Leveraging online sources to learn more about the world's most secret nation.
Nick Roy is currently a Senior Security Specialist at Splunk focusing on security automation and improving blue team response. Before Splunk, Nick was at Phantom Cyber, working with partners across the globe to build out their security automation practices and deliver them to their customers.
DNS fragmentation attacks are a more recent series of attacks that take advantage of the consistent composition of fragmented DNS responses by sending a crafted (malicious) second fragment to be reassembled with a legitimate first fragment at the IP layer. Even if DNSSEC is fully implemented, an attacker can still poison unsigned “glue” records.
These types of attacks are difficult, and have really only been considered remotely feasible over IPv4. Most nameservers use “per-destination” IP-layer ID (IPID) counters, and the IPID in the IPv6 Fragment Extension Header cannot be easily guessed blindly, as the field has been doubled in size to 32 bits (making blind guessing, even in ideal conditions, take an average of 34 million iterations).
Unfortunately, as part of optimizations made to Linux, the IPID counter is no longer truly “per-destination”, and the IPID for a given destination can be inferred consistently enough to facilitate an attack. This allows DNS poisoning on IPv4 and IPv6 with equal consistency and precision, and makes poisoning on the first attempt “thousands” of times easier.
This talk will cover how this attack is carried out, how consistent it really can be, and mitigations that can be put in place by operators of both DNS nameservers and resolvers to limit its effectiveness.
Travis (Travco) Palmer is a Security Research Engineer at Cisco. Travis is a certified OSCP and OSCE who has been getting paid to either fix or break something for over seven years. He is a fan (and sometimes-contributor) of a number of simulator/sandbox video games, and keeper of too many unfinished hardware projects. https://www.linkedin.com/in/travco1
The thought of building a network rife with IoT devices and remotely-accessible critical control systems is enough to bring most infosec professionals to tears. When that same network promises to reduce urban potable water demands by 70% while still supporting commercial and residential irrigation, it is probably worth wiping away the tears and rolling up our sleeves. Innovation is all around us, working to protect natural resources, provide opportunities for better lives, and ideally doing it in a way that ensures the availability, confidentiality, and integrity of the networks supporting these efforts.
Following a year-long, collaborative research project into network security in some of the most innovative areas of wastewater reclamation and treatment, this talk will focus on how to engage with and support industries with real needs for complex networks and with even more complex threat profiles. You will come away understanding why asking questions and relying on experts outside of security is critical, and you will learn how to identify and adapt industry-specific risk frameworks and how to apply threat-based recommendations when the stakes are high and existing data is hard to come by.
Rebekah Brown has helped develop threat intelligence programs at the highest levels of government and has had some exciting experiences along the way. She is a former National Security Agency network warfare analyst, U.S. Cyber Command training and exercise lead, and crypto-linguist and Cyber Unit Operations Chief for the U.S. Marine Corps. She’s even provided a briefing at the White House. But if you ask Rebekah what she’s most proud of, she’ll tell you it’s the success of the students and co-workers she’s mentored throughout her career. Rebekah started out in traditional military intelligence work, focused on Chinese cryptologic linguistics. She was then selected to cross-train as a network warfare analyst, which provided the opportunity to fuse her understanding of language and culture with network defense. “I loved the ability to combine different aspects of intelligence and apply it in ways that many people in the intelligence community were just beginning to understand,” she says. Rebekah has since provided threat intelligence for all types of security programs, ranging from national security operations to state and local governments and Fortune 500 companies. She is currently the threat intelligence lead for Rapid7, where she supports incident and analytical response and global services and provides product support. She is also a course instructor and student mentor at SANS, where she teaches FOR578: Cyber Threat Intelligence, a course she co-authored. She is also co-author, along with SANS Instructor Scott Roberts, of the book Intelligence Driven Incident Response.
Wherein an Evil Agent does what an Evil Agent has to. We will run it down once more…
Yayyyy Deadwood again! So many new scary things to learn about! Wicked Wizards and 0days! Almost certain @HackingDave and @DeviantOllam and @MalwareJake and so many others are going to shift how you think about everything!
Meanwhile, back at the office, Steve Secretary clicks a link. Then a browser goes pop. A new Evil thread emerges in the world. It doesn’t know what to do! Halp! It needs a meeting! It needs to call Mom. And when it does…
When it does, I will see it. Without spectacularly expensive tools. Without dark skills. I will see it just by looking.
Jonathan is an independent consultant who specializes in large-scale enterprise security issues, from policy and procedure, through staffing and training, to scalable prevention, detection, and response technology and techniques. With a keen understanding of ROI and TCO (and an emphasis on process over products), he has helped his clients achieve greater success for over 20 years, advising in both the public and private sectors, from small upstarts to the Fortune 500. He’s been commissioned to teach NCIS investigators how to use Snort, performed packet analysis from a facility more than 2000 feet underground, and chartered and trained the CIRT for one of the largest U.S. Civilian Federal agencies. He has variously held the CISSP, GSEC, GCIA, and GCIH certifications, and is a member of the GIAC Advisory Board. A former combat medic, Jonathan still spends some of his time practicing a different kind of emergency response, volunteering and teaching for both the National Ski Patrol and the American Red Cross.
Let’s face it: hacking things is boring as hell, and until Eliot Alderson, no one made command-line fu anything other than the setup for the first act while we waited for Mr. Anderson to become Neo. What do we do while staring at 1s and 0s? Watch movies, TV, YouTube, old memes, and rehash terrible jokes on IRC and then Slack and in Twitter memes. See—here’s the thing. That means that those of us who are like Razor and Blade (“they’re elite!”) can sometimes let our love of bad inside jokes get the better of us…and into our passwords.
The Nerdlist is a collection of administrator and system passwords that are anecdotally in use, either self-reported or accidentally discovered. Let HaveIBeenPwned collect statistics and give us the top 1000, and let RockYou.txt be the dancing broken washing machine in the background. The Nerdlist has become the place where at least fifteen people who have never publicly contributed to an infosec project have made their first commits, because it’s funny and nonthreatening. We now have interesting geometric shapes and patterns…and one of those unlock gesture codes is in the shape of the Harry Potter spell “Alohomora!”
Anecdotally, when asked to pick a number between 1-100, graduate students in computer science or engineering or complex systems will choose *42* approximately 18% of the time. That’s not a coincidence: it’s the answer to Life, The Universe, and Everything. That’s why the Nerdlist can help us find and fix bad leet passwords, and be a welcoming project for noobs at the same time. Listeners will get an update on the project, hear some startling insights, and see where the Nerdlist will go in future, as well as being welcomed to participate with specific instructions and the formation of collaborative partnerships. Give us your puns, your wit, your searing humor, your correct horse battery staple.
Tarah Wheeler is Chief Information Security Officer at Setec Astronomy. She holds a PhD in Horribleness from Pacific Tech, N.E.W.T.s in Herbology, Charms, and Defence Against The Dark Arts, and yes, she would like to play a game.
In this talk, Mick will show you how to honey *every single thing* in your web app stack to become the nastiest, meanest, and downright most painful web app to attack. From client side, through servers, all the way to your data… everything will become a sensor. Even better, attendees will walk away with multiple response options to confuse, frustrate, and drive the attackers to tears!
Even when his job title has indicated otherwise, Mick Douglas has been doing information security work for over 10 years. He received a bachelor’s degree in communications from Ohio State University. He is the managing partner for InfoSec Innovations.
It’s time to talk about the 2020 End of Life for Python2. We’ll address what the short- and medium-term impacts will likely be. Key language differences will be highlighted, with techniques to modify your code to be forward compatible.
As a SANS instructor teaching SEC573: Automating Information Security with Python, over the past three years, I have steadily moved my teaching materials, examples, demonstrations and personal coding to Python3. In this process, I have had to break habits and learn new habits to write Python3 compatible scripts. I also spend considerable effort showing people how to write Python2 scripts which are forward compatible with Python3 in order to ease the transition.
The largest barrier that most people struggle with is the idea that Python3 has changed the default string encoding to UTF-8 rather than simple byte encoding. Once you learn how to manage your string objects, the remaining transition issues are mostly modern improvements to the language which most people consider advantageous to adopt.
Since Python2 will no longer have active releases after 2020, it is important to embrace the change and move forward with the Python scripting community.
Joff has over 20 years of experience in the IT industry as an enterprise network architect, network security defender, information security consultant, software developer and penetration tester. He has extensive experience covering intrusion prevention/detection systems, infrastructure defense, vulnerability analysis, defense bypass, source code analysis, and exploit research, with related software development skills in multiple programming languages. Joff is a certified SANS instructor for SEC573, has mentored SANS SEC503, and has also taught Mastering Packet Analysis for SANS. He is also a co-host on the Security Weekly podcast.
With the adoption of endpoint detection and response tools, as well as a higher focus on behavior detection within organizations, it’s important to understand the systems you are targeting when simulating an adversary. This talk will focus on the next evolution of red teaming and how defeating defenders will take more work and effort. This is a good thing! It’s also proof that by working together (red and blue) collectively, we can make our security programs more robust in defending against attacks. This talk will dive into actual simulations where defenders have caught us, as well as ways that we have circumvented even some of the best detection programs out there today. Let’s dive into baselining behavior and refining our tradecraft to evade detection, and how we can use that to make blue better.
David Kennedy is founder of TrustedSec and Binary Defense Systems. Both organizations focus on the betterment of the security industry from both an offense and defense perspective. David also serves on the board of directors for the ISC2 organization. David was previously CSO for Diebold Incorporated, where he ran the entire INFOSEC program. He is a co-author of the book “Metasploit: The Penetration Tester’s Guide”, the creator of the Social-Engineer Toolkit (SET), Artillery, and several popular open source tools. David has been interviewed by several news organizations including CNN, Fox News, MSNBC, CNBC, Katie Couric, and BBC World News. He is also the co-host of the Social-Engineer podcast and appears on several additional podcasts. David has testified in front of Congress on two occasions on the security around government websites. He is one of the founding authors of the Penetration Testing Execution Standard (PTES), a framework designed to fix the penetration testing industry. David is the co-founder of DerbyCon, a large-scale conference in Louisville, Kentucky. Prior to the private sector, David worked for the United States Marine Corps and deployed to Iraq twice for intelligence-related missions.
I’ve had some interesting adventures in my twenty-or-so years as a professional hacker and INFOSEC dude, and I’ve learned quite a few things about the hacker community. In this talk, I’ll unload some of the stories of my adventures all over the globe and share the valuable insights I’ve gained about what it means to be a hacker and why this community is unique, valuable and worth fighting for.
Johnny Long spent his career as a professional hacker. He has penetrated and subsequently secured some of the world’s most secure government, military and corporate networks and facilities, and is currently a senior staff member at Offensive Security. He is the author of numerous security books, including No-Tech Hacking and Google Hacking for Penetration Testers. Johnny spent seven years living full-time in Uganda, East Africa, where he focused on his work with Hackers for Charity (HFC). HFC is a non-profit organization that leverages the skills of technologists. They solve technology challenges for various non-profits and provide food, equipment, job training and computer education to the world’s poorest citizens. Johnny’s website is: https://hackersforcharity.org.
I turned my house into an escape room! In this talk I’ll show you how I used IoT devices and open source software to turn my house into an escape room. Topics will include HomeAssistant, the HA AppDaemon, Alexa, Python coding and puzzles.
Mark Baggett is the owner of Indepth Defense, an independent consulting firm that offers incident response and penetration testing services. Mark has more than 28 years of commercial and government experience, ranging from Software Developer to Chief Information Security Officer. Mark is a Senior Instructor for The SANS Institute and the author of the Automating Information Security with Python course (SEC573). Mark has a Master’s Degree in Information Security Engineering and many industry certifications, including being the 15th person in the world to receive the prestigious GIAC Security Expert certification (GSE). Mark is very active in the information security community. Mark is the founding president of The Greater Augusta ISSA (Information Systems Security Association) chapter, which has been extremely successful in bringing networking and educational opportunities to Augusta Information Technology workers. Since January 2011, Mark has served as the Technical Advisor to the DoD for SANS, where he assists various government organizations in the development of information security capabilities.