BSIDES PITTSBURGH 2014

June 6th, 2014
Point Park University

There are a lot of people in Pittsburgh doing awesome things in the field; let's get them all together! BSidesPittsburgh is a volunteer-run computer security conference held in Pittsburgh annually. Security BSides is part of a global series of community-driven conferences presenting a wide range of information security topics from technical topics, such as dissecting network protocols, to policy issues such as managing information leakage via social networks.

Pittsburgh has a flourishing information security community; this is a great chance to meet each other, share ideas and work together. Many of those professionals in Pittsburgh as well as nationally recognized experts are doing awesome things in the field; let's get together to learn, collaborate, and protect.

Speakers and Talks

Track 1 - 9:00 - Paul Smith (@PaulSmith) - Healthcare.gov

Paul Smith is co-founder of Ad Hoc LLC, a new software company. Prior to forming Ad Hoc, he was part of the so-called "tech surge" team that turned HealthCare.gov around after its disastrous launch in 2013, and enabled it to enroll 8 million Americans in private health insurance plans by the end of the first open enrollment period. He is a software engineer, and was previously the deputy director of technology at the DNC during President Obama's 2012 reelection campaign, co-founder of the pioneering hyper-local news site EveryBlock.com, and director of technology of a community wireless network project at the Center for Neighborhood Technology in Chicago. He lives in Baltimore with his wife and daughter.

Track 1 - 10:00 - Kevin Gennuso (@kevvyg) & Eric Mikulas (@erockpgh) - Pentesting Layers 2 and 3

Lower level network protocols have been around for decades and haven't changed much in that time. A number of tools to exploit weaknesses in those protocols have been released over the years, and those haven't changed much either. What has changed is the hardware. Routers used to be bulky, expensive, and proprietary. Now they are small, cheap, and open source. What better way is there to attack network gear than with another piece of network gear? This presentation will focus on layer 2 and layer 3 protocols, their weaknesses, and how to protect against exploitation. We'll revisit tools such as hping, Nemesis, Yersinia, Loki, and Scapy, and show how they can be used to attack vulnerable networks. Finally, we'll demonstrate the use of these tools on routers that run OpenWRT.

Kevin is a security testing manager and part time packet herder. He has over 17 years of experience in information security and network architecture, and has done work for a number of organizations ranging from dot-com era start-ups to large financial institutions. Eric is a software developer and pre-"maker" maker. He has been writing code and wielding a soldering iron since second grade. He has over 10 years of experience as a developer and has worked for a variety of companies both as a full-time employee and independent contractor.

Track 2 - Ramece Cave (@feedbrain) - Orginizational Insight Through the Eyes of a Web Server

This presentation will cover some of the information provided by web servers and how it can reflect on a organizations current security posture regarding its web services. Delving into some of the reasoning behind running specific versions, and what it can mean to potential attackers. We will also be looking at supporting information from malicious campaigns and information collected on various malware domains, how they all intertwine and evolve into other nefarious practices.

Ramece Cave, Research Analyst, started working in IT Security in 1999 as a Fraud and Abuse Investigator for UUNET, holding various forensic focused roles. He transitioned into Research and Development in 2009 focusing on the areas of malware analysis, reverse engineering and host and network intrusion detection. Research interests include, analysis automation and correlation, covert channel analysis and identification, threat intelligence, protocol anomalies and mobile malware.

Track 1 - 10:50 - Grecs (@Grecs) - A Jobsonian Look At Information Security

In the day-to-day drudgery of attempting to engineer secure systems or defend them, we blindly apply time tested security practices to solve the issues we come up against. All too often however we become complacent … and even sometimes lazy ... in how we do things. We accept the way things are done because that's they way they have always been done. But did we ever stop to consider why we do those things we are doing? And are they even relevant anymore? This talk examines the psychology of why we tend to stagnate as a human race, provides examples from other fields where others have successfully innovated with unique approaches, and presents several information security practices we need to toss aside along with their proposed alternatives.

grecs has over 17 years experience, undergraduate and graduate engineering degrees, and a really well known security certification. Despite his formal training, grecs has always been more of a CS person at heart going back to his VIC-20, Commodore 64, and high school computer club days. After doing the IT grind for five years, he discovered his love of infosec and has been pursuing this career since. Currently, he spends his days doing cybersecurity paperwork drills in building multi-billion dollar government systems. At night he runs a local infosec website and tries to get some hands-on skillz.

Track 2 - 10:50 - Justin Rogosky (@CptSexy) - Selling Security - Using Propaganda

Throughout history, mankind has attempted to influence others for a variety of reasons and they developed techniques to improve the chances of affecting behaviors. The collection of these techniques is called propaganda. From it's early beginnings as a way to spread the Christian religion, to modern techniques developed to mass market consumer goods, propaganda has been honed and shaped to allow the public to be influenced on a variety of different levels and usually without their knowledge or consent. While these techniques can be used to sell goods or rally a populace around a war, they can also be used to change corporate culture.

Track 1 - 1:00 - Jake Liefer, Tim Wainwright, Chris Salerno, Dan Astor - I've Got 99 Problems But HID Ain't One

While you are standing in line at Starbucks, discussing your plans for the day with some fellow co-workers, an unsuspecting stranger approaches you in line. Although you don’t exchange anything other than a friendly “Hello”, you have given him everything that he needs to gain access to your most critical assets. You see, your RFID badge just transmitted all the information needed to get into the building... Access control mechanisms are a major factor in physical security for corporate facilities, however vulnerabilities exist in these systems which attackers can easily exploit. In this session, we will discuss the technical and not so technical aspects of attacking access control systems. From social engineering to cloning RFID badges, we’ll discuss ways attackers can gain access to your facilities as well as ways to protect your critical physical infrastructure. Many physical security talks focus on unproven ‘what-if’ scenarios. This talk will not be one of them. All examples and technical details in this session have been proven by us in real world situations, providing valuable insight into the actual threats and how to mitigate them.

Track 2 - 1:00 - Tom Kopchak - Attacking And Defending Full Disk Encryption

One of your company’s laptops was just stolen. You know that there was
sensitive information on the machine. You also know that full disk encryption was deployed. Is your data safe? Can you prove it? Many organizations are flocking to full disk encryption solutions as a solution to their data security requirements. Unfortunately, many of these installations view the deployment of full disk encryption as a panacea for any and all security concerns for their laptop fleets. All too often, these systems are not properly configured and adequately tested. In this talk, Tom will analyze the challenges associated with attacking and defending systems protected with full disk encryption. Many of the examples provided will draw from Tom's personal experience, including several scenarios where a fully encrypted and powered down system was fully compromised as part of a penetration test.

Tom Kopchak is a Senior Security Engineer at Hurricane Labs, an Information Security Firm in Cleveland, Ohio. Tom is an alum of the Rochester Institute of Technology, with a background in Computing Security and Information Security (MS) and Applied Networking and System Administration(BS). Tom’s passion for information security stems from his experiences in the Collegiate Cyber Defense Competition. His research areas include computer forensics and data storage technologies. When he is not working with computers, Tom enjoys composing, music improvisation, and playing both the piano and organ.

Track 1 - 1:50 - Rob Kraus - How Highly Effective CISOs Prepare For DDoS

How do CSOs at the top of their game prepare for and handle DDoS attacks while keeping their day jobs? DDoS attacks are among the most impactful, and feared, attacks encountered by enterprises today. Most organizations today are not prepared to address these attacks, and almost as many are unable to even explain them. From this presentation, understand the threat, implement appropriate countermeasures, anticipate problems, be ready to react, and be a winner as a CSO.

Rob Kraus is the director of research for the Solutionary Secuity Engineering Research Team (SERT). He specializes in vulnerability research, threat intelligence, incident response, application security assessments and attack mitigation tactics. Rob is also the author of the Seven Deadliest Windows Attacks and co-author for the Seven Deadliest Network Attacks books, part of Syngress Publishing’s Seven Deadliest Attack Series. Rob was previously a manager within Solutionary’s security consulting services group. He performed offensive-based security assessments consisting of penetration testing, social engineering, wireless and VoIP penetration testing, and web application penetration tests.

Track 2 - 1:50 - Charles Wood (@ProfCWood) - Compliance With PCI, HIPAA, and SOX: Tales of Horror (And How To Information)

Compliance with various standards can be important. In this presentation, we cover basic compliance concepts in HIPAA (for health care), PCI (for credit cards), and SOX (for publically traded companies and those that do business with them), and the horrible, terrible, gut-wrenching things that have happened to those who do not comply.

Charles Wood has over two decades experience as a systems consultant, instructor, and author, including over ten years experience in developing software in Java, C++ and C#, VB.NET, HTML/XML/JavaScript/CSS, and other languages. Chuck is a holds a CISSP (Certified Information Systems Security Professional) and he teaches and consults in information security, software development, and infrastructure.

Track 1 - 2:40 - Dave Kennedy (@HackingDave) - Moving The Industry Forward: The Purple Team

Let’s start off with a strong statement – pentesting today isn’t working. The blue team today isn’t working. When a pentest occurs, even done by some of the industries leading folks and the quality is there – the pentesters go in, blow stuff up, write the report and leave a trail of destruction to be cleaned up until the next pentest. The next year, the same thing, the year after that the same thing. The blue team on the other hand is tasked with securing the entire company and one flaw exposes the entire organization to attack. I’m here to tell you that we can accomplish both and continue to strengthen how we defend and build detection – its called the Purple Team. Instead of doing covert testing, move to more of a blended approach and build out defenses against the entire life cycle of a hack. This talk goes into how to structure the best and effective purple team within an organization as well as walk through a number of different attacks and how to defend them. Like my normal talks, I’ll be going through the Social-Engineer Toolkit and how you can actively block its attacks and use some cutting edge things that haven’t been discussed before on how to block the attacks in the toolkit.

Dave Kennedy is founder and principal security consultant of TrustedSec - An information security consulting firm located in Cleveland Ohio. David was the former Chief Security Officer (CSO) for a Fortune 1000 company where he ran the entire information security program. Kennedy is a co-author of the book "Metasploit: The Penetration Testers Guide," the creator of the Social-Engineer Toolkit (SET), and Artillery. Kennedy has presented on a number of occasions at Black Hat, Defcon, ShmooCon, BSIDES, Infosec World, Notacon, AIDE, ISACA, ISSA, Infragard, Infosec Summit, and a number of other security-related conferences. Kennedy has been interviewed by several news organizations including CNN, Fox News, the Katie Couric show, and BBC World News. Kennedy is the co-host of the social-engineer.org podcast and formally the ISDPodcast. Kennedy is one of the co-authors of the Penetration Testing Execution Standard (PTES); a framework designed to fix the penetration testing industry. Kennedy is the co-founder of DerbyCon, a large-scale conference in Louisville Kentucky. Prior to Diebold, Kennedy was a VP of Consulting and Partner of a mid-size information security consulting company running the security consulting practice. Prior to the private sector, Kennedy worked for the United States Marine Corps and deployed to Iraq twice for intelligence related missions.

Track 2 - 2:40 - Brandon Franklin - Building Trust in the Cloud

Most organizations are using cloud services through either vendor services or direct engagement. Addressing risk in one-size-fits-all solutions, or worse, "sure, we can do whatever you want, let me work up some numbers" solutions is a complex task. In this talk we'll cover the basics of figuring out just how insane giving a service provider your data is, and go into some of the cutting edge architectures that support operating in a completely untrusted cloud environment.

Brandon has spent 10 years in the information security profession. He plays for the blue team most days, but doesn't mind playing for the red team when vetting new vendors.

Track 1 - 3:30 - Robert C Seacord - Dangerous Optimizations and a Loss of Causality

Compiler writers are taking advantage of undefined behaviors in the C and C++ programming languages to improve optimizations. Frequently, these optimizations are interfering with the ability of developers to perform cause-effect analysis on their source code, that is, analyzing the dependence of downstream results on prior results. Consequently, these optimizations are eliminating causality in software and are increasing the probability of software faults, defects, and vulnerabilities. This presentation describes some common optimizations, describes how these can lead to software vulnerabilities, and identifies applicable and practical mitigation strategies.

Robert C. Seacord is the secure coding technical manager in the CERT Division of Carnegie Mellon University’s Software Engineering Institute (SEI). The CERT Program is a trusted provider of operationally relevant cyber security research and innovative and timely responses to our nation’s cyber security challenges. The Secure Coding Initiative works with software developers and software development organizations to eliminate vulnerabilities resulting from coding errors before they are deployed. Robert is also an adjunct professor in the School of Computer Science and the Information Networking Institute at Carnegie Mellon University. He is the author of eight books, including “Secure Coding in C and C++, Second Edition” (Addison-Wesley, 2013), and “Java Coding Guidelines: 75 Recommendations for Reliable and Secure Programs” (Addison-Wesley, 2014). He has also published more than 40 papers on software security, component-based software engineering, Web-based system design, legacy-system modernization, component repositories and search engines, and user interface design and development. Robert has been teaching secure coding in C and C++ to private industry, academia, and government since 2005. He started programming professionally for IBM in 1982, working in communications and operating system software, processor development, and software engineering. Robert also has worked at the X Consortium, where he developed and maintained code for the Common Desktop Environment and the X Window System. He represents Carnegie Mellon University (CMU) at the ISO/IEC JTC1/SC22/WG14 international standardization Working group for the C programming language.

Track 1 - 4:20 - Geo Warnagiris (@GeoWarnagiris) - BSides 2015

BSidesPGH is growing! After a quick look at the history of BSides Pittsburgh, we will discuss the current state of the event, including the organizing committee, the budget and lessons learned in 2014. Then we will talk about plans for BSidesPGH in 2015 and going forward. The non-profit corporation, sponsorship, end goals, alternate venues and other topics will be considered if there is interest.

@GeoWarnagiris is a data scientist at the Teneo Group and a volunteer on the BSides Pittsburgh 2014 organizing committee. He has been doing infosec since '99, is an expert in TCP/IP and the network stack and is a fervent Linux supporter. TheTeneoGroup.com is a national, information security services provider and a proud member of the Pittsburgh information security community.

Planners

Dan Klinedinst (@dklinedinst)

John Kostuch (@kostuch)

Geo Warnagiris (@GeoWarnagiris)

Joe Wynn (@wynnjoe)

Scott Kriebel

Andy Johnson (@pierogipowered)

Steve Groark (@SteveGroark)

Pete Giannoutsos (@Panogi)

Nick Hovanic (@n_hov)

Jon Zeolla (@JonZeolla)

Brian W Gray (@BrianWGray)

Kevin Dunlap