Kevin Johnson
I am a doctor Jim, not a Doctor: A Guide to Becoming a Security Consultant and What that Means
Thursday Opening Keynote
In this talk, Kevin Johnson of Secure Ideas will walk attendees through what it means to be a security consultant and how you can become one. He will provide various anecdotes, stories and skill building steps that can be used to grow your security skillset. This will work for people who want to become consultants, work on internal security teams or just want to know what those penetration testers they hired do!
Georgia Weidman
Burning the Enterprise with BYOD
Friday Opening Keynote
“We’ve got Mobile Device Management, BYOD is not a risk for us!” “Our proxy filters all outbound traffic, no one is getting a shell out ever!” Companies are putting a lot of faith in these security mechanisms to stop the threats of mobile devices. In this talk we put those big claims to the test and look at ways to bypass security restrictions on and using mobile devices. For example, that proxy that stops all outbound traffic unless it’s in the Internet Explorer process authenticated against the domain? Why not just send your shell back to an exploited mobile device in the environment and have it pass the shell out via SMS? Demo gods will be tempted and all code will be released as modules for Smartphone Pentest Framework.
Chris Bissell
Доверяй, но проверяй - Trust but Verify
In this day and age you can’t trust everyone. The one person you do want to be able to trust is the person you are sharing your life with. It’s not like the old days where the only way people could “chat” was through a phone call. There is texting on cell phones, through Facebook and about 12 other different social sites. There are sites made for just being friends and many for being “friends”. Well, we are hackers. We are paranoid and curious by nature. So I had a feeling something was going on with my ex-wife. Damn me, I’m good at digging and Googling. With some free tools and the ability to guess passwords, I learned all of my ex-wife’s current dirty and past dirty secrets. So do you trust your girlfriend or boyfriend?
Did I mention I even took a forensic approach to her smartphone?
Jim Redd
Putting Your Business On the Witness Stand
Security In the Age of Due Care
Living in this age of APTs when something bad happens to your company (and it will), how will it defend itself against both traditional lawsuits as well as the “Internet judge, jury, and brand executioner”? The concept I have found useful in working with business leaders is “due care.” On the witness stand will your company’s collective efforts in protecting information (especially customer information) measure up against “generally accepted standards of care”? Do you have to be at a level of “best practice,” or are “good enough” risk-based practices acceptable?
I will highlight some of the success I have had using this concept to help executives and my IT peers get their arms around IT security FUD and technical mumbo-jumbo to move Amway’s security practice forward.
Matthew ‘mandat0ry’ Bryant
Hacking Giveaways, Contests, and Polls for Fun and Profit!
This presentation is about the wonders of hacking giveaways and polls and how it might be a lot easier than you might think. Almost all of the popular anti-bot measures used today to keep services from being abused are ineffective! See many large companies give out much more free product than they ever intended and how even those who aren’t computer “magicians” can find themselves winning it big. Many real world examples are given and you’ll be astounded at just how easy winning can be. We’ll be covering things such as beating CAPTCHAs, simulating thousands of undetectable entries, and how you can win a contest from your desk at home.
At the very least this talk will leave you inspired to “investigate” giveaways on your own. Congratulations on winning that random drawing again! What’s your secret? Winning yourself a car never seemed so easy!
Nicolas Jacob
Ghost in the PowerShell: Becoming a Cyborg by Automating Security
As technology and society advance, we should seek to improve ourselves to match it. As attackers advance, so too should defenders. How do we reach past the limits of our humanity? How do we become something that is the epitome of efficiency? Automation. Automation allows us to transcend the limits of our humanity. The problem? What problem could there be in automation except deciding what to automate first (which is something that will soon be automated)? Well, how does one automate security? The talk is about the SANS Critical Controls and how they are more easily understood and implemented than some other versions of recommended security practices. This views the Controls from a more business perspective. Then it details how to go about advancing beyond the limits of humanity by using automation for the practice of implementing those controls in a network. For this presentation, it will be using PowerShell and how many of the controls were implemented and improved upon.
Includes Live Demo
Mike Kemp
Security Counterknowledge
You are all doing it wrong.
This efficacious talk will examine why you are all doing it wrong, explode a few myths, and ensure that the speaker pretty much alienates the entire security industry. Also I will point out why the Manson family were a shining corporate example, and show off some new shiny toys.
– Guaranteed to be entertaining
Alex Chaveriat & Matthew Sjoerdsma
Every time I load your app… God kills a kitten
This talk is for those who want to advance from a builder to a hacker. What a programmer sees and what a hacker sees is often different. That is because programmers and hackers have different goals when exploring software.
While a programmer is trying to get the software to work, the hacker is trying to find ways of manipulating the programmer’s hard work to make the application work how he wants it to. For the programmer, this methodology produces working apps that fail time and time again. We will be leveraging examples from software, biometrics hardware, and physical security that kill kittens (well…) by showing this as “what does an engineer see?” versus “what does a hacker see?”
Includes live demos – Unreal Tournament, enterprise application, biometrics devices, & more!
Tom Richards and Justin Hohner
Defensive OSINT: Getting Pwnd is Personal.
OSINT has been discussed in terms of offensive security but rarely of defensive. We will cover the basics of OSINT and discuss advanced tactics to keep up to date on the threats that are specific and relevant to you. We will include an approach that can be employed so defenders can create their own OSINT system to monitor for events that may affect their business or customers.
Mark Kikta
Popping the Penguin: a beginner’s look at Linux persistence
Breaking in is half the battle. I’ve talked to so many people whose only objective is to try and break into systems. I get that. It’s awesome, the rush you get when you bring up that shell. But then what? Ops hardening does not end at the outer shell. Once you’re in, you still have to navigate the maze of files, directories, and permissions that is the Linux file system. This discussion will cover log sanitization, rogue user accounts, utilizing simple netcat commands to create an open port, combining netcat with crontab to create access windows, utilizing /dev/tcp to create a reverse shell, obfuscation to avoid IDS/IPS, and providing examples of these commands at each step of the way. VERY basic previous Linux experience is a bonus but not required. If breaking in is half the battle, staying in wins the war.
Wyatt Roersma
Cloud Incident Response
This talk is focused on presenting incident response (IR) techniques that will help mitigate risk and reduce intrusions in a cloud environment. I will present an overview of IR techniques that can be deployed using products inside Hyper-V 2008R2 and 2012 alongside GRR Incident Response Framework, along with open source scripts which automate data collection in the IR process. This will include automated collection of memory and disk images from Hyper-V hosts using GRR and live memory analysis with Volatility and a Security Onion server (full PCAP logs) to pull data on a selected host for analysis as an all in one process with ONLY Open Source tools.
Silk
“I’d DAP that…CI style” – Security Reporting Fixed
At GrrCon this year, we are releasing our new application. The DAP (Defect Analytics Portal) focuses on a quicker and easier method for analysts to create and distribute security reports, while providing a more intuitive and valuable security report for Developers, Executives, Managers, and Clients. We are going to talk about the elephant in the room, security reports…. not just security reports, but the overall problem with security reporting and the solution. We also plan to tackle all the problems and frustrations analysts face with creating security reports, while teaching higher-ups the value of properly utilizing security reports and vulnerability data in order to be able to continuously improve their organization’s security department.
The DAP is a portal-based reporting solution for information security professionals. In a matter of minutes, ANALYSTS can easily create assessment reports, which would otherwise take hours to produce. Report data is instantly and securely stored and available for DEVELOPERS to review open vulnerabilities and begin fixing the issues. MANAGERS can use the data to monitor and track security progress using powerful analytics, which are focused on continuous improvement, and EXECUTIVES can view scorecards and summaries in a clear, logical, and understandable format. Test more, write less and get the most out of your security data.
Duncan Manuts
Hacker History: This Stuff Matters
The field of infosec has become increasingly polarized around business profits, national security, privacy, and freedom. This polarization is a fallacy perpetuated by falsehoods, egos, and political agendas. If you don’t understand your past, you’ll never understand your future. It’s time for me to school the clueless on where this industry came from and how we got here.
Mark Stanislav
Core Linux Security: 0-Day Isn’t Everything
When discussion on hardening Linux systems occurs, usually someone will swear by a single feature or application to ‘save the day’. In reality, a mesh of complementary technologies, most of which are built-in or easily installable on a Linux box, is the best way to go. Defense in depth is more than marketing lingo, it’s a way of life for actual information security. Come see some of the technologies you may have ignored, never knew existed, or just weren’t fully leveraging in some helpful ways to add layered security to your next Linux deployment.
Joel Cardella
BOHICA – Your users, your problem – How to get them to really understand why security is important
This presentation seeks to give tools and techniques to help techs and managers teach users about security awareness. This can be either through an organized program or can be through ad-hoc interactions. Deliverables will be:
Yaniv Miron aka Lament MC
Fuck 0-days, We Will Pwn U with Hardware Mofos
We give you the ultimate hardware hacking kit.
Wanna pwn some banks? Wanna own big companies? You need some boost up.
We will show you that your current set of tools is not enough. You need to have some help from hardware, like 007.
We have bundled a set of hardware hacking tools that will assist you.
For example we will show you how to bypass typical corporate Windows 7 machines with Bitlocker encryption enabled, dump and extract goodies from memory, long range RFID tricks to copy ur CEO’s proxcard, using hardware screenloggers (not the old crappy keyloggers – cuz everybody knows them and it’s lame) and more.
You have to be there – cuz we rock.
Includes 5 live demos of cool hardware equipment
Chris Roberts
A funny thing happened on the way to Shetland….
Recently I found myself on a flying tin can for the best part of 11 hours….US to Shetland via Iceland…now, we’ve talked about and visited the subject of air safety in previous lectures…but only focused on a few of the attack vectors. To date little has changed in the industry to secure the platforms, so we’re going back to the plane with renewed interest and will work through a whole host of things you can amuse yourself with while flying along at 36,000 feet.
James Palazzolo
Three Rivers
An interactive presentation discussion between speaker and audience with regards to architectural gaps in cyber intelligence.
Brett Cunningham
Forensics Challenge
You spent the last 2 tireless days working your way through the GrrCON DFIR challenge. You have that 100 meter stare because of the battle you have just been through. You ask yourself… What more could I have done? Was there anything that I missed? You then go back and recheck your analysis to make sure you have it right.
In this presentation I will walk through the challenge I created using the tools provided. As I go through the challenge I will answer those questions that were asked. Even if you did not participate in the challenge you will still benefit from attending this talk as I try to make all my challenges as realistic as possible. The methods used to solve this challenge can be the same methods used to respond to real world intrusions.
NinjaSl0th
Hack the Youth/Generations
In this presentation, I will be bridging the gap between security professionals and script kiddies. By not only sharing my own experiences, but also involving the audience, I will address key concepts as well as ideas on how to limit the spread of poorly educated hackers.
Whether a security professional, underground hacker, or just someone curious about security, you will obtain some insight on script kiddies and how to turn them into educated kiddies. It is time for a paradigm change, by hacking the generations.
Rockie Brockway
Business Adaptation or: How I Learned to Stop Worrying and Love the Internet’s Unclean Conflicts
The U.S.’s last official declaration of war was signed in 1942, yet we have heavily invested ourselves in many major conflicts since, from Korea and Vietnam to Grenada and Somalia to Afghanistan and Iraq. Most of these “unclean conflicts” have suffered significantly in many ways, from popularity and political capital issues to loss of clout and global leadership. Following the breakup of the USSR, our technological innovations and superiority have bred a culture that scoffs at the thought of anyone seriously engaging our country in open, clean conflict. This mentality, to a very high degree, has filtered itself into the DNA of our industrial and corporate business infrastructure, defining how we expect the rest of the world to act and conduct business. This mindset filtered down into our Business DNA, and our innovative corporations that were and are pivotal in building up our national economy began thinking the same way. We are now finding ourselves lashing out with legislation in vain attempts to enforce levels of security controls to protect our national infrastructure. Which will most likely lead to attempts to enforce levels of controls over manufacturing, science, research, medical and other verticals.
Will any of these succeed? It is too early to tell. But the simple fact is this. If you get to the point where a problem becomes so big that you need to try to legislate it in order to protect the economy and nation as a whole, you have completely missed what was wrong to begin with. The internet is finally showing us what it can really do, and what that is, we as a nation, and therefore our dominant and innovative business leaders, are completely unprepared for. For the rest of the world, there is absolutely zero need for any semblance of any official clean conflicts, when the internet makes it so easy to conceal outright theft of data, be it millions of credit card numbers and passwords for profit or the theft of industrial intellectual property from a government contractor that thereby cuts a foreign adversary’s developmental gap for sophisticated weaponry by years. So, as a country that from high levels views things in black and white, yet has significant expertise in the unclean conflict, why are we losing this new unclean conflict, and how can we and our business strategies adapt accordingly?
Isaac Jones
Network Security For Fun and Profit, Is Dead
It seems that every year in the field of network security, the year ahead is considered to be “Different” or important, but for all the wrong reasons. If 2012 is to be remembered for anything in security, it should be remembered as the year we realized that network security, as currently practiced by many organizations, is losing. This presentation will explore how we, as an industry have devolved into a “script kiddie” defense, the disciplines that are required to defend and respond to a network, various foolishness that businesses do in trying to defend their assets, and an exploration of the idea that “security” is now, the utterly wrong word for what we do. In addition, I’ll probably bag on boxes with shiny fronts and nice lights as well.
Philip Polstra
Pwnage from the Skies!
This presentation will introduce the AirDeck which is the latest extension to The Deck penetration testing and forensics program. The Deck made its US debut at GrrCON 2012. The Deck is a complete penetration testing and forensics Linux distribution that runs on the BeagleBoard family of small computer systems. Since its debut several modules have been released for The Deck. The 4Deck module provides USB write blocking for forensics work. The MeshDeck module allows an army of devices running The Deck and connected by 802.15.4 Xbee and/or Zigbee mesh networking to perform coordinated attacks from distances of up to a mile. The AirDeck represents the next evolutionary step to The Deck. The AirDeck is a flying wing which runs The Deck. The AirDeck is capable of vertical takeoffs and landings and can also be flown as an airplane. This allows a penetration tester to literally fly an attack device to the target organization and land somewhere where the device will go unnoticed (such as a roof). Full specifications and code for the AirDeck and other modules will be provided.
This will be the worldwide debut of the AirDeck platform.
David ‘HealWHans’ Schwartzberg
Zeus C&C for Tech Support
Inspired by Adam Johnson’s presentation at GrrCON 2011 titled “ZeuS – Inside Command and Control” on how to build a ZeuS bot Exploit Kit Command & Control, I thought it would be fun to use this newly gained knowledge to build a C&C in an effort to provide tech support for my family members. Have you been in that situation where everyone you know comes to you with their computer problems? Just because you have a knack for technology, people you know seem to think that you enjoy fixing all their problems, most self-inflicted. Welp, here’s your chance to help them and have some real fun. This mostly hands-on demonstration will walk through setting up your very own C&C and configuring the basic settings to get you started. When ready to rock, you will learn how to have fun while fixing their problems. Live malware will be used during this presentation so make sure you turn off your WiFi.
Includes live demos installing Zeus and its dependencies on BackTrack 5 R3, showing how to manage a remote device with Zeus.
Scott Knapp
Modern Malware Review
This report looks at 3 months’ worth of malware collected by Palo Alto Networks’ WildFire from more than 1,000 customer sites. We focus our attention on the 26,000+ malware samples that were completely undetected by top AV vendors at the time the samples were found in customer networks. We analyzed these samples throughout the entire lifecycle of the malware including analysis of the infecting session, the malware behaviors observed by WildFire, as well as a next-generation firewall analysis of traffic generated by the malware itself. We used this data to identify key malware trends and indicators, and recommend actions customers can take to be more proactive in their fight against these threats.
James Pleger
Automated Malware Analysis on the Cheap
Over the last few years, there have been a great number of tools released that help classify, alert and analyze malware. These types of tools coupled with the low cost of computing power allow hobbyists to now create fairly complex and capable malware analysis labs. In this presentation, we will talk about the open source, free solutions that can be used to create a cost effective malware analysis environment for personal or work use. We will also discuss how we can scale this type of environment to hundreds of thousands of samples.
Chris Hansen
Pwn the Fone: Automated Attacks Through Acoustic Analysis
Computer aided acoustic analysis can help you identify the song you are listening to, but did you know it can also help you compromise a phone system? VMS and PBX hacking belongs in your penetration testing arsenal. This talk aims to bring the sexy back to this largely overlooked source of reconnaissance. Discover unpublished telephone numbers, undocumented IVR features, voicemail passwords, and more, without ever picking up the phone.
Includes Live Demo
Chris Banta
Establishing a Vulnerability and Threat Management Program
With an ever evolving threat landscape, how does an organization safeguard and protect critical infrastructure and corporate assets? This session is designed for the security professional who is looking for solutions and methods to develop a stronger and more agile security operations program. In this discussion we will uncover 5 of the primary components needed to build and manage a successful VTM program.
Arron Finnon aka f1nux aka The ‘Steven Seagal’ of IDS research
What’s ‘Context’ got to do with it!
There can be little doubt the world of NIDS/NIPS is a jargon rich world. At the risk of falling into the category of hyping a word, what’s ‘context’ got to do with detection? Is ‘context’ about to become the next big buzzword in the vendor fight for even more money from organisations? Does it even mean anything in today’s ever increasing onslaught against infrastructure? Will it just become another despised hyperbole? The answer to all three questions, is probably!
However many of us involved with looking after detection systems understand the importance of context. It’s not that we need more data, we need more meaning! We need better understanding of what happens before, during, and after strange and unusual behaviour happens on our networks. We need the ‘context’ of what and why an alert was triggered. The reality of it is we’re about to enter a world of vendors now selling ‘context’ products, when security professionals need the word the most!
This talk looks at the importance of context in detection however from a neutral, and sometimes cynical standpoint. Quite simply the aim of the talk is to highlight that if we don’t understand the importance of getting better context in detection, and we just let vendors use it as another sales pitch, we all lose out. In addition I intend to also discuss what organisations can do to obtain more meaning from the data they already have.
Alexander Muentz
Are your security devices secure? Are they defensible?
Physical security devices (IP cameras, DVRs and access control devices) are often attached to the same networks we’re trying to defend. Are they vulnerable themselves?
Is the evidence obtained and stored defensible in court?
In evaluating these devices for some of our clients, I noticed that simple things, like network security and forensically sound collection and storage were afterthoughts at best.
Many of these devices can be compromised, allowing an attacker to permanently disable the device, destroy evidence or use the device to attack other hosts on the network.
I plan to show vulnerabilities on a few devices we’ve evaluated, how to mitigate the risks and a few lessons to manufacturers on how to generate admissible evidence.
Thomas Richards
Dancin’ With Dalvik
So you’ve reversed your first Android APK; now what? Java pseudocode is nice, but how do we modify the app? This is a crash course in reading and understanding Dalvik opcodes. It will go through some basics then we will jump into a couple case studies to demonstrate some of the concepts. This talk should help testers who are interested in or do Android application assessments to better understand how to mess with the underlying code.
J Wolfgang Goerlich
Beautiful Models
We need beautiful models. Models attract and hold your attention. They excite you. They prompt action. And action, excitement, and focus is exactly what is needed to defend IT. By models, of course, we mean threat models. Intricate and beautiful, a good threat model tells a story. It indicates what we are protecting and where the attacks may come from. Done right, modelling highlights both the strengths and weaknesses of our IT. It becomes a means for strengthening and focusing our efforts. We need beautiful models to see what is and what could be.
This session will explore threat modeling as part of the secure development lifecycle. A case study will be presented. The stories are real and only the names have been changed to protect the innocent. Beautiful Models answers the question: what is it that makes a threat model beautiful and actionable?
Christopher Elisan
Malware Automation
Automation is key when it comes to production. The same is true for malware. Malware production has moved on from the traditional manual method to a more efficient automated assembly line. In this talk, I will take the audience on an over-the-shoulder look at how attackers automate malware production. Discussion will focus on the tools and methodologies the attackers use to produce thousands of malware on a daily basis. The talk will then conclude with a live demonstration of how malware is produced in an automated fashion.
Includes Live Demo
Nick Percoco
The Cavalry Isn’t Coming
We have some good news and some bad news. The good news is that security is now top of mind for the people of planet Earth. The bad news is that their security illiteracy has led to very dangerous precedents and this is likely just the beginning. The reactionary stances taken by the hacker community have induced burnout and fatigue with many of us watching our own demise. We’re here to help us all hit rock bottom in the pursuit of something better. At some point the pain of maintaining inertia will exceed the pain of making changes, so it is time for some uncomfortable experimentation. While it may be overwhelming to think about, this is what we do. We hack systems. Finding flaws in the digital world comes naturally to us. We can and must do the same to the physical world; the media, governments, and lawmakers in order to survive the next decade. Let’s get started.
Scott ‘secureholio’ Thomas
50 Shades of Purple(teaming): Getting penetration testing into a conservative company
Getting paid to hack sounds pretty cool right? Unfortunately not all of us are cut out for the red team. We may not be happy being only blue team though. So maybe “Purple-team”?
For those of us feeling like we’re choking to death on ITIL stimulated change aversion, how can we show the value of a little corporate hacking or “Penetration Testing” outside of the compliance checkbox? This talk is one security professional’s journey of working in an environment where the sysadmin XKCD comic is all too true. Companies want availability and cringe at the thought of the security team hacking their systems, but want the same team to prevent the “bad guys” from doing it. Maybe they’re scared the security professional could succeed or just want to ignore the obvious. If you want to “Turn the Titanic” from this mindset, you’ll need a little bit of knowledge, a little social engineering, and of course, a little bit of help.
James ‘WolfFlight’ Siegel
CCDC and Industry
In today’s business climate, having a certain amount of experience can certainly be more important than just having a degree or certification. For the full-time student, acquiring said experience can be difficult to say the least. CCDC competitions provide an environment in which the people involved get ‘real-life’ experience in how these systems work in situations that mimic ordinary business activity. It is said that a CCDC team gets 6 months to a year’s experience in 8 hours.
I hope to bring to light some of my personal past experiences, talk about team dynamics, typical practice scenarios, and the rigor of a competition. I will then discuss how some of those experiences help provide me with valuable information, with regard to performing my actual duties as a systems administrator responsible for a large number of systems.
In addition, I hope to encourage others in the industry to do whatever they can to help support and organize more CCDC teams at schools around the country. Programs such as CCDC and the high school level competition Cyber-Patriot are going to help create the next generations of information security professionals.
My talk will have some very serious talk about lessons learned, and some humour about the agony of learning those lessons.
Paul Cochran & Toni Buhrke
The Science of Security Automation
Continuous monitoring has become a buzz term that means many different things to many different people. Yet everyone would agree that continuous monitoring and compliance starts with visibility. Whether you are monitoring a global class enterprise or a single set of systems that make up a primary application, visibility is paramount. In this session, we’ll go over the steps to achieving complete visibility and then take it to the next level by implementing automatic remediation for access and threats based on your corporate policies.
Kellman Meghu
Weaponized Security
Imagine having access to an amazing technology, that makes searching patterns of data in the network very simple. Then imagine implementing that technology on an open wifi and seeing what you find. This talk discusses how a tool to secure people can be turned against them, and the results of random people, leaking data about their computers, and themselves. PLEASE NOTE: This presentation contains content from a free wifi connection that the users did agree to full release of information in exchange for service, in so much as they clicked accept on a captive portal to get online. You can’t say we didn’t try to warn them. The data extracted from this network in no way reflects the thoughts, feelings or attitudes of the presenter, and some of it may be offensive in nature. Who knows, maybe you are even in this presentation yourself, have you ever used ‘free’ wifi?
Matt Dean
Building Risk Visibility into Your Firewall Management Process
Firewall deployments in large organizations can easily get out of control – and become rife with unnecessary risk. Inappropriate access is granted readily. Constant change complicates policy implementation. A real-time, enterprise-wide picture of network security posture is a distant dream.
Only by automating tedious manual processes at the operations, management and compliance levels of the organization can security teams regain control and better protect their information. This requires consolidated, real-time data of the security infrastructure and a scalable, distributed solution that provides fast, flexible analysis and reporting.
This presentation provides pragmatic advice on new technologies that will put hours back into each day, including how to:
- Visualize the overall risk posture so management can understand security effectiveness
- Simplify operations by understanding security device configurations of multiple firewall vendors
- Continuously monitor critical data to ensure compliance daily, not annually
- Tune discovered access paths to reachable, vulnerable assets so patching is not needed
Jared DeMott
Is Auditing C/C++ Different Nowadays
C/C++ has been around for a long time. As you may know, it has issues; lots of them. And we can’t be rid of it; it’s still being used all the time in the creation of new software. But over time, have we gotten better at writing and auditing it? Have the bug types changed? We’ll look at a bunch of code in answering those questions throughout the talk. I hope you’ll join me.
atlas 0f d00m
TBA
More info TBA
Chris Silvers
We Don’t Need no Stinkin’ Status!
A (hypothetical) discussion of techniques to travel like a movie star, well, ok, like someone with diamond status, without actually having the status. From boarding early to getting an exit row seat and even extra snacks, this presentation will expose vulnerabilities in airport and airline procedures meant to separate those with status from those without. Included in the presentation are real situations that may or may not have occurred, depending on the audience’s affiliation with law enforcement or the airline industry. (j/k)
Derek Milroy
Enterprise Vulnerability Management (Assessing, Implementing, and Maintaining)
This presentation is a detailed how-to for assessing, implementing, and maintaining a Vulnerability Management Program. It will also touch a bit on patch and configuration management, as they are both remediations that typically result from running Vulnerability Management efforts. This presentation is not based on theory. It is based on experience in literally dozens of environments, some that were scanning over 90,000 live hosts per month. The presentation will also cover methods for working with systems administrators and application owners to get processes in place that are sustainable and will produce results. In addition, metrics and score-carding will be discussed with a focus on measuring what needs to be done and what work has been done.
Brad Wilkerson
Developing Successful InfoSec Professionals from C Students
I hate C’s… as grades. I hated receiving them, I hate giving them. In this talk I will discuss the other C’s in relation to developing successful InfoSec professionals from an educational perspective and experience. These other C’s related to these successful students are things such as: Community, Curriculum, Competency… and CTF’s.
Aditya Gupta and Subho Halder
The Droid Exploitation Saga – All Over Again!
A lot has already been talked about Android malware, botnets, fake legitimate applications and what not in Android. In this presentation, we would uncover new attack methodologies on the Android platform. We would also be talking about Android Framework for Exploitation, a framework (completely open-source) which we developed and released a few months back, and which has got an amazing response from the security community. We will talk about how to find vulnerabilities in Android applications, the hacker’s way. Also, we would show a demo on how to do mass vulnerability hunting in Android applications, using the framework, with a new feature which will be released in Grrcon. Also, we will be discussing security risks associated with BYOD in enterprises. At the end, we would be talking about how to find new vulnerabilities in the Android platform (not apps), and a brief overview on how to quickly do ARM based exploitation on Android. It will be a tight presentation, both with demos as well as the concepts underlying it.
Includes live demos as well as a new tool release, and disclosing of vulnerabilities in 3 popular Android applications
Tom Clare
Threat Defenses: Before, During and After
Protection from malware, advanced threats and data theft requires continuous threat defenses before, during and after the point of click. At each stage of the advanced threat life cycle, important defense architectures and processes must be deployed for maximum detection, protection and forensic analysis.
This presentation outlines advanced threat stages and explains how protection in early stages can quickly block attacks, and how real-time, inline threat analysis protects against threats, data loss and data theft at the point of click. Plus, learn how sandboxing and call-home analysis identify threats after the click. Combined, security administrators and teams are better armed to protect users, data and resources.
Learn how threat defenses have evolved to include:
- Global threat awareness, telemetry and analytics to protect before the point of click.
- Inline, real-time defenses for point-of-click protection against threats and data theft.
- Advanced threat dashboards providing forensic reporting on what data is being targeted, who is targeting it, how it is being attacked, and from where.
- Sandboxing of malware and traffic analysis to identify and protect after the click.
- Equal protection from both web and email attacks for office workers and remote workers.
Sean Wcisel
Futurama vs. Roman Gods: Real-World Hostname Popularity
A quarter-million DNS queries later, what can be learned from brute force hostname discovery? Which TV shows, movies, and comics are the most popular options for server-naming schemas? How popular is anime in corporate IT? This discussion will examine the unexpected trends that can be found in the world of DNS naming schemes, as well as the potential security implications of dictionary-based subdomain harvesting.
Josh ‘FuzzyNop’ Schwartz & Matt ‘HastiSec’ Hastings
Making Attacks Go Backwards
Imagine a pentest where there is no scope, no time restraints, and no budget. How would you do it? Would you write your own tools? Would you get detected? And if you did, would they know what you stole and what was owned? As time went on, would you get lazy?
It sounds like a dream gig for most pentesters out there and lucky for some threat actors, this is the 9 to 5 job. By now we shouldn’t have to mention the advanced persistent buzzword for you to know what we are talking about. Targeted threat actors are people too, they make mistakes, their judgement is bad sometimes, they get lazy, and sometimes their skills are bad and they should feel bad.
In this talk we will cover how attacker tactics can leave behind obvious evidence, how their tools can be identified and analyzed quickly, and how the human side of every attacker can lead to some great lulz. Attendees should leave armed with a variety of examples from the trenches of incident response and malware analysis that will give them an edge against the less advanced of advanced attackers. Key takeaways will include tips and tricks for identifying and reverse engineering malware and utilities used in targeted attacks as well as the forensic evidence they leave behind.
Includes Live Demo
Keir Asher
Outside the box: A discussion around alternative security approaches
Crime pays and is always an economic game. More and more deception strategies are used by hackers to exploit organizations all over the world. Come see how methods of intruder identification are evolving and what IT can do to improve its performance in identifying criminals.
AntiTree
Bringing Hackers Back Into The Intel Business with OSINT
As hackers, we’re supposed to have a decent background in passive recon – OSINT – doxing – intelligence – or whatever you call it, but the truth is that in comparison to intelligence organizations, we are way behind. This talk is not for people that are just looking for the tools we use for OSINT; it’s the two trains of the hacker community and the intelligence community slamming into each other at high speed. We will discuss the problems of OSINT, how we can fix it, tools and projects that will help, and get hackers back into the intel business.
prajwal panchmahalkar
Matriux Leandros – An Open Source Penetration Testing and Forensic Distribution
Matriux is the first full-fledged Debian-based security distribution designed for penetration testing and forensic investigations. Although it is primarily designed for security enthusiasts and professionals, it can also be used by any Linux user as a desktop system for day-to-day computing. Besides standard Debian software, the Matriux Arsenal contains a huge collection of more than 350 of the most powerful and versatile security and penetration testing tools, with around 20-50 more tools being added every release cycle of 6 months. Matriux comes with a custom-built Linux kernel to provide better performance and higher support for hardware, working comfortably even with a Pentium IV and 512 MB RAM. Matriux was first released in 2009 under the code name “lithium”, followed by versions like “xenon” based on Ubuntu and then Matriux “Krypton” in 2011, where we moved our system to Debian. Other versions followed for Matriux “Krypton” with v1.2 and then Ec-Centric in 2012. This year we are working on releasing Matriux “Leandros”, which is currently in beta testing and is a major revamp over the existing system. The Matriux arsenal is divided into sections with a broader classification of tools for Reconnaissance, Scanning, Attack Tools, Frameworks, Radio (Wireless), Digital Forensics, Debuggers, Tracers, Fuzzers and other miscellaneous tools, providing a wider approach over the steps followed for a complete penetration testing and forensic scenario. Although there were many questions raised regarding why there is a need for another security distribution while there is already one, we believed in and followed the free spirit of Linux in making one. We always tried to stay updated with the tool and hardware support and so include the latest tools and compile a custom kernel to stay abreast with the latest technologies in the field of information security.
Matriux is also designed to run from a Live environment like a CD/DVD or USB stick, which can be helpful in computer forensics and data recovery for forensic analysis, investigations and retrievals not only from physical hard drives but also from solid state drives and NAND flashes used in smart phones like Android and iPhone. With Matriux we also support and work with the projects and tools that have been discontinued over time and also keep track of the latest tools and applications that have been developed and presented in the recent conferences.
Gavin ‘Jac0byterebel’ Ewan
A criminal’s guide to all things socialy
Jac0byterebel is not your typical social engineering presenter. Out goes the snake oil sale of analysing the minutiae of pop psychology and trying to squeeze out real answers to the questions asked during a real social engineering attack. In comes hard hitting accounts of social engineering attacks drawn from real sources but anonymised to protect the pwned.
Deano, the ‘hypothetical’ bad-guy, has hacked and social engineered his way to cash in his pocket and no cash in your pocket, creating havoc along the way. But what if Deano, a criminal social engineer, really upped his game?
This talk will see Deano up the stakes and deliver the kind of aggressive attack you have all lived in fear of. No longer a phone call to get your credentials, or a rogue e-mail to direct you to a fake website, this time it’s personal and Deano is looking to do you REAL damage.
Drawing on real data from anonymised sources, from the account given of this attack, attendees of the talk will see that a real social engineer doesn’t once pick up a psychology textbook. Deano will instead pose you a question -
“What if Joe Bloggs on the street had access to the kind of skills and instructions to destroy all my data?”
When you’ve recovered from that question, ask yourself this -
“What if Deano could destroy my business without anyone realising it had been attacked?”
Live in fear of Hacktivism? You won’t sleep at night after meeting Deano.
If you want an hour of being told that ‘looking to the right makes you easier to social engineer’, go to another talk. If you want to see how the real bad guy operates, and talk about how to defend against him, then I look forward to seeing you there.
Matt ‘The Streaker’ Johnson
Shattering the Glass: Crafting Post Exploitation Tools with PowerShell
You have achieved your first goal. Shell on a Windows machine. Good. Now the real work is about to start. Where do you go from here? Time to see where we can go and what we can do. PowerShell should be your first place to go. Now included on every Windows machine in the environment, this is now the perfect tool for post exploitation. In this talk I will discuss how you can easily use PowerShell to craft tools as part of your post exploitation process that can be reused everywhere with ease. From simple enumeration to data exfiltration and command and control, this talk will dive deep into PowerShell and have you leaving a better infosec pro.
Includes Live Demo
*Presentations are subject to change at any time.