Anita Nikolich

AI

Anita Nikolich


Rene Kolga

Rene Kolga

Ransomware And How It Evades Our Defenses

Remember WannaCry – the ransomware attack that infected Windows devices across 150 countries? What is often forgotten is that WannaCry was completely preventable. Microsoft had issued a patch two months prior to the attack. If you think WannaCry was bad, how about a ransomware that we don’t have any protection from?

This talk will cover a Windows evasion technique called “RIPlace” that, when used to maliciously alter files, bypasses most existing anti-ransomware technologies. In fact, even Endpoint Detection and Response (EDR) products are blind to this technique, which means these operations will not be visible for future incident response and investigation purposes.

The technique leverages an issue with error handling of an edge-case scenario by filter drivers of security products. While not a vulnerability per say, the technique is extremely easy for malicious actors to take advantage of with barely two lines of code. RIPlace abuses the way file rename operations are (mis)handled using a legacy Windows function.

The talk will include a live demo of RIPlace bypassing a number of anti-ransomware technologies as well as the release of a RIPlace testing tool for the community to leverage in your own organizations.


Alexander Rasin

Alexander Rasin

Is your Database Leaking Encrypted Data?

Forensic tools often operate in adversarial conditions, without cooperation from the device owner. Storage encryption (either device-drive or software) prevents forensic tools from accessing and reconstructing data in persistent storage. Meanwhile, RAM and its cache can provide an alternate source of decrypted data to forensic tools. Prior data encryption research considered disk partition encryption, encryption in file systems, and client-side encryption. However, such work does not account for encryption in database management systems (DBMS). DBMSes manage their own storage instead of relying on the operating system with native DBMS support for disk and RAM cache management, access control configuration, and built-in encryption features.
The first part of this talk teaches the basic principles of disk-to-RAM data flow within a DBMS. We describe different allocated RAM areas and their purpose in major relational DBMSes (including  Oracle, SQL Server, PostgreSQL, and MySQL). We also survey the built-in encryption features available in these DBMSes, including deployment trade-offs. The second part of this talk describes DBMS encryption vulnerabilities through examples. We discuss SQL operations that potentially expose decrypted data in RAM. We also demonstrate the quantity of data cached by SQL queries and the lifecycle of that data in memory.

Dustin Heywood (evil_mog)

Dustin Heywood (evil_mog)

Silver Tickets Through the Printer Bug: How NTLMv1 Brings Down the Kingdom

Have you ever wanted to know how the MS-RPRN Print Spooler service can lead to local admin? This talk will go through the NTLMv1 hash format, reverse it to an NTLM hash, and show how to use that information to generate Silver Tickets. It will also cover defenses for this devastating attack.


Shannon Fritz

Shannon Fritz

Is that a PickleNIC in your Pocket or are you just Cap’n Password Hashes?

When a device is set to automatically connect to wifi it may actually be exposing themselves AND the networks to attacks, but what you can do about it? The PickleNIC is a combination of custom hardware and software that was built to automate the collection and cracking of WPA2 Password Hashes. Hear the story about my daily commute with a raspberry pi that collects thousands of hashes using hcxtools and then automatically submits them to hashtopolis for distributed cracking. We’ll cover how the PickleNIC works and how it was built in order to help expose the risks in a fun way that (hopefully) encourages better security practices in my friends and strangers. You too can have a pickle in your pocket, in your bag, or in your car, and you’ll get all the information you need to make your very own PickleNIC today. This is going to be fun!


Tymkrs & AND!XOR

Tymkrs & AND!XOR compukidmike

compukidmike

Badge Makers Panel

Come listen to how new world’s are created for your curiosity and enjoyment!


Trenton Ivey

Trenton Ivey

KEYNOTE: Make(){Break()};Break(){Make()};

By definition, hackers make things work in unexpected and unintended ways. To many outside this community, hacking seems like a destructive process. However, anyone that has ever created or utilized an exploit in an imaginative way knows that, at its heart, hacking is all about making something new. This talk, full of technical examples taken from opposing disciplines in information security, shows how healthy competition between makers and breakers drives progress.


Robert Lerner

Robert Lerner

418 I’m a Teapot – And other headers

What happens when you overshare HTTP headers and how to check if your’s are “up to code”


Eric Escobar

Eric Escobar Matt Orme

Matt Orme

Your Corporate Networks are Showing

Sysadmins, CISO’s and compliance officers run pentests on their internal and external infrastructure, and commonly ignore their wireless footprint. However, access to a corporate wireless network is seldom monitored and provides covert access to an attacker. Think a long random passphrase or individual user authentication will protect your perimeter? Think again. Current wireless attacks take advantage configuration oversights, deceiving end users, and circumventing what had been thought to be reasonable network segmentation. Such compromise can have disastrous implications resulting in the “attacker from the parking lot” scenario. Curious to see how a compromise from a “secure” wireless network happens? Eric & Matt will discuss their evolving wireless pentest methodology and answer audience questions.


Kat Traxler

Kat Traxler

The Cloud Attack Surface – Laughing at the OSI Model

Security Professionals are comfortable reasoning about the security posture of systems within the framework of the OSI model. We classify attacks as network based or application based each with their own set of understood preconditions or rules.
Enter ‘The Cloud’ or as I like to think about it “Other Peoples Datacenters”. The Cloud Platforms and their associated APIs are harnessed by a new bread of operations teams to define network or application systems in code. It’s on the Cloud API Platforms that a new attack surface has opened and it plays by none of the old rules.