BSidesAugusta 2017

What is BSides?

Each BSides is a community-driven framework for building events for and by information security community members. The goal is to expand the spectrum of conversation beyond the traditional confines of space and time. It creates opportunities for individuals to both present and participate in an intimate atmosphere that encourages collaboration. It is an intense event with discussions, demos, and interaction from participants. It is where conversations for the next-big-thing are happening.

Questions? Want to volunteer? Want to sponsor? Email us at BSidesAugusta [at] gmail.com

Follow us on Twitter: @BSidesAugusta Hashtag: #bsidesaugusta

Date: September 16, 2017

Location: Augusta University Harrison Education Commons Building
          1301 R.A. Dent Blvd
          Augusta, GA 30901

Campus Map: BSidesAugusta on Augusta University Health Campus.pdf

Preferred Hotel:

DoubleTree by Hilton Hotel Augusta
2651 Perimeter Parkway
Augusta, Georgia, 30909
706-855-8100

The DoubleTree by Hilton Hotel Augusta is offering a special rate for the Security Onion / BSidesAugusta 2017 conference attendees for September 10 - 17. To book the hotel at the special rate, click here. Alternatively, you can find the hotel's website via your favorite search engine and use Group Code BSD when booking. The code expires August 20, 2017.

Parking: Parking for BSidesAugusta is annotated on the map linked below.

BSidesAugusta on Augusta University Health Campus.pdf

Things to do/see while in Augusta.

Things To Do and See In Augusta 2017.pdf

Dates:

  • Call For Papers (CFP) open - 4/10/2017
  • CFP close - 6/5/2017
  • Speakers selected and notified - 6/29/2017
  • Registration Opens - 6/29/2017 12PM ET
  • BSidesAugusta - 9/16/2017

Training:

We are excited to announce two great training opportunities provided in conjunction with this year's conference! Both classes will be held at the DoubleTree by Hilton Hotel Augusta.

Schedule:

Tracks: Track 1 "Setec Astronomy", Track 2 "Werner Brandes", Track 3 "Bishop v Coz", Track 4 "Whistler and Mother"

7:45 AM - 1:00 PM: Check-in

8:30 - 9:00: Opening Remarks

9:00 - 10:00: Opening Keynote - Russ McRee

10:00 - 11:00
  • Track 1: Alissa Torres - Black Mirror of Execution: How new artifacts have changed the 'O' and the 'D'
  • Track 2: Tim Tomes - Burping for Joy and Financial Gain
  • Track 3: Paul Burbage - Necurs Botnet: Mass Distribution for all the Bad Things
  • Track 4: Wes Widner - Say hello to my little friend - An introduction to iOS security and forensics

11:00 - 11:15: BREAK (all tracks)

11:15 - 11:45
  • Track 1: Chris Sanders and Jason Smith - Hacking Food
  • Track 2: Brian Stucker - Building a Secure Environment for Operations using Docker
  • Track 3: Jason Blanchard - Inception Presentation
  • Track 4: Tigran Terpandjian - Be a Human nMAP! – Cultivating a ‘Renaissance & Reconnaissance Approach’ for the Social Engineer

11:45 - 12:30: LUNCH

12:30 - 1:30
  • Track 1: Tim Crothers - Machine Learning Fueled Cyber Threat Hunting
  • Track 2: Josh Rykowski and Sean Eyre - Don't Google 'PowerShell Hunting'
  • Track 3: Bob Wheeler - Managing Your Cyber Career & Job Hunt
  • Track 4: Daniel West - The Homeland of Things (HoT) Framework

1:30 - 2:00
  • Track 1: Michael Banks - Bet You Won't Block Google: Evil APIs on the Rise
  • Track 2: Ismael Valenzuela - Hunting Adversaries with Investigation Playbooks & OpenCNA
  • Track 3: David Peeler and Keaton Sadoski - Simplified Home VPN Solution: A How To Guide
  • Track 4: Alek Rollyson - Automating Event Log Production and Testing for SIEM Detection

2:00 - 2:15: BREAK (all tracks)

2:15 - 3:15
  • Track 1: Paul Melson - Unmasking Cybercriminals on the Open Internet
  • Track 2: Toni de la Fuente - Security Automation in the cloud
  • Track 3: Jack Koons - Zero Days and Zero Trust Part 2: Microsegmentation, Critical Infrastructure Protection, and a World of Many
  • Track 4: Ernest "Cozy Panda" Wong - The Next Big Idea for Cyber Innovations--A Framework to Drastically Improve Cyber Defense (and Offense) Capabilities

3:15 - 3:45
  • Track 1: Russell Eubanks - Lessons Learned ISAC – How to Get Wisdom as Cheaply as You Can
  • Track 2: Tommy Chin - Localization of Wireless Threat Actors and Evasion Tactics
  • Track 3: Brice Self - Probing Toms: Creepy hackers on your house doorstep
  • Track 4: Monica Jain - Removing haystacks to find needles - playing to our strengths

3:45 - 4:45: Closing Keynote - Jake Williams

Villages (from 9:00):

  • FALE Lock Picking Village - all day
  • NetWars: CyberCity - two sessions. First come first serve. Bring your own laptop! YES, you can attend both sessions.
      Session 1: 9:30 - 13:30 (LUNCH between 12:30 and 13:00)
      Session 2: 14:00 - 16:30

Keynotes:

Opening

Russ McRee (@holisticinfosec)
Manager, Security Incident Management & Pentesting Services, Microsoft

Russ McRee, GIAC+, CSIH, CISSP manages the Security Incident Management & Penetration Testing Services team for Microsoft’s Online Services Security & Compliance organization. McRee writes toolsmith, a monthly column for the ISSA Journal, and has written for numerous other publications including Information Security, (IN)SECURE, SysAdmin, Linux Magazine, and OWASP. He speaks regularly at events such as DEFCON, Black Hat, RSA, FIRST, and RAID, amongst others. He conducts constant vulnerability and malware research, wrestling with the challenges of web application security and new ways to interpret malicious network traffic. He advocates a holistic approach to the practice of information assurance and, as such, maintains holisticinfosec.org. IBM's ISS X-Force cited Russ as the 6th ranked Top Vulnerability Discoverer of 2009.

Closing

Jake Williams (@malwarejake)
President of Rendition Infosec.

He has more than a decade of experience in secure network design, penetration testing, incident response, forensics, and malware reverse engineering. Before founding Rendition Infosec, Jake worked with various cleared government agencies in information security roles. Jake is a certified SANS instructor and course author. Jake regularly responds to cyber intrusions performed by state-sponsored actors in financial, defense, aerospace, and healthcare sectors using cutting edge forensics and incident response techniques. He often develops custom tools to deal with specific incidents and malware reversing challenges.

Title: Why Snowden’s leaks were inevitable and why leaks will likely continue.

Abstract: Edward Snowden has been vilified by the US Government while being held out as a hero by privacy rights activists. After examining the publicly available data around the leaks, it’s fairly easy to reach the conclusion that the leaks were inevitable – whether or not you agree with Snowden. In this session, we’ll examine US Government disinformation around the leaks and their suggested alternative courses of action. For each alternative suggested course of action, we’ll detail why the course of action was not feasible/plausible for Snowden to take. Finally, we’ll talk about other leakers and courses of action organizations can take to prevent future leaks (it’s about WAY more than shutting down USB access).

Please note: this talk will not be recorded and we ask that you not have electronic devices out during the talk. If you are seen with a potential recording device, you will be asked to leave and will not be allowed back into the session.

Abstracts:

Alissa Torres (@sibertor)
Black Mirror of Execution: How new artifacts have changed the 'O' and the 'D'

Windows tracks system/user activity with growing sophistication and granularity. Let's walk through some of this forensic evidence of execution that few examiners know about and seldom use, such as SRUM, AmCache and SCCM data. Alissa will dissect 4 case studies where these newly identified artifacts cracked the case and unlocked the story of what happened on the system, and who did it and when.

Chris Sanders (@chrissanders88) and Jason Smith (@automayt)
Hacking Food

Being a hacker isn’t just about breaking into computers, it’s about looking for creative ways to make your life better. What better way to increase your quality of life than to hack your food? This presentation will be all about applying the hacker mindset to cooking in an effort to make tastier food in less time. This isn’t a security talk, but it is geared toward people who think with a security mindset. Even if you have trouble boiling water or microwaving hot pockets you’ll walk away with a much deeper understanding of how to hack together something delicious. We’ll even provide a few of our favorite recipes!

Tim Crothers (@soinull)
Machine Learning Fueled Cyber Threat Hunting

Cyber Threat Hunting can be difficult to do well but most organizations have come to realize how critical it can be for their overall detection and response programs. In this session Tim will be releasing a new open source tool to aid your hunters in their efforts. We'll explore how machine learning can be used to both speed your hunts as well as help find things you might have otherwise missed. No expertise in machine learning required for this session, just a desire to find bad actors who may be lurking in your organization. You'll walk away with a new tool plus a knowledge of what ML can and can't do to help you find evil (hint: it's not magic despite what the security vendors say).

Michael Banks (@4mikebanks)
Bet You Won't Block Google: Evil APIs on the Rise

APIs are a significant utility in today’s information age. Some will argue it’s almost a necessity. While defenders will get better and better at looking at their environment, it is left to the attackers to utilize other methods to exfiltrate data to a source and method that the defender wouldn’t expect. APIs! Many companies implement APIs as extensions of their core products. Some companies implement APIs better than others and more securely than others. What happens when the attackers utilize the security and privacy measures that other companies provide through their API? I’ll show you. One of my favorites is Google, but there are many others. I’ll demonstrate how to exfiltrate data from environments from many different types of APIs you can leverage and show how it looks to defenders. I’ll also explain the importance of SSL inspection and the complicacies of utilizing it.

Paul Melson (@pmelson)
Unmasking Cybercriminals on the Open Internet

Cybercriminals operate under the presumption of anonymity during their intrusions and thefts. Using easy-to-apply analysis techniques to extract patterns of behavior from the tools used by cybercriminals, we can build profiles that offer us the chance to predict their next attack or even discover their real identities. This presentation will give real world examples of hunting real bad guys using data collection and analysis techniques available to anyone that wants to try. It will also contain zero references to "machine learning" or pictures of hackers in ski masks.

Russell Eubanks (@russelleubanks)
Lessons Learned ISAC – How to Get Wisdom as Cheaply as You Can

Our failure to learn from others' misfortune leads us down the same path as fellow cyber security practitioners, forcing us to learn our lessons the hard way. There is the easy way and there is the hard way. Both will be explored in this conversation, with a focus on how to learn our cyber security lessons the easy way, by intentionally connecting with fellow cyber defenders and actively avoiding the root cause(s) that led to their compromise(s). There is no need to share the details (or pictures), rather a need for us to openly share the things that as a result of incident response cause us to “always” and “never” do so long as we both shall live.

Tim Tomes (@lanmaster53)
Burping for Joy and Financial Gain

If you do application security and don't use Burp Suite, then you're likely doing it wrong. If you do use Burp Suite, then you know that Burp is chock full of features that are either counterintuitive in their placement or complicated to use. In this talk, my goal is to leverage experience gained from years in the field with Burp Suite to demystify some obscure features of Burp and share unintended ways I use the tool to be a more effective and efficient application security tester.

Jason Blanchard (@BanjoCrashland)
Inception Presentation

In less than 30 minutes, you'll smile, nod in agreement, be amazed, become incredibly self-aware of how you perceive information, and learn the basics of storytelling and audience persuasion so when you need to explain something to someone, they'll understand. Essentially this is a presentation on presenting presentations within a presentation he likes to call “Inception Presentation.” It will get way meta and you'll love it.

Josh Rykowski (@ryko212) and Sean Eyre (@oni_49)
Don't Google 'PowerShell Hunting'

The pervasiveness of PowerShell in today's networks speaks to its usefulness to admins and users alike. However, where one sees a useful tool for network administration the adversary sees a tool for general mayhem. We use this talk to discuss how to harden the enterprise against PowerShell based attacks and then hunt for these attacks while living off the land. During our discussion we will highlight current techniques and their weaknesses then discuss memory artifacts that may be discovered during and following PowerShell execution.

Ismael Valenzuela (@aboutsecurity)
Hunting Adversaries with Investigation Playbooks & OpenCNA

As SOCs mature and start to formalize their operations, they typically focus on preparedness, escalation process and incident response plans. However, even with these plans in place, SOCs report that 25% of the alerts are not triaged and that investigations take too long. Why so? In many cases, this can be attributed to the lack of a standardized investigation process and community wide tools that can be applied consistently & repeatedly over time, preventing less experienced analysts and incident responders from doing their job effectively.

Toni de la Fuente (@ToniBlyx)
Security Automation in the cloud

What was hardware is now software; it is just an API call. We deploy infrastructure the same way we deploy applications. That fact has many implications in security and automation. We can automate recon, attacks and lateral movement but also automate many incident response processes along with hardening. This talk will cover some generic concepts and challenges doing forensics in cloud vendors and it will go deeper to show some attack vectors and hardening for AWS in particular.

Tommy Chin (@tommychinjr)
Localization of Wireless Threat Actors and Evasion Tactics

Widely used throughout public space, mobile computing devices such as smartphones and Internet of Things (IoT) have littered the wireless spectrum with high volume network traffic. Traditional communication of these electronic devices uses wireless mediums such as, but not limited to, Wi-Fi, Bluetooth, Near-Field-Communication (NFC), GSM, and ZigBee. From an offensive perspective, the use of wireless as an attack vector can be a prominent approach as both unencrypted data communication channels and misconfigured networking devices can lead to security concerns for an end user. Localization of a wireless threat actor from a physical perspective presents a challenge as wireless networks provide service for a large area, and specifically--real-world (meatspace). This talk discusses techniques of wireless localization (physically locating a target using wireless measurements), tracking enhancements, and presents concepts of tracking evasion in Wi-Fi networks. Additionally, real-world experiments were conducted in high-density noise regions using robotic moving targets in a controlled environment. The results of such evaluation demonstrate the viability of Wi-Fi tracking.

Paul Burbage (@hexlax)
Necurs Botnet: Mass Distribution for all the Bad Things

This presentation will include the latest research on the Necurs botnet which has historically spammed lures for Locky ransomware, Dridex banking trojan, and most recently, Jaff ransomware. Paul has been monitoring this botnet for over two years and will discuss the history, infrastructure, and threat actors behind this Crimeware as a Service (CaaS) offering.

Brian Stucker (@b_stucker)
Building a Secure Environment for Operations using Docker

Running an environment with containerized applications can help drastically reduce security issues and mitigate risk while providing a flexible and consistent environment for development. This talk will focus on the orchestration of Docker Containers using existing configuration management framework with a focus on auditing, applying access controls, and leveraging best security practices. Specifically, audience members can expect to walk away with a better understanding of how to securely maximize their operational and developmental environments. This talk is meant for those interested in achieving a more secure and stable DevOps culture, or for those desiring a more robust personal developmental network. Audience members can expect to see a demo that will build on experience gained from a Case Study focused on building an environment for Industrial Security.

Bob Wheeler (@sailordoc)
Managing Your Cyber Career & Job Hunt

Despite the fact that Cyber Security / Info Sec professionals possess skills that are in great demand, in many cases operating in a negative unemployment environment (meaning more open jobs than qualified people), successfully landing a great job is not always a guarantee. This talk will help turn great cyber pros into great job seekers as well.

David Peeler and Keaton Sadoski
Simplified Home VPN Solution: A How To Guide

Overall, this will cover why the general public should be educated about privacy and VPNs as well as how to set up a home VPN using OpenSwan. With privacy becoming a thing of the past, VPNs are becoming more prominent. VPNs are a logical solution to this problem; however, not everyone utilizes a home VPN because not everyone realizes how easy it is to set up one. One of the simple solutions to this problem that not everyone may be aware of is running a Raspberry Pi with OpenSwan. With a Raspberry Pi, this means of obfuscation is comparatively cheap and easily reproduced, allowing for anyone to have a means of privacy. OpenSwan, the “de-facto VPN software since 2005”, delivers flexibility in its configuration, and is open source, limiting the cost of the home VPN as well as providing a community that supports the end user.

Jack Koons (@JackKoons)
Zero Days and Zero Trust Part 2: Microsegmentation, Critical Infrastructure Protection, and a World of Many

The role of microsegmentation, particularly when combined with advanced encryption and software defined networking, represents a powerful security solution in the world of critical infrastructure protection – to include operational technology (OT), industrial control systems (ICS), and supervisory control and data acquisition (SCADA) systems, as well as the emerging world of IoT/IoE. This talk builds on last year’s Security BSides Augusta presentation and will lay out the threat landscape and discuss microsegmentation tactics, techniques, and procedures to enhance security, mitigate threats, and ensure network resiliency.

Brice Self (@B__Selfless)
Probing Toms: Creepy hackers on your house doorstep

It's something simple and small that everyone has done or does every day. We leave our wireless cards on when leaving the house or simply not using them. What does this mean? Probe requests! So, what? Even when you're miles away from your home, a malicious person can find out where you live, which could lead to compromising your network or even worse.

Wes Widner (@kai5263499)
Say hello to my little friend - An introduction to iOS security and forensics

iPhone security is still a relatively obscure field. I'll walk you through a brief history of iPhone hacking, the current landscape of threats and exploits facing iPhone users, and finally I'll demonstrate forensics steps you can do without jailbreaking to test the security of your Apple mobile devices.

Tigran Terpandjian (@th3CyF0x)
Be a Human nMAP! – Cultivating a ‘Renaissance & Reconnaissance Approach’ for the Social Engineer

As a security analyst with an atypical entry into the information security world, one of my research questions posed in social engineering is why reading a diverse array of topics is beneficial to the social engineer, be it something they are passionate about or not. In building upon last year’s presentation at DefCon24's Social Engineer Village by Tomohisa Ishikawa: “Does Cultural Differences become a barrier for social engineering?” cultural differences presented by different countries place emphasis on different genres; therefore, what one person from a certain country holds dear, the other may not. Therefore, your pretexts and elicitations and the support required must be able to adapt. I have found this to be true. Reading like a renaissance individual (knowledgeable on a variety of topics but not …) ameliorates this challenge. The answer came from attending the Advanced Practical Social Engineering (APSE) bootcamp in 2016 and a self-reflection; all the reading I loved and hated as a child and as an adult has given me an extensive web to build rapport through as a social engineer. In my talk, I would like to discuss how to develop a strategy and which areas to focus on so you would be able to navigate even through the ‘darkest of waters’ and the ‘coldest of individuals’.

Daniel West (@reaperb0t)
The Homeland of Things (HoT) Framework

During 2016, we witnessed the resiliency of our adversaries as they transitioned from zombifying personal computers to zombifying vulnerable and easily accessed IoT nodes with the Mirai botnet. As an informed American citizen, you likely follow best practices for securing your personal computers, but when was the last time you updated the firmware on your wireless router or smart toilet? As a cybersecurity professional, what procedures will your company or government agency follow to detect and mitigate the compromise of IoT devices within your organization? As a Nation, we must greatly improve our ability to handle the growing prevalence and risks of the IoT within our homes, the varying levels of government, industry, and academia. We must prevent our adversaries from harnessing the power of our IoT devices to attack critical infrastructure.

Alek Rollyson (@0x2623)
Automating Event Log Production and Testing for SIEM Detection

When handling a large amount of detection input with limited resources, automation and proper reproducible testing is key to staying on top of the pile of signature fodder that keeps heading your way each and every day. One of the biggest struggles with nimble SIEM detection development is quickly and easily producing event logs to use as positive and negative test cases for detection content. In this session I'll talk about how our team’s testing methodology works, how our techniques could be applied generically to any SIEM, and the tools we have developed (two of which we'll be releasing to all of you) to facilitate event log production in the land of “Logs or it didn’t happen”.

Ernest "Cozy Panda" Wong
The Next Big Idea for Cyber Innovations--A Framework to Drastically Improve Cyber Defense (and Offense) Capabilities

Innovation is critical to improvements within our society and is a key component in the cyber domain. The growth of the Internet means that the tools for operating in cyberspace are constantly evolving. It has often been said, however, that the only innovation regarding cyber warfare is in offensive cyber operations. So where is the innovation for the defense? To defend cyberspace against our adversaries, is there sufficient defensive innovation taking place? And if such innovation is indeed happening, why does it seem as though attackers always seem to be several steps ahead of defenders? This presentation begins with an examination of four distinct types of innovation—breakthrough, disruptive, incremental, and sustaining.

Monica Jain (@mjainstanford)
Removing haystacks to find needles - playing to our strengths

We all have been fighting the cyber war with SIEMs to detect all the known attacks. In reality, the attack landscape is changing every day and we cannot predict all possible attacks ahead of time. As security experts we know our environment better than any attacker out there. We cannot ever possibly know all the bad things that have crawled into our environment, however, we certainly know about all known good things in our environment. Come learn about how we can put that knowledge into play and change the game from finding the ‘Needle in A HayStack’ to ‘Removing Haystacks to Find Needles’ with some real world customer case studies.

Sponsors:

Diamond Sponsors
Gold Sponsors
Silver Sponsors
Bronze Sponsors
Basic Support

Our In-Kind Sponsors, providing us with contest prizes and raffle giveaways.

Event Recording:

Events:

Lock Picking Village

FALE (@lockFALE) came together around a common idea of general curiosity and persuasion of the public’s “right to know”. Formally founded in early 2010, the individuals involved in the initial organization already had a history in and love for the practice of locksport and of having a better understanding of the mechanisms we rely on so heavily to keep us secure. Beginning with four members meeting monthly, we have quickly progressed to bi-monthly meetings. We talk locks, picks, general security and a smattering of other topics when meeting, all towards the end of a better knowledge of and ability to communicate the effectiveness (or lack thereof) of so many security measures in place in current society. We hope that through these conversations and our efforts publicly we will help to educate the larger community on the proper use and understanding of locks and security measures encountered daily.

NetWars: CyberCity

NetWars CyberCity is designed to teach warriors and infosec pros that cyber action can have significant kinetic impact in the physical world. As computer technology, networks, and industrial control systems permeate nearly every aspect of modern life, military, government, and commercial organizations are realizing an increasing need for skilled defenders of critical infrastructures. We engineered and built CyberCity to help organizations grow these capabilities in their teams.

CyberCity is a 1:87 scale miniaturized physical city that features SCADA-controlled electrical power distribution, as well as water, transit, hospital, bank, retail, and residential infrastructures. CyberCity engages participants to defend the city's components from terrorist cyber attacks, as well as to utilize offensive tactics to retake or maintain control of critical assets.

Read more HERE

Organizers:

  • Doug Burks | @dougburks
  • Mark Baggett | @markbaggett
  • Lawrence Abrams | @vpnpoker
  • Mike McDargh | @mmcdargh
  • Phil Plantamura | @philplantamura
  • Joanne Sexton
  • Ron Martin