BSIDES PITTSBURGH 2013

June 14th, 2013 at Left Field Meeting Space
June 15th, 2013 at Tech Shop

BSides Pittsburgh is a free, volunteer-run computer security conference held every summer in Pittsburgh, PA. Security Bsides is a global series of community-driven conferences presenting a wide range of information security topics from technical topics, such as dissecting network protocols, to policy issues such as managing information leakage via social networks. In keeping with the community-driven theme and to help minimize event costs, the conference format, talks, and activities are agreed upon by all attendees. We're currently looking for presenters, ideas and topics. Please post your ideas at the BsidesPittsburgh website.

Pittsburgh has a flourishing information security community; this is a great chance to meet each other, share ideas and work together. Many of those professionals in Pittsburgh as well as nationally recognized experts are doing awesome things in the field; let's get together to learn, collaborate, and protect. Please see our web page for more information, to RSVP, or to submit a talk or suggestion. The event is free – even the food and drinks – and held in full view of the City of Pittsburgh and PNC Park at the Left Field Meeting Space on the north shore.

This year we are adding a second day of events. Friday will be at Left Field and will focus more on policy, best practices, security management, and legal issues (although technical submissions are still welcome.) Saturday will be at a different location and will be entirely technical deep-dives. Attendance at either or both is free.

Speakers and Talks

9:00 - SSA J. Keith Mularski - Cyber Threat Landscape

A discussion of the cyber threat landscape, with examples of what the FBI is seeing in the areas of Advanced Persistent Threats, organized cyber criminal gangs, underground forums, Anonymous and other hacktivists, and cyber terrorism.

10:00 - Dave Kennedy (@HackingDave) - Getting Creative: A Story in Thinking Outside of the Box

Ever run in to a crazy configuration and secure setup that you just couldn't break in to? It's rare, but it happens. As penetration testers, we need to think outside of the box and get creative. We are hackers and we need to think like them. This presentation goes over some examples that I've run in to during penetration tests that made me get creative and think outside the box. Often times we get complacent when we can't find MS08-67, the latest and greatest exploit, or a default password. We chalk it up and walk away as if they're secure. Instead, let's fight, work for it, and most importantly, pop a box. This presentation will have lots of demos, tricks that I use during penetration tests, and more.

11:00 - Eve Adams (@hackerhuntress) - Hack The Hustle! Career Strategies For Information Security Professionals

While information security is widely considered a negative-unemployment industry (it's actually closer to 3%), most of us will look for a job at some point. Seasoned technical recruiter Eve Adams (@HackerHuntress) provides infosec-specific insight on writing resumes that attract the kind of attention you want, getting short-listed for cool positions before they're even posted, strategically riding infosec employment trends, and how to most effectively work with those delightful recruiters. This talk will have something for those just entering the workforce, mid-career security professionals, and former VAX hackers alike!

1:00 - Randy Trzeciak - Risk Mitigation Strategies: Lessons Learned from Actual Insider Attacks

The Insider Threat Center at CERT, which was formed in 2001, has built an extensive library and comprehensive database containing hundreds of actual cases of insider cybercrimes. This presentation will describe findings from our analysis of three primary types of insider cybercrimes: IT sabotage, theft of intellectual property (e.g. trade secrets), and fraud. All CERT insider threat research focuses on both the technical and behavioral aspects of actual compromises. The presentation will describe who committed the crimes, their motivation, organizational issues surrounding the incidents, methods of carrying out the attacks, impacts, and precursors that could have served as indicators to the organization in preventing the incident or detecting it earlier. In addition, this session will outline nineteen practices organizations should consider implementing to prevent, detect, and respond to insider threats. It will convey the "big picture" of the insider threat problem - the complex interactions, relative degree of risk, and unintended consequences of policies, practices, technology, insider psychological issues, and organizational culture over time.

2:00 - Jake Liefer - Building a Better Pond: Tactically Thwarting Spear Phishing Attacks

While you were busy reviewing your onerous firewall rules, an attacker just bypassed all your best efforts and gained internal access on your network thanks to a simple, well crafted malicious email that took 10 minutes to create. From high profile attacks on corporations such as RSA, to the thousands of unreported and unknown attacks, spear phishing has become a formidable threat. However, in the midst of these mounting attacks, many security teams best effort is to simply tell users to not open malicious emails. Evidence shows that this is not working.

In this session, we'll discuss the tactical and technical details to thwarting spear phishing attacks. We'll look at real world attacks and how to stop them. From developing a network infrastructure that detects these threats in-bound to fingerprinting what these attacks look like, we'll go beyond simple user awareness training to actively detect and mitigate spear phishing attacks.

3:00 - Kevin Poniatowski - How I Stopped Worrying and Learned to Love BYOD

“Tweeting from the pub using my work Twitter account seemed like a good idea at the time.”

“How could our customer data be stolen? No one knows my iPhone pin except me.”

“After I send off this email to sales, I’m going to download Angry Chinese Birds. It’s free!”

It’s becoming more and more common for staff to bring their own devices to work, and blending their personal data with sensitive organizational data. What could possibly go wrong? Lack of user education concerning both physical and cyber threats to mobile devices and the sensitive data stored within them is creating an epidemic of embarrassment to organizations. This presentation will highlight the dangers of an untrained staff bringing their own devices to work and the steps that could be taken to mitigate the risk of lost data, compromised devices, and embarrassing Twitter posts.

Learning Objectives:

Attendees will become much more paranoid about the common practice of blending personal and organizational data and applications within their mobile devices. They will also be introduced to coping skills, also known as secure best practices, for dealing with this paranoia.

4:00 - Dave Ries - What Is Reasonable Security from a Legal Perspective?

Corporate officers and boards, security professionals, and attorneys advising them regularly face the challenge of defining and implementing “reasonable security” for the business or enterprise. The answers are complicated by rapidly developing technologies, increasing threats, advances in available safeguards, and changes in regulatory requirements. This session will explore current legal requirements and evolving standards for “reasonable security” under them.

Training Sessions

Raphael Mudge (@ArmitageHacker) - Armitage and Cobalt Strike Penetration Testing Lab

The Metasploit Framework is a must-have tool for penetration testers. Armitage builds a workflow on top of the Metasploit Framework and exposes its most advanced capabilities. Cobalt Strike augments Armitage with tools to simulate advanced persistent threat-style targeted attacks. This lab oriented class will introduce you to the penetration testing process from the perspectives of Armitage and Cobalt Strike. You'll learn how to craft an attack package, deliver it to a target, spy on a user, attack systems from a foothold, and abuse trust relationships to gain access.

Student Requirements:

Students must bring a laptop with a VMWare product installed. VMWare player is OK. The instructor will provide attack and target virtual machines on a DVD. A USB DVD drive will be available to use. Student systems must have 12GB of free space and at least 2GB of RAM.

Brent Kennedy (@bk_up) - Pentester Playground

Andy Cooper - iptables and doing stuff with it

Brandon Morris - Eating the Elephant: Using Nessus and Microsoft Office to Analyze and Compare Large Host Scans

Chances are you've heard of the Tenable Nessus Vulnerability scanner. It slices, it dices, it can run over 50,000 security checks against a wide range of targets. However, if you've ever tried to use it to assess 500, 1000, 2000 hosts it can quickly become an overwhelming endeavour. This presentation is how to tame the Nessus beast using Powershell to import multiple scans into a Microsoft Access Database, Easily Review/Filter/Query Results, Create comparative finding matrices in Microsoft Excel, and much much more.

Charles Wood (@ProfCWood) - The Dangers of Steganography: What Worked for Bin Laden can Work Against You

Osama Bin Laden transmitted messages embedded inside porn pictures through the Internet. His methods are still hard to detect. The same techniques that Bin Laden used to transmit secret messages to terrorists can be used to do the following:

Steganography can be used to transmit customer lists secretly from the CRM system from your site!
Steganography can be used to transmit private Visa card information from the accounts receivable department from your site!
Steganography can be used to transmit engineering plans or future business opportunities to domestic and foreign competitors from your site!
And there is little in place to stop it. Email filters won’t work. Viewing the emails won’t detect anything amiss. It is truly, truly scary!

This presentation will incorporate some PowerPoint with some examples of tool use to encrypt and embed secret messages, and will illustrate what steganography is, how it works, why it works so well(!) and is so undetectable(!), and what you can do to stop it. Further, the presentation discusses what tools need to be developed that are not currently available to protect ourselves from our secret information being transmitted. The presentation will start out managerial, move to computer science as we go to the bit-level representation of information and how that can be used to embed information, and then move back to managerial to discuss the tools that are readily available to hackers, and the lack of tools that are readily available to managers.

Joshua Schwartz - Making Attacks Go Backward

Imagine a pentest where there is no scope, no time restraints, and no budget. How would you do it? Would you write your own tools? Would you get detected? And if you did would they know what you stole and what was owned? As time went on, would you get lazy?

It sounds like a dream gig for most pentesters out there and lucky for some threat actors, this is the 9 to 5 job. By now we shouldn't have to mention the advanced persistent buzzword for you to know what we are talking about. Targeted threat actors are people too, they make mistakes, their judgement is bad sometimes, they get lazy, and sometimes their skills are bad and they should feel bad.

In this talk we will cover how attacker tactics can leave behind obvious evidence, how their tools can be identified and analyzed quickly, and how the human side of every attacker can lead to some great lulz. Attendees should leave armed with a variety of examples from the trenches of incident response and malware analysis that will give them an edge against the less advanced of advanced attackers. Key takeaways will include tips and tricks for identifying and reverse engineering malware and utilities used in targeted attacks as well as the forensic evidence they leave behind.

Brandon Franklin, Justin Zimmerman - Skeletons in the Closet: Is Your Crypto Keeping You Safe?

Cryptography, like many areas of security, has the devil in the details. Most of us know better than to develop our own crypto algorithms, but there are a host of gotchas that come with the implementation of any secure protocol. Properly applying secure algorithms is critical for maintaining safe harbor under regulations such as HIPAA. The presentation will cover a set of common cryptography anti-patterns we have encountered in security assessments and how to fix these broken architectures. Less technical folks should expect to walk away with a checklist of things to watch for in their daily practice. More technical folks will come away with a better understanding of how to critically think about architecting crypto solutions.

Sid Faber, George Warnagiris - A Profile of Traffic on my Home Network

David Warren - Software Defined Radio

John Geyer - We Need More D-Fence

Mid size and small businesses require teamwork to get the job done. Not every company has a dedicated security team, and operations staff usually share the work load. We will discuss why your defense still sucks, why rock stars do not fit in, why zealots ruin such a potentially awesome defensive career candidates, and why we train for offensive security when we need more d-fence.

Planners

Dan Klinedinst (@dklinedinst)

Joe Wynn (@wynnjoe)

Scott Kriebel

Scott Thomas (@notscottthomas)

Tracy Cassidy