Keynote: Hacker Rights

Sixty percent of hackers don't submit vulnerabilities due to fear of out-of-date legislation, press coverage, and companies' misdirected policies. This fear is based on socially constructed beliefs. This talk dives into the brain's response to fear while focusing on increasing public awareness in order to bring about legislation that supports ethical hackers, end the black-hoodie-and-ski-mask imagery, and encourage organizations to support bilateral trust within their policies.


Track 1: But Wait, I Still Want a Job

As if finding a job wasn't challenging enough, now we have to do it virtually. Let's discuss the new obstacles candidates face, as well as the ones we've always faced. For a living I find people to fill open jobs, but what I really enjoy, and will attempt through this talk, is helping candidates land where they belong. Now we face tech challenges, how to present and interact virtually, crazy distractions, you name it. We will also cover the classic candidate struggles: searching, resumes, interviews and negotiations.

10:30 - 11:30

Track 2: Resource Smart Detection with YARA and osquery

Traditional file-hash malware detection is relatively easy to circumvent, as threat actors easily morph code to create "new" variants, rendering old IOCs useless. YARA uses a different approach: its rules match small segments of code within the malware, making traditional morphing techniques ineffective. The challenge can be knowing which files to scan with YARA, as scanning everything can be expensive. This is where osquery comes in: it can tell us exactly which files have been executed, and therefore which files to scan. Even if a file has not been executed, osquery can use an alternative approach, creating whitelists from golden images, to identify unrecognized binaries.

10:30 - 11:30

Track 3: Static Analysis of Infrastructure Code

Planning, provisioning, and changing infrastructure are becoming vital to rapid cloud application development. Incorporating infrastructure-as-code into software development promotes transparency and immutability and helps prevent bad configurations upstream. Just like application code, infrastructure code can be continuously scanned for vulnerabilities and misconfigurations. In this session, we cover a simple method to write, test, and maintain policy-as-code for infrastructure frameworks like CloudFormation, Terraform and Kubernetes at scale. We will go over open source projects that analyze such code and will try to measure its impact on an organization using the OSS project: https://github.com/bridgecrewio/checkov/

11:00 - 11:30

Track 1: Cultivating the Investigative Mindset: Improving critical thinking skills needed for starting or furthering a career in cyber security

The cybersecurity field is booming, with demand for cybersecurity professionals far outpacing supply. This talent shortage has created an industry where pay is high and the options for job seekers are plentiful. However, while job opportunities abound, employers have set a high bar for applicants. In the ever-changing world of cybersecurity, where the threat actors and threat vectors are constantly changing, as are the threats themselves, the ability to look at each event objectively and not just ask 'how' but understand 'why' is what gets to the root cause. This is the game-changing skill for cybersecurity experts.

11:00 - 11:30

Village Track: Patient Zero Day

Patients turn to social media when the healthcare system does not meet their needs. The problem is: most of this "patient engagement" happens on social media platforms focused on monetizing user data, in ways that cause real harm to vulnerable populations. According to a recent study by Hopelabs, 51% of young adults say they have tried to find people online with health concerns similar to their own. What does this mean when health data can be weaponized? This talk explores threat models for vulnerable patient communities, and will share examples of OSINT techniques that show the problems of medical misinformation.

11:30 - 12:30

Track 1: Looks (and dogs) can be deceiving: student on student manipulation

This presentation examines a social engineering project that was implemented by an undergraduate student in the summer of 2019 at Temple University. The project utilized the social engineering tactic of pretexting in order to determine how susceptible college students are to disclosing information that is often used for online passwords or security questions. This presentation discusses each pretext and the corresponding psychological principles of persuasion used to convince the college students to complete the survey, including reciprocity and the natural inclination to help. Additionally, the presentation outlines the response rates of each question compared across the four pretexts and examines the findings from the post-disclosure interviews.

11:30 - 12:30

Track 2: The Pentester Blueprint: A Guide to Becoming a Pentester

Pentesting, or ethical hacking as it is more commonly known, has become a much sought-after job by people in IT, InfoSec, or those just trying to get into the industry. In this presentation, Phillip Wylie shares the blueprint for becoming a pentester. The presentation combines Phillip's experience as a pentester and ethical hacking instructor to give attendees a guide on how to pursue a career as a pentester. Phillip shares what has worked for his students and the people he has mentored over his years as a pentester. This presentation covers the knowledge and skills needed to become a pentester as well as the steps to achieve them.

11:30 - 12:30

Track 3: Bug hunting in firmware and hardware at scale: Tools, tips, and some real vulnerabilities

Finding vulnerabilities in embedded device firmware and hardware has historically been a slow and laborious process requiring security researchers to drink too much coffee while staring at a disassembler. While we will not attempt to solve the coffee problem, there are now tools and techniques to help those either new to embedded systems or those trying to scale up their bug finding to help automate vulnerability identification in firmware and hardware.

In this talk, we will provide an introduction to embedded bug classes and where they are most often seen. We will show today’s most common methods to find these bugs and why they are inadequate for today’s necessary scale. We will demonstrate some of the best uses of open source tools for finding firmware vulnerabilities and then demonstrate the types of vulnerabilities that can be found in an automated fashion. We will do the same for basic hardware vulnerabilities, and show a new open source tool to assist with debug port glitching to gain a shell on a device. Example targets will include routers, IP cameras, and others.

11:30 - 11:50

Village Track: A Perspective To Understand Malware

There's no earthly way of knowing which direction we are going. There's no knowing where we're rowing, or which way the river's flowing. Is it raining? Is it snowing? Is a hurricane a-blowing? Not a speck of light is showing, so the danger must be growing, AND THEY'RE CERTAINLY NOT SHOWING ANY SIGNS THAT THEY ARE SLOWING!!! - Willy Wonka

1:00 - 2:00

Track 1: The Role of Social Science in Cybersecurity Research and Education

In an era where big data, machine learning algorithms, and simulations are used to understand cyber adversaries, is there room for qualitative or 'thick' data? This talk shares a social scientist's perspective on the relevance of thick data in understanding the 'how' and 'why' of adversarial behavior, movement, decision-making, adaptation to disruptions, and group dynamics. More specifically, it highlights the potential for symbiotic relationships between social science methodologies, such as observations and focus groups, and technical methodologies, such as time series analysis, social network analysis, and machine learning and prediction.

The talk will then share how social science students must be trained via discipline-specific education to effectively engage in the cybersecurity discourse. It details specific educational efforts via gamification and social engineering course projects that not only cater to social science students, but also technical students, and how these efforts help break silos to foster multidisciplinary dialog.

1:00 - 2:00

Track 2: Digital Separation: Reclaiming your data, post-relationship and implementing risk-based OPSEC

This talk is completely centered on you. What is your risk profile? What data security would you have to consider if you were to end a relationship? How do you anticipate, prevent, and respond to threats?

Personal risk management includes: ensuring personal safety, protecting personal privacy, feeling in control, transitioning to independence, removal of access, mitigating / minimizing threats, monitoring for intrusion attempts, & responding to intrusions.

1:00 - 2:00

Track 3: Offensive Embedded Exploitation : Getting hands dirty with IOT/Embedded Device Security Testing

The world is moving towards a smart culture: everything nowadays is smart, and most of those smart devices are basically embedded devices with internet connectivity or some provision to connect to the internet. Since these devices are booming in the market, they are also tempting lots of people and groups to hack them.

In this 1-hour talk we will discuss how to test embedded/IoT devices. It will give you a methodology for assessment: how to perform firmware analysis, identify vulnerable components, and take a basic approach to reverse engineering the binaries to discover potential remote code execution and memory corruption vulnerabilities by looking for natively vulnerable C functions or bad use of functions like system, popen, pclose, etc. After conducting static analysis and firmware analysis, we will move towards a dynamic testing approach, which includes web application testing, underlying OS security testing, and identifying vulnerabilities and misconfigurations in the device. At last we will move towards fuzzing the device via web application parameters and installing an appropriate debugger on the device to identify memory corruption vulnerabilities.

2:00 - 3:00

Track 1: Cyber Deterrence and Adversary Management: A Decade of Lessons Learned

Traditional approaches to Computer Network Defense (CND) are feudalistic in nature; defense in depth assumes that there will be some layer of your network at which you can stop your adversary. The reality of the Advanced Persistent Threat is that they will find a way onto your network if so ordered. Organizations that are targeted by APTs (-- which is to say, y’know, organizations) need a different CND paradigm in order to regain the homefield advantage and drive up the cost for those who wish to attack them. Cyber deception offers us an avenue to observe and study our adversary. By leaving an intentional vulnerability as a path-of-least-resistance for our adversaries, we can guide them into an instrumented or deception network. By allowing our adversaries to operate, we can elicit their tools, techniques, and procedures. By understanding what interests our adversaries, we can discern with confidence their goals. By poisoning the information they steal, we can control their intel streams. MITRE has been researching cyber deception for over a decade. We have run experiments, had many successes (and failures), and learned gads about how deception can be used to manage and deter our adversaries—and yours.

2:00 - 3:00

Track 2: Pushing the SOC left to Achieve Nash Equilibrium

As defenders, we've seen the landscape change over the last few years: a shift to cloud, better endpoint detection capabilities, and overall acceptance of leveraging threat intelligence. All these items are advantages for SOC personnel, but how are we incorporating application security? The idea of "shifting left" is based upon a secure SDLC, but how do we build detection, response, and monitoring of applications into the SOC? The normal gamut of next-generation firewalls and antivirus products isn't applicable, as applications differ from build to build. This talk will focus on building out capabilities to help defenders identify attacks against the application, build detection mechanisms, and leverage this information for triage.

2:00 - 3:00

Track 3: Hash-Tag, You're It! Exploiting Domain Name Collision

Domain name collision is not a new problem; it is likely as old as the domain name system itself. The problem occurs when a request intended for a private, internal domain name – a request that should only be resolved by an internal DNS server – is inadvertently resolved by a public DNS server. Thus, the request, and the data traveling with that request, is sent to a public domain, rather than the private domain it was intended for.

Domain name collision has been regarded as a relatively low-risk problem, mainly due to the assumption that the likelihood of being impacted at all by domain name collision is quite low. We will walk through our research, which proves the opposite and is intended to illustrate exactly how and why domain name collision occurs, how to protect oneself from its exploitation, and how much of a risk this decades-old problem truly is.

2:00 - 3:00

Village Track: Bobby Pins, More Effective Than Lockpicks?

When should you not have picks in your pocket? Answer: never... but

This course will present to the novice and the less prepared suggestions for improvising lockpicks when the proper tools are not on hand, as well as bypass techniques that are more effective than trying to pick a lock, especially when you don't have the proper tools on hand. This class is ideal for our current situation!

3:00 - 4:00

Track 1: Everyone Can Play! Building CTFs To Teach Non-Security Folks

Most security practitioners are aware of the learning and fun that comes from participating in Capture the Flag competitions. Racing against other teams, solving brain-twisting challenges and seeing new ways to compromise systems teaches and entertains. CTFs are also a great tool to give non-security folks a hands-on understanding of how security vulnerabilities enable criminal activities, reduce user privacy and degrade system reliability.

In this session you will learn to build interesting, educational and easy to use Capture the Flag events targeted at developers and other technical, non-security, users. We will cover specific considerations for each audience you target, how to create interesting (yet solvable) challenges, and how to make the overall experience friction free for the participants. You will also learn tools and techniques to create easily repeatable, consistent events with minimal work.

3:00 - 4:00

Track 2: So, you want to be a CISO. But do you really?

It seems like everyone wants to be a CISO. And why not? They are in the spotlight, the pay appears to be great, and the role is at the top of the infosec pyramid. The reality doesn't always match appearances. This session will discuss what the role is and isn't, how to decide if it is the right role for you, how to get the gig, and what to do if you decide it is not a good fit. The talk is meant for anyone considering being a CISO, not sure what to do next, and looking for some real-world advice from a CISO.

3:00 - 4:00

Track 3: Forgot Password - Finding Missing People Using Login and Password Reset

Open Source Intelligence (OSINT) is very helpful in finding missing persons. Login and password reset functions leak a lot of information but they have been underutilized in this field. Examples come from major sites including social media, financial services, eCommerce, telecommunications and technology providers, leaking masked emails and phone numbers, usernames, names and employers, all of which can be findings or pivot points. Even knowing what site a person participates in can yield great insights because it can provide a new lead and opens the door for getting information via legal process. Attendees will get access to a freshly compiled collection of over 300 sites that leak useful information for online investigators, social engineers and penetration testers. Defenders will walk away with helpful tips on how to design secure login, password reset, and signup functionality.

3:00 - 3:30

Village Track: Operational Intelligence in a Corporate Environment

Ways to improve your operational intelligence skills in a practically applicable manner while gaining actionable information. We will demonstrate various OSINT tools, and how to leverage relationships within organizations to gain information.

These skills can be applied to:

  • Manage MSPs

  • Improve efficiency in testing

  • Improve efficiency in forensics

  • Help achieve career goals

  • Quickly identify gaps in the security landscape

3:30 - 4:00

Village Track: Attack Vectors in Evolving Power Systems

Distributed Energy Resources (DERs) are changing how the grid functions as consumers integrate more IoT devices and systems, including high-wattage ones. This session provides an in-depth discussion of how these two factors can be targeted/leveraged in tandem to cause the "worst bad" attack scenario.

In the past decade, adoption of DERs, such as solar power, has significantly increased in the United States. These DERs have begun to fundamentally alter the fabric of the national power grid, which previously remained largely unchanged since its original creation. In addition to creating new operational challenges, the addition of DERs also presents new benefits and challenges to protecting the grid from a diverse array of cyber threats. As threat actors increasingly target critical infrastructure, and energy assets specifically, it is vital to understand how emerging technologies are altering the threat landscape of power systems.

Firstly, distributed renewables may offer key benefits to maintaining localized power integrity and stabilization during short-term malicious events. When deployed as part of a larger aggregated system, DERs possess the potential to offer crucial resiliency resources during incidents affecting centralized power assets. For instance, photovoltaic (PV) systems, commonly referred to simply as solar, may provide important contingency options for maintaining the integrity of system frequency during events affecting generation and transmission systems.

However, threat actors may also leverage DER characteristics that increase system fragility to imbalances in generation and demand. High regional penetration of DERs can cause high system variability, lower system inertia, and decreased dispatch control. When combined, these factors adversely affect grid controllers' ability to respond to unforeseen fluctuations in generation and demand. Threat actors capable of procuring botnets of high-consumption devices may leverage these factors in high-penetration regions in an attempt to degrade and disrupt service to consumers. Coordinating high-wattage IoT load manipulation with peak load times in such a region could result in power disruptions.

4:00 - 5:00

Track 1: Red, Blue, EQ

Cybersecurity is a people-centric discipline. We work in teams, communicate with a broad audience, make decisions during high-pressure events, and attackers depend on people's emotions to initiate compromises. Cybersecurity professionals can enhance cyber defenses as well as advance their careers, becoming stronger leaders and influencers within their organizations, by increasing their Emotional Intelligence. This talk will cover the basic framework of strong EQ skills and how these skills will enhance your professional career and overall approach to cyber resiliency.

4:00 - 5:00

Track 2: Outbreak! Virus vs. Virus: How We Can Apply Current Legislation and Handling of the COVID-19 Pandemic to the Spread of Malware

nCoV-19, the novel coronavirus, struck the world nearing the end of 2019 and is far from reaching its peak. Genetically related to SARS, it has been exhibiting a staggering spread rate due to asymptomatic viral shed. In the current age of almost worldwide quarantine and required isolation, unprecedented media frenzy has covered every stage of the outbreak and the subsequent response. This, in turn, has exposed a transparent planning and response model for analysis. The aim of this research was to study the manner in which a pandemic virus spreads in comparison to many of the malware campaigns we see and what the respective response frameworks look like. By investigating patterns, vectors, epidemiologic data, and casualties, the similarities between pandemic spread and the spread of malware can be drawn and compared. Building on both experiential and regulatory research, this talk asks what we can learn from the nCoV-19 and prior pandemic responses, and how the tactics observed in the ongoing pandemic can lend themselves to more effective cyber incident response & mitigation.

4:00 - 5:00

Track 3: Don’t end up with a pencil: Tips for shopping for pen tests

As a blue team, penetration tests are a critical part of your security program and finding a pen test company that can meet your needs is paramount. Unfortunately, there is no manual for hiring a pen tester. Sometimes you need to learn from mistakes and successes.

This presentation will go over the experience of a penetration test from the customer’s perspective. You’ll hear stories of tests that were good, bad, and ugly. First, you need to determine what your goals are to pick the right kind of assessment. Then you can start looking at vendors. Asking some of the right questions beforehand can really set the stage for success. Contracts, scoping, and documentation can be a pain, but they are important. We will go over the things you want to cover. Afterward comes the report. What should you do if there are lots of findings? What if there aren’t any? We will cover answers to these and more to help make sure when you buy a pen test, you don’t end up with a pencil.

4:00 - 4:30

Village Track: What Stickers, Donuts, and Listening Can Do for Your ICS Security Program: There is no blinking box coming to save defenders of Industrial Control Systems

Relying on technical controls alone to secure legacy technologies that have been in place since many defenders were in diapers is a dangerous, not to mention expensive, game to play. But what if someone told you that the path to building and sustaining a robust ICS security program involved donuts, stickers, and relationships? This talk is for those that want to develop the partnerships that will help them reduce risk and forge the partnerships that will be required if you ever experience an ICS incident. Attendees of this talk should leave with some specific, immediate, and budget friendly initiatives that can take their ICS security program to the next level.

4:30 - 5:00

Village Track: Introduction to Lockpicking

Ever wondered how that lock on your door works? The one on your bike? Looking for a new at-home hobby? Come learn how to pick from home! We will teach how locks work and how to pick them, in addition to giving you some pointers on how to stay out of trouble.

5:00 - 6:00

Track 1: My Journey through Tech with ADHD

My diagnosis was a breakthrough. I couldn't focus, I was distracted and felt I wasn't doing my best work. Then I found out that I have Attention Deficit Hyperactivity Disorder (ADHD). In this talk, I'll explain the symptoms I had, how I got diagnosed, what it means to have ADHD and some of the things I've been doing to work with it.

5:00 - 6:00

Track 2: AWS Security: Easy Wins and Enterprise Scale

Cloud computing continues its rampant growth, and AWS maintains its lead as the predominant platform. Since the last BSidesBoston in 2017, AWS adoption has gone from 57% to 76% of enterprises (per RightScale/Flexera State of the Cloud 2017/2020). Whether your organization has two feet firmly in the cloud, is dipping a toe in the water, or you personally are wondering "where do I even start," it's important to learn to adjust security to cloud environments.

This talk will look at two ends of the spectrum. First, we'll go through the easy wins that almost anyone or any organization can identify and apply. Then, we'll pivot to look at the big-picture security problems to consider as either your security maturity or AWS usage grows. We won't be able to go deep into all the weeds of the topic, but instead we'll provide the essential information and pointers for next steps. No matter the size, complexity, or sophistication of your AWS environment, you should walk away with an idea of where to look for your next actionable improvements.

5:00 - 6:00

Track 3: The Delicate Art of Tuning Security Tools for DevSecOps

Today, developers are exponentially increasing their rate of code deployment to keep pace with management's expectations. With the advent of DevSecOps and security tooling that promises 100% code coverage, a secure software development lifecycle requires constant tuning to operate at this increased pace. Along with the constant improvements to the SDL, the tooling needs to match. The "set it and forget it" expectations need to change.

Each project type has its own nuances, which include the usual suspects: the seasoned, mid-aughts legacy codebase with a monolithic deployment model; the early-teens separation-of-concerns deployment model; the modern and lean microservice and serverless architectures; the modern JavaScript user interface. Unsurprisingly, each of these differing types also leverages different frameworks and programming languages, and as larger companies seek new talent, these codebases and deployment models sprawl to cover legacy and modern techniques. What is the AppSec Engineer to do?

This presentation explores the patterns to a successful DevSecOps pipeline, identifies key questions to ask during the project onboarding process, tears down the misconceptions of traditional DevOps, and helps identify anti-patterns that will present themselves during the implementation of the pipeline. Each of the usual suspects will be explored, and tips will be included to address each style. At the end of this session, we will learn how to better adapt to the ever-evolving state of development and the DevSecOps pipelines at our companies.