Lesley Carhart -- Together, We Could Land a Plane: Our Unconventional Community as our Strength
Most of us have an ideal stereotype of a "great hacker" in our minds - somebody who started young, made it big, and has a superior set of skills in every niche. In reality, that's not what the vast majority of us look like. It's time for us to stop feeling ashamed of our lives before we were professional hackers, as well as our hobbies we believe are unrelated to the field. In reality, our wide range of expertise and experiences is fundamental to solving the huge challenges we will face through 2017 and beyond. This collaborative keynote will help you find ways to apply your non-infosec skills, education, and hobbies to tackling the seemingly impossible problems many of us fear to face. You will leave inspired with new ideas for your own infosec talk, blog, podcast, or research project.
James Dickenson and Chris Tilley -- Network Security Monitoring Product Evaluation
Selection of a network security monitoring (NSM) product can be a difficult process and proper instrumentation is critical to the success of a SOC. The security world is in no short supply of vendors or solutions. However, the challenge remains determining which of the handful data points can be used reliably to make a procurement decision. We will share hard earned lessons from our experiences analyzing product reviews, validating performance claims, and field testing to validate implementations and real world performance. We will explain the framework we developed for evaluating performance criteria and describe the lab we built to execute tests in a controlled repeatable manner. We will then discuss how to distill test results into a concise report which aids in selecting a product that satisfies your prioritized requirements. In short what it takes to build a holistic and comprehensive view of the strengths and weaknesses of any IDS, SIEM, and other device you might be trying to evaluate.
JC -- Facing the Kobayashi Maru: Incident Response Tabletop Exercises
Multiple compliance frameworks require testing your Incident Response Plan. Unfortunately, that is usually the extent of their guidance. Tabletop Exercises have quickly become a very popular method of evaluating Incident Response Plans. During this discussion, JC will explain the Tabletop Exercise process including designing, conducting, and reporting. JC will also discuss which organizations will benefit most from a Tabletop Exercise and other methods of testing for both more and less mature organizations.
Sn0ww -- Going Past the Wire: Leveraging Social Engineering in Physical Security Assessments
Many organizations have started understanding the value they can get with a physical security assessment. However, after having one performed, they are left with a network penetration test report. Unfortunately, many consulting firms do not know how to go past the wire and evaluate the physical security of an organization including their employees. During this talk, Stephanie will discuss the methodology she utilizes at Snowfensive when performing a physical security assessment. This method covers everything from OSINT and on-site reconnaissance, crafting pretexts, multiple attack vectors, and tips and tricks.
This talk has been designed for both red and blue team members. For red team members, they will be able to take away ideas and attack vectors to provide a more valuable service for their clients. Blue team members will be able to take away a better understanding of what a physical security assessment is, what should be included in the scope and ideas of what they could look for internally to secure before having an outside firm conduct an assessment. This talk is designed to appeal to multiple skill levels ranging from junior to manager.
Adam Englander -- Biometrics: Fantastic Failure Point of the Future
Biometrics is all the rage. It has been touted as the best of all possible authentication methods. Very soon, your customers and standards boards will be requiring you implement some sort of biometric factor for authentication. Before you head down that road, you need to know the pitfalls to avoid before becoming the next big breach in the news. The very nature of biometrics requires special handling and forethought. Learn how biometric authentication is performed and how to safely secure biometrics to protect your users and future-proof your authentication.
Thomas Elegante -- InfoSec Parenting
As our children grow, their curiosity and understanding of the world grow with them. When our children come of age, they question everything we do and no longer accept "no" as an answer. Much like our children, our business partners are also growing. Today's typical employee is exposed to technology at home and at work. Gone are the days when employees have no knowledge of technology. And, because of this, the business no longer accepts "no" as an answer when it relates to security issues. This opportunity means that we must correctly assess the risk of security gaps and communicate this risk to the business in means they will understand. Doing so will help us forge a better relationship with our business partners, serve their needs better, and provide better security for our organizations.
Adam Fisher -- Man in the Cloud Attack
"Man in the Cloud" (MITC) attacks rely on common file synchronization services (such as GoogleDrive and Dropbox) as their infrastructure for command and control (C&C), data exfiltration, and remote access. Without using any exploits, we show how simple re-configuration of these services can turn them into a devastating attack tool that is not easily detected by common security measures.
Waylon Grange -- Hadouken! Exploiting Street Fighter V to gain ring0
In late 2016 Capcom released an update for their PC game Street Fighter V. The update included a new anti-cheating mechanism implemented as a kernel driver. However, instead of improving the security of the system, it weakened it. We'll look at how this driver works and create a combo move that will KO the system and grant us ring0 access.
James Habben -- USB Device Analysis
You already know that USB devices present a danger of infection to users, but how do you determine the level of risk? To make things harder, there are advanced USB devices and OS exploits that can infect even your examiner workstation if you don't take the appropriate precautions. I will walk you through an investigative methodology to both discover the threat quickly, and protect your assets in the process.
RuShan -- NIST Risk Management Framework and why it should be utilized
This talk will cover the NIST Risk Management Framework (RMF) and why it should be used when developing new security strategies. RMF is what the Government is trying to standardize to and it provides many benefits to industry. It will provide a basis on what is available and how to start understanding the benefits of a risk based analysis.
Tiberius Hefflin -- De Falsis Deis: Social Contracts
Social engineering; it's a little more common and complicated than you might think. Wherever people live and work together, a social contract is formed. First theorized by Socrates and further expanded by Tom Hobbes, John Locke and Jean-Jacques Rousseau, this system is so fundamental most people take part in it unwittingly. Social hackers can use this to their advantage - and by breaking the social contract, we are all left vulnerable to attack. In this talk I will discuss how social contracts develop and how hackers use this natural human behavior against their targets.
Tiberius Hefflin -- Tales from the Crypt-ology
Delve into some of the cryptography world's unsolved mysteries - learn why they're so hard to crack, some of the fascinating history behind them, and the open source tools being developed in an effort to solve them.
Christopher D Hopkins -- NMAP 101
An introduction to the popular network scanner NMAP. We'll go through host and service discovery using different types of scans, using the NMAP Scripting Engine (NSE), and even write a simple script of our own.
Danny Howerton -- Introduction to Malware Analysis
This workshop will not be for grizzled malware analysts. This workshop is intended for those who are new to malware analysis or have a very limited exposure to it. I will cover everything you need to start analyzing malware without learning how to reverse engineer binaries. I will cover setting up a safe sandbox environment, detonating samples, identifying malware families, collecting IOCs, and gathering as much information as you can about a sample that you may come across.
Current Working Outline:
  • Types of malware commonly seen today
    • Web based
      • Malicious websites that point to Exploit Kits
        • iframes
        • javascript
        • java/flash objects
    • File based
      • Binary executables
      • Microsoft Office Documents
      • Visual Basic Scripts
      • javascript files
      • wsf files
  • Setting up a Sandbox Environment
    • Setting up VPN access for your sandbox
    • Installing and using tools for dynamic analysis
    • Staying safe
      • Handling of samples
      • Routing all VPN access through VPN
      • VM Snapshots
  • Static analysis of samples
    • Strings
    • Script extraction
    • Script obfuscation
  • Dynamic Analysis
    • Watching behavior of sample detonation
      • Process Hacker 2
        • Child Process Spawning
        • Process Migration
        • Process Memory Dumping
          • Strings
      • Fiddler 2
        • HTTPS inspection
      • Wireshark
      • RegShot
  • Malware family identification
    • Understanding family behaviors
    • Memory Dump
      • Strings in memory
      • Volatility
    • C2 communication methods
  • Tying it all together
    • Building IOCs from all the information we gathered from our analysis
  • If there is time, a peek into Cuckoo, automated Dynamic Analysis
Jake Jones, Colin Jackson, Nate Smith, Michael Whiteley -- Intro to crypto Challenges and BSidesSLC 2016 Coin walkthrough
This will be a quick intro to crypto coins followed by a hands-on walkthrough of the BSidesSLC 2016 coin. Each stage will have 15-30 minutes to work on (individually or as a team). Afterwards, we’ll reveal the walkthrough for that stage. Later stages can be longer than 30 minutes depending.
We’ll have emails and files from 74rkus that we’ll send to teams upon completion of the stages to speed it along. During reveals, we’ll have recorded screen captures to show solutions (and avoid demo fail). Bottom line: students will get insight on how to approach crypto challenges.
Daniel Jeffrey -- Security and Ops in Startups
In a startup, security and operations discipline can be easy to put off until later. This talk will look at how adding concepts like change control, testing, regular patch management and centralized logging, common in regulated environments, can be implemented efficiently. In any web services startup, these processes can help rather than hinder productivity, both in terms of stability and security.
Haydn Johnson & Lee Kagan -- Planning a Purple Team exercise - the what why and how
Purple Teaming is the idea of using a Red Team exercise with clear training objectives for the Blue Team.
Great exercises should not just be focused on testing a product, they should also test your active Blue Team members and their skills. But how does one start to think about a Purple Team exercise, how does one go about running one and what does it look like?
In this talk we will explain what, why and how, to plan an effective purple team exercise and give some examples. Most enterprise networks are Windows heavy so examples will heavily lean on this.
Testing assumptions, gaps, and blind spots is what being proactive is all about. This talk is both for the console folks and non-console folks.
J0N J4RV1S -- The Surveillance Capitalism Will Continue Until Morale Improves
The War on Privacy is ongoing and it is escalating. Invasions into your privacy have become sneakier, highly automated, difficult to avoid and increasingly convoluted to opt-out from. Content platforms and advertising networks are actively seeking and developing new technologies to collect and correlate the physical identities, movement, characteristics, and Internet activity of consumers.
Skip this talk if you're already familiar with and prepared to defend against:
- Instant facial recognition & correlation at scale
- Geo-fenced content delivery
- Retailer & municipal WiFi tracking
- Unblockable browser fingerprinting
- Cross-device ultrasound beaconing
- Inescapable data brokers
Data poisoning and obfuscation may be our only chance for survival. Come with me - what I will show you is only the shore on a continent of horror.
J0N J4RV1S -- Your political campaign needs a CISO
Let's step outside the political rhetoric and partisanship battleground of the 2016 POTUS campaign and take a 'lessons learned' walk through the many InfoSec-related events that occurred along the way.
Although the DNC hacks dominated the cyber news there were many smaller incidents that deserve to be recognized and considered through the lens of a security team doing an after-action report.
Future candidates for major political positions now need to hire someone to worry over email servers, OSINT, disinformation, data mining, database security, spear-phishing, website security, protecting PII, and whether your mistakes will fuel an escalation of cyber war.
J0N J4RV1S -- Want to reclaim your online privacy? Let's do a data detox together!
Do you feel like your digital self is slipping out of control? Have you let yourself install too many apps, clicked "I agree" a few too many times, lost track of how many accounts you've created? Perhaps you feel you're not as in control of your digital life as you'd like to be. Don't despair! This data detox is designed just for you. By the end of this workshop you'll be well on your way to a healthier and more in-control digital self. This workshop features an accelerated and enhanced version of the 8-Day Data Detox Kit, originally produced by Tactical Tech and Mozilla. The instructor will walk participants through the guide and supplement the kit's instructions with real-world examples and additional actions to take. Participants will receive a paper copy of the kit along with printouts of supplemental information and links. Participants are expected to bring their own devices and have a beginner to intermediate skill level with browsing the Internet and using and configuring their device.
Rob Jorgensen -- I still haven't found what I'm looking for: Employer needs vs professionals goals
This talk is the result of surveys and discussions with local Utah employers of info/data/cyber security professionals and the professionals themselves. The survey focuses on identifying the skill gaps and employers' most desired traits along with an analysis of current and prospective security professionals' goals.
Rob Jorgensen -- Wireshark Crash Course for Beginners
This is a basic workshop for people who are unfamiliar or uncomfortable with packet analysis to "learn by doing" as we analyze a variety of captures. Topics will include understanding how network models relate to Wireshark decoding, common protocols, analysis tools, and extracting information from packet captures.
Sridhar Karnam -- How to build a SOC for mid-sized companies?
It’s the SOC, stupid! That’s what you need to combat the modern cyber threats and attacks. A SOC is what most large enterprises use to protect their environment and it involves a combination of people, process and technology. It is perceived to be costly and complex. However, if you are a mid-sized company with limited budget and limited resources, you are fighting the same advanced threats. How would you build a SOC and run it like the Fortune 500 companies do on a limited budget?
Dave Kennedy -- A Continually Changing Industry: INFOSEC
The industry is under continual change with new technologies, methods of attack, and defensive strategies being formed. Companies are still struggling on how to tackle the phishing issues and exposures to their enterprise without any sign of slowing. As defenders or attackers, we need to have a mutual understanding of each other and the methods that are used. This talk dives into both offensive and defensive methods that are highly successful in attacking and defending enterprises. In addition, how as an industry do we handle changes, keep up with techniques, and continue to raise the bar on making it more difficult for hackers.
Bryce Kunz -- Pwned Cloud Society: Exploiting and Expanding Access within Azure & AWS
With more companies rapidly leveraging cloud providers for services, how do we more effectively exploit and expand access within these cloud-based environments?
This session will help you hit the ground running with your next security assessment by demonstrating common weaknesses and misconfigurations I have seen in real world AWS and Azure implementations. This includes leveraging undocumented features to expand access, pivoting from the compute layer to cloud management interfaces, and manipulating logging to cover your tracks.
Never fear, I will also show you some of the latest techniques on how organizations can better secure information systems within Azure & AWS by leveraging both standard cloud hardening techniques as well as implementing some unique and unconventional detection techniques.

Cloud: it's a privilege, not a right.
Matt Krieger and Kasim Esmail -- Remembering how we got here: Integrating defense-in-depth into DevOps culture
We are living in the age of the App where the term "low-level" likely refers to APIs instead of networks. In the world where public cloud is becoming the default, it's easy to forget how we got to a place where network access and availability is a given and you can build a successful startup without ever plugging in a server (or knowing what actually plugs in to a server for that matter). As organizations continue to adapt to this rapidly changing environment, a myriad of technology solutions create a complex support environment. We will discuss the intersection between DevOps culture and defense-in-depth from the infrastructure automation perspective, addressing common security concerns and mitigating approaches. Throughout the talk we keep in mind that customers and developers alike are all end-users of the complex systems we build and maintain.
David Moore -- The Aftermath of a Fuzz Run: What to do about those crashes?
Fuzzing is a highly effective means of finding security vulnerabilities - new, easy to use and highly effective fuzzers such as American Fuzzy Lop and libFuzzer have driven its increased popularity. Once a fuzz run has found cases that crash the target application, each must be reduced, triaged and the root cause found to enable a fix. In this presentation, David Moore will describe tools, tactics and techniques for performing post fuzz run analysis on the resulting crashes with the goal of fixing the vulnerabilities.
The first section of the talk will introduce/review fuzz testing and memory corruption bugs. Then a complete crash triage/root cause analysis workflow will be outlined including the use of corpus and test case minimizers, debuggers and reverse debuggers and automated memory analysis and crash triage tools such as Valgrind memcheck, Crashwalk, and Address Sanitizer. Finally, examples of memory corruption bugs of varying degrees of exploitability will be presented.
This talk is suitable for anyone with some C programming experience and an interest in using fuzzers to find security vulnerabilities. Attendees will learn how to effectively analyze, triage and fix crashing cases.
John Overbaugh -- I want to help with application security, but I'm not a developer
Application security is a team-wide activity and, even if you aren't a software developer, you can contribute. We'll cover several ways someone with a passion for security can help teams improve overall security, including threat modeling, security and privacy reviews, incident response planning, and other activities.
John Overbaugh -- Threat Modeling 101: Hands On
The Microsoft threat modeling tool has been available since 2013, yet few people understand how to conduct an effective threat model (and follow-up on findings). In this talk, we will perform an actual threat model and I will demonstrate the features and weaknesses of the latest release of Microsoft's threat modeling tool.
Parasaran Raman -- On-Demand Outlier Detection [OD^2] to Optimize Threat Analytics
Detecting outliers/anomalies is essential for querying and pivoting for malicious/unauthorized activity in the network. More often than not, organizations incorporate multiple levels of security using various products available to them to protect and defend their endpoints and network against cyber threats. Signals about potential threats are therefore derived from different sources.
The primary challenge to detecting outliers in a highly multidimensional space is the "curse-of-dimensionality". We collect over 4000 network attributes and this results in the data looking very similar to each other in the original embedded vector space, rendering outlier algorithms ineffective. Attackers often masquerade the attack vectors to look like benign traffic and often the "tell" is in one or few of the network attributes. The significance of this smaller set of features is often lost when looking for outliers in the high-dimensional space.
In this talk, we will discuss a first-of-its-kind approach in the security industry to use minimal signals about malicious activity from different sources to learn new anomalous activity on demand. We will discuss various subspace clustering methods to determine appropriate subspaces where the outliers become "pronounced". We will also discuss ways to generate explanations for the outliers in this space, without which it is hard to validate and interpret outlier predictions.
User feedback is highly critical in on-demand learning systems both to course-correct the learning algorithm and to validate the predictions. In the last part of the talk, we will focus on effective user-feedback mechanisms to strengthen on-demand learning, by building dashboards for efficient data projection and visualization of the outliers.
nibb13 -- Green Eggs and Hacks
Do you like to go to DEF CON?
Would you like to take your kids?
Yes I love to go to DEF CON,
but it is no place for kids!
I would say you might be wrong,
maybe you can take the kids along.
Learning and playing is such fun.
Taking kids to DEF CON can be done.
Picking locks and the SE CTF,
meeting new friends and the EFF!
The next generation, watch it grow.
DEF CON! Oh, the places you'll go!
Bri Rolston -- If System = ICS, Then Pwn4g3 > Root
Got root? Great. Got physics? No? Defender wins.
Total pwn4g3 of an Industrial Control System (ICS) requires more than rooting a system. Successful attacks require 2 payloads, one to control the technology and one to control the process.
ICS attacks therefore require more complex attack strategies, different tool kits, and more time to implement. They also lead to more mistakes. (Hacker foo and practical physics rarely play well together the first time they meet!)
What happens when mistakes are made during an ICS attack?
* Physical changes to closely monitored processes
* Repeated errors interrupting normal automation operations
* An unusual occurrence of defensive advantage

Let's talk about how ICS attacks are planned, common signs attackers are developing the physics payload, and how to defend the process.
Gabriel Ryan -- Beyond Wardriving: Tracking Human Beings with RF Technology
In this talk we'll explore the use of RF technology to track human beings, with a focus on handheld devices. We'll discuss strange and often terrifying methods of mapping wireless communication to human behavior, from packet sniffing trashcans to retail devices that monitor your movements and customer satisfaction. You may even notice some startling overlaps between the techniques used by law enforcement and data driven marketing agencies. Finally, we'll demonstrate implications of this technology within a physical security context. You may ask yourself by the end of this talk: what are we but our metadata?
Gabriel Ryan -- Advanced Wireless Attacks Against Enterprise Networks
This workshop will instruct attendees on how to carry out sophisticated wireless attacks against corporate infrastructure. Attendees will learn how to attack and gain access to WPA2-Enterprise networks, bypass network access controls, and perform replay attacks to gain administrative control over an Active Directory environment. External wireless adapters and preconfigured live USBs will be provided to all workshop attendees, and material learned in the lectures will be practiced within a realistic lab environment.
Areas of focus include:
  • Wireless reconnaissance and target identification within a red team environment
  • Attacking and gaining entry to WPA2-EAP wireless networks
  • Bypassing network access controls (agent and agentless)
  • Firewall and IDS evasion
  • MITM and SMB Relay Attacks
  • Downgrading modern SSL implementations using partial HSTS bypasses
Jessica Ryan -- Practical Web Application Exploitation
This is a hands-on practical workshop in which you will be attacking old vulnerable versions of popular web applications. This workshop will teach you the thought process and practical skills necessary to begin performing web application security assessments at a professional level. You will be taught how to efficiently identify, exploit, and document several of the most prevalent web vulnerabilities. We will also learn how these vulnerabilities can be remediated. We will delve into topics such as: SQL Injection (SQLi), Cross Site Scripting (XSS), Cross Site Request Forgery (CSRF), and External Entity Injection (XXE). We’ll also briefly cover parameter manipulation, functional access control, and filter evasion.
This workshop is aimed at beginners with a background in technology. If you can install a virtual machine on your computer, know a few Linux shell commands, and have some exposure to technologies such as PHP and MySQL, then you’re the perfect candidate. If you’ve already started delving into web exploits and simply want to learn how to work more efficiently, even better (but not a requirement!). If you haven’t done any of the above, this workshop will have a bit of a learning curve, and may require some independent study beforehand.
Privacy and Information Security both share the control space, the question is how are controls implemented to meet regulatory requirements for both control areas. This presentation will deal with the issue of Privacy and Information Security and the misconception that the two are one in the same and the same controls can be used to meet regulatory requirements for both areas. My perspective is from the healthcare arena and patient perspective with regulations where we deal with the privacy and the security rules. What I am trying to do is get the recognition that we are talking about an apples and oranges situation and we need to treat the two as very different control perspectives. My focus will be on Privacy and hopefully I can get you to add it to your Information Security Team and ITS Teams awareness and get them to understand the differences between Privacy and Information Security. I want to provide you with some talking points that I hope will allow you to open that dialog and get a seat at the table and allow them to understand the critical nature of Privacy and the differences between Privacy and Information Security.
Nathan Smith and Brian Hadfield -- I've Upped My Attitude, So Up Yours! (How to maintain a positive outlook as a security professional)
As infosec professionals we often are perceived as negative and unwilling to budge from our point of view. This talk will discuss some ideas on how to work within other teams, social engineering at times, and how to overcome some of those misconceptions.
Adam Steed -- Adaptive Authentication: Smarter Logins Require Smarter Malware
Many websites are moving away from the use of Captcha and Multi Factor Authentication to using Adaptive Authentication. We will look at how Adaptive Authentication works and what information an attacker would need to defeat this type of authentication.
Chad Tilbury -- Windows Credential Attacks, Mitigation, and Defense
Windows credentials are arguably the largest vulnerability affecting the modern enterprise. Credential harvesting is goal number one post-exploitation, and hence it provides an appealing funnel point for identifying attacks early in the kill chain. Unfortunately, credentials are diverse and numerous in Windows, and so are the attacks. With significant credential theft mitigations released in Win8.1, Win10 and Server 2012/2016, both red and blue teams require an enhanced understanding of Windows credentials. Red teamers may suddenly find their favorite techniques obsolete, while the blue team needs to take advantage of available mitigation techniques as soon as possible. Credential types, attack tools, and mitigation will all be discussed, giving insight into both sides of the equation.
Jason Wood -- Get Started Writing Nmap Scripts
Ever look at an Nmap NSE script and think, "one day I should learn to write one of these"? If so, today is your lucky day! This presentation is all about how to get started writing NSE scripts. We will cover an overview of Nmap's scripting engine, look at the basics of Lua, the core requirements of an NSE script and then move into writing a few simple scripts. This presentation's goal is to get you familiar enough with Nmap scripting to start writing your own scripts for problems you have at work. So let's dive in and get started!
Robert Wood -- Red Teaming the Board
Red teaming as an infosec practice has centered lately around showy exploits, social engineering, and ski-mask style hacking. This is just the tip of the iceberg. To better align security teams with what business leaders need, we need to get back to our adversarial roots by focusing on a broader spectrum of threats, how businesses can be harmed, and how to uncover them from a process perspective. This talk will focus on how and where we as security practitioners can apply red teaming techniques in the corporate environment, going beyond the same old live fire hacking exercises with war games, business process reviews, and competitor/market analysis. The goal of this talk is to empower security teams to better align themselves with not only IT and engineering departments, but the core business objectives and directives in place at their respective organizations.