Jayson E. Street is an author of the book “Dissecting the hack: The F0rb1dd3n Network” plus creator of the site http://dissectingthehack.com. He’s also spoken at DEFCON, DerbyCon, UCON & at several other ‘CONs & colleges on a variety of Information Security subjects.
His life story can be found on Google under “Jayson E. Street”. He’s a highly carbonated speaker who has partaken of Pizza from Beijing to Brazil. He does not expect anybody to still be reading this far but if they are please note he was chosen as one of Time’s persons of the year for 2006.
This is a talk on perspectives. I step outside of mine to see hacking around the world though different views. We will explore how companies who publish reports help skew the global perspective. We will look at how people from different parts of the world see hacking/ information security from their own perspective. We will hear a few tales of what I saw through my perspective of a stranger in a foreign land. We will then explore a small slice of history of a few hackers to gain a better perspective of where we have been, where we are now and where we are heading. This talk was not only created to entertain and enlighten the conference attendees to take a step back and look at what they themselves are a part of. It was made for them to share with friends, family and coworkers. So people on the outside could get a better understanding of what a hacker truly is and why being one is such a great thing to be!
Justin Troutman (@justintroutman) is a cryptographer with research interests in authentication encryption, HUMINT and SIGINT techniques, and optimizing the user experience of cryptographic products. He has worked with entities such as Microsoft, Google, Duke University, IEEE, and USENIX.
Mackerel is a cryptographic app design and development framework based on the premise that real-world cryptography is not about cryptography at all; it’s about products. Because it’s about products, it’s about people, and the need for a holistic product design and development process that respects the roles of the people involved (cryptographers, developers, and consumers) by only asking them to make decisions that lie within their respective areas of understanding, and of which they understand the consequences. With user experience as a core focus, Mackerel aims to inspire products that consumers want, while affording them the cryptographic benefits they need. The Mackerel framework is evolving along with a new cross-disciplined area of research, dubbed CRUX, or “cryptography + user experience,” which aims to pave the way for UX-driven real-world cryptography.
Bill Gardner (@oncee) is an Assistant Professor at Marshall University where he teaches in the Digital Forensics and Information Assurance program. He is the coauthor of “Building an Information Security Awareness Program: Defending Against Social Engineering Hacks and Technical Threats” scheduled to be published on July 14, 2014. He is also the co-founder and an organizer of Hack3rcon based in Charleston, WV and past-president of the Appalachian Institute of Digital Evidence (AIDE) based in Huntington, WV.
Most organization’s Security Awareness Programs suck: they involved ‘canned’ video presentations or someone is HR explaining computer use policies. Others are extremely expensive and beyond the reach of the budgets of smaller organizations. This talk will show you how to build a Security Awareness Program from scratch for little or no money, and how to engage your users so that they get the most out of the program.
Ryan Linn is a Managing Consultant with Trustwave’s SpiderLabs who has a passion for making security knowledge accessible. In addition to being a columnist with the Ethical Hacker Network, Ryan has contributed to open source tools including Metasploit, Ettercap, and the Browser Exploitation Framework (BeEF).
You put your credit card in, I take your cash out. Point of Sale systems and Cash Machines are frequently targeted but rarely discussed. This talk will be a frank discussion about the types of attacks Trustwave has seen and executed against these types of machines, where these systems are vulnerable from physical attacks to network and trojan attacks, and how to proactively deal with the problems.
Benjamin Brown currently works on systems safety, adversarial resilience, and threat intelligence at Akamai Technologies. He has experience in Non-profit, Academia, and the corporate world as well as degrees in both Anthropology and International Studies. Research interests include the psychology, anthropology, and sociology of information security, threat actor profiling, and thinking about security as an ecology of complex systems.
When gathering open source data and transforming it into actionable intelligence, it is critical to recognize that humans are not objective observers. Conscious and unconscious assumptions drive analysts’ choices about which data to analyze and how much importance to ascribe to each resource. Furthermore, analysts’ personal conceptual frameworks about reality and how the world works can undermine the process of objectively translating data into intelligence. These implicit assumptions, otherwise known as cognitive biases, can lead to missed data, skewed intelligence, illogical conclusions, and poor decision making. In this presentation I will illustrate some of the cognitive biases relevant to OSINT and what can be done about them.
Jason Gillam is a Senior Security Consultant with Secure Ideas. He has over 15 years of industry experience in enterprise software solutions, system architecture, and application security. Jason has spent most of his career in technical leadership roles ranging from startups to fortune 100 companies and has learned the business acumen necessary to advise everyone from developers to senior executives on security and architecture.
Jason co-built and managed an award-winning ethical hacking program at one of the world’s largest financial institutions. He also provided numerous application security training and awareness briefings to a large internal technical audience and led the development of best practices code and documentation for the the same. Jason is especially passionate about integration of security best practices with the SDLC.
Jason holds his GIAC Web-Application Tester certification. He has spoken at several local security conferences, is the author of the open-source Burp CO2 project (a really cool Burp extension) and has contributed to several others projects including laudanum, mobisec, and lyinbank.com.
Portswigger’s Burp Suite is a very popular and flexible intercepting proxy tool among web application penetration testers. It can even be easily extended to perform functions that are not directly available in the tool. During this talk Jason will provide an overview of Burp Extender and its API. He will then demonstrate several extensions bundled in his Burp CO2 extension suite.
Jimmy Vo has coined the phrase “Roundhouse-as-a-Service” and will one day start a company that offers scalable, on demand, and multi-tenant roundhouse kicks. When he is not planning world domination, you can find him training Jiu Jitsu and Muay Thai. Fun fact: Jimmy Vo is a washed up amateur MMA fighter with an 0-1 record. When he’s not punching faces, he is working at a midwest consulting firm.
One vital component to becoming, and remaining, an effective information security professional is the continuous pursuit of knowledge. This pursuit can take many forms. Some examples are reading books, hacking things, hands on training, attending conferences, and learning from your peers. This talk focuses on learning from your peers. To do so, one must first connect with them. We will explore how personality types and influence methods can be used to build a peer network. I will also share my own experiences on building relationships via social media.
Why does this matter? Making friends with people within the industry will help share or gather knowledge from real practitioner and create opportunities to work on exciting projects to make the community better.
Tim Fowler (@roobixx) is a Network Engineer for Sabai Technology. By day he develops open source routing platforms but when not at work he is most likely capturing packets from unknown sources. He has over 7 years of experience breaking into and exploiting wireless Internet systems as well as practicing his social engineering skills. While not his full time job, Tim has a passion for InfoSec but also educating people about the risks and dangers that are present today.
Tim is a frequent speaker in the Linux community as an open source evangelist as well as local security conferences with his numerous wifi talks.
In a world of always connected devices, we are consuming more bandwidth than over, and most of that is happening over the air waves via wifi. Our reliance and demand for a constant stream of data being delivered to us is only getting worse but what is so bad about that?. If you are using wifi to then it could be BAD and much worse than you may have imagined.
This talks focuses on some of the weakness of the 802.11 specification and how those weakness can be used to gain access, capture critical data and completely take over systems with the aid of wifi. We will look at some current and emerging 802.11 wireless threats, as well as the tried and true ways that still work after many years and the tools/devices used to do so.
The sheer amount of data that we are broadcasting from our devices is astonishing but how someone can use even the simplest bit of data may change the way you function on when on wireless.
Do not have an arsenal of wireless attacks in your pentest kit??? Let me show you why you need to change that! It’s a gold mine out there!
Ron Parker (@scmunk) is the Senior Enterprise Security Architect for Unum, the leading group and individual disability insurance provider. Ron has decades of experience successfully designing and developing secure application and infrastructure solutions in a complex and regulated environment. He has worked to implement security process improvements through establishing security frameworks and integrating security by applying architecture practices. He is the architectural and technical lead for a large identity and access management solution, service and API security, enterprise authentication/authorization frameworks, and various other systems that are required to secure any company. Lately he has been forced to talk endlessly about cloud security. Ron is also a non-reluctant CISSP.
You may not always use cryptography, but when you do, make sure you use it correctly. The truth is that if you are a developer you can no longer avoid cryptography. In today’s environment you need to know how to make the right choices for the situation in order to deliver secure solutions.
This interactive and demo-filled talk will explain the basics of cryptography and expose the developer to a wide range of useful cryptographic methods.
Paul Coggin is an Internetwork Consulting Solutions Architect with Dynetics, Inc in Huntsville, Alabama. Paul is responsible for architecting and securing large complex tactical, critical infrastructure and service provider networks. Paul’s expertise includes tactical, service provider and ICS\SCADA network infrastructure hacker attacks and defenses as well as large complex network design and implementation. Paul’s experience includes leading network architecture reviews, vulnerability analysis and penetration testing engagements for critical infrastructure networks.
Paul is a frequent speaker on cyber security offense and defense issues related to service provider and critical infrastructure. He has presented at conferences around the world including DeepIntel, DerbyCon, BSides, Hacker Halted, COUNTERMEASURE, TakeDownCon, DeepSec, SCADA [in]Security and the DoD Cyber Crime Conference. Paul is a Cisco Systems Certified Instructor # 32230, Certified EC-Council Instructor and a certified SCADA security architect. He has a BS in Mathematics, an MS in Computer Information Systems and is currently pursuing an MS in Information Assurance and Security. In addition he holds a wide array of certifications from Cisco, EC Council, ISC^2 and others.
The telecommunications networks are one of our most important critical infrastructure assets. In fact all of the other critical infrastructure domains are dependent upon the telecommunications critical infrastructure for operation for example ICS\SCADA. In this talk we will discuss a quick overview of telecommunication architectures and operations for border gateway protocol (BGP) services with references to the recent BGP prefix hijacking attacks. The discussion will then pivot to how Multi-protocol Label Switch (MPLS) networks may be attacked in telecommunications networks. Could it be that the MPLS networks are being attacked similar to BGP? How would someone go about targeting MPLS networks? The MPLS discussion will provide an overview of MPLS VPN’s and MPLS traffic engineering architectures and operations including packet captures of label traffic for reference. Attack vectors for targeting MPLS networks will be addressed in addition to a couple new ideas for gathering intel from MPLS networks. Recommendations for monitoring and securing BGP and MPLS networks will be discussed as well.
Hank Leininger has been breaking stuff and building stuff for a while. While playing defense, he wrote the HAP-Linux kernel hardening patches in the late ’90′s, which have been a part of GRSecurity since the 2.4 kernel series. In 2004, Mr. Leininger co-founded KoreLogic, Inc, an expert security consulting practice. He does not have any interesting letters after his name.
The tl;dr of my talk is: Make enterprise passwords 5-6 orders of magnitude harder to crack. PathWell is both a new way of looking at password complexity, and the name of some tools we developed to audit and enforce passwords that are more difficult to crack.
First I will give some high-level overviews to give the audience some common ground and context: review traditional password cracking techniques (wordlists, mangling), and traditional enterprise defenses (length, complexity rules, rotation). However, those defense approaches have led users to predictable behavior, to which attackers have adapted. Meanwhile the rise of GPU power and slow adoption of stronger hash types have provided attackers with substantial advantages. I will then go through some case studies of enterprises where KoreLogic has cracked 95+% of all password hashes, and show how these trends are borne out in real-world examples.
Next I will introduce several new defensive techniques that would deprive attackers of these advantages, and then show how we have implemented each of them in the PathWell proof-of-concept. (This will actually be the longest single section of te talk.) KoreLogic runs the Crack Me If You Can password-cracking contest at DEFCON. In 2013′s contest, we included some password sets that implemented some of the PathWell enforcement options. I will review that data to show how effective they were. Lastly, I will discuss the next steps for the PathWell project.
Denny Deaton is a Manager with Gotham Digital Science (GDS), based in Charlotte, NC. He possesses over ten years of career experience working in the security industry and is a seasoned security professional with deep technical and business risk knowledge of web and mobile application security, system and network security, fraud detection and prevention, and physical security. Additionally, a vast knowledge of application development and software life cycle. Gotham Digital Science is an international security services company specializing in software security testing and consulting services in the web and mobile space. At Gotham Digital Science, Denny is responsible for delivery, quality assurance, training, managing security engineers and assisting clients with security-focused needs. GDS clients number among the largest financial services institutions and software development companies in the world.
Join us as we cover several recent security breaches, and provide insight around the impact and estimated costs of a breach. Our team will discuss trends from recent security breaches, first-hand knowledge and results from network security assessments that we’ve performed, along with many common pitfalls and mistakes made during network scanning and penetration testing that often lead to open gaps and security exposures. As we walk through our methodology, we’ll share some of our own tricks and secrets that ensure a thorough penetration test. The efficiencies gained with our approach leave more time for manual testing, evaluating the true risks of security issues discovered, and determining the best approach for closing gaps to secure your external perimeter.
surpherdave left his native home of Hawaii in pursuit of a job as a red teamer. Having secured said job, he moved to Charlotte where is works as a red team member for a large organization. His love of camping and the mountains is a perfect fit for he and his wife Brook, and looks forward to many more engagements with the security community on the East Coast.
Social Engineering is a timeless profession, practiced by many and perfected by some. Join me in exploring well known tactics as well as the newest generation of tools and techniques that you can leverage in testing organizations and helping to protect Social Engineers.