David Kennedy is the founder of TrustedSec, Binary Defense Systems (BD) and DerbyCon, a large-scale information security conference. David is an avid gamer, father of three, and passionate about coding. David previously was a Chief Security Officer (CSO) for a Fortune 1000 company with offices in over 77 countries.
Considered a forward thinker in the security field, he is a keynote speaker at some of the nation’s largest conferences in addition to guest appearances on Fox News, CNN, CNBC, MSNBC, Bloomberg and the BBC. His has advised on several TV shows and assisted in some of the content for the popular “Mr. Robot” series.
David has testified in front of US Congress on multiple occasions on the threats faced in security and the government space. A prolific author, he is also the creator of several widely popular open-source tools including “The Social-Engineer Toolkit” (SET). Prior to the private sector, he worked in the United States Marines (USMC) for cyber warfare and forensics analysis activities for the intelligence community including two tours to Iraq.Friday Keynote: Moving Ahead and Beyond Common Tool DetectionsThere’s no question that companies continue to try and get better when it comes to detecting attacks in multiple phases. Instead of just patching and hoping for the best, organizations are spending a substantial amount of investment in trying to detect the 'well what if they get through' situation. As companies focus on enhanced detection capabilities, the focus is often hard to grasp in what to actually look for – there is so much. This talk will dive into where we see most companies fail at detection and how red teams are helping push the bar forward in not just leveraging a checklist, but focusing on the identification of attack patterns in varying levels of sophistication. The over reliance on technology as a method for trying to jump start these programs often causes more harm than good, and we’ll dive into how effective off the shelf endpoint detection tools do when confronted with even basic attackers. As an industry, we have everything we need to get better – it’s a matter of prioritization, focus, and time.
Dan Tentler is the Executive Founder of Phobos Group. He's got a long history of both attack and defense roles, as well as public speaking engagements and press interviews. He is a professional troublemaker and gets excited about getting on stage to share stories about troublemaking, and tips on how to make trouble.Saturday KeynoteDo you keep expensive stuff in your hotel room? Did defcon last year completely chap your ass? Do you like the idea of having visibility of your expensive stuff when you're not in your hotel room? I got you covered. I travel quite a lot for work and I carry lots of expensive things around. I've learned how to deploy 'tells', as well as a slurry of cameras in hotel rooms in an effort to keep tabs on things. This talk will elaborate on stories and experiences, talk about how to build hotel room networks, and cover some of the camera models I bought and use. What's good, What's bad, and how you can fall into this rabbit hole too.
SpeakersAn Overview of hard research problems in Computer Security; Something of a Historical PerspectiveBlaine Burnham, PhD50 minutesWe have been pouring (that might be something of an overstatement) money into computer Security research for decades. How we doing? What have been the research priorities as stated by many of the funding agencies? How we doing? What is not getting done and why? What does the future portend, near and not so near?Dev[Sec]Ops != Dev[Suck]Ops: Mutual of Omaha's Journey Toward a DevOps Security CultureThe traditional approach to software security testing typically involves some form of human interaction. It is accompanied by long wait times, and large, overwhelming scan results. This hardly lives up to the automation hype of the DevOps culture. With the traditional model, follow-up remediation typically includes lengthy conversations with security engineers to a back-and-forth fix and retest cycle. This process is often an afterthought towards the end of the SDLC when code fixes are costly and deployment schedules are tight. The traditional approach does not scale with today's software engineering demands. DevOps, 12 Factor apps, quick agile iterations, and aggressive deployment schedules require security to operate at a new speed; the speed of DevSecOps. How many product owners have had to hit the pause button on a roll-out in order to complete a full SAST or DAST of the entire world before going live? Traditional find, fix, rinse, and repeat methods are being upstaged by more streamlined solutions that integrate directly into the developer's native workflow allowing a real-world shift-left. This includes allowing the developer to interact with SAST/DAST/IAST/Open Source Monitoring from their development workspace, and also in the CI/CD pipeline. Advanced DevSecOps implementations facilitate agility, early fixes, open source visualization, and developer-centric tooling that give dev teams much more control over secure coding models.Basics of Radio Hacking with RTL-SDRGus Gorman50 minutesRadio security is often times neglected because they are only subject to domestic/local threats (physical access). This has left many radio protocols vulnerable to a variety of easy attacksTalk will focus on using inexpensive($20-30) RTL-SDR to intercept & decode various wireless signals, including train telemetry, alarm sensors, smart meters, garage doors, and infrastructure communications. Decode and cloning techniques/hardware will also be covered.Building Security Playbooks 101Lior Kolnik50 minutesSOC and IR professionals are required to use myriad different tools and services to handle alerts and investigate cases, including EDR, Sandboxes, SIEM, pDNS, TIPs and more. Working through all of these GUIs is time consuming and has a learning curve due to the hundreds of different tools and vendors out there - every environment will have different tools. False positives must often be identified manually due to the lack of direct communication between the siloed tools.Building an Application Security Program from ScratchDouglas Swartz50 minutesHave you spent lots of money on firewalls. network security, intrusion detection, and exfiltration prevention? What about the glaring hole left even after all that expenditure: Applications. Join me as I take you through a journey from no application security program at all, to five years later. We'll explore what my team did right, and our failures. I'll provide you with pointers to application security resources, and a possible approach to get started. If your company hasn't headed off on the application security journey yet, maybe you can avoid some of our mis-steps.Building the badge - How you can make small, cheap and custom hardware for function or fashionDrawn to increase in neck bling that people wear around looking like futuristic disco balls? Curious about the rise of IoT and how you can start making your hardware for tests? Want to make your own blinking monstrosity that can scare the cat and blind your neighbors. Cheap PCB fab houses and some free software offers the ability to make all these oddly specific dreams come true. This talk will cover an overview of how you can get your board designed, printed and distributed for your next event without going broke in the process.Bushwacking your way around a bootloaderRebecca (.bx) Shapiro50 minutesEven when you have access to some binary’s source code, it can still be challenging to un- derstand said software. In this talk, I will discuss the techniques and tools I developed in order to understand and navigate the pile of code that is the open-source Das U-Boot bootloader. The tools I developed do not rely on proprietary software and instead make use of free and powerful debugging tools such as Capstone, Unicorn, and the GDB Python plugin API. My approach strives to highlight the temporal and mechanical connections that exist between higher-level behaviors and regions of the code base/binary by instrumenting, tracing, and analyzing all memory writes with respect to the software’s current execution path. This technique allows us to develop and test our understanding of the relationships between code and objects (data structures and/or regions of memory). I will discuss how these tools and techniques can be used to identify and distinguish between different phases of U-Boot execution (including distinct phases of initialization and relocation) and then show how such information can be used to design a coarse-grained memory region-based access control policy.Business Email Compromise (BEC) - The Highly Effective Evolution of Nigerian Fraud SchemesJake Foiles20 minutesAccording to the Internet Crime Complaint Center (IC3.gov), Business Email Compromise and other related schemes account for over half of all cyber crime losses. Learn what BEC is and how you can join the fight against this exploding cyber crime type.Capture the Flag != Pentest (and other Hackworthy shenanigans)Mark Bayley20 minutesCapture the flags are a great way to gain talent and increase technical skill. They’re fun, they bring people together (many who admittedly don’t like to be “together” under normal circumstances), and sites like hackthebox can show you some really unusual and unorthodox ways to break into stuff you’ve probably never considered. Despite their fun and popularity, however, capture the flag events do not always translate into real skill as a penetration tester.Chip-level vulnerability assessment using CHIPSEC and LuvOSDr. Jeffrey (Jeff) Struik50 minutesardware level vulnerability assessment is becoming increasingly important with the increase of state-sponsored threats. The ability to perform chip-level vulnerability assessments provides valuable insights for security managers, specifically for critical assets. This presentation demonstrates the value of using CHIPSEC and LuvOS to conduct chip-level vulnerability assessments. The presentation will provide a demonstration of the various functions of CHIPSEC and LuvOS and will also examine how to install and use CHIPSEC for the purpose of hardware, firmware, and chip-level vulnerability assessments.Containers: Your Ally in Improving SecurityHillary Benson50 minutesContainer and orchestration technologies have brought new standard interfaces to the way applications are built, deployed, and operated. In this session, we’ll show how security, development, and operations teams can speak the common “language” of Kubernetes to operationalize security controls and risk management with greater precision, testability, and clarity than before. We’ll give a brief overview of key container and orchestration technologies and show how to put specific features to work for better security, with live examples.Cybersecurity Education: Inside and OutJessica Rooney & Owen Parkins20 minutesCybersecurity is a developing field that is difficult to learn and even more difficult to teach. This talk describes the challenges of learning various aspects of cybersecurity and of teaching it from the perspective of cybersecurity-focused college seniors. The speakers provide unique perspectives on the state of cybersecurity education in universities, and how this education is helping and hindering students in preparation for the workforce.DSLAMing: Testing WAN Services on DSL ModemsIoT Testing, particularly for consumer grade networking devices, can be difficult when the device doesn't use 802.11 or RJ45 for IP traffic. Take for example the DSL Modem: one of the most commonly deployed networking devices for home users. A typical DSL Modem will have one or more RJ45 LAN ports, but testing the WAN port proves problematic: most DSL Modems use RJ14 ports for the WAN! Enter the DSLAM. The DSLAM is the head end unit for DSL Modems. We'll talk about the underlying technologies used in communicating with the head end system (DSLAM) as well as how you can source, setup, and successfully test WAN services on a DSL modem using a DSLAM. We'll also talk about why you might want to do this and what you might find.Detasseling Docker and Other Kernel Related ProtectionsIt's happened before and it will happen again: that one ancient business application that refuses to die. It's riddled with security holes and is so fragile that a strong gust of wind could take it down. I'll take three perspectives through moving that app into the micro-services climate. Builders, breakers and defenders each get tools and techniques on how this radically popular but 'equally ancient' technology can be their friend.Fuzzing with AFLThe talk focuses on fuzzing approach that can be used to uncover different types of vulnerabilities on open source project. It will also introduce the general idea and the approach to fuzz real-life targets using AFL.Grapl - A Graph Analytics Platform for DFIRTraditionally, detection has been performed on point anomalies - a log comes in, the log is analyzed, and a decision is made to alert based on that analysis. Similarly, investigations are based on searches over isolated events - an alert fires and you manually try to find related events based on ad-hoc queries. Grapl aims to move beyond individual events as the fundamental abstraction and focus instead on relationships. Logs are parsed into graph representations and merged into a master graph representing all actions occurring across your environments. This approach allows for relationship-based detections (ex: word isn't scary, and bash isn't scary, but word spawning bash is scary) and more efficient, ergonomic investigations. Grapl handles the work of turning logs into subgraphs, orchestrating signatures executing across the graph, and automatically scoping investigations through expansion of the graph. I hope to demonstrate the benefits of a Graph based approach to DFIR, and how Grapl can aid in that approach.HASSH it real goodBen Reardon20 minutesIs that SSH client/server really what it says it is ? Now you can tell this and more - with HASSH! Looking for signals in the initialization of encrypted communication channels is not a new concept. There are many examples of fingerprinting both unencrypted and encrypted protocols such as TLS. However somewhat surprisingly, no open source scalable fingerprinting method has been developed for one of our most common and relied upon encrypted protocols SSH — an integral component of the internet. Enter, the HASSH. HASSH is a network fingerprinting standard invented within the Detection Cloud team at Salesforce. It can be used to help identify specific Client and Server SSH implementations. These fingerprints can be easily stored, searched and shared in the form of a standard string of summary text, a hassh for the Client and hasshServer for the Server. Gaining a greater insight into the observable nature of SSH clients and servers opens up a few really interesting possibilities. HASSH can highlight Deceptive implementations, Detect novel exfiltration attempts within the SSH negotiation packets themselves, baseline devices including IOT devices, make a passive assessment of patch levels of SSH servers and clients, and can easily detect anomalous SSH components in highly controlled well understood operational environments. Further to Detection uses, HASSH can also be built into the control pipeline as an active component.IPv6 Security, or... How Not to Deploy IPv6IPv6 has been the Next Big Thing for at least 20 years. Yet few organizations have deployed it since RFC 1883 was formalized in 1995. Or have they? Google has measured US IPv6 adoption at over 35%. Over 25% of the Alexa Top 1000 sites are IPv6-enabled. Chances are good you (and your users) have used IPv6 as well. Was your deployment planned? Did you address common vulnerabilities? Or do you just want to wreak havoc on your local IT guy? Come learn about the state of IPv6 security. All motivations are welcome.MacOS host monitoring - the open source wayMichael George20 minutesI will talk about a example piece of malware(Handbrake/Proton) and how you can use open source tooling detection tooling to do detection and light forensics. Since I will be talking about the handbrake malware, I will also be sharing some of the TTPs the malware used if you want to find this activity in your fleet.More Than Tor: Shining a Light on Different Corners of the Dark WebWhen the terms darknet or dark web are invoked it is almost always in reference to the Tor network, but what about the other extant darknet frameworks? A true understanding of the dark web would be impossible and misleading if it only included the Tor network. In this talk I will expand the field of view to include frameworks such as Freenet, I2P, and OpenBazaar. We’ll take a quick look at the origins and technical underpinnings of these darknets as well as their actors and offerings. I will also discuss the differentiators that set these networks apart from Tor and highlight why they too should be included in modeling our knowledge of the dark web. Audience members will walk away with a fuller understanding of the internet’s hidden corners, the goals of it’s users, and the technologies that help keep them in the dark.Neurodiversity in the workplaceTogether, George and Carla work to bring neurodiversity awareness to the workplace and all around us. Listen as two security professionals discuss how they’ve learned to communicate with people on and off the spectrum. A little bit funny, a little bit brutal, but all honest. George will explain what he hears when Carla skips from subject to subject, and Carla will talk about how she struggles not to finish George's sentences or dismiss something because she doesn't experience it the same way he does. In addition, both Carla and George will talk about the importance of diversity on our teams and throughout the InfoSec community.Note from Underground: Compromised CredentialsBrian C. Carter50 minutes'Notes from Underground: Compromised Credentials' presents several novel use cases for collecting, enriching, and searching so-called dumps of stolen online accounts. Although there are many commercial offerings and some free search tools, these tend to focus on the obvious use of stolen credentials to notify potential victims to change their account password. Victim notification is an important use of the data but researchers can also benefit from collecting and analyzing all of the other relevant details such as IP addresses, user handles, password choice, dates, and sometimes information collected by malicious software. The audience will see tools to parse, enrich, and format stolen data along with multiple ways to index it, search it, and visualize it. The tools will be made available publicly at the time of the presentation using GitLab. Although the presenter cannot give away the data in bulk, sources of compromised credentials will be shared.PCAP Feature Engineering for Machine LearningOnce signature-based methods of intrusion detection were considered fallible, we turned to machine learning to detect malicious traffic. Each machine learning algorithm is only as effective as the data its fed and the data points, also called features, used to train it. This talk will discuss feature engineering of network traffic in a pcap format including a discussion of recent research on features that can help detect malicious traffic when deep packet inspection capabilities are lost in TLS 1.3.Python Obfucation and Evasion TechniquesNick Beede20 minutesPython was designed for rapid development and ease of use which allows for complex tasks to be completed much faster than its counterparts. However, by nature of the language it can be reverse engineered much faster than a compiled language. This limits the language's potential to be used for developing malware and other nefarious tools. We have surveyed current obfuscation and anti-reversing techniques available to harden Python code. We propose that implementing the most advanced and effective obfuscation techniques currently requires too much effort for adversaries at this time, but that situation may rapidly change as frameworks and tools evolve. Our presentation will discuss obfuscation techniques currently seen in the wild and available to adversaries, as well as more advanced techniques that malware analysts should be prepared for in the future.SOC Transformation - From 3-Tier to Functional SOCKevin Houle20 minutesThere are many ways to organize a Security Operations Center (SOC). Among the most pervasive models is the 3-tier SOC model. This talk explores one organization's journey to transform away from a 3-tier SOC model to a functional SOC model focused on Detection, Monitoring, and Response. Discussion includes reasons for making the change and lessons learned along the way.Security of Industrial Control Systems: How IEC 62443 Can HelpAlex Nicoll50 minutesThe IEC 62443 series of standards describes a set of industrial control system security standards that apply to asset owners, system integrators, and product suppliers. There are substantial challenges in applying these standards to existing technologies, but adoption of these standards is beginning to be seen as table stakes by the discrete manufacturing and process communities. This talk will discuss a high level overview of the IEC 62443 series of standards, and some of the challenges in applying them to an industrial control environment. Specific focus will be placed on new initiatives in the industry as a result of a renewed focus on cybersecurity.Self Care in a 24/7 WorldJustin Williams50 minutesThis talk will focus on a period of my life where I was facing incredible burnout while working in IT while ignoring red flags. It will then cover how I switched to Information Security, but apply the lessons learned from my past life in IT to avoid that same scenario from ever re-occurring. The takeaway will be importance of self care.Social Forensication: A Multidisciplinary Approach to Successful Social EngineeringJoe Gray50 minutesThis presentation outlines a new twist on an existing social engineering attack. In the past, we have worked on getting users to plug in USB devices to drop malicious documents and executables. While this attack sometimes proves our point, it is the tip of the iceberg that can be done. Enter Social Forensication. This is a two-pronged attack, consisting first of collecting a memory image for offsite offensive forensic analysis, the second being a rogue Wi-Fi access point attack. During this presentation, we will walk through the steps to perform each attack. Since defense is just as (if not more) important as the attack itself, we will also discuss mitigations (technical and procedural) and relevant windows detections for these attacks.Stop talking about it? Mentoring the next generationSeems like all you read in the twitter verse and in the news is about the shortage of information security talent. This session will highlight personal experiences in mentoring the next generation of information security practicioners and give some options on how to get involved. It will also feature some positive outcomes from giving up some of your precious free time. This talk is for anyone who is sitting on the fence or wonders how they can make a difference.The Art and Science of Report Writing, or, How to present your penetration testing findings wellOver the past 17 years, working in various industries including Airport Weather Observation, Broadcast Communication, Video Engineering and Technology, and finally Information Security, I've learned a thing or two about presenting information. Specifically, how to present a topic that could stir negative emotions, in a way that is non-threatening. I'm a firm believer in presenting penetration testing findings in a way that communicate their urgency without presenting the information using a harsh tone of voice in the writing. This talk will give you, the audience, some useful communication tips on presenting Penetration Testing Findings in a way that doesn't stir negative emotions from the recipient. Tips will include communication styles per personality type, and what I call danger terms, which are words that have a harsh tone when presented in findings, along with alternative words that communicate more effectively.The Power of Physical AccessIan Trent20 minutesWith the glaring financial strain put on the video game industry by hackers, they were among the first private-sector industries to truly focus on security and push for keeping attackers out, but in the face of physical access all their provisions, and yours, are razed in the blink of an eye by adversaries with little to no funding for the project. This will contain a brief history of DRM in the video game industry, how those measures have failed, and why they ultimately always will with an inspection of the Nintendo Switch modding community and the devastating capabilities developed there less than 2 years from the launch date.Under the Unfluence: The Dark Side of InfluenceRon Woerner20 minutesUnfluence is the negative side of influence. It’s a common form of manipulation used to trick people into giving up their access or information. In this talk, the speaker demonstrates principles of influence and psychology and how black hat hackers use them on their victims. You need to identify and stop them before you, your clients, and your employees under their unfluence. Learn how here.WTF, 2FA!? - Y U No Protect Me?Christine Seeman20 minutesAn exploration of two factor authentication from a developers prospective, and why it is so hard to find two factor implementation best practices. Attendees will come out of this talk learning some trials and tribulations of a real life implementation of two factor authentication, why the sms based authentication is by far the least secure, and why two factor is not the security bandage that it is billed to be.What's a Ghidra, and why should you care?The NSA recently announced that they will be releasing one of their in-house reverse engineering tools, named GHIDRA, to the public on March 5th at RSA USA 2019 (https://bit.ly/2sO1GBt). GHIDRA is a disassembler with a feature set similar to that of IDA Pro. In this talk we will highlight GHIDRA's feature set, compare and contrast it with IDA Pro, point out some of its strengths and weaknesses, all in an attempt to help you decide whether GHIDRA or worth adopting for your reverse engineering needs.Tentative Friday Speaking ScheduleBat of DoomTerrified Chipmunk0730Registration Open0850Opening Remarks0900Keynote: Dave Kennedy1000Break (15 min room switch)1015DSLAM: Testing WAN Services on DSL Modems - Nicholas Starke1015More Than Tor: Shining a Light on Different Corners of the Dark Web - Ben Brown1115Automating Secure Development: Practical SecDevOps - Rob Temple1115The Art and Science of Report Writing - Michael Born1135WTF, 2FA!? Y U No Protect Me? - Christine Seeman1135Under the Unfluence: The Dark Side of Influence - Ron Woerner1155Break for Lunch1300Chip-level vulnerability assessment using CHIPSEC and LuvOS - Jeffrey Struik1300Self Care in a 24/7 World - Justin Williams1400Security of Industrial Control Systems: How IEC 62443 Can Help - Alex Nicoll1400Basics of Radio Hacking with RTL-SDR - Gus Gorman1500Break1520Python Obfuscation and Evasion Techniques - Nick Beede1520Cybersecurity Education: Inside and Out - Owen Parkins & Jessica Rooney1540SOC Transformation - From 3-Tier to Functional - Kevin Houle1540Stop talking about it? Mentoring the next generation - John Winger1600Bushwacking your way around a bootloader - .bx1600Pen Testing VS Red Teaming and how to get more from your pen test reports - Sampson Chandler1700An Overview of hard research problems in Computer Security; Something of a Historical Perspective - Blaine Burnham1700Neurodiversity in the Workplace - Carla Raisler & George Walker1800Break for Dinner1900Kernel Panic PartyTentative Saturday Speaking ScheduleBat of DoomTerrified Chipmunk0730Registration Open0850Opening Remarks0900Keynote: Dan Tentler (Viss)1000Break (15 min room switch)1015Building Security That Thinks - Machine Learning Fundamentals for Cybersecurity Professionals - Chris Morales1015Grapl - A Graph Analytics Platform for DFIR - Colin O'Brien1115HASSH It Real Good - Robert Danford1115MacOS host monitoring - the open source way - Michael George1135The Power of Physical Access - Ian Trent1135Business Email Compromise (BEC) - The Effective Evolution of Nigerian Fraud Schemes - Jake Foiles1155Break for Lunch1300Detasseling Docker and Other Kernel Related Protections - Zach Giezen1300IPv6 Security, or... How Not to Deploy IPv6 - Mark Ciecior1400Building an Application Security Program from Scratch - Doug Swartz1400Building Security Playbooks 101 - Lior Kolnik1500Break1520What's a Ghidra, and why should you care? - Chris Eagle1520PCAP Feature Engineering for Machine Learning - Heather Lawrence1540Capture the Flag != Pentest (and other Hackworthy shenanigans) - Mark Bayley1600Notes from Underground - Compromised Credentials - Brian Carter1600Building the badge - How you can make small, cheap, and custom hardware for function or fashion - James Dietle1700Social Forensication: A Multidisciplinary Approach to Successful Social Engineering - Joe Gray1700Own the Con - Kernelcon Crew1800Closing Ceremony and Awards