BSidesDFW 2022

Villages / Speaker Bios

TRAINING - Threat Modeling for Everyone

Authored and Facilitated by Ellopunk / ellopunk.com / @Ell_o_Punk
Sponsored by Grimm Cyber / @GRIMMCyber

Synopsis:
Threat modeling is a critical aspect of secure application development and a major part of the DevOps methodology’s “Plan” phase. This course will familiarize attendees with the predominant threat modeling frameworks through hands-on activities, driving home the importance of performing threat modeling very early in the DevOps process so that teams can avoid costly patching or even redevelopment later in an application's life cycle.

Prerequisites:
Watch the movie WarGames within two weeks of the workshop (https://www.imdb.com/title/tt0086567)
Available on major streaming services such as Hulu and Youtube.
Safari or Edge browser
Account on draw.io

Who should attend this workshop:
Developers who want to understand attacker methodologies and mindsets in order to better comprehend the “why” behind secure coding practices.
Security professionals looking to understand how they can work with development teams to build environments with security from the ground up.
Management looking to support either team in secure development

TRAINING - Introduction to Kali Linux

Authored and Facilitated by Lee Heath “Madhat” / @unspecific
With TA Brian Mork “Hermit” / @hermit_hacker

Synopsis:
A fast-paced introduction to the Linux operating system. Learn how Linux environments are most commonly set up, and how to use the command line to explore the system, manipulate files, install and upgrade applications, and more.

This course is based on Kali Linux, but most of what it covers applies to other Linux distributions as well.

This Course is a precursor to the other 2 classes taught by Lee Heath, ‘Introduction to Nmap’ and ‘Wifi Hacking with Wireshark’.

This course will not cover shell scripting or any of the common scripting languages.

Prerequisites:
Laptop needed for labs/exercises
Live USBs will be provided (USB Type A)

Audience:
Penetration Testers
SOC Analysts
System Administrators

TRAINING - Introduction to Nmap

Authored and Facilitated by Lee Heath “Madhat” / @unspecific
With TA Brian Mork “Hermit” / @hermit_hacker

Synopsis:
Have you heard of Nmap but don’t really know where to start? Maybe you have run a few scans but don’t feel like you know what you are doing? Have you been told Nmap is the tool you need, but you don’t understand how or why?

Introduction to Nmap is here to help. We will start from installation and the first run of Nmap, then move on to more complex scans, output formats, fingerprinting, Nmap scripts (NSE), and more.

This is the perfect place to get started, or to better understand why Nmap is so widely used and so useful.

Prerequisites:
Laptop needed for labs/exercises
Live USBs will be provided (USB Type A)

Audience:
Penetration Testers
SOC Analysts
System Administrators
Network Administrators

TRAINING - Exploring Wireless Networks with Wireshark

Authored and Facilitated by Lee Heath “Madhat” / @unspecific
With TA Brian Mork “Hermit” / @hermit_hacker

Synopsis:
This introduction to Wireshark, the powerful protocol analyzer, will cover the basics of the user interface (UI), then work through a real-time example of monitoring a WiFi network, including decrypting the captured packets.

This class will also use a few command line tools, such as airmon-ng and airodump-ng. If you do not have a WiFi card that supports monitor mode, you will still be able to follow along using a provided packet capture.

Prerequisites:
Laptop needed for labs/exercises
Live USBs will be provided (USB Type A)

Audience:
Aspiring and New Penetration Testers
SOC Analysts
System Administrators
Network Administrators

TRAINING - Python Code Reading

Authored and Facilitated by Count3rmeasure / @count3rmeasure

Synopsis:
Your eyes feel gritty as the minutes cascade past. Time grants no favors. The dread collaboration software lacerates your concentration with demands for another status update. Is it sophisticated obfuscation, a new trivial technique, or are you simply not seeing it…

Reading computer languages, “code”, is different from reading traditional written languages, and different again from writing the code in the first place. Ask any developer to review their own work from a year earlier. This class aims to empower the student to find specific pieces of code, navigate large codebases, and contextualize the code they are reading in medium to large code bases.

This class will open with a brief overview of Python syntax and structure. It is assumed the student has some exposure to programming, not necessarily in Python.

The class then takes an in-depth look at real-world data structures and syntax. Case studies will include:
specific important data structures from several real security-focused projects
reading protocols for more rapidly comprehending individual pieces and files
regular expressions and Unix command line tools for working with Python codebases

The class finishes with several brief examples of real vulnerabilities in Python codebases.

Join Count3rmeasure in developing an often overlooked skill, whether for a better understanding of code, greater efficiency in reverse engineering, creating custom patches, stockpiling CVE credits, or dropping 0-days.

Prerequisites:
Familiarity with basic programming concepts
Laptop needed for labs/exercises

Audience:
Developers / Programmers
Malware Researchers
Vulnerability Analysts
Penetration Testers
SOC Analysts
Threat Intelligence Analysts

Big Browser - Attacking & Defending the Process that Knows Everything

@R41nM4kr

Unraveling the Russian Snake: Turla

Turla is a very old and prolific threat group that has been attributed to the Federal Security Services (FSB) of Russia publicly by a foreign intelligence agency. Operating since the late 90s, they have compromised major government entities with a heavy focus on embassies and former Soviet states. In this talk, I will detail the immense capabilities of Turla, which include use of Satellite networks for infrastructure and the ability to stay undiscovered on victim networks for several years. And with Russia actively engaged in open warfare in Ukraine, it's important for all organizations to stay informed and prepared against this specific threat group.

@dfir_janitor
Paul is an extremely passionate, technical, and results-oriented security professional with over 10 years of incident response and 15 years of IT experience. He has a long, distinguished record of reducing enterprise risk and guiding organizations to an improved security posture. Some highlights include breaking into a 2-factor VPN as a pen tester, successfully investigating an insider threat case across the globe as a forensic examiner, and hunting and ejecting nation state adversaries from corporate and government networks.

Effective DFIR Triage Techniques to Detect Modern Rootkits

The wealth of data available to incident response handlers during breach investigations is often overwhelming to both junior and senior analysts alike. Depending on the IT maturity of the victim organization, this data can range from days to months of forensic data acquired from hard drives, volatile memory (RAM), network sensors, AV/EDR engines, SIEMS, and beyond. Effectively and efficiently locating signs of malware and intrusions in such a large data set requires an analyst to possess techniques that lead to quick wins and avoid falling into rabbit holes. In this presentation, a walkthrough of effective DFIR techniques will be showcased against Windows rootkits that have been discovered in the wild. Through a combination of targeted file system and memory analysis, attendees will see precisely where the most actionable artifacts reside and how to detect such malware in an automated fashion. They will then be able to apply these techniques in the field to detect threats throughout environments they protect.

@attrc
Andrew Case is a senior incident response handler and malware analyst.
He has conducted numerous large-scale investigations that span enterprises and industries.
He is a core developer on the Volatility memory analysis framework and a co-author of "The Art of Memory Forensics: Detecting Malware and Threats in Windows, Linux, and Mac Memory".
www.dfir.org

Container Crisis 3: More Containers More Problems

This talk is an overview of Docker: what it is, how it is implemented, and how it can be incorporated into security. Caprico guides us through an introduction to Docker, complete with a demonstration of how he found and assisted in taking down a botnet that ran on Docker. The talk also covers the trends from more than three years of data collection and open source intelligence (OSINT) research tracking these botnets across the internet.

Docker is one of the fastest growing technologies in production, development, and, interestingly, security, heralded as the new and more secure alternative to virtual machines (VMs). But any time someone says something is more secure, I want to test it. Call it an itch that needs scratching. So I scratched the itch.

Docker in a basic sense in comparison with virtual machines is like comparing a Russian Nesting Doll to a Container Barge.

Docker botnet: a Docker botnet is defined here as a malicious image/container created to serve a threat actor's use case. These use cases range from Distributed Denial-of-Service (DDoS) and crypto-mining to credential harvesting and command and control (C2) access.

With this talk:
Red Team: you get a super fun exploit and an exciting way to pivot around a network, with the adoption of Docker and container architecture continuing to grow in cloud-based hosting.
Blue Team: you get a new thing to watch for. Threat intel galore, especially if you are using or thinking of using Docker as your company's infrastructure.
Both: I've written a tool that is great for collecting OSINT and threat intelligence against Docker hosts.

Two GitHub repositories and several blog posts I have written and published will be referenced during the talk, showing the trends and evolution of threat actors using these kinds of botnets to essentially print free money.

@C4pr1c0
Caprico is an offensive security professional and OSINT specialist with experience in conducting full scope red team activities (including social engineering and physical penetration testing). In addition, Caprico is well versed in DFIR through trial by fire, with boots-on-the-ground investigation and recovery efforts from ransomware attacks, insider threats, and data loss.
capricocave.wordpress.com

Intro to API Hacking

APIs are everywhere, and they are a huge part of how the web functions today. This talk will provide a basic primer on APIs, common vulnerabilities, and resources to help you get started with hacking APIs.

@JamyCasteel
Jamy Casteel is a Senior Security Consultant at Kroll. He leverages more than 18 years of experience in IT and Information Security. He is 9x GIAC certified and holds the CISSP, OSCP, eCPPT, among other certifications.
https://www.linkedin.com/in/jamy-casteel/

Leveraging Data to Stop Human Trafficking

A lot of focus has been placed on leveraging data purchased from data brokers for nefarious intent.
This talk aims to inform the attendee on what data is actually collected by data brokers, as well as how that data can be leveraged for good and not just evil.
This talk explores a real world case study that used data purchased from several data brokers and how that data was used to target and impact human trafficking operations.
This talk also includes challenges faced and how data from data brokers needs to be analyzed to prevent biased/inaccurate reporting.

@0dayallday
Chris is a Professional Security Consultant, Developer, and Entrepreneur with over 20 years experience working within the Information Security (INFOSEC) industry.
He has developed numerous products for both the offensive and defensive computing markets as well as spoken and trained at Blackhat and other prominent security conferences.
0dayallday.org

Purple Teaming Cloud Identity: Simulation Labs for Red and Blue teams

The increased importance of the cloud and identity is not lost on attackers. To simulate adversary tradecraft, Red teams must be able to evolve offensive techniques against cloud identity systems. Cloud defenders must adapt quickly to understand these same attacks and instrument defenses. This talk will share practical use cases and effective open-source tools that security teams can use to advance their security programs. PurpleCloud (https://www.purplecloud.network) is a tool allowing security professionals to create an Azure AD penetration testing lab and other attack and defense security simulations. Enhancements for practical use and Purple Teaming will be shared with participants.

@securitypuck
Jason Ostrom is a SANS Instructor teaching Cloud Penetration Testing. His day job is helping the SANS Institute build solutions in the cloud. When not doing penetration testing and security research, he enjoys authoring open-source security tools. Jason is a graduate of the University of Michigan and resides in the DFW area of Texas.
https://medium.com/@iknowjason

Rosetta 2: Keeping Mac Malware Alive for Years to Come

In late 2020, Apple announced that they were changing their processor architecture from Intel to ARM and introduced their new chip, the M1. This switch in architecture would normally cause a plethora of compatibility issues with existing software, however Apple also released the Rosetta 2 translation layer to mitigate compatibility issues. Rosetta 2 allows for Intel-compiled binaries to run on the ARM processor through dynamic binary translation, removing the need for all applications to be updated and recompiled with Apple silicon-specific support. The announcement of these features led our team to wonder which steps, if any, would be needed to enable malware compiled for Intel systems to execute and infect systems on the new architecture. We were also curious about which of the native and Objective-C API functions commonly abused by Intel-compiled Mac malware were present and functioning on Apple Silicon. To answer these questions, we first ran many Mac malware samples originally found in the wild during targeted attacks. These samples were compiled for Intel systems, and we observed and documented their behavior on our M1 test systems. We also developed proof-of-concept applications that mimicked behavior observed in historical Mac malware, and documented which features are still available to malware authors. In this talk, we present the results of our research and analysis efforts, many of which surprised us, as well as discuss system changes in macOS that are now relevant to incident response handling and malware analysis.
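The first question an incident responder asks of a Mac sample on Apple silicon is which architecture slices it carries: an x86_64-only Mach-O runs only through Rosetta 2, an arm64 slice runs natively. The parser below is an added example written for this page, not the LSU team's tooling; it reads the Mach-O header (thin 64-bit and universal/fat layouts) and the sample byte strings are constructed header-only stubs rather than real binaries.

```python
"""Architecture triage for a Mac sample: x86_64-only (runs on Apple silicon only via
Rosetta 2), arm64-native, or a universal binary carrying both. Added example; the
INTEL/ARM64/UNIVERSAL samples below are constructed header stubs, not real files."""
import struct

MH_MAGIC_64 = 0xFEEDFACF        # 64-bit Mach-O; header is little-endian for x86_64 and arm64
FAT_MAGIC = 0xCAFEBABE          # universal binary; fat header fields are big-endian
CPU_TYPE_X86_64 = 0x01000007
CPU_TYPE_ARM64 = 0x0100000C
_CPU_NAMES = {CPU_TYPE_X86_64: "x86_64", CPU_TYPE_ARM64: "arm64"}


def mach_o_arches(blob: bytes) -> list:
    """Return the CPU architectures present in a thin or fat Mach-O file."""
    if len(blob) < 8:
        raise ValueError("too short for a Mach-O header")
    if struct.unpack("<I", blob[:4])[0] == MH_MAGIC_64:
        cputype = struct.unpack("<I", blob[4:8])[0]
        return [_CPU_NAMES.get(cputype, hex(cputype))]
    if struct.unpack(">I", blob[:4])[0] == FAT_MAGIC:
        nfat = struct.unpack(">I", blob[4:8])[0]
        arches = []
        for i in range(nfat):
            off = 8 + i * 20                     # struct fat_arch is five uint32 fields
            if len(blob) < off + 20:
                raise ValueError("truncated fat header")
            cputype = struct.unpack(">I", blob[off:off + 4])[0]
            arches.append(_CPU_NAMES.get(cputype, hex(cputype)))
        return arches
    raise ValueError("not a 64-bit Mach-O or universal binary")


def rosetta_verdict(blob: bytes) -> str:
    """How the sample will execute on an Apple silicon host."""
    arches = mach_o_arches(blob)
    if "arm64" in arches:
        return "native on Apple silicon"
    if "x86_64" in arches:
        return "Intel-only: executes on Apple silicon via Rosetta 2 translation"
    return "no slice a modern macOS host will run"


# Constructed stubs: headers only, no load commands or code.
def _thin_header(cputype: int) -> bytes:
    # magic, cputype, cpusubtype, filetype (MH_EXECUTE=2), ncmds, sizeofcmds, flags, reserved
    return struct.pack("<8I", MH_MAGIC_64, cputype, 3, 2, 0, 0, 0, 0)


def _fat_header(cputypes) -> bytes:
    hdr = struct.pack(">2I", FAT_MAGIC, len(cputypes))
    for ct in cputypes:
        hdr += struct.pack(">5I", ct, 0, 0, 0, 0)  # cputype, cpusubtype, offset, size, align
    return hdr


INTEL_SAMPLE = _thin_header(CPU_TYPE_X86_64)
ARM64_SAMPLE = _thin_header(CPU_TYPE_ARM64)
UNIVERSAL_SAMPLE = _fat_header([CPU_TYPE_X86_64, CPU_TYPE_ARM64])

if __name__ == "__main__":
    for name, blob in (("intel", INTEL_SAMPLE), ("arm64", ARM64_SAMPLE), ("universal", UNIVERSAL_SAMPLE)):
        print(f"{name:10} {mach_o_arches(blob)} -> {rosetta_verdict(blob)}")
```

On a real file, pass the first few hundred bytes of the binary to `mach_o_arches`; a 32-bit Mach-O (magic 0xFEEDFACE) is rejected, which is correct for triage since current macOS will not execute it at all.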

@rmettig_
Raphaela is a cybersecurity researcher currently affiliated with the LSU Applied Cybersecurity Lab (ACL) whose main areas of research focus are memory forensics and malware analysis. She received her Bachelor of Science and Master of Science degrees in Computer Science from Louisiana State University and has also worked as a threat intelligence analyst and as a product security engineer throughout her degrees. In her free time, she enjoys playing guitar, going to concerts, and reading.
rmettig.github.io

Charles Glass
Charles is a cybersecurity instructor at Louisiana State University (LSU) who is also affiliated with the Applied Cybersecurity Lab. He received his B.S. and M.S. in Computer Science from LSU in 2019 and 2022 respectively. He has also interned at Los Alamos National Laboratory and co-founded a software development company. In his free time, he enjoys many different forms of exercise, being in nature, and playing piano and baduk.

Routers HATE This One Neat Trick: Exploiting Cisco Smart Install

Aspiring pentesters are often told to learn networking basics before they try to hop into offensive security; here is a little incentive. The Cisco Smart Install feature of Cisco routers is an easily exploitable vulnerability that can lead to complete control of corporate networks. When configured correctly, it allows network teams to automate configuration changes and upgrade network devices at scale. We will demonstrate direct exploitation of the Cisco Smart Install feature, deep dive into Cisco configs to identify the security gaps often made by the NOC to show business impact, and teach the good guys how to stop this attack in its tracks. We'll also go over which APTs have used this attack vector, what they did, what they could have done in a warfare context, and show just how many orgs are vulnerable externally. This talk is aimed at pentesters looking to turn an easy win into critical business impact by using the data easily obtained by exploiting Cisco Smart Install to grab power and escalate access on corpo networks, and to scare NOC management into hardening their network devices. Link this talk if you're having trouble getting those config changes through a CAB call.
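The "deep dive Cisco configs" part of this talk is about what falls out of a config once Smart Install hands it over. The linter below is an added example written for this page, not the speaker's tooling: it flags a Smart Install client that was never disabled (`no vstack` absent), reversible type-7 credentials (decoded with the well-known fixed key), default SNMP communities, and cleartext Telnet management. SAMPLE_CONFIG is constructed; the type-7 string in it is the textbook encoding of "cisco".

```python
"""Lint a Cisco IOS running-config for the Smart Install exposure and the credential
gaps a NOC commonly leaves behind. Added example; SAMPLE_CONFIG is constructed."""
import re

# Fixed key behind IOS "type 7" reversible password obfuscation (public knowledge).
_TYPE7_KEY = b"dsfd;kfoA,.iyewrkldJKDHSUBsgvca69834ncxv9873254k;fg87"

# Constructed sample; 0822455D0A16 is the classic type-7 encoding of "cisco".
SAMPLE_CONFIG = """\
hostname core-sw01
service password-encryption
enable password 7 0822455D0A16
username admin privilege 15 password 7 0822455D0A16
snmp-server community public RO
snmp-server community private RW
line vty 0 4
 transport input telnet
"""

_TYPE7_RE = re.compile(r"^(?:enable password|username\s+\S+.*?\bpassword)\s+7\s+([0-9A-Fa-f]+)$")


def decode_type7(encoded: str) -> str:
    """Type 7 is XOR against a fixed key: two decimal digits give the key offset,
    the remainder is hex byte pairs. Anyone holding the config can reverse it."""
    if len(encoded) < 4 or len(encoded) % 2:
        raise ValueError("malformed type-7 string")
    seed = int(encoded[:2])
    data = bytes.fromhex(encoded[2:])
    return "".join(chr(b ^ _TYPE7_KEY[(seed + i) % len(_TYPE7_KEY)]) for i, b in enumerate(data))


def lint_config(config: str) -> list:
    """Return findings as dicts with 'check', 'detail' and 'fix' keys."""
    lines = [ln.strip() for ln in config.splitlines() if ln.strip()]
    findings = []

    # Smart Install client (vstack) stays on unless the config explicitly turns it off;
    # the protocol on TCP/4786 has no authentication, so an exposed client gives up
    # (and accepts) its configuration to anyone who can reach the port.
    if "no vstack" not in lines:
        findings.append({
            "check": "smart-install",
            "detail": "Smart Install client enabled (TCP/4786, unauthenticated config read/replace)",
            "fix": "no vstack; filter 4786 from untrusted networks",
        })

    for ln in lines:
        m = _TYPE7_RE.match(ln)
        if m:
            findings.append({
                "check": "type7-credential",
                "detail": f"{ln.split()[0]} credential recoverable: {decode_type7(m.group(1))!r}",
                "fix": "use 'enable secret' / 'username ... secret' (type 8/9 hashes)",
            })
        parts = ln.split()
        if len(parts) >= 3 and parts[:2] == ["snmp-server", "community"] and parts[2] in ("public", "private"):
            findings.append({
                "check": "snmp-default-community",
                "detail": ln,
                "fix": "remove default communities; prefer SNMPv3 with auth and priv",
            })
        if ln == "transport input telnet":
            findings.append({
                "check": "telnet-management",
                "detail": "cleartext management on vty lines",
                "fix": "transport input ssh",
            })
    return findings


if __name__ == "__main__":
    for f in lint_config(SAMPLE_CONFIG):
        print(f"[{f['check']}] {f['detail']} -> {f['fix']}")
```

Run it over a config pulled from a device (or from a Smart Install retrieval in a lab) to see why a cleartext config is worth an attacker's effort; `service password-encryption` only guards against shoulder-surfing, not against anyone who has the file.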

@bruthacker
Eric is a former network support and operations engineer and current network pentester for a consulting firm who made the transition to offsec after being inspired at BSidesDFW, Hack_FTW, and (allegedly) DHA. When he asked what it would take to make it in infosec, a colleague advised him to "be a network guy for 5 years"... so he did.
https://www.linkedin.com/in/eric-arnold0/

Broken Access Control : How to Protect Your APIs Against the World's Top Vulnerability?

Even though we all use identity and access systems everywhere in our lives every day, access control (ensuring users are able to do just the right amount of things in as seamless and unobtrusive a manner as possible) is still the most commonly misconfigured security weakness. (It currently ranks #1 on the Open Web Application Security Project, aka OWASP, Top 10 for 2021.) In this talk we will discuss common access control problems, how to detect them in your apps and services, and how developers can avoid introducing them in the future by following best practice recommendations. Our talk builds on our years of experience securing thousands of applications. This presentation will be useful for IT managers and developers looking to secure their application ecosystems.
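The most common form of the broken access control described here, and the first thing the API hacking primer above has you test for, is a handler that authenticates the caller but never checks whether the caller may touch the specific object requested. The code below is an added example written for this page, not code from either talk: a vulnerable invoice lookup beside the hardened one, an in-memory store standing in for the database, and the probe a tester would run to tell them apart. All records and identities are constructed.

```python
"""Object-level authorization in an API handler: the broken version beside the
hardened one. Added example with a constructed in-memory store."""
from dataclasses import dataclass


@dataclass(frozen=True)
class Principal:
    user_id: int
    roles: frozenset = frozenset()


class NotFound(Exception):
    pass


# Constructed records: invoice 1001 belongs to user 1, 1002 to user 2.
INVOICES = {
    1001: {"owner_id": 1, "total": 42.00},
    1002: {"owner_id": 2, "total": 1337.00},
}


def get_invoice_vulnerable(caller: Principal, invoice_id: int) -> dict:
    """Authenticates the caller but never asks whether the caller may read *this*
    object, so any logged-in user can walk the ID space (OWASP A01:2021; API1 BOLA)."""
    if invoice_id not in INVOICES:
        raise NotFound(invoice_id)
    return INVOICES[invoice_id]


def _may_read(caller: Principal, record: dict) -> bool:
    """Deny by default: the record's owner, or an explicitly granted role."""
    return record["owner_id"] == caller.user_id or "billing_admin" in caller.roles


def get_invoice_secure(caller: Principal, invoice_id: int) -> dict:
    """Same lookup plus the check the vulnerable handler lacks. A missing object and a
    foreign object both raise NotFound so the status code does not leak existence."""
    record = INVOICES.get(invoice_id)
    if record is None or not _may_read(caller, record):
        raise NotFound(invoice_id)
    return record


def probe_ids(handler, caller: Principal, ids) -> list:
    """The tester's view: which IDs does this handler hand back to this caller?"""
    readable = []
    for invoice_id in ids:
        try:
            handler(caller, invoice_id)
        except NotFound:
            continue
        readable.append(invoice_id)
    return readable


if __name__ == "__main__":
    alice = Principal(user_id=1)
    print("vulnerable:", probe_ids(get_invoice_vulnerable, alice, range(1000, 1005)))
    print("secure:    ", probe_ids(get_invoice_secure, alice, range(1000, 1005)))
```

The check lives next to the data access rather than in a route decorator so it cannot be forgotten on the next endpoint that reads the same table; that is the "avoid introducing them in the future" half of the talk.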

Jhansi Munukoti
Jhansi Munukoti is a Product Manager in the Identity and Access Management space at Microsoft. She has a decade of experience with a demonstrated history of shipping Enterprise as well as Consumer products across endpoints (Cloud, Mobile and PC).
Fun Fact: She has spoken at several conferences including TEDx and storytelling is her swag!
Claim to Fame: Jhansi holds a world record for building the world's largest fully solvable maze.

@k3n_5s
Ken Nichols has been at Microsoft his entire career, working as a Senior Product Manager (and recovering engineer) across the Windows, MSN, Bing, and Identity divisions. Outside of work Ken can frequently be found tweeting security memes on Twitter.
Fun Fact: SwiftOnSecurity (with 350K followers and fewer than 10K follows) follows Ken on Twitter!
Claim to Fame: Ken attended Def Con 4!

Cybersecurity Imposter Syndrome & Burnout

A panel discussion of 3-4 people with pre-outlined questions on how they have or have not experienced imposter syndrome specific to cybersecurity/hacking, what portion of that may be due to diversity or to the cybersecurity/hacking niche specifically, and how to not just get into security but stay in security and the community.

@vvanitydevil
@frankiedoescomedy
@sensei-hacker

Hacking Mobile Applications for Fun and Profit

In the current security world, it is well known that bugs cannot be totally eliminated. Mobile applications are considered one of the most popular targets for hackers right now. Hackers take advantage of mistakes made by mobile app developers, and it can be very expensive for businesses. This could be due to developer inexperience, a hurry to market, or poor coding skills. Mobile app vulnerabilities have had terrible years in the past and are surging exponentially, which is even worse. Nearly all industries are hit by cyber-attacks, which proves they are not fully prepared for the adversarial cyber-attack. In this session you will see the mobile app attack vectors that earned me multiple thousands of dollars from the mobility industry for demonstrating the compromise of more than 100 million customer accounts, with some additional attack cases from the telecom industry.

@kamranmohsin31
Kamran Mohsin is an efficient and seasoned information security researcher. He holds a Master's degree in Information Security and is keenly interested in web, mobile and system exploitation. He started his career as a penetration testing engineer and has delivered his services to government, financial and healthcare organizations. In a short span of time he has achieved renowned industry certifications, most prominently OSCP, OSCE, OSWE and CEH. Apart from routine work he enjoys bug hunting for fun and profit; he has also published a blog on information security subjects and actively shares his knowledge at information security conferences.

The Journey of Security Automation

Security teams are constantly burnt out by the unlimited amount of investigation and operational tasks. It becomes essential for the security defense team to leverage automation to improve the efficiency of the SOC. In this talk, I would like to share a few open-source automation tools, walk through a few use cases and discuss the journey of security automation. Outline: (1) the open-source automation tool Node-RED; (2) hands-on use case demos with Node-RED; (3) the difference between AI and automation, and AI use cases; and (4) the journey of security automation and security maturity levels.

@Peter_DTonomy
Ph.D. in computer science, with four patents on cyber security solutions. He co-founded DTonomy, an AI-based security analysis and response company. Before that, he was the tech lead for the Microsoft Office 365 SOC and built the first ML-based EDR protecting Exchange, SharePoint, OneDrive, etc.
https://www.dtonomy.com/blog/

Dude check your privilege: Privileged Account Management solutions and how they could either become your bestie or ruin your day.

Although PAM solutions cannot protect an organization by themselves, they play an important part among security controls. A discussion of how best practices can provide a defense-in-depth layer, or hand attackers the keys to the kingdom on a silver platter.

Melina is a Senior Security Engineer with 8+ years of experience in IT, focusing on Security Operations and Incident Detection and Response. Offensive security/Red team enthusiast.
https://www.linkedin.com/in/melinaphillips-cissp/

Minimizing AWS S3 bucket attack vectors at scale

AWS provides services and third-party solutions, such as AWS Macie and Trend Micro, that can help us secure our S3 buckets and associated components. Macie is a fully managed data privacy and data security solution that provides customizable alerts and findings on sensitive data found in S3. The downside is that it does not (1) auto-remediate threats and misconfigured S3 buckets, nor (2) inspect and quarantine malicious files (malware, ransomware, etc.). Therefore, the security engineer must figure out how to compensate for these missing features by scanning each file to determine whether it is malicious using Cloud One and by inspecting Macie's findings report. The key issue, however, is that the engineer would have to undertake remediation actions manually. In this talk, I will discuss the pre-existing gap and the open-source solution known as DataCop. I'll also break down the architecture of DataCop, which consists of: (1) the services used (AWS Macie, S3, Trend Micro Cloud One); (2) S3 remediation actions, the entire process and flow; (3) IAM considerations; and (4) language and development kits. Following the architectural deep dive, there will be more information on the value added to existing processes if this solution were to be adopted. To conclude, those who attend this talk will leave with practical knowledge on automating the remediation of S3 buckets based on Macie's and Trend Micro Cloud One's findings.
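The remediation flow the abstract describes (a Macie finding comes in, the bucket is closed off, the bucket is quarantined) reduces to two S3 API calls and one IAM decision. The code below is an added example written for this page and is not DataCop's code: the finding is a constructed, abbreviated Macie-style document, the role ARN is assumed, and `FakeS3Client` stands in for a boto3 `s3` client while exposing the same method names and keyword arguments (`put_public_access_block`, `put_bucket_policy`), so swapping in `boto3.client("s3")` needs no other change.

```python
"""Automated remediation of an S3 bucket from a Macie-style finding: block public
access, then attach a quarantine policy that denies everyone except the remediation
role. Added example; the finding and the S3 client are constructed/faked."""
import json

REMEDIATION_ROLE_ARN = "arn:aws:iam::123456789012:role/S3RemediationRole"  # assumed

# Constructed, abbreviated finding: personal data in a bucket that is effectively public.
SAMPLE_FINDING = {
    "type": "SensitiveData:S3Object/Personal",
    "severity": {"description": "High"},
    "resourcesAffected": {
        "s3Bucket": {
            "name": "acme-exports",
            "publicAccess": {"effectivePermission": "PUBLIC"},
        }
    },
}


def quarantine_policy(bucket: str, allowed_role_arn: str) -> dict:
    """An explicit Deny beats every Allow, so the IAM consideration is the carve-out:
    without ArnNotEquals for the remediation role, the automation locks itself out."""
    return {
        "Version": "2012-10-17",
        "Statement": [{
            "Sid": "AutomatedQuarantine",
            "Effect": "Deny",
            "Principal": "*",
            "Action": "s3:*",
            "Resource": [f"arn:aws:s3:::{bucket}", f"arn:aws:s3:::{bucket}/*"],
            "Condition": {"ArnNotEquals": {"aws:PrincipalArn": allowed_role_arn}},
        }],
    }


def plan_remediation(finding: dict) -> list:
    """Decide from the finding alone; keep the decision separate from the AWS calls."""
    bucket = finding["resourcesAffected"]["s3Bucket"]
    actions = []
    if bucket.get("publicAccess", {}).get("effectivePermission") == "PUBLIC":
        actions.append("block_public_access")
    if finding["type"].startswith("SensitiveData:") and \
            finding["severity"]["description"] in ("High", "Medium"):
        actions.append("quarantine")
    return actions


def remediate(finding: dict, s3, role_arn: str = REMEDIATION_ROLE_ARN) -> list:
    """Apply the plan with boto3-shaped calls; returns the actions taken."""
    bucket = finding["resourcesAffected"]["s3Bucket"]["name"]
    actions = plan_remediation(finding)
    if "block_public_access" in actions:
        s3.put_public_access_block(
            Bucket=bucket,
            PublicAccessBlockConfiguration={
                "BlockPublicAcls": True, "IgnorePublicAcls": True,
                "BlockPublicPolicy": True, "RestrictPublicBuckets": True,
            },
        )
    if "quarantine" in actions:
        # Note: this replaces any existing bucket policy; merge statements in production.
        s3.put_bucket_policy(Bucket=bucket, Policy=json.dumps(quarantine_policy(bucket, role_arn)))
    return actions


class FakeS3Client:
    """Records the calls a real boto3 s3 client would receive, for offline use."""
    def __init__(self):
        self.calls = []
        self.last_policy = None

    def put_public_access_block(self, **kw):
        self.calls.append(("put_public_access_block", kw))

    def put_bucket_policy(self, **kw):
        self.calls.append(("put_bucket_policy", kw))
        self.last_policy = json.loads(kw["Policy"])


if __name__ == "__main__":
    client = FakeS3Client()
    print(remediate(SAMPLE_FINDING, client))
    for name, kw in client.calls:
        print(name, kw["Bucket"])
```

Order matters: block public access first, because that call succeeds regardless of the existing policy, and the Deny-only quarantine policy is still accepted with `BlockPublicPolicy` on since it grants nothing.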

@damienjburks
Damien Burks (he/him) is currently a Cloud Security Engineer - VP at Citi. Previously, he worked as a Security Software Engineer at Verizon as a supporting developer for the CSO 50 award-winning in-house DLP solution. Over the past three years of his career, he has obtained four AWS certifications, the AWS Security Specialty being the most recent. In addition, he is pursuing a Master of Science in Cybersecurity Technology from UMGC. Outside of his career and education obligations, he is an avid writer/blogger, open-source contributor, and mentor to BIPOC LGBTQ+ tech professionals who wish to break into the tech industry. To decompress, Damien likes to play video games, modify his car, and attend local car meets within the DFW area.
www.damienjburks.com

What the smish!?

Globally, we are seeing a drastic increase in smishing attempts. This talk will cover lessons learned while trying to identify takedown methods, attempting to work with telco providers to identify the groups behind these campaigns, and best practices for prevention.

@drb0n3z
Steven is a technology and cyber risk leader who currently serves as the Manager of Incident Response and Threat Intelligence for LoanDepot. Steven has directly contributed to the success of financial services companies including Hilton Worldwide, and most recently Santander Consumer USA where he managed the Incident Response team. Steven has an extensive background in enhancing organizations' cyber response capabilities while reducing their cyber risk posture.
https://drb0n3z.wordpress.com

Code of Conduct (CoC)

Behave yourselves!

Security BSides Dallas - Fort Worth was founded to facilitate the exchange of information and the development of relationships. We welcome and encourage the expression and debate of ideas. We also recognize that we do not have to agree in order to listen to, and/or understand, a given point of view. However, there are language and behaviour that are appropriate and expected in achieving that discourse.

Harassment and/or abusive behaviour will not be tolerated.
Any participant that experiences and/or witnesses inappropriate behaviour is expected to report said behaviour to event staff.
Any participant that experiences and/or witnesses inappropriate behaviour is encouraged to ask the offending individual to stop.
Any participant asked to stop a behaviour is expected to comply immediately.

Event organizers reserve the right to respond to observed and/or reported behaviour in a manner deemed appropriate, including but not limited to expulsion without refund and referral to the relevant authorities.

It is our goal to ensure that the event is welcoming, enjoyable, and safe for all participants.
Be exemplary for each other. See something, say something.