Cryptocurrencies & Anonymity: The Good, The Bad & The Future
Cryptocurrencies are seeing an enormous uptick in use. While much of that use shows through the media as illicit or crime
oriented, cryptocurrencies are seeing widespread legitimate use for transfers without the wiring fees, gifts, remittances,
basic retail transactions, and as an alternative to an unstable fiat currency
(think Argentina, South Africa, Brazil, Myanmar, Malaysia, and Indonesia).
So much business is being done via cryptocurrency that the United States IRS just served a "John Doe" summons to Coinbase
(currently the largest cryptocurrency exchange) requesting the identities of United States Coinbase customers who
transferred any convertible virtual currency from 2013 to 2015 to ensure proper reporting and compliance under U.S. tax law.
In this talk I will explain what cryptocurrencies are and what related blockchains are.
I’ll then give an overview of the current markets and valuations as well as the up and comers.
With that foundation we can look at the erroneous claims of cryptocurrency “anonymity” and reveal how open transaction
ledgers work. I will continue with current research, tools, and techniques for forensic cryptocurrency transaction analysis.
We’ll then turn to techniques transactors use to further obfuscate their transaction trail and what the weaknesses of those
techniques are. Finally, we’ll look at the current innovations targeting cryptocurrency privacy concerns, how they work,
and what challenges they face.
Benjamin Brown currently works on darknet research, threat intelligence, incident response, adversarial resilience, and systems
architecture safety review at Akamai Technologies. He has experience in the non-profit, academic, and corporate worlds as well
as degrees in both Anthropology and International Studies. Research interests include darknet and deepweb ethnographic
studies, novel and side-channel attack vectors, radio systems, the psychology and anthropology of information security,
and thinking about security as an ecology of complex systems.
Doomsday Preppers: Fortifying Your Red Team Infrastructure
Steve Borosh, Jeff Dimmock
The sky is falling! Nation state 0days are up for auction, blue teams are hacking back, Red Team infrastructure is being pwned.
Pandemonium! It’s time to hunker down and strengthen your Red Team infrastructure. In this talk we’ll discuss tactics for
Red Teams to reduce the risk of getting your infrastructure shut down. We cover traffic bending with mod_rewrite,
C2 redirection, and counter-recon techniques. Don’t worry Blues, we provide detection and mitigation methods to
protect your bunker-- or organization.
Steve Borosh (@424f424f) is a long-time security enthusiast, prior U.S. Army Infantry Combat Veteran, and private security
contractor. Currently working as a Penetration Tester, Red Teamer, and Instructor with Veris Group’s Adaptive Threat Division,
Steve enjoys bug hunting, building useful security tools and teaching. Steve has presented at Hack Miami (x2), HackFest D.C.,
Jeff Dimmock (@bluscreenofjeff) is a pentester/red-teamer for Veris Group's Adaptive Threat Division.
He has performed penetration tests and red team engagements for a number of large organizations.
Jeff has a passion for social engineering and offensive tradecraft development.
Cyber Resilience: what is it and why should I care?
With the increase in breaches and other security incidents, a new concept has come to the fore: “cyber resilience”.
Some tout it as the next step in cyber security. What is it, and why should the information security professional care?
Cyber resilience goes beyond just preventing and then responding to incidents; it looks at how organizations can prevent,
detect, and recover from the impact of incidents by working to make systems more resilient to impacts.
This is not just recovery. We will look at the model for cyber resilience: Resilia, from the group that oversees ITIL and other standards,
as well as the work going on here in the US with the Global Forum to Advance Cyber Resilience and others.
Michael Brown, CISSP, HCISPP, CISA, CISM, CGEIT, CRISC, ISSA Fellow, has been involved with IT for over 20 years, more than
half in information security. Moving from a security admin to a global security architect, he has been working for the last
few years as an IT security consultant working with clients to implement information security management systems as well
as performing security risk assessments, gap analysis, and developing policies and procedures. His research interests include
IT/Security frameworks and compliance, the Internet of Things, and mobile device security.
Creating a security tool in 30 minutes. Come learn how to create and bootstrap your security tool idea
with the creator of things
In this presentation Jason will start with a brief overview of proven problem solving techniques to identify a problem.
He will then begin the process of creating a potentially profitable solution in 30 minutes. Python, a popular scripting
language, will be used to demonstrate how powerful this tool is to create a proof of concept. This presentation will
provide a walk-thru of a real life example of a security tool idea being created. The audience can engage in
this interactive presentation as they begin their transformation into a creator of things.
Jason Bunch is the Founder and CEO of ThoughtSplosion, a technology company in the heart of Downtown Miami. Previously,
Jason worked as CTO of Vijilan Security, a Fort Lauderdale based Security Company. At Vijilan, Jason oversaw all
operations and led the vision for product development. He also has spent over ten years in the financial industry,
including more than three years as a hacker for Citigroup protecting the world’s largest financial services network.
Jason is a passionate, enthusiastic, and goal driven visionary. Being a natural leader with a wealth of knowledge in
the technology and security industry, he encourages people around him to tap into their greatest potential enabling
them to create awesome technology.
By the end of the presentation, one will see how ideas come to life and will walk away inspired to create
the next big security tool!
Interactive Offense and Incident Response
Joe Partlow / Jonathan Echavarria
Join us as we walk through a real-world threat scenario as we play out both the offense and defense roles. If you are currently
doing one or the other, this is the perfect opportunity to see how the other side thinks, counters and how they react after each
escalation point. Audience participation is encouraged!
Jonathan Echavarria works as a Red Team Operator for ReliaQuest, an IT Security Services company based out of Tampa, Florida.
His areas of interest focus on stealthy offensive operations, malware and exploit development.
Joe Partlow is the CTO of ReliaQuest, a leading Information Security services provider. Joe currently oversees all new
research and development efforts, new product initiatives as well as all infrastructure, internal corporate security and compliance.
Joe has been involved with Infosec in some capacity or role for over 20 years, mostly on the defensive side but always
impressed by offensive tactics. Current projects and interests include forensics, threat intelligence, security metrics
& automation, red/purple teaming and artificial intelligence.
Don’t Get Caught Em-bed: Finding and Preventing Vulns at its Lowest Level
It's no secret that embedded systems surround and control our daily lives. Embedded device and
system manufacturers have long prioritized code quality and/or user experience over application security. As devices become
more interconnected to each other, it is becoming apparent that change is needed throughout the industry. Utilizing millions
of vulnerable embedded devices, we have witnessed some of the world's largest DDoS attacks in 2016 as a result of neglecting
fundamental secure coding principles. Join me as we discuss common embedded application security threats.
Aaron Guzman is a Principal Security Consultant from the Los Angeles area with expertise in web application security, mobile
application security, and embedded security. He has previously worked with established tech companies such as Belkin, Linksys,
Symantec and Dell, breaking code and architecting infrastructures. With Aaron’s years of experience, he has given a number of
presentations at various conferences ranging from DEFCON and OWASP’s Appsec USA, to developer code camps around the world.
Furthermore, Aaron is a Chapter leader for the Open Web Application Security Project (OWASP) Los Angeles,
Cloud Security Alliance SoCal (CSA SoCal), and a Technical Editor for Packt Publishing. He has contributed to
many IoT security guidance publications from CSA, OWASP, Prpl, and others. Aaron leads the OWASP Embedded Application Security
project; providing practical guidance to address the most common firmware security bugs to the embedded and IoT community.
You can follow Aaron’s latest research on twitter at @scriptingxss
controls, and best practices.
The rise of security assistants over security audit services
Mobile applications have not only become an everyday part of our lives, but they have also become a part
of 21st-century culture. Corporate IT and security professionals have the same needs as typical customers who manage only
personal information. To understand security, users should keep in mind what happens with their OS, applications, and data, and divide
risks into a vulnerability group and a privacy group. The first group refers to actions that break either the application or the OS.
These are usually designed to rarely involve any user action to break security mechanisms and get access to user data.
The second group refers to privacy issues and describes cases when data is stored or transmitted insecurely. Developers ignore
data protection until they face something or someone that makes them implement protection as it should have been designed.
Developers' privacy policies describe how much every developer cares about data and protects everything, and assure users that his app
provides 100% guarantees. Many security companies develop their risky applications to show customers how well their data is
protected. They use (or develop their own) automatic scanners to analyze application code and provide an auto-generated report.
Even so, none of them can clearly say which data items are protected and how bad that protection is.
In other words, should a user worry about an unprotected HTTP connection if he does not know what data is transferred over it?
Downloading news might be acceptable; transmitting device information, geolocation data and credentials over the network
in plaintext is not acceptable. The same goes for an out-of-date OS: is the previous version bad enough to rush into an update or not?
How many user data items are consumed by 3rd party services like Google/Flurry analytics? The last question is usually how
much money user data is worth. The cheapest software costs less than $50; the average one costs 10 times more, and
forensics software costs from over a thousand dollars up to $20,000 and gives access to a thousand devices and a million data items.
The saddest part of this story is the 'Speed-to-market' idea, which helps them grab data from a thousand improperly
protected applications, especially if customers use the same data across more than one application and have at least one
badly protected application. The more of the same data is shared between applications and the more applications you use,
the higher the risk of data leakage customers eventually face. A new set of security challenges has already been raised.
To answer this, we have been examining many applications in order to make the results widely useful and available to
IT and security professionals as well as non-technical customers, so they can stay informed about app insecurity.
The goal is to integrate and introduce security and data privacy compliance into mobile application development and management.
It helps to educate customers in a useful security & privacy mindset. Spreading information in different ways such
as bulletins, an EMM integrated monitoring service, or simple reports is a way to solve insecurity issues and help to
reduce risks when using mobile applications.
Yury Chemerkin has ten years of experience in information security. He is a multi-skilled security expert on security & compliance and
mainly focused on privacy and leakage showdown. Key activity fields are EMM and Mobile Computing, IAM, Cloud Computing, Forensics & Compliance.
He has published many papers on mobile and cloud security, and regularly appears at conferences such as CyberCrimeForum, HackerHalted, DefCamp, NullCon, OWASP,
CONFidence, Hacktivity, Hackfest, DeepSec Intelligence, HackMiami, NotaCon, BalcCon, Intelligence-Sec, InfoSec NetSysAdmins, etc.
cookieMOnstruo: hijacking the social login
Martin von Knobloch (Kl8mour)
With this talk, we want to revive the interest in the largely ignored method of web application account compromise through cookie stealing,
by introducing a new PowerShell module "CookieMonstruo", which aims to be the default post-exploitation tool for session hijacking.
Through the use of this tool we will show the implications of lax session management controls in web applications, especially the ones
providing a social login functionality. What are the possibilities after session hijacking has been achieved? Password reset?
Account compromised? Money transferred? By the end, we should convince you that cookies can sometimes be a more interesting loot than passwords.
Martin von Knobloch is a Senior Security Consultant at FortConsult (Part of NCCGroup), Denmark. Apart from his role as a pentester and
security advisor, he enjoys evangelizing the regular citizens about what a dangerous place the Internet can be, while advising them how to
engage in safe IT security practices. Tired of getting the usual question that immediately follows after introducing himself as a
white-hat hacker: “Oh, does that mean that you can hack my [insert social media site/e-mail provider/etc.]?”, he decided to embark on a
journey of discovering a practical hacker’s approach to achieving this goal.
Going beyond a breach or initial damage, let’s examine the minds of the hackers. What drives them to succeed, what makes them fail?
It is a difficult task to understand the internal motivations of a hacker, beyond the obvious, and rarely does anyone try. The practical approach shows the opposite:
understanding a hacker’s thinking may lead to a reversal of their ill-gotten gains. Using practical examples from the largest breaches of today,
we will get inside the hackers’ mind and find out how to stop them.
Alex Holden is the founder and CISO of Hold Security. Holden is credited with the discovery of many high-profile breaches including Adobe Systems,
the initial vendor breach that led to the discovery of the JPMorgan Chase breach, and the independent discovery of the Target breach. Considered one of the leading
security experts, he regularly voices his professional opinion in mainstream media.
Detection of webshells in compromised perimeter assets using ML algorithms
Rod Soto / Joseph Zadeh
This presentation will focus on the use of machine learning techniques and analytics to detect compromise of perimeter assets via webshell. Presenters
will go over how unpatched, forgotten & even party web servers can serve as unexpected door openers and provide attackers with a pathway inside
the perimeter. What are webshells? What are the most common webshells used? Why use a webshell? What recent exploitation campaigns have used
webshells? Presenters will also show how by using ML algorithms and analytics it is possible to detect web server exploit chains, and react faster
and prepare for these types of attacks.
Rod Soto has over 15 years of experience in information technology and security. He is a security researcher and secretary of the board of Hackmiami. He has spoken at ISSA, ISC2, OWASP, DEFCON, BlackHat, RSA, Hackmiami, Bsides and also been featured in Rolling Stone Magazine, Pentest Magazine, Univision and CNN.
Rod Soto was the winner of the 2012 BlackHat Las Vegas CTF competition and is the founder and lead developer of the Kommand && KonTroll competitive hacking Tournament series.
Joseph Zadeh studied mathematics in college and received a BS from University of California, Riverside and an MS and PhD from Purdue University. While in college, he worked in a
Network Operation Center focused on security and network performance baselines and during that time he spoke at DEFCON and Torcon security conferences.
Most recently he joined Caspida as a security data scientist. Previously, Joseph was part of the data science consulting team at Greenplum/Pivotal focused on Cyber Security
analytics and also part of Kaiser Permanente's first Cyber Security R&D team.
"-ExecutionPolicy Bypass" Living off the land with Powershell and WMI
Evan Wagner (Haxhatlon)
Multi staged exploitation techniques using PowerShell. Presentation will go over capabilities to subvert execution restrictions, credential stealing, reconnaissance,
passing tickets, setting up persistence and at the end presenter will show a C2 that uses only PowerShell to issue and set up encrypted tunnels to issue commands and
remotely control machines in real time over different types of DNS queries.
Evan Wagner has been in the web development industry since the mid-late 90s. He got his start when he would go to the library on Howard AFB, in Republic of Panama,
to upload his websites, via floppy disc, to Geocities. He purchased his first domain name (Webmastersland.com) in 1999 and started his hosting company in 2000.
It was about that time he became a Linux breakfast cereal kid, installing Linux on everything and taking on any tasks he could to prove to people the power of Linux.
After years of this he found himself in positions of increasing responsibility. Just to name a few: DBA for Florida Cancer Specialists ($1Bn+ yearly revenue),
various DevOps roles, Networking roles (BGP, SS7), International SMS/MMS communication engineering (tracing messages from handset to handset as well as deploying solutions to carriers)
at Interop Technologies, Sr. Software Architect and currently Systems Software Engineer within Security Engineering at Akamai Technologies.
An introduction on how to effectively create and distribute broadcast content including audio, video, and radio programming, with a special focus on technical subjects
such as coding and hacking demos, electronic projects, and just plain fun.
Tom Morris has been a mostly self taught radio engineer and electronics technician for over two decades, working with
microcontrollers, entertainment systems, audio production, broadcast and radio systems. He started out building relay logic controls for
pump systems at the age of 7 and somehow arrived at building and maintaining radio broadcast systems via a wild ride past way too many
blown electrolytic capacitors.
Yashvier Kosaraju / Hariram Balasundaram
OAuth is one of the most popular authorization frameworks in use today. All major platforms such as Google, Facebook, Box, etc. support it and you are probably thinking of implementing
OAuth for your product/platform. We are not debating the popularity of the protocol or the limitations that come with it. We are here to help you implement it securely.
When you use OAuth, there are three pieces - The Platform, the Application (using the platform) and the User (of the application). We will go over the common flaws we have seen
in applications built on an OAuth platform which can lead to complete account takeover, how they can be a security engineer's nightmare, and how to fix them.
We will go over security controls that the platform can put in place to help mitigate security vulnerabilities.
We will also cover how bad design decisions, if chained with otherwise lower risk vulnerabilities can result in gaping holes in your OAuth implementation.
You will leave this session with a deep understanding of how OAuth implementation should be secured both for a platform and in an application and things to test for
during a security evaluation of OAuth implementations.
Yash is a security enthusiast and is currently working as a Security Engineer with Box where he is responsible for securing Box's
applications on all fronts. Prior to Box, Yash was a Security Consultant with iSEC Partners where he performed security engagements
for top technology firms in the Silicon Valley. He has previously spoken at BSides 2016. He holds a Master's degree in Security
Informatics from Johns Hopkins University.
Hari has been hacking applications and networks for 6 years. He has previously worked at EY's Advanced Security Center and performed
attack and penetration assessments for Fortune 500 companies across US and Canada. At his current gig, he is responsible for Security
Assurance at Box, identifying vulnerabilities that may impact Box's applications and infrastructure and more importantly - helping fix them.
Repurposing Adversarial Tradecraft
Today’s threat surface is defined by the actors that develop and employ advanced adversarial techniques.
These techniques directly affect how red team and pen test engagements are conducted to an extent.
This talk will dive into mechanics and tool development of these TTPs (Tactics, Techniques and Procedures).
Using multiple languages I will cover a few implementations I have developed directly to help aid engagements,
as well as how we can relate them to practical red team engagement scenarios to help deliver effective tests to our customers.
We will also cover the tradecraft that can be gleaned from these actors, and how we can implement this into how we operate as
red teams and testers.
Alex Rymdeko-Harvey (@killswitch_gui) is a previous U.S. Army Soldier who recently transitioned and currently works on the
Sony Global Threat Emulation team as a Red Teamer. Alex's focus is on adversarial emulation and TTP creation to drive modern
day engagements. Alex has a wide range of skills and experience from offensive to defensive operations taking place in today's
Abusing “Accepted Risk” With 3rd Party Command and Control
Justin Warner / Jon Perez
In mature networks, defenders stand guard utilizing strong boundary defenses to protect users, detect adversaries, and prevent
compromise. However, within these boundary walls exist gaping holes for seemingly innocent services - the unideal result of
practical use. While some adversaries are stopped at the boundary, many threat actors have risen to the occasion bringing new
capabilities that work to evade current defenses by utilizing innocent 3rd party services as an obfuscation layer. This layer,
made up of services like Dropbox, Google Apps, Twitter and more, has allowed actors to blend in with the “accepted risk” that
so many organizations rubber stamp.
This talk will analyze the threat landscape surrounding 3rd party command and control vectors to show the tactics and
techniques used in real world malware samples. Next, the talk will transition to demonstrate to the audience how simple it
can be to implement these attacks while providing sample snippets of code and demos of the techniques as well as possible
detections. Using the techniques in this talk, red team members will be armed to replicate these threats and expose their
blue team counterparts to methods being actively used. Additionally, blue team members will be called to action and introduced
to heuristic based analysis of these malicious 3rd party activities.
Justin Warner (@sixdub) is a hacker and researcher with experience in offensive and defensive roles. Justin is an Air Force
Academy graduate and former USAF Cyber Ops officer. As a red team lead, he gained experience targeting Fortune 100 corporations as well as federal,
state, and local government organizations. Justin has a passion for threat research, reverse engineering, threat replication development and
red team operations. He is a cofounder of the PowerShell Empire project, actively develops on numerous open source projects and has spoken
at several conferences including CarolinaCon, BSidesLV and several other BSides events.
Jon Perez is a security research engineer focused on network defense. He got his start in information security as a tinkerer
and student then worked as a cyber operations specialist in the Army. In his free time, Jon likes to analyze malware,
investigate network traffic, and develop tools to help find bad things.
Hacks and Crafts: Improvised Physical Security Tools for Improvised Situations
Ever start unpacking your kit on a physical security assessment and then you realize you left your under door tool at home?
This talk will teach you how to head into the hardware store and make whatever tools you need. I'll demonstrate live on stage
how to build several physical security tools on the fly!
Jeff is a penetration tester at NTT Security. He started his career working in regular old IT and quickly fell in love with
security. Jeff is involved in the local community from giving talks at local events, teaching lockpicking monthly at
Tampa Hackerspace and serving on the board at Bsides Orlando. He also enjoys brewing and drinking snobby craft beer
like a hipster.
Hardware Hacks with MCU Boards
In this half hour, we'll take a whirlwind tour of current microcontroller unit (MCU) hardware platforms and consider how
they relate to next generation network hacks as well as attack and defense of MCU derived embedded systems. We'll observe
several demonstrations using milliwatt grade low power embedded systems and serial communications (possibly including controller
area network or CAN.) Examining several human serving use cases, we'll review machine to machine communications and IoT
relevant messaging for tips on IP and non IP defense strategy. Finally we'll prototype design an embedded battery operated
appliance using our knowledge of MCU technology.
Michael Schloh von Bennewitz is a computer scientist specializing in network engineering, embedded design, and mobile platform
development. He speaks four languages fluently and presents at research events every year, and has presented for groups
including Black Hat, CCC, Cable & Wireless, Mobile World Congress, Linux Foundation, Nokia, Ubuntu, and Droidcon.
Michael's IoT knowledge profits from years of work at telecoms and relationships with industry leaders.
He is an Intel innovator, Samsung partner, and Mozilla contributor with the mandate to promote IoT technology.