Wednesday, January 8, 2014

ShmooCon Epilogue 2014 Schedule

The following is the speaker line-up for the Jan 20 2014 ShmooCon Epilogue. Thanks to everyone who submitted talks. It was very hard to pick between all of the great talks submitted, but here is the final list:


Talks (title, speaker, and time slot where listed):
 - The Allegory of the Cave: Has Application Whitelisting Coagulated As Expect? (Curt Shaffer & Judah Plummer)
 - Attacker Ghost Stories: Mostly free defenses that give attackers nightmares (mubix)
 - LUNCH TALK - Project Kid Hack (grecs)
 - Hash All The Things (Hectaman)
 - Password Topology - Histogram Wear Leveling (Hank Leininger)
 - Statistical Probabilities (aricon), 15:00 (30 min)
 - GuessWhat: Educational Malware (Sean Pierce), 15:30 (30 min)
 - BACKFIL - Finding those backup files (Tobias McCurry)
 - Gone Phishing and I Want My Hook Back! (N1tr0)
 - AV Evasion with the Veil Framework (Christopher Truncer and Harmj0y)
 - Backup Pwnage (Anagogue), 20:00 (30 min)
 - Ultrasonic Hardware Hacking (Aly), 20:30 (30 min)
 - OMG HE HAXX!!: an Introduction to the Game Hacking Framework (Jason Haddix)

Talk Descriptions:

The Allegory of the Cave: Has Application Whitelisting Coagulated As Expect?

by Curt Shaffer & Judah Plummer

Application whitelisting continues to be touted as a superior measure of defense against new, unseen malware and advanced threats. As such, it has become a staple in the defense of many large corporations and various departments of the government. While we understand that properly protecting hosts requires more than just simple AV, we do not believe application whitelisting to be the "silver bullet" that some continue to claim, and in fact, we have seen the vendors themselves compromised this year. This leads to a false sense of security within these organizations and validates the importance of a defense-in-depth approach to protecting networks.
We will take the audience through our testing methodology, testing Bit9 Parity, Microsoft AppLocker, and McAfee Application Control. We will show how current versions of these software products are still susceptible to the old methods discussed previously, as well as new techniques, due to lack of features, lack of understanding of the current threat landscape, and in some cases, vulnerabilities in the software itself that allow for a complete bypass. We will end the talk by releasing a Metasploit module that incorporates the successful techniques we found so they can be utilized in penetration testing.

Attacker Ghost Stories: Mostly free defenses that give attackers nightmares 

by mubix

This talk is about the tidbits that I've seen piecemeal across the multitude of businesses, big and small, that were innovative and highly effective, yet free or mostly free, and stopped me dead in my tracks.

I will go over a number of free, or nearly free, methods, tactics, and software setups that will cut down intrusions significantly and that you can deploy, or start deploying, the hour after the talk is done.

Project Kid Hack

by grecs

Wanna teach your kid to be a hacker but don't know where to start? Security is a fairly complex topic, but games offer the best way for kids to learn the basics. This presentation not only reviews a sample of existing games that teach security fundamentals to a younger audience but also discusses a new crowdsourced project to catalog similar fun and entertaining ways to teach kids security. This project could help spur interest in later university and other programs and potentially a career … or at least make our children more security-conscious adults in whatever field they choose.

Hash All The Things

by Hectaman

In Bro 2.2 we release the files framework. Under research for the past three years, this real-time streaming file analysis library gives network operators and security teams a new, flexible way to work with files at both a micro and a macro level. Real-time hashing, analysis and more will be demonstrated in this demonstration-heavy presentation.

Password Topology - Histogram Wear Leveling

by Hank Leininger

PathWell is a novel approach to enforcing password complexity, designed to thwart modern cracking tools and approaches while retaining compatibility with existing enterprise authentication systems and password stores.

Recent trends in password cracking, such as the hashcat suite's mask modes, focus on common password "shapes" or topologies, such as "start with an uppercase letter, then several lowercase letters, then several digits" -> "?u?l?l?l?l?l?d?d". We find that topology use is so skewed that exhausting the 1-5 most common topologies (out of tens of thousands to millions of possible topologies) will result in 25+% of all passwords cracking for a typical enterprise network.

PathWell is a way to audit and/or enforce topology uniqueness across an enterprise. This greatly reduces the attacker's success rate when cracking passwords, and increases their work factor to crack any sizable percentage.

The concepts apply to both medium-weak hash types, extending the effective lifespan of deployed systems, and also to systems using stronger hash types, making them even more resistant to cracking. 
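The following is an added illustration of the topology idea described in this abstract; it is not PathWell's code and not from the talk. It maps each password to a hashcat-style mask (the `?u`, `?l`, `?d`, `?s` classes; `?b` is used here as a catch-all for anything else, which is an approximation), builds the topology histogram for a constructed sample set, reports what share of the set the top-N topologies cover, and shows a uniqueness check of the kind an enforcement policy could apply to a new password against the stored histogram. The sample passwords are constructed for the example and are not real credentials.

```python
# Added example (not PathWell or the talk's code): hashcat-style password
# topologies, their histogram, and a topology-uniqueness check.
from collections import Counter
import string


def topology(password: str) -> str:
    """Map each character to its hashcat mask class (?u ?l ?d ?s; ?b otherwise)."""
    classes = []
    for ch in password:
        if ch in string.ascii_uppercase:
            classes.append("?u")
        elif ch in string.ascii_lowercase:
            classes.append("?l")
        elif ch in string.digits:
            classes.append("?d")
        elif ch in string.punctuation or ch == " ":
            classes.append("?s")  # hashcat's ?s set is punctuation plus space
        else:
            classes.append("?b")  # approximation for non-ASCII / control bytes
    return "".join(classes)


def topology_histogram(passwords) -> Counter:
    """Count how many passwords share each topology (the audit view)."""
    return Counter(topology(p) for p in passwords)


def coverage(passwords, top_n: int) -> float:
    """Fraction of passwords an attacker exhausts by trying only the top_n topologies."""
    hist = topology_histogram(passwords)
    covered = sum(count for _, count in hist.most_common(top_n))
    return covered / len(passwords)


def violates_uniqueness(candidate: str, hist: Counter) -> bool:
    """Enforcement view: reject a new password whose topology is already in use.

    Only the histogram of topologies is needed here, never the passwords
    themselves, so an enforcement point can keep just this derived data.
    """
    return hist[topology(candidate)] > 0


# Constructed sample set (not real credentials) to show how skewed topologies are.
SAMPLE = [
    "Password1",
    "Welcome12",
    "Shmoocon1",
    "Epilogue1",
    "January14",
    "Trouble9!",
    "winter2014",
    "summer2013",
    "correct horse battery",
    "Tr0ub4dor&3",
]


if __name__ == "__main__":
    hist = topology_histogram(SAMPLE)
    for mask, count in hist.most_common():
        print(f"{count:2d}  {mask}")
    for n in (1, 2, 3):
        print(f"top {n} topologies cover {coverage(SAMPLE, n):.0%} of the sample")
    hist_only = topology_histogram(SAMPLE)
    for cand in ("Welcome13", "Dragon1"):
        verdict = "rejected" if violates_uniqueness(cand, hist_only) else "allowed"
        print(f"{cand!r} -> {topology(cand)} -> {verdict}")
```

In this ten-password sample the single most common topology already accounts for 30% of the set, and three topologies cover 70%, which is the skew the abstract describes; an enforcement policy keyed on the histogram turns away a candidate whose shape is already taken while accepting one with a new shape.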

Statistical Probabilities

by aricon

Given the sheer amount of data that the various vocations in the security field are required to digest, an understanding of statistics is crucial to accomplishing any meaningful goals. In order to demonstrate why understanding these principles is key, examples gathered from recent events, underpinning a meaningful subset of techniques used by those in forensics, network defense, penetration testing and policy creation, will be examined to show why these tools of analysis are so important for practitioners to know.

GuessWhat: Educational Malware

by Sean Pierce

Learning to quickly triage malware is undoubtedly useful and can be taught rather quickly; however, an in-depth malware analysis requires a non-trivial amount of experience with common malware behavior and analysis tools. GuessWhat is a proof-of-concept game which allows hands-on training for novice malware analysts who want to expand their knowledge and experience.

BACKFIL - Finding those backup files

by Tobias McCurry

One of the key steps in web application pentesting is analyzing the application. This application helps identify any files that may have been copied to the production server.

Gone Phishing and I Want My Hook Back!

by N1tr0

It is about being able to deploy your exploits, phish your target, then keep your exploit or deployment method.

AV Evasion with the Veil Framework

by Christopher Truncer and Harmj0y

As antivirus has started to slowly increase in effectiveness, more of the payloads used during penetration tests are being caught. While the industry as a whole has demonstrated its capabilities of bypassing AV solutions in nearly all situations, valuable assessment time is often lost.

The Veil-Evasion Framework (Veil) was developed to solve this problem by offering a modular, open-source, and UI focused framework for generating AV-evading payloads in a programming language and technique agnostic way. Veil's structure greatly simplifies payload generation and allows for the integration of public and private AV evasion methods. In this talk we will go over the genesis of the framework, its structure and features, and how to develop your own payload modules. Recently released modules will also be covered, and our implementation of a lesser known shellcode injection method will be released.

We will also cover public reaction and disclosure ethics, and we plan on discussing Veil-Catapult, our payload delivery tool. Veil-Catapult extends the capabilities of the existing Veil framework by utilizing various methods to deliver and trigger payloads across targeted machines. We will conclude with a discussion of current and future mitigation strategies to combat Veil’s effectiveness.

Backup Pwnage

by Anagogue

Backup systems are an important security tool. But they're also a great way to take over an entire organization.

Ultrasonic Hardware Hacking

by Aly

Ultrasonic Testing is frequently used in the evaluation of semiconductor components used in computers, smart cards, cell phones, and other electronic components. Reverse engineering often requires tedious logic analysis or use of hazardous materials to decap devices. Ultrasonic testing is a unique alternative providing non-destructive analysis of internal structures. I’ll cover ultrasonic basics, typical testing setup, and hobbyist alternatives.

OMG HE HAXX!!: an Introduction to the Game Hacking Framework

by Jason Haddix

Some of the most prolific apps these days are video games. They are sponsored, scrutinized, monetized, and celebrated, just like many sports. They handle clients, servers, monetary transfers, social interactions, etc, with every bit the need of security that most internet hosted apps have (if not more in some cases). Join me as I release a NEW OWASP project to help classify the diverse types of game hacks that exist for some of the world’s biggest games. We'll use history as an example, and break down the flaws as much as possible, creating a do-not-do list of flaws new game companies can reference when creating new games. This is very much an alpha project, come participate and be part of history! (or something like that ;)

ShmooCon Training Replacement

Unfortunately, one of our trainers had to cancel their training at ShmooCon Epilogue. All tickets have been refunded for that class, and I would like to introduce the new training option for ShmooCon Epilogue.

Ticket sales options have already been updated on the ticket sales site so please head over and pick one up!

Hands On Security for Sysadmins

by Branson Matheson

System administrators often run into interesting conflicts between sysadmin, customer, and IT security needs. These conflicts generally lead to difficulty in achieving a balance between administrative convenience, good customer service, and minimal risk. There are processes or services available that can significantly improve any of these areas; however, many times they are costly or resource intensive. This course is designed for system administrators who want to improve the security posture of their organizations, using IT security standards paired with good system administration practices, resulting in better service, lower risk, and minimal impact to time and budget.
We will walk a path, covering many domains of IT security and enterprise system administration in ways that utilize the interconnection between good system administration practices and security fundamentals. We will discuss recent risks and threats, analyze them with respect to your environment, review possible impacts and develop mitigations that you can apply immediately. Training includes instruction, discussion, many hands-on labs, and a strong dose of common sense.

Attendees should bring a laptop capable of running a Virtual Guest and will be provided a VM in which to work. The class will have access to a test network of systems for training and lab exercises. You will return to your organization with a toolbox of documentation, (mostly) free software, and a good starting point for developing better practices to improve security and system administration.

Who should attend:
Beginning to mid-level system administrators of any stripe with an interest in IT security and a desire to improve their security. It is suggested that participants have experience with the *nix command line.

Take back to work:  Documentation, tips, tricks, and tools tailored to your environment that can be implemented to improve security posture, processes, and operations in your organization.

Topics include:
 - The relationship between system administration and IT security
 - Security theories, standards and risk mitigation as applied by SA's
 - Information management using Trac and Subversion
 - Good system administration practices that directly improve IT security
 - Basic configuration driven system management using Puppet
 - Host and network auditing, hardening, and monitoring
 - Developing an effective security awareness program

Tuesday, January 7, 2014

ShmooCon Epilogue 2014 - Training

The CFT is done, and the trainings are out:

Tickets (16 max per class):

Tradecraft - Red Team Operations Workshop by Raphael Mudge

This demonstration and lab-oriented class teaches IT professionals, penetration testers, and developers how to replicate a modern threat using Cobalt Strike. Students will attack a simulated enterprise network to learn this course's concepts. Expect to send phishing messages, put together a client-side attack, spy on users, sift through data, and abuse trust relationships to move laterally in the

Students must bring a laptop capable of connecting to a wireless network and hosting a VMWare virtual machine. Instructor will bring DVDs with the course materials and external DVD drives for those who need them.

This is an intermediate level class. Students should feel comfortable working on the command line and have some familiarity with the Metasploit Framework.

Threat Intelligence Gathering by Brandon Dixon and Steve Ginty

Threat Intelligence is the new buzzword, but many people are still scratching their heads as to what makes threat intelligence and how you begin to produce your own. This training will cover concepts in finding intelligence, making the most of it and using everything you can to defend against cyber espionage-based attacks. Many of the examples cited will be from the presenters' experience of researching attacks and dealing with real-world incidents.