“Minority Report 2016: The Future is Now”
The movie Minority Report is predicated on a technology that can predict crime before it occurs. This session will examine the efficacy of a similar predictive technology that has application in the human, cyber and physical domains. By examining chat rooms, forums, onion sites, social media accounts and pinpointing the attacker’s location, the when, how and where of potential attacks are revealed. Take a hard look as a real-world Minority Report is one step closer.
“AWShit. 'Pay-as-you-go' pentesting”
Learn about how to use Amazon Web Services to host your whole pentesting platform. Launch almost anything on Amazon Web Services, including Kali Linux, Backtrack, and more. The best thing, it's all 'pay-as-you-go'.
“Post-Incident Analysis with Pretty Pictures”
This talk will focus on discovering more about those pesky malware distribution networks and converting your data into something tangible for the not-so-security-inclined. By taking a few extra minutes of time we can start associating public data to potentially uncover additional IOCs, related malware, and in some cases, personal data fragments about the distributors themselves.
Grid (aka Scott M)
In this demo-heavy talk, I will provide tips and tricks for hacking wireless networks, as well as securing them. I'll review some commonly-used tools (software & hardware), and provide practical examples.
“Just Got PWND.sh”
You've been at it all night. Trying all the exploits you can think of. The server seems tight. You've tried everything. Guessable passwords, SSH bugs, shellshock and so on... Nothing. WAIT! What's that!?!? A "#" ?? Finally! After seemingly endless toiling, you've managed to steal root. Now what? Meet pwnd.sh, a pure post-exploitation framework written in Bash. In this talk, I will unveil pwnd.sh and demo how it can be used to backdoor a machine, run reconnaissance, search for assets and more.
“Out of Denial: A 12-Step Program for Recovering Admins”
With massive data breaches being announced almost daily, the number of IT professionals moving into the security arena continues to grow. Some of these (like myself) come from systems and network admin backgrounds. Many of these “recovering admins” think they know security because they managed firewalls, established VPNs and created AD password policies. Most, however, are wrong - they don’t understand the enemy, his tactics or what’s at stake. To help with this learning process, we will work through a “12-step” program designed to help face the harsh reality, dispel many common misconceptions and provide some clear directions to move forward.
“What can you do?”
Wrecking networks with ease. An offensive review of layer 2, this ain't your grampa's poison. Exploring and exploiting networks by unforeseen means. Not only covering vectors, but also including instruction allowing for exploitation of applicable situations. Starting on layer 2, but not ARP poisoning, gain man in the middle, and the best part: without any tools which are not already available to the root user of a Linux machine. Going beyond MITM, attacking relationships in networking, stealing ports, & replacing content.
“Building an Applied Intelligence Model”
Dave Marcus & Wally Prather
The Advanced Programs Group (APG) has combined traditional malware and cyber-attack research with advanced intelligence community analytics. This molding of methodologies has led to significant advancements in the identification and targeting of today's cyber-criminals and hackers. APG research and projects combine traditional malware and threat research with US Special Forces Analytical Methodologies of Human Intelligence, High-Value-Individual Targeting, Open Source Intelligence, and Social Network Analysis to create advanced threat profiles focused on the individuals and networks behind these cyber-attacks. There are humans and networks behind EVERY one of today's cyber-attacks. These humans have patterns, agendas, lifestyles, and a worldly presence that can be tracked, analyzed, and quantified, as humans and networks tend to behave in patterns. Let APG show you how they are building the tools and processes to identify and take down these cyber-criminals and hackers.
“So You Wanted to Work in Infosec”
Ten years of experience working as a grunt and as a manager have provided an interesting view on the field. This talk may resonate with the experienced and be insightful for the newly initiated to consider their career goals.
“Closing the gap between Operations and Cybersecurity.”
“Spy Game: Red Teaming In The Real World”
Red Teaming or Tiger Teaming is a black hole of misinformation and knowledge most have never had the opportunity to experience. Whether working for the dark or the light side, an understanding of what information is available about an organization is key to their security. Both professional Information Security people and those that have an interest in further understanding the depth and methodology of what a professional “attacker” team can and will do to gain access is key to their success. During “Spy Game” we will look at the entire methodology of what it takes to execute a successful Red Team engagement. We will cover the initial OSINT and intelligence gathering, the pre-advance, surveillance / counter-surveillance, understanding security breach vectors, communications, execution, and even reporting and delivery. As part of “Spy Game” the attendee will be thrown into the weeds of a “real life” engagement.
Along with the knowledge and skills, the attendee will receive a Red Team Bag that will include:
A Handheld Radio for communication
A set of LockPicks
A set of Cyber Security Tools for the covert/clandestine operator
“How I Learned to Stop Worrying and Love the Blue Team”
The journey from pen tester to bona fide red team leader. How to elevate your skills to meet the demands of blue teams and make real impacts.
“Hacking Open-Source Licensing”
Open source is, in general, a friendly, giving, and even forgiving community. That, however, isn't always the case and if you understand the legal framework underpinning the licenses, it's possible to spin the open source world on its head -- for better or for worse. We'll cover the basics of open-source licenses, but, more importantly, we'll be delving into the darker side of open source licensing and some of the opportunities for the open source when you throw in a healthy dose of the hacker spirit.
“You Are Being Manipulated”
There is constant pressure coming from companies, people, and attackers. Most times we don’t realize that manipulation has occurred until it is too late. You can put safeguards in place to help avoid being the victim. My four-year-old daughter became my trainer, and this talk discusses how interacting with her has improved my defenses. Comparing her strategies to real world examples will show how to build a training framework of your own even if you don’t have access to small children.
“Maintaining Jedi order after Jar Jar Binks was left in command”
Avoid Stormtrooper camp by joining the rebellion. Get your midichlorians at the door because Jedi boot camp starts with preserving effective pentesting by offloading, consolidating, and fruitful targeting. Understand how and when the client, scope, or management is screwing your deliverable and how you can take initiative that will deliver useful and positive results, regardless of the droids you're looking for. As a bonus BB-8 will be rolling some free code!
Josh "ğɧØƨŦ" Sheppard
“The Mysterious World of Polyglots”
Have you ever wondered how to reach a piece of unexploited code that you can't seem to quite touch with normal payloads? Have you ever run into issues with advanced filter bypassing? Do you want to take your web application pen testing to the next level in terms of creative exploit creation? Come visit the mystery that is polyglotting and let your creativity and context propel you in your future engagements!
“Hunting: Defense Against The Dark Arts”
We can all agree that threat ("Evil") detection is an essential component of a functioning security monitoring program. Let's start thinking about how to take our tradecraft to the next level and hunt for insecure conditions ("Ways for Evil to do Evil things") that might allow threat actors to succeed in their mission. This talk will run through some of the observations gathered during hunting expeditions inside the networks of multiple Fortune-ranked organizations and challenge you to expand your security operations thinking beyond signature-based detection.
“Security Guards - LOL!”
During “black box” social engineering assessments, it is quite common that you will encounter a security guard, especially when forced to enter via a lobby or other single entry points. For situations where guards are unavoidable, we will share several war stories and techniques that have helped us turn these potential issues into successful engagements. During this presentation you will hear real-world stories from various Red Team assessments that we’ve performed. These assessments will be broken down to discuss the various social engineering and physical security bypass methods and tools used. We will also provide our recommendations for remediation and provide the audience the opportunity to ask questions.
Cyni Winegard & Bethany Ward
“I Promise I'm Legit: Winning with Words”
Social engineering is quickly becoming more prevalent in the infosec industry. Users are becoming more educated about social engineering attempts, but they still fall victim to attacks. Why? Well, like all technology, with great improvement to technology comes great improvement to exploitation, and maybe not so great improvement to security. This presentation explores the subtleties involved in wordcrafting, tone of voice, and adaptability during dreaded human interaction.
“Blinded By The Light”
Did you know some of your tablets and smartphones broadcast IR even with the screen off? These signals can be used to spot and identify specific operating systems and in some cases specific devices. This talk will show how we use this flaw to identify pen testing equipment like PWN Phones and Nethunter even in monitor mode. We call this toy IRIS.