BSIDES PITTSBURGH 2015

June 19th, 2015
Left Field Meeting Space

There are a lot of people in Pittsburgh doing awesome things in the field; let's get them all together! BSidesPittsburgh is a volunteer-run computer security conference held in Pittsburgh annually. Security BSides is part of a global series of community-driven conferences presenting a wide range of information security topics from technical topics, such as dissecting network protocols, to policy issues such as managing information leakage via social networks.

Pittsburgh has a flourishing information security community; this is a great chance to meet each other, share ideas and work together. Many of those professionals in Pittsburgh as well as nationally recognized experts are doing awesome things in the field; let's get together to learn, collaborate, and protect.

Speakers and Talks

9:00 - Brent Kennedy (@bk_up) , Will Schroeder (@harmj0y), Jason Frank (@jasonjfrank) - Go Hack Yourself: 10 Pentest Tactics for Blue Teamer

Penetration testing is an art and a science. It takes the knowledge of networks/applications/all things computing as well as critical thinking and an understanding of human behavior to become a truly great tester. The tools and processes to carry out the trade have evolved significantly in the past few years with the explosion of offensive PowerShell, lowering the barrier to entry for the execution of advanced offensive tactics. If attackers are using these tools to break into networks, why shouldn’t defenders use the same to make their environments more secure? A popular question from system administrators to CISOs is: What can I do to learn this “stuff”? While penetration testing takes years of experience to master, defenders can use recent tool advancements to plug many of the common holes offensive teams take advantage of. This talk will highlight 10 key areas blue teams can regularly audit using offensive toolsets without needing a red team background. From quickly triaging open files shares, to examining domain trusts, to easily testing border egress, these red teams tools and tactics can help blue teams better secure the networks they defend.

Brent Kennedy leads the penetration testing and assessment group at the CERT division of the Software Engineering Institute at Carnegie Mellon University. Brent’s major responsibility is working with the Department of Homeland Security’s Risk and Vulnerability Assessment (RVA) program to provide penetration testing services to federal, state and local government entities as well as critical infrastructure customers. Additionally, Brent’s group aims to enhance the state of the penetration testing field through technical research and process improvements.

Will Schroeder is a security researcher and pentester/red-teamer for Veris Group’s Adaptive Threat Division, and is one of the co-founders and active developers of the Veil-Framework. He has presented at Shmoocon, Carolinacon, Defcon, and Derbycon on topics spanning AV-evasion, post-exploitation, red teaming, offensive PowerShell, and more.

Jason Frank is the manager of Veris Group’s Adaptive Threat Division, where he oversees penetration testing efforts for various government agencies, including the Department of Homeland Security (DHS), Department of Treasury, and multiple Fortune 500 clients. Jason specializes in leading penetration testing programs, while developing and maturing client’s internal assessment efforts. In addition, Jason has several years of experience training participants in testing methodologies, including at major industry conferences such as Black Hat.

10:15 - Tom Kopchak (@tomkopchak) - An Effective Approach to Defense in Depth

We've all heard about Defense in Depth. All too often though, we don't know how to effectively explain this concept. Many presentations about this topic are just plain boring and repetitive. How do we break the mold?

In this Defense in Depth presentation, Tom illustrates an effective security approach through the image of a castle. He reviews many of the different defenses that can be deployed in unison to better secure a network from a range of threats, using examples based on a wide range of experiences across enterprises of all shapes and sizes. Tom also provides examples of improvements that can be made leveraging existing controls to provide an overall increase in organizational security. While a single layer of defense cannot be considered adequate and no system can be considered absolutely secure, a multi-tiered security approach can effectively reduce the overall risk an organization must face.

Tom Kopchak is a Senior Security Engineer and Operations Team Lead at Hurricane Labs, an Information Security Firm in Cleveland, Ohio who specializes in Splunk design and implementation, network integration, and firewall and network security. Tom is an alum of the Rochester Institute of Technology, with a background in Computing Security and Information Security (MS) and Applied Networking and System Administration (BS). His research areas include computer forensics and data storage technologies. When he is not working with computers, Tom enjoys composing, music improvisation (Acts of Music), and playing both the piano and organ.

10:45 - Jonathan Spring - Global Adversarial Capability Modeling

Computer network defense has models for attacks and incidents comprised of multiple attacks after the fact. However, we lack an evidence-based model the likelihood and intensity of attacks and incidents. Purpose: We propose a model of global capability advancement, the adversarial capability chain (ACC), to fit this need. The model enables cyber risk analysis to better understand the costs for an adversary to attack a system, which directly influences the cost to defend it. Method: The model is based on four historical studies of adversarial capabilities: capability to exploit Windows XP, to exploit the Android API, to exploit Apache, and to administer compromised industrial control systems. Result: We propose the ACC with five phases: Discovery, Validation, Escalation, Democratization, and Ubiquity. We use the four case studies as examples as to how the ACC can be applied and used to predict attack likelihood and intensity.

Jonathan Spring is a researcher and analyst at the CERT program at Carnegie Mellon University. He is the co-author of an information security textbook, "Introduction to Information Security: A Strategic-Based Approach," and also serves as an adjunct professor at the University of Pittsburgh's School of Information Sciences and as an ICANN research fellow. Publication list available from: url.sei.cmu.edu/jspring.

11:15 - Kevin Gennuso (@kevvyg) - Microsoft EMET Overview and Demonstration

Microsoft EMET is a free tool that can be used to improve endpoint security. It provides advanced mitigation for software most targeted by attackers. This talk will discuss the features, deployment strategies and targets, and upkeep. We'll then demonstrate effectiveness using real-world attacks against a vulnerable system without EMET and then compare against the same system with EMET installed.

Kevin is a security architect and part time packet mangler. He has over 17 years of experience in both the offensive and defensive sides of information security, and has done work for a number of organizations across the technology, healthcare, finance, and retail sectors.

1:30 - Allen Householder (@adh - Systemic Vulnerabilities: An Allegorical Tale of Steampunk Vulnerability to Aero-Physical Threats

What can we learn about vulnerability analysis, mitigation, and designed-in security for the emerging internet of things from history? In this talk we'll trace the origin and evolution of a physical-world vulnerability that dates to the late 19th century, and explore whether "building security in" is even always an available option. We'll also look at how a number of industries have approached the analysis of their safety failures and what that implies for interconnected embedded systems. Along the way we'll meet Andrew Carnegie and a few other historical figures and events that help illuminate some ideas that presage the future of cybersecurity in a world of smart things.

Allen Householder is a Senior Vulnerability Analyst in the CERT Division of the Software Engineering Institute at Carnegie Mellon University. His recent work includes being the technical lead for the CERT Basic Fuzzing Framework (BFF) and Failure Observation Engine (FOE), and research into the (in)security of the Internet of Things. His research interests include fuzzing, threat modeling, vulnerability disclosure, and modeling information sharing and trust among Computer Security Incident Response Teams (CSIRTs).

2:00 - Justin Rogosky (@cptsexy) - Robots.txt - There's Gold in Them Thar Files

Web penetration testing has benefited from certain sites providing a ready made list of sensitive areas that they don't want crawled, robots.txt. I pulled, and analyzed, the robots.txt file from numerous sites to determine most common user-agents and locations. From the results, I have derived a better listing of directories to use with tools like dirbuster and for better reconnaissance.

3:00 - Balaji Palanisamy - Security-Aware and Privacy-Conscious Cloud Computing

Out of respect for the presenter's wishes this presentation was not recorded and the slide deck will not be made available.

Cloud computing and its pay-as-you-go cost structure have enabled infrastructure providers, platform providers and application service providers to offer computing services on demand and pay-per-use just like how we use utility today. This growing trend in cloud computing, combined with the demands for Big Data and Big Data analytics, is driving the rapid evolution of cloud technologies towards more security-aware and privacy-conscious technology agnostic solutions. Computing in the Cloud primarily demands for protections of data privacy, access privacy and execution privacy of consumer jobs against any unauthorized data access and program execution. The responsibility goes both ways in a cloud service model, the provider must ensure that their infrastructure is secure and that their clients’ data and applications are protected while the user must take measures to fortify their application and use strong access control and authentication measures. This talk provides an introduction to security and privacy issues in cloud computing covering the issues of data and execution privacy in modern cloud computing systems.

Balaji Palanisamy is an Assistant Professor in the School of Information Science in University of Pittsburgh. His research interests lie in scalable and privacy-conscious resource management for large-scale Distributed and Cloud Computing systems. He is a recipient of the Best Paper Award at the 5th International Conference on Cloud Computing, IEEE CLOUD 2012 and a Best Paper Award nomination in the 15th IEEE/ACM International Symposium on Cluster, Cloud and Grid Computing, IEEE/ACM CCGRID 2015. At Pitt, he teaches courses related to security and privacy and has recently developed a new course on Cloud Computing.

3:30 - Dave Demase (@Demase126) - SMAC & Cloud Security

The beat of cloud computing expansion has exponentially grown larger and stronger each year,showing no signs of slowing down. In addition to the base element of scale growth alone, more recent factors and influences only serve to add more fuel for the fire along with added complexity and dimension. Contemporary security tools take a wholly different approach to enabling content oversight, governance, and control that typically are relinquished to the service provider when moving to the cloud. This presentation will provide insight into how to address this need of regaining that visibility and authority.

Dave Demase is a seasoned InfoSec Professional with a deep and broad career experience base spanning more than 20 years. He has endeavored at enterprises both large and small; from Fortune 50 to less than ten colleagues. His expertise was gained through exposure to environments inside large IT organizations both as an internal team member as well as in the role of external consultant. In addition, his multi-security-discipline acumen has been established across the areas of technical infrastructure design & implementation, assessment, governance, risk, and compliance.

4:15 - Rob Ragan (@sweepthatleg) and Christina Camilleri (@0xkitty) - Never Surrender: Reducing Social Engineering Risk

The weakest link in the security chain is often between the keyboard and the chair. People are a problem. We have a natural instinct as humans to trust someone's word. Although various technical means have been developed to cope with security threats, human factors have been comparatively neglected.

Once you put a human in a security chain, you have a weakness. That problem should be addressed by security practitioners, not every member of an organization. Very few would disagree that social engineering is the the most common and least challenging way to compromise an organization, but most accept the notion that there isn't much they can do about it. False!

This talk will focus on the psychological, technical, and physical involvement of social engineering, and also look at how we can remove the human element of the human problem. We will explore what organizations are doing wrong, also the processes and technical controls that can be put in place to achieve a strong social engineering defense.

We'll template a solution that can be customized. What will really help? What is the truth? What if we don't want to surrender our organization to social engineers?

Rob Ragan: As a Senior Security Associate at Bishop Fox, Rob Ragan leads a team of highly skilled penetration testers. With over a decade of experience building and breaking systems, Rob specializes in application security, source code review, social engineering, wireless, mobile, and network penetration testing. Rob actively conducts security research and has repeatedly presented at Black Hat, DEFCON, InfoSec World, SyScan 360, SummerCon, and Outerz0ne. He is also a contributing author to Hacking Exposed Web Applications 3rd Edition.

Christina Camilleri: Christina is a security analyst at Bishop Fox by day and is a breaker of things by night. She specializes in web application penetration testing and social engineering; not only the psychological and physical involvement of social engineering, but also the manipulation and social influencing techniques that are able to exploit the behaviour of others. She has attended and presented at local and international conferences on social engineering and has won highest scoring OSINT report for two years in a row in the DEFCON Social Engineering CTF. She's an active and passionate contributor in the infosec industry, and a strong believer in user privacy, free expression, and innovation.

Planners

John Kostuch (@kostuch)

Geo Warnagiris (@GeoWarnagiris)

Joe Wynn (@wynnjoe)

Andy Johnson (@pierogipowered)

Steve Groark (@SteveGroark)

Jon Zeolla (@JonZeolla)

Brian W Gray (@BrianWGray)