Tymkrs & AND!XOR, compukidmike

Badge Makers Panel

Come listen to how new worlds are created for your curiosity and enjoyment!


Daniel Creed

Stop, think about the psychology of the hack and hacker FIRST!

We are by nature technologists, and far too often when we see something suspicious on the network, we immediately jump to a technological solution without stopping to think about the psychology of what we are seeing, and what that can mean in the form of an attack/breach.


Ron Kuriscak

When your IoT goes bump in the night

In our always connected world the prevalence of internet-connected devices has multiplied significantly. Internet-connected devices have skyrocketed in our businesses, factories, infrastructures, and hospitals. This “Internet of things” (IoT) is becoming an increasing topic of conversation both in the workplace and outside of it. It’s a concept that not only has the potential to impact how we live but also how we work and are secured. IoT devices have become prevalent in many of the products and services that we have come to rely upon in our everyday lives. IoT security is the safeguarding of connected devices and networks in the IoT world. Managing and securing the ever-growing number of internet-connected devices is posing new challenges to organizations of all sizes. Businesses must now address this new threat landscape to determine how to protect themselves. What are some examples of IoT devices? What is the threat? How prevalent is the risk? How are organizations protecting all of these IoT devices? What should be done to reduce the risks?


Russell From

Zero to Hero: Starting a Cyber Security Career

This talk is for all those looking for a guide into how to break into a cyber security or information security career with local tips for those living in Wisconsin. Whether you are still in college, debating going to college, or an experienced professional looking to change careers, I wrote this talk for you as I wished this guide existed when I changed careers. Flashback to four years ago where something changed, I woke up and was no longer passionate about what I was working on like I used to be. The challenges were still there and a management career was just around the corner but cyber security looked so much more exciting and got me excited to get up and out of bed in the morning. So with no previous cyber security roles or training, I made a hard career pivot from a well paid and stable Principal Engineer job at a large international company to an entry level security role and enrolled in a security degree program. From there, I ended up changing roles a few more times with different companies while picking up many cyber security certifications along the way. Before I knew it, I was invited or selected to speak at many local Wisconsin cyber security conferences and was speaking in front of my peers at local cyber security focused organizations. This talk is a summary of my experience to break starting a cyber security career down into a simple strategy while providing an overview of the information sources, certifications, local communities, and trade offs to consider for someone starting down this path.


Aamil Karimi

Qualitative Analysis for Critical, Timely Intelligence

Every day, researchers and analysts are bombarded with new sets of data and information pertaining to threats and adversaries. This is not very different from what intelligence analysts encounter in physical terrain warfare. In both cases, intelligence can only succeed in looking beyond the flavor of the week by applying timely, qualitative analysis to relevant information. In this presentation we will discuss:

• Examples of observing common and older tactics and vulnerabilities that are actively being leveraged (instead of theoretical risks)
• Using historical information to make well-informed assessments of future adversary courses of action
• Applying qualitative-based risk assessments to adversaries based on observed capabilities and intent
• Utilizing non-technical methods of intelligence collection such as human intelligence

We’ll also walk through real-life examples, including our hands-on experience in confirming tactics used by hacktivists during an actual campaign, and tracing suspected ties between a Middle Eastern paramilitary organization and a domestic cyber adversary.


Olivia Stella

Deciphering Aviation Cybersecurity Regulations

The aviation industry is synonymous with government regulation, but what does that mean in regards to cybersecurity? The industry is historically reluctant to provide information, leading to an assumption by those on the outside that security by obscurity is the standard. However, there are several statutes in place if you know where to look. This presentation aims to decipher current aviation cybersecurity regulation by focusing on what would directly impact security researchers and how to better educate oneself on current & future regulation.


Josh Bressers

Next Generation Enterprise Security

The single best way humans transfer knowledge is through stories. We are a social species and there are no better stories than Star Trek episodes. Nearly every episode of Star Trek involves some sort of security incident. Everything from someone stealing data (or Data), insider threats, APT, malware, and more. There is a lot of content we can use as examples to help teach and learn.
What would the Star Trek lessons look like if we break them down into their core components? Even though the stories are fictitious, we can use them to help tell a story as a way to teach others about security and why it matters. We can start to ask questions like who is the biggest insider threat the ship faces: Data or Wesley? Why is security so terrible, does Worf ever do his job? Have these people ever heard of two factor authentication? Maybe the holodeck should be sandboxed? No, the Romulans aren’t telling the truth this time.
Our industry is one of very serious questions and discussions, but sometimes you can be too serious. It can be a challenge to explore security topics even inside of the industry, sometimes we need a new way to think about a problem. Rather than focus on serious security lessons, let’s have some fun made-up security stories. There are a lot of lessons to be learned in Star Trek TNG episodes.
In this session we are going to break down the security themes in Star Trek. Who are threat actors? Who are defenders? What are some mitigations that could be applied? What are some proactive ideas that should have been put in place? There are even some examples of recurring incidents because nobody fixed the problem the first time.
You will walk away from this one not just having a lot of fun because Star Trek is awesome, but learning some new ways to look at common problems. Sometimes a little perspective can really get the creative juices flowing.

Mike ‘Shecky’ Kavka

It’s Log, It’s Log… or Why are standards not standard

There are so many things we deal with in the field of Information Security, and so many vendors out there to deal with. The money to be made is staggering for vendors, but at what cost? Using a non-standard standard (i.e. Syslog), and not supporting ease of integration seem to be the norm, but is that not creating a less secure world? We shall take a brief look at reasoning why the world of security vendors might be hurting the security field overall with the non-standard standards used.


Alexander Rasin

Is your Database Leaking Encrypted Data?

Forensic tools often operate in adversarial conditions, without cooperation from the device owner. Storage encryption (either device-drive or software) prevents forensic tools from accessing and reconstructing data in persistent storage. Meanwhile, RAM and its cache can provide an alternate source of decrypted data to forensic tools. Prior data encryption research considered disk partition encryption, encryption in file systems, and client-side encryption. However, such work does not account for encryption in database management systems (DBMS). DBMSes manage their own storage instead of relying on the operating system with native DBMS support for disk and RAM cache management, access control configuration, and built-in encryption features.
The first part of this talk teaches the basic principles of disk-to-RAM data flow within a DBMS. We describe different allocated RAM areas and their purpose in major relational DBMSes (including Oracle, SQL Server, PostgreSQL, and MySQL). We also survey the built-in encryption features available in these DBMSes, including deployment trade-offs. The second part of this talk describes DBMS encryption vulnerabilities through examples. We discuss SQL operations that potentially expose decrypted data in RAM. We also demonstrate the quantity of data cached by SQL queries and the lifecycle of that data in memory.

Rob Carson

Guerilla Warfare for the Blue Team

Blue teamers in the trenches need to stop living groundhog’s day. Time to punch Bill Murray in the face and change the game in our favor. The game has changed but the basics are the same.

Coined in the 90’s by General Krulak, the three-block war is described as full-scale military action, peacekeeping operations (PKO) and humanitarian aid within the space of three contiguous city blocks.

How does this compare to starting your morning activating your incident response (IR) plan due to a suspected credential breach, change management meetings (compliance), and handing out hugs while CXOs change their passwords for the first time?

1. No one is shooting at you.
2. Not much else

Just as methods of warfare have changed, so too has the way we must run security programs. What does it take to prepare and execute your own 3 block Blue team war?


Nick Chapel (CRYPTY MCCRYPTOFACE)

CryptoParty Like It’s 1499

Long before it became an infosec capture-the-flag staple, steganography had its birth in the Steganographia of Johannes Trithemius, an early 16th century book of magic and secret writing. Though it remains perhaps the most widely known, this is but one among countless examples of cryptography from the Renaissance and early modern eras used by alchemists, magicians, and dissidents to conceal their hidden knowledge from the prying eyes of the uninitiated. By applying the lens of cyber threat intelligence to the Steganographia and other examples of Renaissance and early modern cryptography, we can give ourselves greater insight into the motivations and threat models that drove subversive actors centuries before PGP was a gleam in Phil Zimmermann’s eyes. As we explore these historical examples through a threat intel lens, I will show how modern-day incident responders and other infosec practitioners can enrich their investigations by applying this same approach to their daily work.


Sarah Petkus

Mother of Machine: Teaching a Robot to See and Recognize

Raising a Robot (5min)
• Introduction to myself, NoodleFeet, and the “Mother of Machine” project
Designing Familiarity (~10min)
• How I used TensorFlow to teach my robot how to relate objects to other objects
• Show the mechanism, hardware and electronics involved in doing so
• Share my process of object training with intentional flaws built-in to help produce more ‘human-like’ results
Cause and Effect (~7min)
• How I used object recognition to trigger behaviors: mechanical responses that help communicate the robot’s personality
Wrap-up (~3min)
• Show the results and share my resources


Bruce Krawisz

Human Health and Climate Destabilization

Extreme heat is the result of higher temperatures due to atmospheric heat retention by greenhouse gases. As temperatures rise, more water evaporates and the concentration of water vapor (humidity) in the air rises. This means that some places, particularly temperate areas, will receive more rain resulting in more flooding. Droughts occur sooner in places that do not receive rain because it is hotter. Tropical storms and hurricanes are powered by the heat energy in ocean water. As ocean temperatures rise, tropical storms tend to become larger, more powerful, and associated with greater rainfall. Many of these events are happening now. This year has seen record heat waves across the U.S., Europe, and Greenland; floods in the U.S. Midwest; and wildfires in Alaska, Siberia, Greenland, Australia, and the Western United States. In 2017 and 2018 there were unusually powerful and large hurricanes such as Harvey (Houston, TX), Florence (North Carolina), Maria (Puerto Rico), and Irma (Florida and Caribbean). Lyme Disease and West Nile virus encephalitis have been spreading north from the U.S. into Canada as warmer temperatures make survival easier for ticks and mosquitoes. As the tropics expand towards the poles, diseases carried by mosquitoes such as Dengue follow. The Middle East (Southwest Asia) may become too hot for human habitation. Coastal cities such as Jakarta, Indonesia, Mumbai, India, Shanghai, China, London, U.K., Miami, New Orleans, and New York may become uninhabitable due to sea level rise. Today’s children are in the crosshairs of climate change.


Eric Escobar, Matt Orme

Your Corporate Networks are Showing

Sysadmins, CISOs and compliance officers run pentests on their internal and external infrastructure, and commonly ignore their wireless footprint. However, access to a corporate wireless network is seldom monitored and provides covert access to an attacker. Think a long random passphrase or individual user authentication will protect your perimeter? Think again. Current wireless attacks take advantage of configuration oversights, deceiving end users, and circumventing what had been thought to be reasonable network segmentation. Such compromise can have disastrous implications resulting in the “attacker from the parking lot” scenario. Curious to see how a compromise from a “secure” wireless network happens? Eric & Matt will discuss their evolving wireless pentest methodology and answer audience questions.


Dan Walters

Your cable modem is secure Right? Oh!

Most people think their devices are “secure”; well, it’s time to talk about things most cable companies don’t want you to be aware of… ignorance is bliss, right?


Kat Traxler

The Cloud Attack Surface – Laughing at the OSI Model

Security Professionals are comfortable reasoning about the security posture of systems within the framework of the OSI model. We classify attacks as network based or application based each with their own set of understood preconditions or rules.
Enter ‘The Cloud’ or as I like to think about it “Other People’s Datacenters”. The Cloud Platforms and their associated APIs are harnessed by a new breed of operations teams to define network or application systems in code. It’s on the Cloud API Platforms that a new attack surface has opened and it plays by none of the old rules.

J. Wolfgang Goerlich

Zero Trust for Zero Days

Zero Trust has evolved from hype to security concept, and is evolving into a security standard. Zero Trust has gone from being network-centric to applying to people, applications, and data. And yet? The value of any defensive security control can only be determined within the context of the offensive tactics. The value gets further obscured when unexpected vulnerabilities rip holes in our defenses. In this presentation, threat models and attack scenarios will highlight the strengths and weaknesses of Zero Trust. This session provides an adversarial view of limiting trust in our environments.


Byron Franz

The FBI Wants You! (To help in Protecting the U.S. From Cyberattacks)

System Administrators, information security professionals, and ethical hackers are often the first line of defense in protecting U.S. companies and public institutions from cyberattacks. However, there are local, state, and federal resources available to assist in mitigating and investigating a cyber incident. Presidential Policy Directive 41 (PPD-41) established the FBI as the lead federal agency for cyber threat response activities in the U.S. How does the FBI conduct this threat response? This presentation will discuss various cyber threats to U.S. institutions, seek to dispel various myths about the FBI’s cyber efforts, and seek to clarify what an institution can expect when contacting the FBI to report a computer intrusion, ransomware attack, or other incident. Special Agent Franz will also discuss the vital importance of IT professionals both reporting IOCs to the FBI and considering applying for an FBI Special Agent, Intelligence Analyst, or related position to bolster the U.S.’ national cyber defense capabilities.


Alyssa Miller

KEYNOTE: Stealing Reality – Deepfakes Ushering in a New Paradigm of Attacks

As a result of continuing advancements in neural networks, deep fake media has become increasingly convincing and easy to produce. Experts have warned of the impact this could have on elections and personal security. Additionally, deepfakes also pose very real threats to businesses and global markets, although these threats receive far less attention. Hacker and Security evangelist Alyssa Miller will analyze the technology behind creating deep fake media, showing how Generative Adversarial Networks (GAN) create convincing fake videos and audio from very limited samples. She will examine research into both low-tech and AI/ML based detection methods and countermeasures, including leveraging the same neural network approaches being used to create deep fakes to help detect them. She’ll continue by discussing the theory and research behind countermeasures such as Adversarial Perturbations and show how they can defeat facial recognition algorithms that deepfake generation relies on. Finally, Alyssa will present methods being developed to help certify the authenticity of real media.

As she concludes, Alyssa will offer up a hopeful viewpoint of the good that can be accomplished through the use of deepfake technology. From its use in entertainment, to improved analysis of medical imaging and even how GANs are being leveraged in malware identification.


Amy Upthagrove

Sonic Pi – A Creative Coding Movement for Everyone

This talk will explore the use of the Sonic Pi live coding environment as a means of using code to create music, as well as to provide an accessible gateway into more complex coding environments and applications.


Dustin Heywood (evil_mog)

Silver Tickets Through the Printer Bug: How NTLMv1 Brings Down the Kingdom

Have you ever wanted to know how the MS-RPRN Print Spooler service can lead to local admin? This talk will go through the NTLMv1 hash format, reverse it to an NTLM hash, and show how to use that information to generate Silver Tickets. It will also cover defenses for this devastating attack.


Jo Jones

Duck and Cover 2.0: How Preparing for the End of the World Can Prepare You for Anything

Even though the Cold War ended almost 30 years ago, there are still a lot of valuable lessons that can be learned from that era. One of the hallmarks of Civil Defense was to prepare yourself and your family for the coming Nuclear War. There were thousands of pamphlets, ads and movies created to teach people how to survive and thrive when Mutually Assured Destruction came to fruition. In this presentation, I will go over some of the more famous Civil Defense campaigns of the Cold War and how you can apply these tips to keep yourself and your companies safe in the modern world.


Anita Nikolich

AI


Robert Lerner

418 I’m a Teapot – And other headers

What happens when you overshare HTTP headers and how to check if yours are “up to code”


Melanie Ensign

Why Should Anyone Listen? Practical Advice for Security Pros to Build Influence & Impact

This talk is about earning influence and becoming a trusted advisor inside and outside a security organization. It is for everyone who wants to effectively advise business leaders, technical managers, and decision-makers. It’s also for anyone yearning to be heard by their boss or peers.


Susan Lincke

The Ethics of Risk

Security is often not funded because risk costs, as evaluated by an organization for its own benefit, have an ROI that is below other possible investments. However, there are multiple benefits of evaluating risk from an ethical perspective. This presentation proposes a maturity model for the ethics of risk, based on an evaluation of research related to ethical risk. The framework describes risk, management, legal, and engineering concerns appropriate to risk analysts, security staff, or software engineering professionals. The framework provides a list of actionable items for each of five levels of ethical risk maturity.


Trenton Ivey

KEYNOTE: Make(){Break()};Break(){Make()};

By definition, hackers make things work in unexpected and unintended ways. To many outside this community, hacking seems like a destructive process. However, anyone that has ever created or utilized an exploit in an imaginative way knows that, at its heart, hacking is all about making something new. This talk, full of technical examples taken from opposing disciplines in information security, shows how healthy competition between makers and breakers drives progress.


F4R4D4Y

Epstein Faraday didn’t kill himself

What happens when a social-media addicted hacker and Twitter Troll quits the internet for six months? What happens to a human being – who are social animals – when their main contact methods with friends, family, enemies, and coworkers are dissolved?
Did erasing his data from OSINT and family tree/ancestry sites help with privacy, at least? What about the memes? WHAT ABOUT THE MEMES?!
Listen to his story how it simultaneously saved and ruined his social life at the same time as his health improved (with all the consequential data he could collect) to help you make an informed decision if you decide to make the ultimate pièce de résistance of our digital age.

Pilar Speranza-Weigel, Yuliana Bellini

Online Dating Scams – Low Blows

Over time dating scams have claimed many victims, becoming an immense industry that uses psychological approaches, photographers, graphic designers, call centers, extortion and blackmail, as well as human trafficking. These scams have been around for many years, and they continue to grow and evolve, and the hackers have become much more elaborate and sophisticated with their methodologies, making them even more profitable than ever. We will dissect this dark business and identify its patterns and vulnerabilities, as well as bring awareness to a topic that is not often discussed.


Adam Baso

Crowdsourcing and Collaborative Product Development at Wikipedia

The early days of the open web encouraged a collaborative model of software development – technology built from the ground up, systems that were developed collectively and without hierarchy. For the past two decades, Wikipedia has succeeded to a large degree because of that collaborative model. It invites contributions, from our content down to our code. This talk will discuss how to build a truly participatory product development model, the opportunities and challenges Wikipedia has faced as a result of its open approach to technology platforms, and what the future looks like.


Kat Sweet

Knock Your SOCs Off: Modernizing Security Operations

The model still in wide use for security operations – the tiered SOC in a windowless room staring at a single glass of pain – is a product of technological environments in rapid decline. As infrastructure and organizational structures evolve, so too must the teams responsible for keeping the lights on evolve their people, process, technology, and culture. So what does this look like for those on the ground?

From the brain of a former security analyst building out operations in a cloud-first and zero-trust environment (buzzword bingo cards not provided), we’ll reflect upon what problems we’re trying to solve in security operations and how to reimagine our solutions for the environment in front of us, whether it’s a distributed workforce, shiny new cloud infrastructure mixed with old servers in the basement, or a fleet of unmanaged endpoints. Attendees will gain practical approaches to adapting our own processes and tooling, revisiting our sources of truth, and turning our focus outward to engagement and visibility within the larger org.


Michelle Meas

COVID-19: Pandemic Pandemonium

The novel coronavirus outbreak that started late last year has already shaken up the global economy, caused massive public unrest, and given us the equal parts funny and dystopian situation with those face-recognizing drones that yell at people for not wearing masks. But with so many people talking about the same thing, how do we sort out what’s real and what’s conspiracy? Is the novel coronavirus a bioweapon? Are pangolins secretly humanity’s great adversary? Do masks actually work? Why the heck are we talking about Russia? This talk will begin with an overview of the latest literature on COVID-19 and highlights of the outbreak so far. From there we will dissect the various claims made by private entities, separating fact from fanatical and tracking how information travels through meatspace.


Dr K, Jen and Darren

Brain Hacking – Train Your Brain for Love, Joy and Peace

Meditation is becoming a buzz-word for “beating” stress but seems very complicated to learn. We will show how DIY (Do It Yourself) brain technology projects such as DIY EEG (electroencephalogram) and tDCS (Transcranial direct current stimulation) can actually work as training wheels for a relaxed and energized mind. Transcranial direct current stimulation (tDCS), is a non-invasive, painless brain stimulation treatment that uses direct electrical currents to stimulate specific parts of the brain. A constant, low intensity current is passed through two electrodes placed over the head which modulates brain activity.

Volunteers will be invited for on-screen demos and DIY designs will be shared.

Disclaimer: These are not FDA approved devices, caution must be observed. Do at your own risk.


Rene Kolga

Ransomware And How It Evades Our Defenses

Remember WannaCry – the ransomware attack that infected Windows devices across 150 countries? What is often forgotten is that WannaCry was completely preventable. Microsoft had issued a patch two months prior to the attack. If you think WannaCry was bad, how about a ransomware that we don’t have any protection from?

This talk will cover a Windows evasion technique called “RIPlace” that, when used to maliciously alter files, bypasses most existing anti-ransomware technologies. In fact, even Endpoint Detection and Response (EDR) products are blind to this technique, which means these operations will not be visible for future incident response and investigation purposes.

The technique leverages an issue with error handling of an edge-case scenario by filter drivers of security products. While not a vulnerability per se, the technique is extremely easy for malicious actors to take advantage of with barely two lines of code. RIPlace abuses the way file rename operations are (mis)handled using a legacy Windows function.

The talk will include a live demo of RIPlace bypassing a number of anti-ransomware technologies as well as the release of a RIPlace testing tool for the community to leverage in your own organizations.


Shannon Fritz

Is that a PickleNIC in your Pocket or are you just Cap’n Password Hashes?

When a device is set to automatically connect to wifi it may actually be exposing itself AND the networks to attacks, but what can you do about it? The PickleNIC is a combination of custom hardware and software that was built to automate the collection and cracking of WPA2 Password Hashes. Hear the story about my daily commute with a Raspberry Pi that collects thousands of hashes using hcxtools and then automatically submits them to hashtopolis for distributed cracking. We’ll cover how the PickleNIC works and how it was built in order to help expose the risks in a fun way that (hopefully) encourages better security practices in my friends and strangers. You too can have a pickle in your pocket, in your bag, or in your car, and you’ll get all the information you need to make your very own PickleNIC today. This is going to be fun!