Schedule

BSidesSLC Talk Schedule

BSidesSLC, March 22, 2014

As of this posting, Track 1 has room for 150, Track 2 has room for 40

Time        Track 1 / Track 2

8:00-8:50   Check-in, Meet'n'Greet
8:55        Track 1: Welcome and announcements
9:00        Track 1: Dmitry Dessiatnikov - Mobile Application and BYOD (Bring Your Own Device) Security Implications to Your Business
            Track 2: (none)
10:00       Track 1: Doktor Unicorn - Hardware Level Attacks
            Track 2: Joshua Skains - Private Cloud and Security
11:00       Track 1: ∞d4rkm4tter∞ - How I made people angry with Burp: Web app testing in real life
            Track 2: Jason Reverri - The SANS 20 Critical Security Controls and you.
12:00       Lunch
1:00        Track 1: Danny Howerton - NGFW's And You
            Track 2: Jeffrey Doty - Basic Malware Analysis
2:00        Track 1: Lance Buttars - An introduction to back dooring operating systems for fun and trolling.
            Track 2: Sean Jackson - All the Sexy of the SSL
3:00        Track 1: Danny Howerton - Beginners Guide to the Dark Side of the Internet
            Track 2: Kenny Long - Intro to malware analysis
4:00        Track 1: Adam Steed - Top 10 Mistakes Made With Using Microsoft As The Foundation Of Your Identity Access Management Systems
            Track 2: Dan Anderson - Hackers vs Auditors
5:00        Track 1: Jason Wood - The Winding Road to Penetration Testing and Consulting
            Track 2: (none)
5:55        Track 1: Thank Yous and Goodbyes

Talks

9:00 Track 1 Mobile Application and BYOD (Bring Your Own Device) Security Implications to Your Business

Dmitry Dessiatnikov
The explosion of the mobile application market coupled with acceptance of "bring your own device" (BYOD) to enterprise environments comes with its unique security risks. While driven by a rise in productivity, convenience and overall user satisfaction BYOD increases the attack surface that most businesses are not prepared for. In this presentation we will cover the reasons for concern along with a demonstration of a remote compromise of an Android phone in a corporate environment. We will also discuss the OWASP top 10 mobile risks and demonstrate some common issues with a vulnerable iOS mobile application. A free tool will be shared with the audience that can assist with assessing their corporate BYOD environments. Finally, we will cover some mitigating controls and what can be done to address raised issues.

10:00 Track 1 Hardware Level Attacks

Doktor Unicorn
A running computer program is not a mathematical abstraction, but a physical process taking place somewhere in the real world. This makes all programs and the devices they run on vulnerable to a variety of physical attacks that are often overlooked or dismissed as impractical. Sometimes they are unrealistic, but there are areas where such attacks are a primary concern, such as in the design of cryptoprocessors. This talk will provide an overview of the kinds of physical attacks, such as timing attacks, power analysis, compromising emanations (aka TEMPEST), hardware trojans, fault injection, and IC reversing, among others. And if all goes well, there will be a live demo or two.

10:00 Track 2 Private Cloud and Security

Joshua Skains
In the cloud computing world, everyone is rushing to services like Amazon Web Services and Google Compute. Partly driven by DevOps ideologies, is it safe to do? How might Private Cloud (OpenStack) serve both masters, the developers that want more freedom and the IT departments that want more control?

11:00 Track 1 How I made people angry with Burp: Web app testing in real life

∞d4rkm4tter∞
Come listen to the tale of how I caused some headaches for an unsuspecting web application company, discovered flaws in programming logic with their web application, and helped them understand their vulnerabilities while fighting the stereotype of 'hackers are evil!' Yes, this talk will be technical and cover things like Burp Suite and curl.

11:00 Track 2 The SANS 20 Critical Security Controls and you.

Jason Reverri
In today's world, to achieve true information security one must do more than just check a box for compliance. Business drivers and funding options are based on measurable results or satisfying regulatory obligations. Enter the SANS 20 Critical Security Controls for Effective Cyber Defense. The CSCs are a framework based around the philosophy that "offense must inform defense" with a focus on a list of the controls that would have the greatest impact in improving risk posture against real-world threats. By taking a holistic security approach, the CSCs provide an objective security model without limiting themselves to a single industry or dataset. Learn about the 20 controls and how to apply them in your environment.

1:00 Track 1 NGFW's And You

Danny Howerton
Next Generation Firewalls (or NGFWs) are all the rage these days, and it's all you will hear about when looking to upgrade some of your networking infrastructure. I will give you the lowdown on what they are, how they work, how they differ from traditional firewalls, and what you need to know about rolling one out into your environment.

1:00 Track 2 Basic Malware Analysis

Jeffrey Doty
You have malware on your network/system. Do you freak out or go about your day? Basic malware analysis isn't too difficult and can be done by most Sys Admins. This talk will walk you through how most malware is distributed, how to look for it in your logs and how to determine the basic functionality of the malware sample. The goal of this talk is to empower Sys Admins with the skills to know what just happened on their network. Was this website that my user visited compromised? Did that user get infected with malware? Is my firewall blocking the command and control traffic? Or is this something more serious that a professional malware analyst needs to look at?

2:00 Track 1 An introduction to back dooring operating systems for fun and trolling.

Lance Buttars
So you want to set up a back door? Have you ever wondered how it's done and what you can do to detect back doors on your network and operating systems? Ever wanted to set up a back door to prank a friend? This presentation will do just that. We will go over the basics of back doors using SSH, NET CAT, Meterpreter and embedding back doors into custom binaries, along with the logistics of accessing them after they are in place.

2:00 Track 2 All the Sexy of the SSL

Sean Jackson
We’ll be discussing the SSL handshake, and what’s really going on under the hood. You don’t need to bring your calculator, but it’s all math. We’ll talk about CAs, what kind of a target they are for hackers, what they do, why, and how, and we’ll discuss Moxie and his plans to overthrow the CA world. Then we’ll talk a little about how SSL can go wrong — SSL Proxies, BEAST, CRIME, BREACH. And then we’ll talk about what could be done to counter the NSA vacuuming up all our base. What could be more sexy than that?

3:00 Track 1 Beginners Guide to the Dark Side of the Internet

Danny Howerton
We are living in a world where privacy is becoming a paramount concern to the general public and the need for staying anonymous online is starting to become necessary. This is where Tor comes in. I will speak about how to set up Tor, access Tor, and find some of the most interesting Tor hidden services. I will also take you through bitcoin, what it is, and how to use it. Lastly we will take a look at some of the online black markets where you can literally buy anything you may want. Some of this material may be NSFW and not appropriate for small children.

3:00 Track 2 Intro to malware analysis

Kenny Long
An intro to Windows behavioral malware analysis: where to get samples, how to set up an analysis environment that simulates internet services, and how to observe changes made to the victim machine.

4:00 Track 1 Top 10 Mistakes Made With Using Microsoft As The Foundation Of Your Identity Access Management Systems

Adam Steed
Every year we ask our Identity Access Management Systems to do more and support more types of authentication, for example SAML or Smart Cards. At the heart of the majority of organizations are Microsoft products like Active Directory, Certificate Services, and ADFS. Over the years I have seen some very commonly made mistakes, from very large organizations to very small ones. Understanding the top 10 list, you will be surprised how commonly these mistakes are made. A few of the items on the list are:
Why does my login randomly fail and the time server settings everyone forgets to make on Domain Controllers
Forgetting to get a registered OID for your PKI and how this means we all can't be friends
Overcoming your fear of ADSI edit and places in the AD Schema everyone forgets to cleanup over time
Not understanding the most important part of a PKI and hint it's not the certificate server it's a text file
Why can't we all just use SQL…the dangers and pitfalls of Virtualizing Microsoft IAM products that use JET databases
All those DNS directories that start with underscore and why you should actually go inside them

4:00 Track 2 Hackers vs Auditors

Dan Anderson
Comparison and contrasting of the traits associated with auditors and hackers and the advantages for each to keep an eye on the other. Some amusing video clips and general audience engagement is encouraged.

5:00 Track 1 The Winding Road to Penetration Testing and Consulting

Jason Wood
One of the questions that is frequently asked of penetration testers and security consultants is, "How did you get to doing that?" This is usually followed up with questions about how they can do the same thing. In this presentation, Jason will discuss his experience in becoming a penetration tester and what he's learned since then. There will be discussion about what the work is like, what's great about it, and what is not so great. This is an opportunity for the attendees to ask their questions and hear what it's like to be a security consultant.


Bios

Dan Anderson

@Z0lt0n
Infosec Researcher. President of ISACA Utah Chapter, Vice President of FBI Infragard Salt Lake Chapter, Supporter of DC801Labs. CISO Spectra Consulting Group.

∞d4rkm4tter∞

palshack.org @d4rkm4tter
Computer obey d4rkm4tter. Cloud obey d4rkm4tter. Wire obey d4rkm4tter.

Lance Buttars

www.obscuritysystems.com @Lost_Nemus
Lance is a hobbyist security enthusiast at night and spends his days working in the payment card industry developing RESTful APIs for bill pay using cash payments. Lance works with open source systems, is an avid Linux buff, and enjoys setting up and hardening Linux systems. Lance has over 11 years of experience working in information technology focusing on system administration and software development. Lance codes in PHP, Python, Java, C++, and C# and has written numerous applications throughout his life. Lance developed a love for security at Salt Lake Community College after being immersed in it by his professors. To better understand the world of security, Lance started attending Defcon down in Las Vegas 6 years ago, and once he completed his Bachelor's degree in Computer Science in 2012 from Weber State, he started furthering his education by attending Defcon 801 meetings. A year after joining the group, he currently holds a position on the board of directors for 801 Labs, which is the corporation that runs the DC801 hackerspace located in downtown Salt Lake City.

Dmitry Dessiatnikov

www.securityaim.com @SecurityAim
Dmitry Dessiatnikov, a veteran with over fifteen years of security experience, is the President of Security Aim, an information security consulting company. Prior to Security Aim, Dmitry was a Managing Principal Consultant on the Attack and Penetration Team of Accuvant LABS, where he provided consulting services to large corporate clients. He offered ongoing thought leadership by developing methodologies and tools while serving the community as a leader of the Salt Lake City OWASP Chapter and on the Board of Directors of UtahSec. Before joining Accuvant, Dmitry was a Senior Security Consultant in the Security and Technology Solutions Practice at Ernst and Young, LLP, where he was the leading penetration-testing specialist in the West Coast region. Dmitry has presented at multiple security conferences and published white papers that appeared on the SANS "Top 25 Papers Viewed of All Time" list. He is a CISSP and holds a Master's degree in Information Systems Management.

Doktor Unicorn

@DoktorUnicorn
As the official unofficial mascot of DC801, Doktor Unicorn seeks to spread enthusiasm and awe about hacking to those around him. Kind of like a hacker version of Bill Nye. He is currently accepting new patients.

Jeffrey Doty

http://bluecoat.com/security/security-blog @jeffreydoty
Jeffrey Doty is a Malware Analyst for Blue Coat Systems. Jeff spends his time tracking malicious actors and reverse engineering their malware.

Danny Howerton

dc801.org @metacortex
You've probably seen this guy around if you participate in the SLC security scene. As someone that never grew up, if he could, he would eat mac & cheese and drink fruit punch for every meal. Oh yeah, some security stuff in here and why he is qualified to speak at BSides-SLC.

Sean Jackson

@ShunkyDave
Sean is a husband and father of five. In an earlier life, he was a PHP programmer, and he's also worn a QA hat. Sean has been a security engineer for the last three years, focusing on governance, risk management, and compliance. He's working on gaining more blinky-light experience and becoming a better pentester.

Kenny Long

@ipnerds

Jason Reverri

www.compunet.biz @nibb13
Husband, father, and infosec geek.

Joshua Skains

@jskains LinkedIn
Having started with BBSs, and eventually a full ISP at the age of 13, I have worked with everything from Windows 3.51 to Slackware Linux, all the way to now Amazon Web Services and OpenStack. A senior Systems Engineer and Architect by trade, my passion for the IT industry now spans over 20+ years, depending on who you ask.

Adam Steed

Working with hundreds of companies over the years, Adam Steed has found common threads that we all can learn from. Being in the industry for over 15 years is just the right amount of time to see history repeat itself. Possessing a Master's in Information Technology and a CISSP creates just enough credibility in the industry to not be taken for a complete fool at first glance (that comes later).

Jason Wood

Jason Wood is a Principal Security Consultant with Secure Ideas and performs penetration testing for clients big and small. He has over a decade of systems administration and security experience with the Windows and UNIX/Linux operating systems. One of his current research projects is looking into security and privacy issues regarding the Xbox One and Xbox Live. Jason is an active speaker and has presented at a number of conferences such as MIRcon, Derbycon, Utah Open Source Conference, InfoSec World and others.