BSidesDFW 2017

Speaker Bios

BSidesDFW 2017

"The Long Con - Lessons From Early 20th Century Con Artists For Modern Hackers"
-- Wesley McGrew

The history of confidence scams, or "cons", of the early 20th century contains a wealth of lessons, tools, and techniques that we can apply to modern social engineering and the defense of organizations' networks. In this talk, we will explore the various types of "classic" cons, focusing on the structure of "big store" games, while simultaneously discussing how the principles of these historic cons can be applied to modern social engineering (and criminal) operations. We will also discuss the similarities, in terms of culture, community, slang, and media representation of confidence artists, hackers, and professional information security practitioners. MSU.

@McGrewSecurity |

Dr. Wesley McGrew oversees penetration testing as Director of Cyber Operations for HORNE Cyber Solutions. He has presented on topics of penetration testing and malware analysis at DEF CON and Black Hat USA. He holds a Ph.D. in CS from Mississippi State University for his research in vulnerability analysis of SCADA HMI systems, and served as a professor teaching reverse engineering at MSU.

"Designing, Fabricating, and Building an Electronic Badge"
-- Jim Apger

The process of building your first Printed Circuit Board (PCB) has never been easier, inexpensive, and faster than it is right now.  We will walk through a recent project from concept to final product where I was tasked with building an electronic badge for a user conference.  There are many choices for free and easy to use Integrated Development Environments (IDE) for programming microcontrollers.  There are multiple CAD packages for designing your circuits and laying out the PCB.  The cost and turnaround times for having beautiful PCBs and it's associated components show up at your door are hard to believe.

Anyone interested in cranking out your first PCB, programming microcontrollers, or even discussing high-level techniques (reflow/iron) for soldering surface mount devices (SMD) to your PCB will walk away well prepared to start or extend your journey as a maker.

Jim Apger

Jim is a 20-year veteran of the tech industry. He began his career in the manufacturing environment developing solutions to interconnect heterogeneous robotics, controls, analytics and supervisory systems. His digital hardware and software background paved a path for him to spend nearly ten years as an innovator in the network intrusion prevention space. Prior to joining Splunk as a Security Architect in 2014, Jim made many key contributions in the fields of web fraud detection, anti-money laundering, security information/event management (SIEM), Security Operations, and cyberthreat intelligence. Jim earned his bachelor's degree in Electrical Engineering from The Ohio State University.

"Pulling back the hood(ie): What do security threats look like?"
-- Austin McBride

Threats are complex, detecting anomalies in nebulous log data is difficult, and mapping out the attacker’s malicious infrastructure can be tedious. Trying to build intuitions and identify patterns in log data can be daunting, but with the use of visual intelligence pivoting through your data becomes a far easier task.

In this talk I will dive into a different approach to visualizing threat data that focuses on constructing a cohesive narrative for threats and the infrastructure that support them. By understanding the components required for distributing malware and visualizing their infrastructure we are in a better position to spot trends, identify key bottlenecks, and mitigate compromises. Using open sourced data visualization software and other tools I will demonstrate how to use visualizations to enrich DNS, IP, ASN, and WHOIS data to better understand threats and how to build classifiers to identify, flag, and block them. I will demo three use cases in this talk: 1) Mapping out threats to easily pivot between domains, IPs, and domain registrants to find and block additional malware delivery vectors. 2) Visualizing ASNs domain hosting volume over time to spot suspicious patterns and block specific IP ranges or the entire ASN. 3) The use of visual intelligence in developing classifiers to automatically block malicious infrastructure.

Austin McBride |

Austin McBride is a Database Architect at OpenDNS (now Cisco Umbrella) with a background in data mining, analytics, security research, and data visualization. Currently, his research focuses on mapping out the relationship between attackers malicious infrastructures and the malware they distribute.

"Lesser-Known Application Vulnerabilities"
-- Kevin Cody

Vulnerabilities are expensive, there’s simply no way around it. Whether it's mitigation costs, Penetration Testing fees, auditing, or bug bounties - vulnerabilities and bugs are pricey. While SQLi and XSS are certainly dangerous, this talk will focus on some of the more obscure application vulnerabilities which were identified within apps and services we use every day. This presentation won’t simply stop at introducing these talking points; rather, we will dive into identification, both risk and technical analysis, and finally remediation techniques. The goal of this discussion will be to arm security practitioners, of all skill levels, in better understanding application risks in 2017.


Kevin is a Senior Consultant with experience working at several Fortune 500 enterprises. Although his particular expertise is geared toward hacking Web and Mobile applications, he is also experienced in the entire gamut from mainframes to embedded systems. Kevin is adamant on helping build-up developers through security, which can be seen in his involvement within OWASP or while speaking at events like CodeMash or BSides. In his spare time, Kevin can be found attempting to repair something (via online DIY videos), reading tech books, fishing, or simply spending time with his wife and children.

"Return From The Underworld - The Future Of Red Team Kerberos"
-- Jim Shaver & Mitchell Hennigan

This talk discusses Kerberos Key derivation, cracking and the future of Kerberos, kerberoasting and NTLM. Also discusses the possibilities for increased knowledge around Kerberos in the security community.


Jim Shaver is a penetration tester working on penetration assessments, infrastructure security reviews as well as social engineering. Jim has been working in IT, security and pen testing for 9 years. Jim is a contributor to mitmproxy and pyOpenSSL.


Mitchell Hennigan is a penetration tester working on penetration assessments, infrastructure security reviews as well as social engineering. Mitchell has been involved in the penetration testing field for 2 years.

"Love is in the Air - DFIR and IDS for WiFi Networks"
-- Lennart Koopmann

Every company uses wireless networks in some way and asking for the WiFi password, simply expecting a wireless network to be present, is the new normal. We are constantly surrounded by dozens of devices, constantly blasting out wireless packets that are not only full of interesting information but also unencrypted.

The WiFi attack vector has been identified a long time ago and the famous Wifi Pineapple devices make it possible to exploit issues with the 802.11 WiFi standard even without strong wireless expertise. To make things worse, access point logs are rarely centralized and even if they are, they don't contain information that could let you spot an attack early. In this talk, we will walk through the the 802.11 standard and demonstrate how to collect wireless frames using an Open Source tool, “nyzme.”


"Facilitating Fluffy Forensics 3.0"
-- Andrew Hay

Cloud computing enables the rapid deployment of servers and applications, dynamic scalability of system resources, and helps businesses get products to market faster than ever before. Most organizations are aware of the benefits of adopting cloud architectures and many are becoming aware of the potential security risks. The majority of organizations, however, don’t realize the numerous challenges of conducting incident response (IR) activities and forensic investigations across public, private, and hybrid cloud environments.

It’s not all doom and gloom, however. The consumption model of cloud architectures actually lends itself to helping investigators conduct forensic and IR exercises faster and more efficiently than on a single workstation. For this to happen, however, the tools and techniques employed must evolve.

In this session, LEO Cyber Security CTO Andrew Hay will revisit the forensic and IR challenges of investigating servers and applications in cloud environments in addition to the opportunities that cloud presents to help expedite forensic investigations.

@andrewsmhay |

Andrew Hay is an information security industry veteran with close to 20 years of experience as a security practitioner, industry analyst, and executive. As the Co-Founder & CTO for LEO Cyber Security, he is responsible for the creation and driving of the strategic vision for the company.

"Malware From Thin Bits"
-- Itzik Kotler

Behind every great malware is a great C2 server. Problem is, C2 servers can be shut down, and communicating with them may trigger multiple security alarms. But what if you could use a website like Yahoo to host your latest malware binary? Or a website like Wikipedia to turn your favorite CALC.EXE into a malware configuration file? That’s what this talk is all about! Come see how you can spice up your red team engagements with the new mkmalwarefrom tool!

@itzikkotler |

Itzik Kotler is CTO and Co-Founder of SafeBreach. Itzik has more than a decade of experience researching and working in the computer security space. He is a recognized industry speaker, having spoken at DEF CON, Black Hat, THOTCON, SkyDogCon, Hack In The Box, RSA, CCC, and H2HC.

"The FaaS and the Curious"
-- Bryan McAninch

Function as a Service (FaaS) platforms facilitate application deployment and event-driven execution with minimal cloud infrastructure and operational overhead. Consequently, the FaaS market is forecasted to grow 33% with an estimated valuation of $7.75B USD by 2021. However, every benefit has a cost and FaaS is no exception. Despite Amazon’s diligent efforts to secure their Lambda FaaS platform, its intended ability to access a variety of resources and services can be abused for unintended results. This presentation explores the attack surface of the AWS Lambda FaaS platform and how it can be surreptitiously used to circumvent security controls. Specifically, it will demonstrate how to hijack and impersonate Lambda functions, gain persistent remote access to the AWS cloud environment, and reverse engineer the Lambda runtime environment itself.


Bryan McAninch is an information security professional with over twenty years experience in various disciplines including digital forensics, penetration testing, and security architecture. His current area of research is focused on the security implications of cloud and container technologies. He holds a Bachelor of Science in Business Administration from the University of Texas at Dallas and a Master of Science in Information Assurance from the University of Dallas. Bryan is passionate about information security and giving back to the community. He is an organizer of the North Texas Cyber Security Group, member of the Dallas Hackers Association, and owner of Prevade Cybersecurity.

"Defending Against the Grifter"
-- Sophie Daniel

Maybe you've seen the movies and read the psychological thrillers that imply con artists have almost magical abilities to re-program your brain or hypnotize a mark in order to bypass pesky locks, or even swindle your wallet away from you. But this is simply not the case. We will go through several real-life examples of social engineering attacks and detail how you can protect yourself and your company against the grifter.

@HydeNS33k |

Sophie Daniel is a penetration tester and information security consultant. She specializes in social engineering penetration assessments including, physical, voice (vishing), and text (phishing) and red team pentests. Further, she consults in remediation and prevention through the creation and implementation of policy and procedure, as well as in-person customized training. Prior to working in InfoSec, Sophie was a journalist.

"Strengthen Your SECOPS Team by Leveraging Neurodiversity"
-- Megan Roddie

High productivity, extreme attention to detail, logical/calculated, passionate, and hyper-focused. These are all characteristics considered valuable in the information security industry. However, a certain group of people who exceed expectations in these skill sets are constantly overlooked for job positions. That group of people is the High Functioning Autistic (HFA) community.

Individuals in the high functioning autistic community are often overlooked for job positions due to their social disabilities which makes them perform poorly in an interview and in their interactions with other people. However, if you look past their awkward behavior and social struggles, you will find these individuals are perfectly suited for roles in the information security industry.

This talk aims to show the listeners that, as many tech companies have found, the HFA community is ripe with individuals who could be the best of the best in the security industry if given the chance. The audience will realize that a small investment in time, understanding, and acceptance can result in the addition of an invaluable member to a Security Operations team.


Megan Roddie is a graduate student pursuing her Master’s in Digital Forensics at Sam Houston State University while also working as a Cyber Security Analyst at the Texas Department of Public Safety. As a 20-year old with Asperger’s Syndrome (High Functioning Autism), Megan offers a unique perspective in any topic she discusses. Megan can articulate her struggles and how small modifications in daily life have made her successful.

"Barcowned - Popping Shells with your Cereal Box"
-- Michael West

Barcodes are ubiquitous in many industries and work with untrusted user data on labels, boxes, and even phone screens. They also allow programming the scanner by scanning barcodes. See the problem? By scanning a few programming barcodes, you can infect a scanner and access the keyboard of the host device, letting you type commands just like a Rubber Ducky. This culminates in Barcowned - a small web app that allows you to program scanners and execute complicated payloads in seconds. Released here at BSidesDFW!

@t3hub3rk1tten |

Michael West, aka T3h Ub3r K1tten, is a Technical Advisor at CyberArk who likes cats. His homelab has over 640 kilobytes of RAM. Michael presents regularly at Dallas Hackers Association and enjoys combining his software dev background with infosec to build tools for others. His interests include OSINT, radio, Twitter, barcodes, and parsing ugly data.

"PSAmsi: Offensive PowerShell Interaction with the AMSI"
-- Ryan Cobb

As use of "fileless" malware using PowerShell to stay in memory and evade traditional AV file scanning techniques has increased, Microsoft introduced the AMSI protocol in Windows 10 to allow AV vendors to scan scripts executing in memory and prevent execution.

With these newer in memory AV techniques, attackers need tools to help avoid AV detection of their scripts in memory. PSAmsi uses PowerShell reflection to load Windows AMSI functions into memory, allowing an attacker to interact directly with the interface.

We will discuss (and demo!) several use cases built into PSAmsi (offensive and defensive) for interacting with the AMSI, including using PSAmsi to automatically, minimally obfuscate scripts to simultaneously defeat both AMSI signatures and obfuscation detection techniques.

@cobbr_io |

Ryan Cobb is a pentester and consultant at Protiviti. He actively develops open source security tools, such as PSAmsi.

"Protecting Yourself from Golden Ticket Attacks with Rainmaker"
-- Andy Thompson

This talk highlights the risk of kerberos attacks against Active Directory, specifically the Golden Ticket attack. Andy demonstrates the phases of an advanced targeted attack against a SWIFT banking organization using nothing but PowerShell empire and some bad techno music. It's so easy, you don't have to be a 400lb hacker living in your mother's basement to do it!

@R41nM4kr |

Andy Thompson is the Strategic Advisor of Customer Success in the Southwest region for CyberArk Software. He is responsible for providing guidance in securing organizations with technologies and security best practices in order to prevent credential theft and breach. Andy spent the last 20 years in the fields of Web Development, Systems Engineering/Administration, Architecture, and the last 6 in Information Security and Architecture primarily focusing on large retail organizations. Andy is also active in the Information Security communities of Texas as a member of Shadow Systems Hacker Collective and the Dallas Hackers Association. Andy holds a Bachelor's of Science degree in Information Systems from the University of Texas at Arlington as well as the Certified Information Systems Security Professional (CISSP), and Systems Security Certified Practitioner (SSCP) certifications from (ISC)2. He is also COMPTIA Security+ Certified as well as a GIAC Certified Penetration Tester (GPEN). Andy is also a member of the SANS advisory council and CISSP instructor Previous speaking events include BSidesTampa 2017, BSides Oklahoma 2017, BSides Iowa 2017, BSides Denver 2017, BSides Cincinatti 2017, Information Warfare Summit 2016, ISSA International 2016 and others.