AutoRepeater: Automated HTTP Request Repeating With Burp Suite
Justin Moore
Length: 50 Minutes
Location: Track 1 at 1600
Talk Description: Burp Suite is an intercepting HTTP Proxy, and it is the de facto tool for performing web application security testing. While Burp Suite is a very useful tool, using it to perform authorization testing is often a tedious effort involving a "change request and resend" loop, which can miss vulnerabilities and slow down testing. AutoRepeater, an open source Burp Suite extension, was developed to alleviate this effort. AutoRepeater automates and streamlines web application authorization testing, and provides security researchers with an easy-to-use tool for automatically duplicating, modifying, and resending requests within Burp Suite while quickly evaluating the differences in responses.
Bio: Justin Moore works for NCC Group as a Senior Security Consultant. He hacks things and does stuff, sometimes it’s the other way around.
BinDbg: Easy Windows Debugging for Binary Ninja
Dave Kukfa
Length: 20 Minutes
Location: Track 3 at 1430
Talk Description: IDA Pro -- the "gold standard" of binary analysis tools -- is very good at what it does, but it comes with a hefty price tag that is usually only justifiable to professional reverse engineers. Several alternatives have begun to challenge the status quo of reversing tools, including Binary Ninja: a powerful, affordable static-analysis tool. While I attempted to convert to using Binary Ninja, I often missed the fusion of static and dynamic analyses that IDA provided, and existing Binary Ninja debugger integrations were not designed with Windows users in mind. So, I wrote a plugin that syncs WinDbg to Binary Ninja to combine Binary Ninja's static analysis features (such as the disassembly graph and the IL) with the power of dynamic analysis (such as virtual function table resolution and knowing the outcome of branch instructions).
Bio: Dave Kukfa is a hobbyist reverse engineer by night and a security engineer focusing on corporate security by day. He graduated with a B.S. in Computing Security from RIT in 2017 and currently lives in the San Francisco Bay Area. You can find him on Twitter @kukfa_ and on his blog at https://kukfa.co.
Building the Panopticon: Centralized Logging and Alerting With Free Tools
Matthew Gracie
Length: 50 Minutes
Location: Track 2 at 900
Talk Description: The goal of Jeremy Bentham's Panopticon was to allow a single watchman to observe everything going on in a large building. This is similar to what threat hunters and blue teamers want - a single point to observe all the potentially malicious activities happening on a network. This talk presents one toolset that can provide this visibility using a mixture of no-cost and open source tools deployed on commodity hardware.
Bio: Matthew Gracie has over a decade's experience in information security, working to defend networks in higher education, manufacturing, and financial services. He currently works as a Security Analyst for AIX Group, a Hanover Insurance company. He enjoys good beer, mountain bikes, Debian-based Linux distributions, and college hockey, and can be found on Twitter as @InfosecGoon.
Civic and Humanitarian Open Source
Timothy Duffy
Length: 20 Minutes
Location: Track 3 at 1400
Talk Description: This presentation will include existing projects in Rochester and other cities around the nation, as well as resources for getting involved with Civic Hacking projects and the Free and Open Source community.
Bio: Timothy Duffy is a Computer Engineer by day, and Civic Hacker by night. His passion for Free and Open Source Software (FOSS) and Civic Engagement has led him to be involved with dozens of Civic Hacking projects.
Detect Me If You Can
Ben Ten
Length: 50 Minutes
Location: Track 1 at 900
Talk Description: As long as there is a "Patch Tuesday", and software has bugs, there will always be an attack vector against which defensive controls are unable to defend. This is because most defensive strategies have focused on stopping attacks at their initial vector. In this talk, I will go over how I attack and bypass most deflection controls and go under the detection radar. I will then highlight the areas where defenders can begin to build a detection defense which will identify attacker behavior regardless of the initial vector. I will run through attacks I have used, which bypass several deflective controls, and show you how you can create detection controls to detect me; that is, if you can.
Bio: Ben Ten is a Senior Security Consultant with TrustedSec doing penetration testing and consulting. He has spent over 15 years doing Application & Web Development; Security Implementation, Consulting, & Training; Federal Regulation and Compliance oversight in relation to Information Technology (HIPAA, HITECH, PCI); and managing a team of developers and IT professionals. He is creator of the PoshSec Framework and works with the PoshSec development team. He has spoken at several conferences over the past 5 years including ShowMeCon, DerbyCon, BSides Chicago/Raleigh/Dallas Fort Worth, HackCon Norway, and more.
Ducky-in-the-middle: Injecting keystrokes into plaintext protocols
Esteban Rodriguez
Length: 20 Minutes
Location: Track 3 at 930
Talk Description: This talk will cover the basics of protocol analysis using Wireshark and lead into analyzing two custom application protocols used for extending the mouse and keyboard of a remote system. The two applications covered are HippoRemote, an iOS app to use an iPhone as a trackpad and keyboard, and Synergy, an application to allow for control of multiple operating systems with one mouse and keyboard. By performing a MITM attack, an attacker can abuse these protocols to send keystrokes to a remote machine to gain remote code execution similar to a USB rubber ducky attack. The talk will also discuss mitigations, and open source code will be provided for exploitation.
Bio: I am a Security Consultant at Coalfire Labs. I primarily perform network and web application penetration testing. I worked previously at Apple Inc performing intrusion analysis and incident response. Outside of work I blog at n00py.io and perform independent security research. I have authored multiple penetration testing tools and have presented at Bsides Puerto Rico covering penetration testing techniques.
Easily Deploying and Optimizing Open Source Web Application Firewalls
Chaim Sanders
Length: 20 Minutes
Location: Track 3 at 900
Talk Description: It’s been over a decade since the initial release of the OWASP Core Rule Set (CRS), a set of open source web application security controls written in the ModSecurity SecRules language. In that time, CRS has become the de facto standard for various WAFs and expanded capabilities to cover everything from basic UTF-7 XSS to Java Deserialization and everything in between. In this talk we’ll discuss how both traditional and modern web environments deploy CRS, the features of upcoming releases, and how to deal with common issues that may be encountered.
Bio: Chaim is the Security Lead at ZeroFOX, which provides comprehensive social media protection for enterprises. Outside of ZeroFOX he teaches for the computing security department at the Rochester Institute of Technology. His areas of interest include web security with a focus on defensive web technologies. Chaim contributes to several Open Source projects including ModSecurity and OWASP Core Rule Set, where he serves as the project leader.
How the Cookie Crumbles: Modern HTTP State Persistence
Chaim Sanders
Length: 50 Minutes
Location: Track 1 at 1000
Talk Description: In this talk, we review known attacks fundamental to the design of cookies and mitigation strategies. Additionally, we compare how various browsers and libraries handle cookies and the security implications that follow. Lastly, we investigate new technologies that are vying to replace cookies and how they might be used to effectively solve the issue of storing state information on the client-side.
Bio: Chaim is the Security Lead at ZeroFOX, which provides comprehensive social media protection for enterprises. Outside of ZeroFOX he teaches for the computing security department at the Rochester Institute of Technology. His areas of interest include web security with a focus on defensive web technologies. Chaim contributes to several Open Source projects including ModSecurity and OWASP Core Rule Set, where he serves as the project leader.
How to "hack" point of sale systems
Forrest Fuqua
Length: 20 Minutes
Location: Track 3 at 1500
Talk Description: A look into the unknown world of Restaurant Point of Sale systems and how insecure they are.
Bio: Currently an IT Security Auditor; worked as a nationwide point of sale support specialist for several years, working on a wide range of point of sale systems and how they were maintained and secured.
IoT 4n6: The Growing Impact of the Internet of Things on Digital Forensics
Jessica Hyde
Length: 50 Minutes
Location: Track 1 at 1400
Talk Description: Gartner predicts that by 2020 there will be more than 20 billion connected "things," not including smartphones, in the world. That's 20 billion things collecting data, 20 billion potential "technological witnesses." How does this impact forensics and investigations? How can you create an investigative hierarchy to ensure your time is properly spent investigating these devices, their apps, and the cloud or other areas where IoT might store data? How do you determine what's relevant and help investigators or operational personnel to see where the data fits into the larger context of their efforts?
Bio: Jessica Hyde has experience performing computer and mobile device forensics in both the commercial and government sectors. Jessica has 14 years’ technical experience and holds an MS in Computer Forensics from George Mason University. She is the Director of Forensics for Magnet Forensics (USA) and an Adjunct Professor at George Mason University where she teaches Mobile Forensics.
IoT Botnet Detection System using Machine Learning
Jonathan Myers
Length: 20 Minutes
Location: Track 3 at 1330
Talk Description: IoT Botnets recently became a destructive weapon against the internet domain, most notably Mirai and the up-and-coming Reaper botnet. Our research focuses on determining which features are most relevant in detecting botnet activity and designing a machine learning infrastructure to detect anomalies. Our talk will provide a high-level overview of our system, which features a method for dynamically generating profiles about known device traffic and signatures for anomaly detection.
Bio: Jonathan Myers is currently pursuing his Bachelors of Science in Computing Security while also working as a Research Assistant at the Rochester Institute of Technology. His areas of interest include binary exploitation, web application security, and security tool development. Jonathan is also an active member of the Security Practices and Research Student Association at the Rochester Institute of Technology.
IoT Devices - And why they desperately need help.
Issa Hafiri and Christian Halbert
Length: 20 Minutes
Location: Track 3 at 1300
Talk Description: The security of IoT devices has been a trending topic ever since the term itself was first coined. The correlation between IoT and cyber insecurity intensified after a number of major incidents that specifically targeted these devices. This talk covers a penetration test that we performed on a number of surveillance cameras which we randomly purchased on Amazon. We will cover the entire process from the moment the product was received to developing exploitation scripts.
Bio: Christian Halbert - Computing Security BS student from Hunt, NY. Applied Research Assistant for the RIT SAFE Lab and IoT enthusiast. Issa Hafiri - Computing Security MS student from Bethlehem, Palestine. Applied Research Assistant for the RIT SAFE Lab and Penetration Tester.
Keynote
Matt Mitchell
Length: 50 Minutes
Location: Track 1 at 1100
Talk Description:
Bio: Matt Mitchell is a hacker, security researcher, operational security trainer, and data journalist who founded & leads CryptoHarlem ( https://twitter.com/cryptoHarlem ), impromptu workshops teaching basic cryptography tools to the predominately African American community in upper Manhattan. Matt trains journalists as an independent trainer for Global Journalist Security in digital safety & security. Matt spends his time training activists in operational and information security. His personal work focuses on marginalized, aggressively monitored, over-policed populations in the United States. Currently he is a 2016 Mozilla Foundation / Ford Foundation Open Web Fellow, embedded at Color of Change, a civil rights / social justice organization. Matt is an Internet Freedom Festival 2016 Fellow, a New America 2016 CyberSecurity Initiative Fellow, an Institute For The Future “Future For Good” Fellow, and an advisor to the Open Technology Fund. He worked as a data journalist at The New York Times and a developer at CNN, Time Inc, NewsOne/InteractiveOne/TVOne/RadioOne, AOL/Huffington Post, & Essence Magazine.
Learn How to Expect the Unexpected: Unusual & Unexpected Findings in Incident Response
Adam Dean
Length: 50 Minutes
Location: Track 2 at 1000
Talk Description: The pace of data breaches has reached epic proportions. Organizations large and small, in every industry, are falling victim to hackers, hacktivists and nation states. Incident Response is a dynamic process where the unsuspected often becomes the root cause. From insider threats to unauthorized access with a bit of extortion, it isn’t always what it seems. Take a walk with us down some seemingly normal paths that lead to the unexpected. Real security incidents, unusual situations.
Bio: Adam Dean is a Security Specialist with GreyCastle Security and Practice Manager of Incident Response. Adam has over 4 years of proactive and reactive incident response experience in a wide range of industries, including healthcare, higher education, critical infrastructure, and other prominent industries. Adam consults with clients who are experiencing security incidents ranging from malicious infections to data breaches. Adam is a graduate of the University of Advancing Technology with a Bachelor’s degree in Technology Forensics.
Lightning Talks
You!
Length: 50 Minutes
Location: Track 3 at 1530
Open source SAST and DAST tools for web app pen testing
Drew Kirkpatrick
Length: 50 Minutes
Location: Track 2 at 1500
Talk Description: This session will discuss how web application penetration testers can improve their white box testing using two new open source tools, funded by the Department of Homeland Security. The Attack Surface Detector tool performs static code analysis to detect hidden endpoints and parameters and pulls them into the Burp Suite and OWASP ZAP attack surface. The second tool, OWASP Code Pulse, instruments the web application server bytecode to provide real-time code coverage to help identify gaps in testing, help tune and compare testing tools, as well as provide a useful metric for communicating testing activities.
Bio: Drew has over fifteen years of experience designing and building complex systems including application security tools, network management, cyber curriculum development, and transit and aerospace systems. He works to improve information security and software assurance by applying computer science, ethical hacking, and human factors knowledge to build novel systems to meet complex needs. Before joining Secure Decisions as a Security Researcher, Drew was a Senior Computer Scientist in the U.S. Navy Human-Computer Interaction (HCI) Laboratory. He is a certified GWAPT and OSCP, and a member of the GIAC Advisory Board. He received his B.A. in Psychology and Economics from St. Mary’s College of Maryland, and Master’s degrees in Computer Science and Computer Information Systems from Florida Institute of Technology.
Pentesting DevOps: Attacking Containers and Container Orchestration
Mark Manning
Length: 50 Minutes
Location: Track 1 at 1500
Talk Description: Monolithic applications are a thing of the past, but our job as security professionals is to review them from a security perspective. This talk will review container technologies (e.g. Docker, LXC) as well as container orchestration technologies (e.g. Kubernetes, Marathon). We will cover new container-centric OSes like CoreOS and what security implications exist for each. What is their threat model? What does a "pen test" against these technologies really mean? We'll include real-world exploit scenarios we've seen in client environments.
Bio: Mark Manning is a Principal Security Consultant with NCC Group with a focus on enterprise devops and container technologies. He has worked with numerous clients on Docker, Mesos, Rancher, CoreOS, Kubernetes, and other container-related technologies. He's performed penetration tests to breakout from container to host, architecture review of devops and container orchestration systems, and research on container technologies. Mark also works on mobile applications, general application security, and security reviews of privacy and pseudonymity technologies like Tor. He also is a BSidesROC and Rochester 2600 organizer.
Red and Blue Ping Pong
Lee Kagan
Length: 50 Minutes
Location: Track 2 at 1400
Talk Description: This talk will demonstrate a defender and attacker playing a game of whack-a-mole using “living off the land” approaches both defensively and offensively. The talk will demonstrate how free Microsoft tools and other OSS can be used to build a robust defensive framework capable of detecting new and stealthy attacks.
Bio: Lee Kagan is an offensive security professional with almost a decade in IT and InfoSec. Penetration tester, red teamer and currently lead for RedBlack Security’s Rogue Team specializing in threat and adversary emulation in Toronto, Canada. Lee’s focus on the team and in practice is offensive infrastructure support, post-exploitation of Windows and Active Directory environments, PowerShell and C# weaponization. Anton Ovrutsky is a Senior Security Analyst in the insurance industry, interested in the intersection of offensive and defensive security techniques. Anton’s focus is currently on SIEM tuning and effective use of logs to catch malicious activity. Anton has been in the security industry for six years and holds an OSCP, OSCE and CISSP.
Rise of the Miners
Josh Grunzweig
Length: 50 Minutes
Location: Track 2 at 1300
Talk Description: Over the past year, we've witnessed a shift in malware used by both the common criminal and targeted actor alike. While ransomware was the belle of the ball in the past, it has been replaced with the up-and-coming cryptocurrency miner. This talk will explore the trends witnessed in the past year as they pertain to the rise in popularity of cryptocurrency miners being used and deployed by criminals. We'll talk about how and why this transition has occurred, as well as a number of interesting case studies about how this malware winds up on a victim's machine. Finally, we'll also discuss the most popular cryptocurrencies being mined today, and strategies you can take to mitigate this threat.
Bio: Josh Grunzweig is a Principal Malware Researcher with Unit 42, the threat intelligence team within Palo Alto Networks. His specialties include reverse-engineering various malware families, dabbling in Python scripting, and he has even been known to thwart ransomware and find vulnerabilities in malware panels from time to time. He has historically focused on financially-motivated malware, such as point of sale malware, ransomware, and banking Trojans, however, these days he pretty much looks at most malware-based threats. His previous work has included various areas within the information technology industry, including penetration testing, network administration, and systems administration. He graduated from the Rochester Institute of Technology with a BS in Applied Networking and Systems Administration.
Sentry or: How I Learned to Stop Worrying and Delete My Accounts
Michael West
Length: 20 Minutes
Location: Track 3 at 1030
Talk Description: With social media, anyone can become "incidentally infamous" in minutes. Your tweet could go viral, your gif could get posted by a president, or the media could single you out because they think you made Bitcoin. This happens to hackers too: @MalwareTechBlog was arrested after DEF CON 2017, and certain media started doxing him and painting him as a spendthrift criminal based on his Twitter posts. Rather than become a social media hermit to prevent this, just set up a Sentry. This talk will present Sentry, an automated cross-platform application that will silently watch your social media for trigger words and unusual behaviors before springing into action. In minutes Sentry can lock your Twitter account, delete your Reddit comments, disable your websites, and a whole host of other actions to keep attention away in high-visibility, low-privacy situations. Released under the MIT license and easily extensible, virtually any site and any API can be scripted with a bit of C#.
Bio: Michael West, aka T3h Ub3r K1tten, is a Technical Advisor at CyberArk who likes cats and is addicted to Twitter. His homelab has over 640 kilobytes of RAM. Michael presents regularly at Dallas Hackers Association and enjoys combining his software dev background with infosec to build tools for others. His interests include OSINT, amateur radio, and scanning long barcodes on the beach.
Top SIEM Rules You Should Implement Today
Julian Pileggi
Length: 50 Minutes
Location: Track 2 at 1600
Talk Description: Developing and maintaining an effective SIEM often takes a small army, and can be quite vexatious. In this talk, the audience will be presented with a compilation of the best and most effective SIEM use cases. Gone are the days of noisy, false positive prone alerts – this talk is focused on high accuracy use cases only! We will tie these use cases back to activities performed by threat actors and red teams alike. This talk will be of interest to SOC analysts, security engineers and SIEM content developers.
Bio: Julian Pileggi is a Principal Incident Response Consultant at Mandiant, based in Toronto, Canada. His areas of expertise include enterprise incident response, digital forensics, threat hunting and security operations center team development. Prior to his employment at Mandiant, Julian worked at a large financial institution as a key member of their SOC team, helping to develop it into an industry leader in Canada.
Turning Domain Data into Domain Intelligence
Chris Partridge
Length: 50 Minutes
Location: Track 1 at 1300
Talk Description: DNS is a locked system - you can’t model the domain space at scale unless you get an AXFR from every authoritative nameserver there is, but you might be able to get a good model going if you attempted to discover and resolve all FQDNs. So, we’ll do the latter! dnstrace is a volunteer-supported, free suite of software that harvests, analyzes, and visualizes the relationships between domains so we can finally turn “domain information” into “domain intelligence” for everyone. Ever wanted to generate better domain reputation so grandma doesn’t get sent to the 200th .ru domain registered today that serves Flash malware? Or wanted to evaluate patterns in cybercrime at a global scale using domain data? Through big data and careful analysis, we can push the security envelope until we’re ahead of the curve for the first time since Creeper.
Bio: Chris “tweedge” Partridge is a 3rd year student working on his Bachelor's in the Computing Security major at RIT, Black Hat 2017 alum, and BSidesROC regular. He’s extremely passionate about making sure he doesn’t have to take any more 11pm phone calls from his family about their computers being infected, and has been putting a disproportionate amount of time into making that happen. He believes that writing and enhancing security technologies coupled with better security education can change people from “easy targets” to “not worth it.” As the core author of dnstrace, he’s starting to bring those dreams to life, one caffeine-fueled music-blasting coding-session at a time.
Virtualization Based Security Strengths and Weaknesses
Anthony DiDonato
Length: 20 Minutes
Location: Track 3 at 1000
Talk Description: During this short discussion and demo session we will review the topic of Virtualization Based Security ("VBS"). We will also review the need for it and review the currently available solutions. This discussion will focus on the strengths and weaknesses of the existing commercially available solutions from Microsoft and Bromium, including some known exploits. The discussion will be "demonstration heavy" and light on slides. We will be demonstrating common credential theft attacks, malicious download attacks, including ransomware, and effective mitigation tactics.
Bio: . ("CDA"). He has designed and delivered secure platforms for many Fortune 500 customers, hardware & software vendors, and government agencies over the past twenty (20) years. His experience includes the design, delivery and support of the following solutions: disaster recovery ("DR"), multi-factor ("MFA") and two-factor ("2FA") authentication systems, biometric authentication, anti-virus/malware, reverse engineering, malware analysis, incident response ("IR"), application white and black listing, virtualization-based security ("VBS"), and endpoint detection and response ("EDR").