The content brought forth...

Listed below are the lectures selected for presentation with full information.

If you are interested in speaking at InfoSec Southwest, please see our Call for Papers.


Zane Lackey

Founder/CSO, Signal Sciences
Internet Bug Bounty
Open Technology Fund

Continuous deployment and the DevOps philosophy have forever changed the ways in which businesses operate. This talk will discuss how security adapts effectively to these changes, specifically covering:

  • Practical advice for building and scaling modern AppSec and NetSec programs
  • Lessons learned for organizations seeking to launch a bug bounty program
  • How to run realistic attack simulations and learn the signals of compromise in your environment

About Zane Lackey

Zane Lackey is the Founder/CSO at Signal Sciences and serves on the Advisory Boards of the Internet Bug Bounty Program and the US State Department-backed Open Technology Fund. Prior to Signal Sciences, Zane was the Director of Security Engineering at Etsy and a Senior Security Consultant at iSEC Partners.

He has been featured in notable media outlets such as the BBC, Associated Press, Forbes, Wired, CNET, Network World, and SC Magazine. A frequent speaker at top industry conferences, he has presented at BlackHat, RSA, USENIX, Velocity, Microsoft BlueHat, SANS, OWASP, QCon, and has given invited lectures at NYU, UC Davis, and Reykjavik University.

He is a contributing author of Mobile Application Security (McGraw-Hill), a co-author of Hacking Exposed: Web 2.0 (McGraw-Hill), and a contributing author/technical editor of Hacking VoIP (No Starch Press). He holds a Bachelor of Arts in Economics with a minor in Computer Science from the University of California, Davis.


Scott Behrens and Andy Hoernecke


Trapping Hacks With Ensnare

Several methods exist for protecting applications from attackers outside of secure coding practices. Most of these, however, require piling on extra layers of security in the form of web application firewalls (WAFs), web server modules, or complex middleware. In this talk we discuss a different approach: self-defending applications.

Ensnare, an easy-to-install Ruby gem, takes these concepts and moves them from the web server, middleware, and external devices into the application itself. This helps eliminate unnecessary hops and network latency while also increasing the intelligence that can be applied to the rulesets and responses. By residing in the application layer, Ensnare can take advantage of full knowledge of a user's actions and history in order to detect malicious behavior, and produce a much wider range of potential responses in order to block, confuse, or redirect the attacker. Ensnare is extensively customizable and allows the creation of traps and responses that are relevant to the specific application being protected.

In this talk we will walk through the concept and design of the Ensnare framework. We will also show a demonstration that shows exactly how Ensnare can be used and customized to provide a unique protection against web application security threats.

About Scott and Andy

Scott Behrens and Andy Hoernecke are both security evangelists at Netflix focusing on application security engineering as part of the Cloud Security team. Scott loves security research and has previously spoken at DEF CON, Derbycon, Shakacon, Chicago B-sides, and a handful of other security conferences. Prior to Netflix, Andy built the application security program for a Fortune 100 retailer, and taught web application security to grad students at DePaul University.

About Netflix

Netflix is the world's leading Internet television network with over 40 million members in 41 countries enjoying more than one billion hours of TV shows and movies per month, including original series. The Cloud Security team works with engineering, IT, legal, and other stakeholders to help ensure the secure design, implementation, and operation of Netflix's cloud deployment and overall application environment.

Sergey Bratus and Travis Goodspeed

DemystiPHYing 802.15.4 Digital Radio; or, How to Weaponize Fingerprinting for Packet-in-Packet Mitigation Bypasses

The PHY layer of digital radio is commonly viewed as a black box that takes logical frames on one side of a radio connection and magically pops them out on the other (or doesn't, if control sums don't match). The internals of the black box are shrouded in mystery and magic. Antennas, modulation, and error correction are somehow involved, but they seem to exist in a different dimension that cannot be manipulated digitally at byte-level like call stacks, binaries, or parser bugs. For those of us who can't design radio circuits, it seems to be at best a minecraft game of GnuRadio blocks.

But in reality this just ain't so. The PHY in fact contains several digital layers and mechanisms, which can be manipulated without software-defined radio. We will demystify these mechanisms for the 802.15.4 PHY and will show them in action for sending arbitrary bytes and frames through the air without a software radio, sending frames that aren't heard by WIDS but heard by targets if they use different radio chips, "borrowing" error-correction logic to bypass defenses, and fingerprinting chipset families. Orson Welles may have beat us to the Packet-in-packet technique, but he has nothing on our one-eighth-of-a-nybble mitigation bypass and make-your-own-packet cut-out paper games!

About Sergey and Travis

Travis Goodspeed is a Southern Appalachian neighbor with a bit of an obsession for the MSP430 microcontroller. Sergey Bratus is a North Appalachian neighbor and a Research Assistant Professor at Dartmouth College. Together, they accidentally broke the OSI Model with Packet-in-Packet, a PHY-layer exploit for remote frame injection portable to most digital radios, and continue to work on demystifying PHY for neighbors far and wide.

Jessey Bullock and Kevin Dunn

iSEC Partners

Adventures in Pentester Recruitment - Judging Weak Sauce from Fu in the Age of Experts

In this lecture we will discuss our ongoing efforts in trying to answer one simple question - "are they any good?" When hiring a new member of staff in any profession the decision is fraught with pitfalls. But how do you hire a good Security Consultant? Consultants are by nature excellent talkers, making understanding their ability during an interview tricky. Do they really know that or are they just convincing based on what they've studied before coming to the interview? Conversely, some of the most technically gifted people have the reverse problem - they can't articulate themselves well enough to sell it at the interview. Did we pass up a genius because we couldn't understand them on interview day? For our team in Austin we wanted to really test people, allowing for maximum confidence going into the hiring decision. To us that meant hands-on challenges that reflect the actual work that we do. Can they do it or can't they? Join us for this session and we'll show you what we learned with our challenges, the patterns we could see and the surprises we had along the way!

About Jessey and Kevin

Jessey is a Security Consultant for NCC, performing technical security assessments for clients across multiple industry sectors including Healthcare, Education, and Security. Coming from this varied background Jessey has a deep understanding of application security, operating systems internals, networking protocols together with practical experience of managing and deploying enterprise-level products and appliances. In a previous life, Jessey worked as a consultant for a multinational security company specializing in NIST CAVP, FIPS, and CC certification processes.

Mr. Dunn is the GM of US Security Consultancy for NCC & Technical Director for iSEC Partners in Austin, TX. Kevin has been a professional security consultant for over 12 years, working on diverse projects and challenging technologies for the world's largest and most demanding companies. His current responsibilities include delivering security consultancy while managing a talented highly technical team of Pentesters. Kevin works closely with Fortune 100 companies, covering Oil & Gas, Finance and Software sectors, developing strategic security assessment and advisory services for NCC Group brands from his office base of operations in Austin.

About iSEC Partners

iSEC Partners is a proven full-service security firm that provides penetration testing, secure systems development, security education and software design verification. Our security assessments leverage our extensive knowledge of current security vulnerabilities, penetration techniques and software development best practices to enable customers to secure their applications against ever-present threats on the Internet. iSEC Partners has been part of information assurance company NCC Group since October 2010. As part of the world's largest security testing team, we offer unrivaled security expertise & experience and a geographic reach few can match.

Daniel "unicornFurnace" Crowley

Trustwave SpiderLabs

How to Save the Environment, or; Why Nobody Takes your Security Advice

Some security advice is bad, not because it doesn't fix the problem it's aimed at fixing, but because following the advice isn't actually reasonable. This talk will demonstrate, through various pieces of advice on how to reduce your environmental impact, how perfectly effective solutions to security problems can be mostly to completely useless in the real world.

For instance, one way to reduce your impact on the ozone layer and on petroleum consumption is to walk to work instead of driving. This will save you money and help the environment, but if you live 20 miles from where you work, this is not a practical solution.

This talk aims to help technical-minded people understand that there's more to fixing a security problem than just addressing the technical issues and to improve the adoption of good security practices by providing more practical guidance to non-technical folk.

About Daniel Crowley

Daniel (aka "unicornFurnace") is a Senior Security Consultant for Trustwave's SpiderLabs team. Daniel denies all allegations regarding unicorn smuggling and questions your character for even suggesting it. Daniel has developed configurable testbeds such as SQLol and XMLmao for training and research regarding specific vulnerabilities. Daniel enjoys climbing large rocks. Daniel has been working in the information security industry since 2004 and is a frequent speaker at conferences including Black Hat, DEF CON, Shmoocon, and SOURCE. Daniel does his own charcuterie. Daniel also holds the title of Baron in the micronation of Sealand.

About Trustwave SpiderLabs

SpiderLabs is Trustwave's elite security team focused on application security, incident response, penetration testing, physical security and security research including anti-malware and threat intelligence.

Joshua J. "jduck" Drake

Accuvant LABS

Researching Android Device Security with the Help of a Droid Army

In the last few years, Android has become the world's leading smart phone operating system. Unfortunately, the diversity and sheer number of devices in the ecosystem represent a significant challenge to security researchers. Primarily, auditing and exploit development efforts are less effective when focusing on a single device because each device is like a snowflake: unique.

This presentation centers around the speaker's approach to dealing with the Android diversity problem, which is often called "fragmentation". To deal with the issue, Joshua created a heterogeneous cluster of Android devices. By examining and testing against multiple devices, you can discover similarities and differences between devices or families of devices. Such a cluster also enables quickly testing research findings or extracting specific information from each device.

When you leave this presentation, you will understand why the diversity problem exists and how to tackle it by creating a cluster of your own. Joshua will show you how to build such a cluster, provide a set of tools to manage one, and show you all the ways to leverage it to be more successful in your auditing and exploit development tasks.

About Josh

Joshua J. Drake is a Director of Research Science at Accuvant LABS and lead author of the Android Hacker's Handbook. Joshua focuses on original research such as reverse engineering and the analysis, discovery, and exploitation of security vulnerabilities. He has over 10 years of experience auditing and exploiting a wide range of application and operating system software with a focus on Android since early 2012. In prior roles, he served at Metasploit and VeriSign's iDefense Labs. Joshua previously spoke at BlackHat, RSA, CanSecWest, REcon, Ruxcon/Breakpoint, Toorcon, and DerbyCon. Other notable accomplishments include exploiting Oracle's JVM for a win at Pwn2Own 2013, successfully compromising the Android browser via NFC with Georg Wicherski at BlackHat USA 2012, and winning the DefCon 18 CTF with the ACME Pharm team in 2010.

About Accuvant LABS

Accuvant LABS is the largest and most skilled team of information security professionals in the world. Each of our 250+ leading security experts is committed to performing research, developing solutions and working with clients - and one another - to solve specific security problems as well as those of the industry at large. The team is comprised of respected information security veterans, established thought leaders, sought out speakers and published authors. Extensive experience, technical prowess and practical research converge at Accuvant LABS, bringing you superior results and value.

Eric Michaud

CEO, Rift Recon

Director of Hardware Curation, ExploitHub

Thwarting Evil Maid Attacks

Increasingly, users and their computing hardware are exposed to a range of software and hardware attacks, ranging from disk imaging to hardware keylogger installation and beyond. Existing methods are inadequate to fully protect users, particularly from covert physical hardware modifications in the "evil maid" scenario, and yet are very inconvenient. Victims include governments and corporations traveling internationally (e.g. China), anti-government activists in places like Syria, and anyone who is a target of a motivated attacker who can gain physical access.

Physically Unclonable Functions, combined with a trusted mobile device and a network service, can be used to mitigate these risks. We present a novel open-source mobile client and network service which can protect arbitrary hardware from many forms of covert modification and attack, and which, when integrated with software, firmware, and policy defenses, can provide greater protection to users and limit potential attack surface. We'll also be showing video of a tool, unreleased to the public, that is utilized by surveillance teams.

About Eric

Founder and CEO of Rift Recon and Director of Hardware Curation at ExploitHub, Michaud has advised on physical security, lockpicking, and hackerspaces for over a decade. He is a professional physical security advisor; an R&D, test and analysis expert; and specializes in forecast and strategy. Michaud started HacDC and Pumping Station: One, is the author of the How To Start A Hackerspace Series, and advises hackerspaces – bringing the movement to over 900 locations worldwide.

About Rift Recon

About ExploitHub

ExploitHub is the first legitimate marketplace for validated, non-zero-day exploits. Recently expanding into "Hardware Exploits", the marketplace now supports the market and sale of physical devices.

Josiah Hagen and Brandon Niemczyk

HP DVLabs TippingPoint Research Group

Network Threat Detection via Machine Learning

A walk through some of the challenges and solutions to utilizing machine learning for network security and a sample use case of detecting infected hosts by monitoring DNS behaviours.

About Josiah and Brandon

Josiah is a security researcher with HP TippingPoint DVLabs Research Group. He has a BA in Mathematics and Computer Science from Oberlin College and 15 years of professional software development experience. Josiah has 7 years in the AI field, with work focused on graph theory, search, and deductive inference on large knowledge bases. Subsequent work in AI included applying machine learning techniques identifying failure modes in email traffic. He has additional experience in systems development, including clustered NAS/SAN development and integrated control systems. Current interests include clustering, classifying and understanding network traffic, factoring numbers, and reversing control systems.

Brandon Niemczyk was born in Chicago. He has been writing code since he was a child, starting on his first 386 by modifying the QBASIC game gorillas.bas. He later moved on to write GIS software in Orlando, FL, and then wandered into information security after a brief stint writing accounting software. His interests are machine learning, mathematics, motorcycles, games, reverse engineering, and family.

About HP DVLabs TippingPoint Research Group

Network security is only as effective as the security intelligence that powers it. The HP TippingPoint Digital Vaccine (DVLabs) team focuses on advanced threat research to secure enterprise networks, business critical data, and application vulnerabilities, helping customers reduce their risk and enhance their security investment. HP TippingPoint DVLabs is a recognized leader in vulnerability research and exploit analysis.

Brandon Perry

i r web app hacking (and so can you!)

i r web app hacking (and so can you!) will cover Brandon's experiences and learnings over the past few years while focusing on hacking and securing a wide variety of web applications and stacks. It includes code examples and real-world vulns with demos written in C# and Ruby.

About Brandon

Brandon is a long-time Metasploit contributor with a focus on web application security. When not writing Ruby, he is writing C#.

Adam Pridgen

Reversing Java Malware with Radare

The primary focus of this talk is to introduce new features added to the Radare reverse engineering framework. These features include Java class file analysis and a variety of small features that help support triage and detailed file analysis. The talk will use examples and commands that can be used by analysts to quickly find answers when analysing malicious Java class files.

About Adam Pridgen

Adam is an independent information security consultant who is pursuing his PhD in Computer Science under the supervision of Dr. Dan Wallach at Rice University. He is also an active contributor to the radare reverse engineering framework, where he has contributed support for analyzing Java class files along with several other features. Adam began his information security career in the U.S. Army as an Infantryman, after which he went on to complete a B.S. in Electrical Engineering and an M.S. in Engineering at the University of Texas. Prior to returning to graduate school at Rice, Adam was responsible for helping to build internal security testing standards and guidelines, developing tools, and executing engagements at Praetorian. Adam consults on a wide range of topics including code reviews, threat modeling, and software penetration testing. Additionally, he has presented on a wide range of information security topics as a lecturer and instructor in public, private, and academic settings.

Rick "Minga" Redman


Password Topology Histogram Wear-Leveling, a.k.a. PathWell

PathWell is a novel approach to enforcing password complexity, designed to thwart modern cracking tools and approaches while retaining compatibility with existing enterprise authentication systems and password stores.

Recent trends in password cracking, such as the Hashcat suite's mask modes, focus on common password "shapes" or topologies, such as "start with an uppercase letter, then several lowercase letters, then several digits" -> "?u?l?l?l?l?l?d?d". We find that topology use is so skewed that exhausting the 1-5 most common topologies (out of tens of thousands to millions of possible topologies) will result in 25+% of all passwords cracking for a typical enterprise network.

PathWell is a way to audit and/or enforce topology uniqueness across an enterprise. This greatly reduces the attacker's success rate when cracking passwords, and increases their work factor to crack any sizable percentage.

The concepts apply to both medium-weak hash types, extending the effective lifespan of deployed systems, and also to systems using stronger hash types, making them even more resistant to cracking.

About Rick

Rick Redman (Minga) has been performing penetration tests for 14 years. Additionally, he is a password researcher and is a "well known" public speaker on password leaks, password cracking, etc. Additionally, Rick runs the "Crack Me If You Can" password cracking contest at DEFCON every year.

About KoreLogic

KoreLogic is a founder-owned and -operated, insured, and trusted company that has a proven track record of providing security services to clients ranging from the Fortune 500 to small and mid-sized companies, the U.S. Government and the Department of Defense. We are a highly skilled team of senior security consultants with an average of 20+ years doing by-hand security assessments for the most sensitive and important systems and networks in the U.S. and around the world. We are also developers of various tools and resources aimed at helping the security community.

Mike Sconzo and Brian Wylie

Click Security

Is there a Pony in that Pile of Shit?

Our presentation discusses the importance of incorporating statistics, data analysis and graph algorithms into the incident response and forensics toolbox. Most datasets are opaque 'piles' and the challenge is often about quickly understanding what you have and how it can be leveraged for a particular set of use cases. We'll present a simple set of python modules that allow quick data analysis of log files and PE files with a set of statistical and machine learning techniques. The presentation will be focused on the practical usage of the analytic techniques and not the formal mathematical underpinnings. All code and datasets covered in the presentation will be provided through our public github 'data_hacking' repository (http://clicksecurity.github.io/data_hacking).

About Mike and Brian

Mike Sconzo has been around the Security Industry for quite some time, and really enjoys looking at network traffic. He has recently been using various data analysis techniques to look at security-related data in a new light where before he'd just use a hex editor.

Brian Wylie's interests are data analysis, machine learning and information visualization. Current projects include a breadth of work applying data analysis to security problems and he's spearheading the open-source github data_hacking project that publishes various data analysis techniques on security data. Brian's Erdős number is 3; he enjoys hiking, model rockets, and computer gaming.

About Click Security

Click Security's Security Analytics platform provides a technology stack that aims to provide alert contextualization, detection of missed attack activity and the ability to hunt the unknown.

Robert Wood

Senior Security Consultant, Cigital

Next Generation Red Teaming

Too often organizations conduct assessments within a vacuum: physical, network, social, or application-layer. Attackers do not confine themselves similarly and avail themselves of whatever combination of techniques most effectively achieves their desired impact. Red team assessments aim to simulate these attacks more realistically and identify risk through composite, cross-domain attack vectors. This talk will cover several shortcomings with the current "model" of red teaming across the industry and how we can more effectively incorporate the application-specific attack surface into a red team effort. War stories will also be shared to show the effectiveness of application-centric composite attacks in this new approach.

About Robert Wood

Robert Wood is a Senior Security Consultant and the Red Team Practice Director at Cigital. Robert has worked with a number of clients spanning from Fortune 100 financial institutions, hospitals, defense contractors, all the way to gaming companies, providing services at every stage in the SDLC, including developing software security programs. Prior to Cigital, Robert worked for Secure Network Technologies where he developed the mobile forensic investigation practice and focused his penetration testing efforts on a variety of red team assessments.

About Cigital

Cigital is the world's largest specialized software security consulting firm. The primary focus at Cigital is to help our clients build security into their software development life cycle through security activities at each phase, including architecture analysis and design review, threat modeling, static analysis, penetration testing, and red teaming in a production environment. Cigital has deep experience in testing software running in all operating environments, including but not limited to web, cloud SaaS deployments, mobile, embedded devices, and video game consoles.