Keynotes (50 Minute)
- Robert Graham - "Attack of the Clichés"
- Abstract: Increasingly, it appears that infosec professionals are being abducted by aliens and replaced with Markov chain bots -- programs that simply string together stock phrases. Consider that person on the other end of the long conference call, trying to justify another layer of anti-virus, because "defense in depth". How do we know it's an actual person? They haven't said anything original in the 30 minutes they've been talking. Indeed, where do these clichés even come from? Who was the first to apply "defense in depth" to infosec in the first place? What does it even mean? This iconoclastic talk explores these clichés, not debating whether they are right or wrong, but how they've lost all meaning. The goal is to prove we are humans, able to discuss a concept without resorting to these clichés.
- Bio: Created:[BlackICE,IPS,sidejacking,masscan]. Doing:[blog,code,cyber-rights,Internet-scanning]. Unethical coder, according to the EFF.
- Cyber Squirrel 1 - "35 Years of Cyberwar: The Squirrels are Winning"
- Abstract: Despite years and years of rhetoric concerning the weaknesses in the electronic defenses of the power grid there has yet to be one long term power outage directly caused by a cyber attack. Policy makers are routinely warning about the risk to the electric grid and yet there are no confirmed power outages caused by a cyber attack. While cyber attacks have not yet taken out the power, squirrels have, hundreds of times a year. This talk will examine previous claims of infrastructure cyber attacks such as the Brazil blackout, Turkish pipeline explosion, German steel plant blast furnace and the recent power outage in the Ukraine among others. We will also examine decades of confirmed attacks by squirrels, birds, snakes, and other animals. We will break down our meticulously gathered data of cyber squirrel attacks by country, number of people impacted and length of outages and compare that with the same data caused by cyber attack. #cyberwar4ever
- Bio: Chief Intelligence Minister for the Cyber Squirrel militia
- Jon Oberheide && Michael Hanley - "Extrapolating from Billions of Access Security Events"
- Abstract: At Duo, we see billions of authentication and access events each year from tens of thousands of customers across diverse user and device populations. "BIG DATA", or whatever the cool kids are calling it these days. We'd like to share some of that data with you, since tiny hard-to-read graphs and pie charts make for super compelling presentations. Spoiler alert: Everything is broken and vulnerable. But we'll keep our glasses half full and opine on how we, as an industry and practitioners, can and should be doing better. The future of security is bright...but it's still five years of breach headlines away.
- Bio: jono = cto @ duo, mhanley = labs @ duo
FULL Length (50 Minute)
- Vyrus - “Crimewave 101”
- Abstract: What is “crimeware”? Crimeware is software designed exclusively to commit crime. Usually (but not always), crimeware is written using very poor “best practices”, and yet, is typically highly effective against its intended targets (despite the efforts of “information security professionals”). Why? Because most “Information security professionals” are not tasked with preventing the types of crime that most crimeware is designed to commit. Most crimeware is designed to commit theft (usually of money), and most theft is not done by exotic criminals with fancy gadgets and well funded backers, nor does it look like anything out of an Ocean's 11 scene. Most crime is done by desperate and/or opportunistic people in order to acquire wealth as fast as possible. Which is why it usually is done with a crow bar and a ski mask rather than some lockpicks, a proxmark, or a laptop. Within this nexus between the reality of crime and the ill compared seductiveness of “espionage” is where our story “and this presentation” begins…
- Bio: Vyrus is some guy who for some unholy reason enjoys researching the efficacies of subjectively elegant crime (hypothetical or otherwise). Since the only method of conducting research on crime from a first hand perspective is to commit crime(s), he does not admit to ever having been directly or indirectly involved in the commitment of such crimes, or, associating with any known criminals. And since the only people who DO admit to such things are either now or have at one time been found guilty by a criminal justice system, he advises you to not trust anything anybody has to say on the matter who chooses to discuss such things without provocation (including himself) and instead compare his presented research to that of your own material (should you so allegedly choose to do so).
- Daniel "unicornFurnace" Crowley - "Cleaning up Magical Crypto Fairy Dust with Cryptanalib and FeatherDuster"
- Abstract: The gap between academic development of cryptanalysis techniques and their practical application is wide. The application security community was in awe in 2010 when Duong and Rizzo were able to apply Vaudenay's 2002 padding oracle attack technique to not one but three major frameworks, ASP.NET, Ruby on Rails, and Java Server Faces. There are various tools being developed for certain applications of these attacks, but they tend to implement at most a handful of different attacks. One of the difficulties is that flawed cryptography can exist in lots of different kinds of technologies; cryptography can exist in pretty much any place normal data can! As a result, performing practical cryptographic attacks often requires writing your own custom tool. This can be beyond the scope of a pen test due to time restrictions. It may also be beyond the skill of a tester to implement a given attack.
Enter Cryptanalib: A library implementing various crypto attacks to make writing crypto attack tools easier! But how do you use it if you can't write code?
Enter FeatherDuster: A modular, wizard-like interface to make using cryptanalib as simple as possible, sometimes even requiring the user to write no code whatsoever!
This talk will discuss some common cryptographic mistakes and show how to use Cryptanalib and FeatherDuster to exploit them.
- Bio: Daniel has worked in infosec since 2004, is the author of the Magical Code Injection Rainbow, and denies all allegations of unicorn smuggling.
- Natalie Vanatta - "ARRR Maties! A map to the legal hack-back"
- Abstract: Defense of the nation (and by extension its citizens) is the only task that the Constitution tells the federal government that it must do. All other powers are just authorizations that the government can choose to use. But, what happens when the government is ill-equipped to handle the defense? Today, we are bombarded by both nation-state and non-state actors operating within cyberspace with the goal to steal our property, harm our livelihoods, and destroy our way of life. In the early days of the nation, we faced a similar dilemma on the high seas which resulted in the issuance of letters of marque and reprisal to private citizens and corporations. At the time, our government could not field and maintain a naval force that could defend the nation and its citizens. This talk will draw parallels between the nation’s situation then and our situation today with respect to cyber security. Utilizing legal statutes and lessons learned over the last two hundred years, I will propose a methodology that enables private groups to petition for the right to become privateers and “hack back” their foreign attackers.
- Bio: Natalie Vanatta is an Army Cyber Officer currently exploring the cybersecurity challenges facing the Army 5-10 years in the future.
- Nick Espinoza && Zach Flom - "OPSEC on the Darkweb: The good, the bad and the ugly"
- Abstract: Recorded Future analysts have analyzed how the dark web (TOR) is being used for the good, the bad, and the ugly.
We focus on a few use cases:
* Threat actors and their poor OPSEC across open/deep/dark web
* Specific market places and poor obfuscation and configuration of services
* Uniquely identifying data points for hidden services
* How and where hidden sites/services are commonly flagged on the open Web
* A discussion of what might be a good use of TOR (social dissent), bad (child exploitation), and ugly (focus on data around terror support networks)
We leverage open source collections and analysis tools, custom network scanning tools, and private sources in our research.
- Bio: NJE and Zach Flom are Threat Intelligence Analysts at Recorded Future. Flom and Espinoza have supported the DoD and IC as analysts.
- Robert Lei - "Privacy's Past, Present and Future"
- Abstract: I believe in privacy not paranoia. Come join me on an adventure through the history of privacy violations and legal/illegal abuses in the United States over the past few hundred years. Let us reflect on current topics of privacy abuses and make some educated guesses on the potential future of privacy and the concept of privacy throughout the world.
- Bio: Robert hails from California and has been a part of the infosec scene since 2000; he loves privacy, security, and good beer.
- Jonathan Lampe - "Hack All the Candidates"
- Abstract: For the past 18 months, Jonathan Lampe has been explaining how IT security professionals can use their skills to get an idea of how secure another party is - without actually hacking them.
With the 2016 presidential campaign in full swing, Lampe applied these techniques to the web sites of 17 different candidates and came away with some surprising results, including the fact that most of the candidates he surveyed published a full list of all their usernames!
This presentation dives into the technical details of Lampe's analysis and allows attendees to discuss where they would draw the line between "observing very closely" and outright hacking.
A live demonstration of typical candidate site reconnaissance is expected as we look at the current security profile of candidates today.
- Bio: Lampe has been in software and IT security since 2001. He runs Security Awareness for the InfoSec Institute and is a frequent author.
- Daniel Liber - "Security ResPWNses - Dos and Don'ts of security disclosures"
- Abstract: In the modern era, breaches have become (unfortunately) a matter of daily news. The recent events show that the probability of a breach becomes higher and higher, as the attacks are becoming more sophisticated and targeted. Unfortunately, the incident response processes are still focused on IT and network breaches rather than looking at the entire range of security incidents that grew rapidly with the introduction of new technologies, concepts and platforms.
In this lecture we will go over the classification of 'new era' security breaches and try to understand better how they differ from classic ones, along with analyzing the current frameworks of handling them (and pointing out the obvious gaps). Also, we will cover examples from the past year regarding bad practices of incident responses and learn the basic concepts that should be covered in the 'customer facing' incident response.
Lastly, we will offer some guidance on what tools are available for lightweight operational incident response and how one can utilize them in order to improve the reply and act for each incident or disclosure.
- Bio: Security manager/researcher, community enthusiast, curious by nature and spends most of his time learning what else can go wrong.
- Jordan Rogers && Guillaume Ross - "Real solutions from real incidents: save money and your job!"
- Abstract: This talk will cover scenarios from real incidents and how simple solutions that are very cost effective can be used to prevent them from occurring.
* A scenario based on real incidents will be presented.
* The typical state of security in enterprise will be presented.
* Specific gaps that allowed the incident to occur and for data to be exfiltrated will be scrutinized.
For each observation, a review of how enterprises are protecting themselves, successfully or not, as well as what can be done to potentially prevent the incident from occurring in the first place will be performed.
The presentation will conclude with a discussion on the importance of incident response lessons learned being leveraged to further guide decisions related to security program development.
- Bio: Jordan and Guillaume are senior consultants at Rapid7.
Guillaume focuses on security programs, and Jordan on incident response.
- Joel Sandin - "The Complete ESP8266 Psionics Handbook"
- Abstract: The ESP8266 SoC has fast become a hugely popular platform for developing IoT applications. The reasons for this are obvious: it's affordable, provides wireless connectivity, comes in a small form factor, and includes a fully-featured Tensilica lx106 core onboard powerful enough to run fully-featured embedded operating systems. The manufacturer, Espressif, also provides an SDK, a port of FreeRTOS, and a cloud-backed IOT platform for embedded devices. A new generation of developers are flocking to the ESP8266 and being introduced to C and systems programming in the process. But few realize that beneath the veneer of accessibility lurks a Pandora's box of perils straight out of the 90s...
This talk will focus on exploiting memory corruption vulnerabilities for platforms hosted on the ESP8266. We will provide an overview of the Tensilica lx106 core, cover testing and development workflow, and use real bugs to motivate a discussion of internals of multiple platforms including the Espressif IOT Platform based on FreeRTOS and NodeMCU firmware core. This research is based on experience code reviewing, fuzzing, and developing attacks against both vendor SDKs and open-source libraries for this hardware.
Attendees will understand the risks facing users of this new class of devices. Pentesters will learn how to review applications built for this hardware platform and determine the impact of bugs they identify. Defensive security practitioners will get an inside look at attacks against software written for the ESP8266.
- Bio: Joel works as an independent security researcher and has recently focused on security in embedded systems.
TURBO Talks (25 Minute)
- Devin Lundberg - "Knox: Dealing with Secrets at Scale"
- Abstract: Key management is a fundamental piece of security infrastructure. As companies scale, the number of different API secrets, cryptographic keys, passwords, and other secret values grows at an increased rate. These secrets need to be stored in a way that provides confidentiality and integrity, and that developers can understand and use. Additionally, in any organization, potential breaches will happen and secrets will need to be changed and rotated, but mechanisms for supporting proper cryptographic rotation (such as that built into keyczar) are unsupported. Knox is the first open source project that combines these two important pieces of functionality into one system. It also provides strong operationability, as well as ease of use for developers. During the presentation we will compare it to existing solutions for storing keys/secrets including Vault and Keywhiz.
Knox is a service built by and used at Pinterest. Knox provides confidentiality and integrity for secrets and fits into a micro service systems architecture. It also provides important best practices for handling failure such as rotation capabilities for all keys and better operationability features. Knox will be open-sourced in early 2016.
- Bio: Application Security Engineer @ Pinterest. Previously researched aircraft security @ UCSD. Contributor to keyczar.
- octalpus (Jesika McEvoy) - "Overcoming Imposter Syndrome (even if you’re totally faking it)"
- Abstract: Imposter Syndrome has been oft discussed in the context of gender or other minorities and mentoring, but these discussions have left out the greater truth – nearly everyone in the infosec community experiences this phenomenon. This talk is designed to approach the topic from a broader perspective. It will contain tips on not only overcoming this ourselves, but how to use this confidence to be a mentor and role model to others.
This talk highlights the challenge current and emerging researchers encounter – feeling supported in pursuing a research path and speaking authoritatively when the cutting edge nature of infosec is counterproductive to building confidence in your own expertise. If we want to continue to be a research-focused community, we need to address some of the underlying issues that are contributing to the stagnation and drain of the brain trust.
- Bio: Ninja, brewer, snowboarder, noiser, and an expert at faking expertise.
- Chris Carlis - "Securitygenic: Fighting User Apathy and Indifference"
- Abstract: We, as information security professionals, are not good at convincing people to care about information security.
We may be passionate, intelligent, and dedicated in the pursuit of defending our organizations but, when it comes to motivating our co-workers to employ even the most basic of security measures, our efforts often fall flat.
Motivating people is a problem that often does not align well with our core skillsets. Yet, as attackers today look to compromise organizations, social engineering attacks against employees are an increasingly attractive option. Ranging from remote and impersonal to local, personal interaction, these attacks rely upon our users making bad security decisions.
We, as defenders, deploy numerous technical countermeasures in an effort to remove the responsibility of security from the user. These systems are often both expensive and easily bypassed. Additionally, user security training is mandated but easily misses the mark and can lack real lasting effectiveness. We must continue to look for additional solutions to strengthen the weak end-user link in our defenses.
In this talk we look at expanding our usual methods of user education and leveraging non-conventional resources to amplify and increase the lasting effectiveness of information security training, enlisting the help of individuals with the training, experience, and understanding in what is needed to motivate a largely apathetic base into incorporating better security behavior into their everyday lives.
Our information security programs need Marketing.
We will discuss some of the benefits of incorporating marketing into your security program. We will cover some of the political, business, and interpersonal challenges that may arise and strategies for overcoming them. Finally we will discuss methods of popularizing this practice outside our individual organizations.
- Bio: Chris Carlis, a Dell SecureWorks Red Team member, enjoys grassroots InfoSec communities & investigating finer points of Impostor Syndrome.
- Rob Weiss && John Eberhardt - "Playing with Pictures: Adult Coloring on the Internet"
- Abstract: We approach analytics as an extension of the human brain, rather than trying to make the analytics behave more like a human. We want to “see” abstract data and open the way to gamification of network operations, such as the crowdsourcing network defense. At THOTCON 0x6 we provided a discussion and demo of our immersive network data visualization concept with five open-source components: i) an open source sensor, ii) an open source streaming ingest engine, iii) a curation layer that uses a pluggable Python library, iv) a construct that creates a visual language of networking to interface the platform and other services, and v) a set of visualizations that provide immersive, intuitive visuals of the data.
Since THOTCON 0x6, we have focused on developing the analytics, visualization library, sensor tools, and the user framework to make the system simpler, easier to deploy, and easier to play with and use the tools. For THOTCON 0x7, we want to provide an update presentation and demonstration of the system, but also want a live alpha demo running throughout the Con on live data that attendees can play with (so, if possible, we would like to present early). We will present and demo:
1. An overview of our approach, conceptual and physical architecture
2. We would like to either sensor a specific address space of the THOTCON 0x7 OPEN network, or set up a separate wireless network (with full disclosure) and provide tool access so that we can demonstrate the system live throughout the con. We would like to set up:
a. Network sensors (either on THOTCON 0x7 OPEN network or a network we set up)
b. The streaming, curation, and visual language engines
c. Monitors that will allow con attendees to see live data visualizations, and the ability to create their own traffic on the network and see what it does to the visualizations
3. We would demo the platform live in our talk and then be around to help folks play with it
- Bio: Rob Weiss is a senior systems engineer with 24+ years experience; John Eberhardt is a Data Scientist with 20+ years experience.
- JP Smith && Eric Hennenfent - "Turning Credential Harvesting Into Credential Clearcutting: Phishing 2FA Systems"
- Abstract: Two-factor authentication is being touted by many as the "next big thing" in security, and as such is increasingly being adopted by enterprises. Of course, as with any highly-hyped security technology, there exist numerous flaws, and even the most mature implementations can be bypassed. The first half of this talk goes over the design, implementation, and effectiveness of a credential harvester the authors built that steals both username-password pairs and two-factor authentication tokens. The second half focuses on practically mitigating attacks like these, and provides suggestions and guidance for people currently rolling out two-factor authentication to avoid and detect this kind of attack in their environments.
- Bio: JP and Eric are hackers at UIUC who enjoy programming things. If their combined exploits fit in 140 characters, they'd be pretty sad.
- Jibran Ilyas - "Prime Time Cyber Heists – Reporting from the Trenches!"
- Abstract: In this era of Advanced Persistent Threats (APT), organizations have increased spending on IT security, but for the most part, it has not proven to be fully effective against sophisticated attacks. In the recent past, we have witnessed large data breaches at major companies causing the loss of Intellectual Property or consumer PII (Personally Identifiable Information). As the Security Program matures for high profile companies, the motivated attackers also adjust their Techniques, Tactics and Procedures (TTPs) for the perfect heist. This session will contain a case study of a data breach where attackers didn’t find the need for malware as a persistent communication channel, and used WMI and Powershell to carry out a successful data extraction mission. The lessons learned from the trenches as the lead investigator of several high profile breaches will be shared in this session, which shall result in actionable takeaways to improve the security posture and response capabilities of your organization. A live demo will also be shown to illustrate the new age attacks.
- Bio: Jibran Ilyas is a Director of Global Incident Response at Stroz Friedberg. He leads the development of Threat Hunting capabilities, mainly the hunt for Advanced Persistent Threats (APT) and Point of Sale (POS) adversaries. He contributes to the innovation in incident response methodology and the development of in-house tools to improve efficiency. He serves as one of the firm’s investigative leads for high profile data breaches and leverages the experience in the field to the benefit of organizations seeking proactive risk assessments. Jibran is also an Adjunct Faculty at Northwestern University teaching their first ever Digital Forensics course.
- Paul Vann - "Cyber Vulnerabilities of America's Pipe Lines"
- Abstract: This is Paul Vann (the younger one from ShmooCon) and I just wanted to let you know that I have decided my topic for Thot Con. My topic will be the Cyber Vulnerabilities of America's Pipe Lines. I will be talking about the vulnerabilities in the pipe line systems and how unethical hackers are attacking them. I will also be explaining what the potential hacker could do to the system and how he could affect it. I am going to have my grandpa who has worked in the pipe line and gas system his whole life explain how the pipe line system's technology has evolved, and I can use this information to explain to the audience how over the years the pipe line system has become more susceptible to cyber attack. I hope this is a topic you will decide is worth sharing at Thot Con and would love to get any feedback back.
- Bio: Son of a security guy
- David Bryan - “You sunk my battleship!”
- Abstract: This talk will cover breaking out of a Docker container, and other fun things that you can do to crack a docker instance, and the VM that the docker instance is running on.
- Bio: David Bryan has been in the information security industry for over 16 years. He has presented research at Black Hat, DEF CON, THOTCON, and many others. David also volunteers at DEF CON, supports the local DC612 Group, and is part of the board for Thotcon (a hackers conference based in Chicago). When he's not working, he is building a local WirelessISP, welding, biking, gardening, or enjoying a beer.
- metacortex - "Don't be stupid on GitHub"
- Abstract: You may be surprised (you probably shouldn't) at all of the sensitive information people put on GitHub. If you look, you can find everything from database passwords, RSA private keys, and even unix shadow files. Not only will I show you how to find all this awesome data but I will show you how to harvest as much of it as possible as well as some password analysis on the passwords that were found.
- Bio: Currently a native of SLC and founder of the 801 Labs hacker space as well as responsible for reviving the local DEF CON group, DC801.
- Ronnie Flathers - "Abusing Linux Trust Relationships: Authentication Back Alleys and Forgotten Features"
- Abstract: Passwords are weak, and generally speaking, the less a company relies on them, the better. Instead of using password authentication for multiple services and sending passwords (or hashes) all over the network, companies have started trying to adopt more password-less authentication mechanisms to secure their infrastructure. From SSH bastion hosts to Kerberos and 2FA, there are many controls that attempt to limit attacker mobility in the event that a single account or password is compromised. This session will be a "walking tour" of bypass techniques that allow a small compromise to pivot widely and undetectably across a network using and abusing built in authentication features and common tools.
Starting with a simple compromise of an unprivileged account (e.g. through phishing), this session will discuss techniques that pentesters and attackers use to gain footholds in networks and abuse trust relationships in shared computing resources and "jumphosts". The session will demo common tricks to elevate privileges, impersonate other users, steal additional credentials, and pivot around networks using SSH. The presentation will culminate with a discussion of 2FA for SSH access, and how compromises elsewhere in a network can be exploited to completely bypass it. Since these tricks and techniques utilize only built-in Linux commands, they are extremely difficult to detect as they look like normal usage.
The demo environment will mimic a segmented network that uses Kerberos and two-factor authentication on SSH jump hosts. It is based entirely off real-world experiences and setups that pentesters from Cisco and Neohapsis have encountered.
- Bio: Ronnie is a Sr. Security Consultant with Cisco Advisory Services (formerly Neohapsis) where he gets paid to break into networks and apps.
- Andrew Hoog - "Improving mobile security with forensics, app analysis and big data"
- Abstract: The velocity of change in the mobile ecosystem requires new techniques to secure mobile devices. This talk will explain how we can address this challenge by combining global data from mobile devices and app store metadata with static, forensic and dynamic app analysis to create a powerful, data-centric approach to mobile security.
- Bio: Andrew Hoog is a mobile security researcher, expert witness and the CEO and co-founder of NowSecure.
- John Bambenek - "Corporate Espionage Without the Hassle of Committing Felonies"
- Abstract: Pentesters and corporate spies alike have a desire to get their hands on the secret information of their corporate targets. Normally this involves recruiting and turning insiders, social engineering or intrusions into corporate networks. The reality is that a good deal of information is already lying around in the open available for the taking if the hunter knows where to look.
This talk will highlight new techniques of passively mining security data (such as repositories like VirusTotal) to uncover sensitive documents, private encryption keys, security configurations and proprietary code on the target. As an example, by running a simple yara rule it was trivial to retrieve over 10,000 private ssh keys. This talk will cover the hunting techniques to retrieve this data as well as sensitive documents that can be immediately weaponized for a penetration test or for monitoring competitors.
- Bio: John Bambenek is a Sr. Threat Analyst at Fidelis Cybersecurity and runs several private intelligence groups.
- Vaagn Toukharian - "Social Untrust"
- Abstract: Value of the information is stressed enough in concerns of the modern technocrat society. Information sometimes is equal to money, or there is some indirect connection between these two elements. The talk is going to talk about the new type of value that information can represent and aspects of loss or alterations of that information.
New types of values are those that just appeared with technology and may not be connected to real values, e.g. ePride, eFitness, eEducation.
Let's take one example, ePride. An online community based service (Strava.com) that is used by cyclists or other endurance athletes to show off their achievements, is quite popular and has a user base that spends tremendous time and resources to just achieve specific fitness goals on the site. A new type of danger is the user data alteration that is possible in systems like Strava. Sites like DigitalEpo are examples of the new hackery that is happening. We have a concept of an even better tool for that purpose, which makes you the king of the mountain on the hill of your choice, instantly.
People are faking virtual achievements that may eventually destroy the value of the system overall.
The talk is going to present an analysis of other eValue systems, and the dangers those face.
- Bio: Principal Engineer for Qualys's Web Application Scanner. He also helps to run OWASP Armenia chapter.
- grecs - "Deploying a Shadow Threat Intel Capability: Understanding YOUR Adversaries without Expensive Security Tools"
- Abstract: In the presentation that threat intel vendors do not want you to see, open source and internal data meets home grown resources to produce actionable threat intelligence that your organization can leverage to stop the bad guys. This presentation discusses and shows examples of using what you already have to bootstrap this capability using existing data management platforms with open and flexible schemas to ease identification of advanced threats. Specific topics covered include the advantages of using open and flexible platforms that can be molded into a data repository, a case tracking system, an indicator database, and more. By analyzing this data organizations can discover trends across attacks that help them understand their adversaries. An example nosql schema will be released to help attendees create their own implementations.
- Bio: grecs has two decades of industry experience, undergraduate & graduate engineering degrees, and a really well known security certification.
- Benjamin Brown - "Mo Money Mo Problems: The Clean(ish) Cashout"
- Abstract: The hardest part of cybercrime is the cashout. The strategy for cashing out needs to be easy enough to make it worth your while and safe enough to stay out of the clink. With more and more focus on identifying and stopping credit card fraud, cybercrooks are diversifying their methods for cashing out. While criminals can, and do, sell whole and bundled online retailer accounts, credit card data, and fullz, I want to look at how they get their grubby paws on that cold hard cash. Let's dig into the tools, techniques, and procedures used by this new generation of e-launderers and cyber hustlers.
Understanding the lifecycle of a financially motivated cybercrime is an important part of successfully and efficiently defending against it. When we have insight into the tools, techniques, procedures, motivations, methods, and ecosystems driving these attacks, we are afforded the opportunity to build defense in depth that specifically targets the weaknesses and load-bearing assumptions of the attackers. This talk is not a general hand-waving at the topic of "cybercrime", but instead an in-depth exposition showing currently active tools and methods, non-public case study information, and defense tactics that are actively and successfully being employed right now.
- Bio: Benjamin currently computers on the darknets and holds like at least 7 darkwebz.
- Parker Schmitt, Matt Dyas & John Valin - "A Major New Trend in the Enterprise is Whitelisted Proxies"
- Abstract: Enterprises (and by enterprise we mean large companies, not Java) love their perimeter because, well, let's face it, everything's broken inside. However, they still want their employees to have internet access, as it is critical, but they have a flat network. The current trend is whitelisting all traffic and doing an SSL man-in-the-middle. Our goal is to show that this does absolutely nothing, by exfilling through commonly whitelisted platforms and using steganography to hide all the data. We have written tools that allow covert communication through YouTube and Twitter to establish a reverse shell. Using the steganography from the exfil toolkit (which will be released under the GPL), we will incorporate steganography into YouTube comments so that even with SSL decryption it just looks like a drunk YouTube commenter. With Twitter there is text stego, but images can also contain steganography. We will also discuss polymorphism in stego algorithms to evade heuristics.
- Bio: Matthew is a student at the Illinois Math and Science Academy. He likes red-teaming and participating in CTFs, and he has somehow managed to stay out of trouble so far. In addition to breaking things, he likes making things that fly as well. John enjoys Security and is currently studying at Illinois Mathematics and Science Academy. When he gets free time from the academic rigour of IMSA, his other interests include triathlons, building and flying drones, the drums and video games. Parker was the guy who nearly hit you with a drone at thotcon for the past couple years. He also likes fun ways to defeat blinky boxes.
- Anita Nikolich - "Cybersecurity Research: Pushing the Boundaries"
- Abstract: The National Science Foundation (NSF) funds $70M annually across all cybersecurity research areas, including cryptography, cybereconomics, anti-censorship, vehicle security, digital currency, privacy, dark web analytics and many more. We look for radically novel approaches to security problems and never know what the results of the research may look like. Some of the recent interesting projects include: analyzing online anonymous marketplaces in the wake of Silk Road; enhancing anonymity networks against pervasive attacks; and identifying insider threats at financial institutions. This talk will give a brief overview of the NSF Secure and Trustworthy Cyberspace (SaTC) program and present some of the more interesting research results we've seen.
- Bio: Anita Nikolich is Program Director for Cybersecurity in the Division of Advanced Cyberinfrastructure at the National Science Foundation (NSF).
Prior to her work at the NSF she served as the Executive Director of Infrastructure at the University of Chicago. Past assignments include positions in networking and security at Aon, Worldcom and the U.S. Marine Corps.
- Alex Pinto - "Sharing is Caring: Understanding and measuring Threat Intelligence Sharing Effectiveness"
- Abstract: For the last 18 months, MLSec Project and Niddel collected threat intelligence indicator data from multiple sources in order to make sense of the ecosystem and try to find a measure of efficiency or quality in these feeds. This initiative culminated in the creation of Combine and TIQ-test, two of the open source projects from MLSec Project. In this talk, we have gathered aggregated usage information from intelligence sharing communities in order to determine if the added interest and "push" towards sharing is really being followed by the companies, and if its adoption is putting us on the right track to close these gaps. We propose a new set of metrics, in the same vein as TIQ-test, to help you understand what a "healthy" threat intelligence sharing community looks like, and how to improve the ones you may be a part of today! We will be conducting this analysis with usage data from some high-profile threat intelligence platforms and sharing communities.
- Bio: Alex Pinto is the Chief Data Scientist of Niddel and MLSec Project, doing data science in infosec to automate our work and even the odds.