Using these oversights as examples, I’ll provide an overview of the thought processes, mindset, and skills used to turn happy little oversights into happy little shells. There will be an abundance of facepalms and IoT war stories, and if that wasn’t enough, there’s a good chance these vulns will still be unpatched.
Stephanie "Snow" Carruthers
What does a pig in a poke, pigeon drops, and salting have in common? They are just a few of old school confidence tricks (cons) used from the late middle ages to more recently which swindled marks out of money. In this presentation Stephanie will cover how some famous historic cons were used in their day, and how they are now being transitioned into today’s digital world.
On June 29, 2018, Toys R Us shut its doors to the public after filing Chapter 11 bankruptcy. The months leading up to that day consisted of liquidating its assets, including the computer hardware found in local stores. While everything should have been sanitized before being let go, it wasn’t. In this talk, we’ll take a look at what happened and I’ll review my forensics investigation: what I was able to recover, how I did it, and the importance of sanitizing devices before disposing. Spoiler alert: it’s bad…
Attackers are commonly broken into two camps: low skilled opportunists (script kiddies) and the APT – Advanced Persistent Threats (funded organized crime, nation states). In between lurks a skilled persistent threat, capable of doing more damage than either. Their skills have developed past script kiddies while lacking the resources of the APT. Their ability to fly under the radar makes them a significant threat. These adversaries require human responders to identify, track, and oppose. Understand the constraints of the persistent threat, and you can learn to counter them.
Building good teams (either in the “elite” sense or the “healthy culture” sense) is hard. Our university security club had its ups and downs between boring meetings and inaccessibility to newcomers — we stepped it up this year with on a tighter meeting format, approachable 24-7 internal CTF, and internal documentation. We saw better attendance, more people staying after meetings, and freshmen successfully completing projects with upperclassman mentorship. Other exciting developments include reusable published meetings and writing our own fuzzers.
Is it possible to contribute to the security community without dropping an 0 day or coding the next nmap? How about running a CTF? Kris and Chris Silvers, creators of the OSINT CTF, share some lessons learned along their journey. They’ve run into some interesting problems — like their scoring engine’s exploitable vulnerabilities to targets changing their attack surface mid-competition — and met them all head-on. Laugh along and learn something as they walk through their toughest challenges and how they handled them.
In the field of digital forensics, we have our tried and true artifacts and methods to find them. However, occasionally we uncover information or methods that challenge what we’ve always known, especially when we expect to see nothing and instead uncover a wealth of information. Digital forensics expert Cindy Murphy, M.Sc. will use this session to unpack the myths of digital forensics she uncovered since her career pivot from law enforcement to private digital forensics work. For example, when an SD card shows all zeros, is it actually empty? Or, are we really getting a full forensic image from this hard drive? From there, she will discuss how to navigate those myths and most importantly, how to keep moving forward in an ever-changing industry. Session attendees will walk away feeling empowered to ask questions and challenge the status quo in the digital forensics profession.
When the terms darknet or dark web are invoked it is almost always in reference to the Tor network, but what about the other extant darknet frameworks? A true understanding of the dark web would be impossible and misleading if it only included the Tor network. In this talk I will expand the field of view to include frameworks such as Freenet, I2P, and OpenBazaar. We’ll take a quick look at the origins and technical underpinnings of these darknets as well as their actors and offerings. I will also discuss the differentiators that set these networks apart from Tor and highlight why they too should be included in modeling our knowledge of the dark web. Audience members will walk away with a fuller understanding of the internet’s hidden corners, the goals of its users, and the technologies that help keep them in the dark.
The shift to the cloud, Agile and DevOps is making it more difficult than ever for security teams to control what happens in their organizations and secure systems.
The obvious solution is more security tools, more security people, and ever-inventive ways to reign in your environment.
You. Will. Fail.
The only way to get better is by giving up the illusion of control and the delusion that you can achieve control.
Instead, we’ll talk about how engineering automation to create a culture of empowerment, self-reliance and trust can result in better security outcomes. Along the way, we’ll learn about how the adoption of Agile and DevOps is creating value in some unexpected ways…
Kinesthetic (also sometimes referred to as tactile) learning style usually means that someone learns best by physically doing something to fully learn and memorize a topic. As a kinesthetic learner, it is a must for me to see and fully engage with a topic before I grasp it fully. I’ve found that Capture The Flag (CTF) competitions are the best way for me to fully understand security concepts because I can read about it and understand the concepts and then apply it and watch it in action, creating a full multi-sensory learning experience that helps me to retain those concepts in my memory for later use. This talk explores my approach to learn more about RSA and AES through the recreation of CTF challenges. We’ll look at my (very long and extremely frustrating) process of recreating an AES ECB challenge and an RSA short key-length challenge, the lessons I learned from both, the lessons I’m still trying to understand, and why I believe it doesn’t matter whether you’re a novice or an expert, CTFs are the best way to learn something new —especially if you have a kinesthetic learning style.
With the Soviet Union’s launch of the first Sputnik satellite in 1957, the Cold War
soared to new heights as Americans feared losing the race into space. This
presentation tells the enthralling yet little-known story of the hypersonic X-15, the
winged rocket ship that met this challenge and opened the way into humancontrolled spaceflight.
This remarkable research aircraft held the world’s altitude record for 41 years,
and still has no equal to match or better its speed of more than 4,500 mph.
Beyond the X-15 are the stories of the 12 men who guided it into space, and all
the people who kept the rocket plane flying for nearly a decade. This is the story
that has never been told of the vehicle that was the true precursor to the Space
Shuttle by being the first piloted and winged vehicle to exit Earth’s atmosphere,
and make a controlled reentry to a landing on hard-packed dry desert lakebeds.
In her research, Ms. Evans interviewed nearly 70 people, including 9 of the 12
pilots, including Neil Armstrong, Scott Crossfield, and Robert White, with family
representatives for the remaining pilots. Others she spoke with include
managers, flight planners, and the technicians and engineers who made the X-15
ready to fly its next research mission at high altitude and high Mach.
Scripting and automation are absolutely critical to many aspects of an attacker’s effectiveness, penetration tester or otherwise. Modern WAFs and “bot detections” often add a small layer of intelligence to their monitoring, attempting to determine whether or not an attack is being automated, and shut the bot/botnet down. This presentation will be a mini-tutorial on how the various forms of “bot detection” out there work, and how to modify/spoof the necessary client environments to bypass nearly all of them using anything from Python Requests to Selenium, Puppet and beyond.
Wireless pentesting typically requires physical proximity to a target which requires time, limited resources, and constant traveling. Eric & Matt have pioneered an inexpensive device to covertly perform wireless pentests anywhere on earth. Their unique solution to the problem centers around the ability to perform a wireless pentest remotely. To achieve this lofty goal they did what any hackers would do; scrounge up pieces and parts until they had a workable prototype that could phone home via multiple LTE connections and give remote access to the wireless environment surrounding their device. Much improved since it’s tangle of wires and packing peanuts, a year later their device has compromised dozens of enterprise networks spanning 3 continents. In this talk we’ll discuss why we built it, how it works, and why we think it will revolutionize wireless pentesting.
Dustin Heywood (EvilMog)
There are few topics that capture the imagination and headlines like Bitcoin. Many of us understand what Bitcoin is and how it works on a technical level. Bitcoin’s blockchain is a bit like art; sometime you just have to see it with your own eyes.
What if we use modern big data tools to store the blockchain data in a format that can be searched, viewed, and explored? Once you can see the data you can start to discover what Bitcoin is and how it works. It stops being ones and zeros and becomes a story we can watch unfold.
We tend to think about Bitcoin in the context of moving coins around. The coins that get mined and traded are certainly interesting but they’re not the whole story. There are plenty of other interesting aspects in the Bitcoin data. Watching the difficulty of the work, seeing how time of day and seasons affect the transactions flowing through the system. Even understanding what some of the upper bounds on what Bitcoin will be able to accomplish are. We can explore this data in a visual way that can be understood.
The most interesting part of Bitcoin isn’t the coin however. It’s something called nonstandard transactions. Most transactions in the blockchain are strings of data that move coins around. But a transaction isn’t limited to only moving around coins, it can be any random string of data. There are a substantial number of transactions that contain unique and interesting strings. Strings that don’t move the coins around, strings that contain messages. Strange things that only the anonymous person who placed it there may ever understand. There are hundreds of thousands of nonstandard transactions in Bitcoin’s blockchain. We have the ability to see them now, it feels like finding a secret note someone left behind.
Let’s spend some time looking at all this data. What can we learn about how Bitcoin works. What are some trends we’re seeing. And most importantly what are some of the secrets the blockchain holds for us to find. The best part is everything we look at is open data and all the tools we use are open source. You can continue the investigation on your own using what you learn in this session as your inspiration and guide.
Subtitle: The Ultimate Insider in the Cloud
We all know someone who has a Nintendo Entertainment System (NES) sitting around collecting dust. The 1980s gaming console was limited in its capabilities, but just how much wiggle room does that leave for mischief? In this talk, Vi Grey will demonstrate how it is possible to innovate under the limitations the NES restricts us with to create new ways a person can interact with a game. You will see NES games that are also fully functioning web pages and ZIP files, console memory dumps that can be opened as JPEG images, game cartridges that secretly contain other entire NES games, and much more.
Have you ever noticed that much of the mission of cyber- and information security professionals seems to be focused on vulnerabilities? Have you ever heard of the risk equation? Perhaps you are familiar with one or more versions that help you derive the risk to your organization (sometimes referred to as residual risk). I have been wondering for a while how to suggest to our industry that there is perhaps TOO much focus on vulnerabilities and not enough attention or focus on the other elements that derive the standard risk equation. Remember how the disclosure of Meltdown/Spectre introduced a “perfect storm” scenario where the vulnerability wasn’t easy to patch or fix, and the solution seemed to be break things? This created a situation where the “security solution” wasn’t simply to apply the patch – and that left many organizations scrambling to figure out how to deal with this example of a persistent vulnerability. This is a great example of what I’ve wanted to discuss for a while – what else should we focus on in terms of security if/when the vulnerabilities still remain. Interested? Intrigued? Come join the discussion!
The mechanical pin and tumbler locks we use on our homes, schools, and businesses have not changed much in over 100 years. Sure, there have been some exotic new designs but most are just not fiscally feasible compared to their relatively minor improvements (if any) in security. A feature desired on large scale deployments is called Master Keying, which allows for many unique key/lock combinations while supporting multiple permission levels commonly referred to as “janitor keys” or “security keys” that can open multiple locks. While these systems are still in use around the globe in medium-to-large scale businesses, schools, and government buildings, they are also susceptible to what some consider to be the original privilege escalation attack. We will talk about an optimization attack against the most common master keyed lock systems in use today, reducing the potential attack surface from 1,000,000 permutations for an SC4 keyway system down to 42 steps to find the highest privilege key.