BSidesDFW 2023


Training Information / Speaker Bios

TRAINING - Incident Readiness Training

Facilitated by Chad / Tyler
Sponsored by Critical Start / @CRITICALSTART

Synopsis: During an investigation every second matters; early action can return business operations to normal faster. This training covers which evidence to gather first, evidence collection procedures, and evidence handling techniques.

  • Identify basic do's and don'ts of evidence handling
  • Describe how and what evidence should be collected
  • Discuss evidence handling procedures
  • How best to preserve evidence for a successful investigation resulting in faster eradication and remediation

  • Duration: 2 hours
  • Prerequisites: None

    Who should attend this workshop: Help desk, systems and network administrators, incident responders, policy and process creators, blue teamers… come one and come all.

    TRAINING - Cyber Threat Defense Program

    Sponsored by Dark Angel Contracting

    Synopsis: Dark Angel Contracting provides a comprehensive Cyber Threat Defense Training Program, designed for corporations, the Department of Defense (DoD), federal and local governments, and high-net-worth individuals. We empower organizations, officers, executives, and private individuals with the tools necessary to minimize their digital footprint, enhance their cybersecurity posture, and protect sensitive and valuable information.

    Led by our deeply experienced civilian and DoD professionals, this hands-on, instructor-taught training series is the perfect opportunity to comprehensively learn the operational threats in today's ever-evolving digital landscape. Drawing from the knowledge and experiences of offensive and defensive Cyber Operators from multi-industry verticals as well as DoD, attendees will be walked through the "Cyber Hacking Kill Chain". Utilizing real-world scenarios, attendees will learn how to implement cybersecurity techniques to mitigate nefarious threat actors from accessing sensitive information or conducting malicious attacks. Successful completion of the Cyber Threat Defense Program will empower attendees with the ability to minimize their digital footprint and thereby reduce potential cyber intrusions.

  • Ubiquitous cyber threat identification and capability understanding.
  • Signals and human intelligence collection modalities with operator protection methodologies.
  • Technical hands-on device, network, software, and online best practice development.

  • Educate attendees on the core concepts of how technology operates today
  • Attendees will learn the tactics, techniques, and procedures to leverage and minimize the threat, information collection, and exploitations.
  • Enable attendees with the ability to identify, install, configure, and maintain hardened computer and internet-based systems, software, and applications.

  • Duration: 3 hours
  • Prerequisites: None

    Who should attend this workshop: Everyone

    Ransomware Orientation: How to Infect and Extort Companies

    Ransomware has moved out of the basement and has become an organized business with payout structures and hierarchy. The purpose of this presentation is a satirical performance of what I expect an affiliate's first day with a ransomware company looks like, based on my experience in incident response and my interactions with threat actors using sock puppet accounts. In this presentation you'll learn, start to finish, the tools, techniques, procedures, and methodologies used by ransomware groups to get in and get paid.

    Lemon is the Principal Security Engineer at Red Threat where he serves as the lead over Incident Response, Penetration Testing and Red Teaming. His primary interests are physical penetration testing and social engineering. Lemon has spent the last 5 years responding to major ransomware events and emulating ransomware groups on Red Team engagements.
    Red Threat

    BB-84 - Quantum Key Distribution... for teens!

    The BB-84 protocol is a secure communication method that involves quantum mechanics to exchange cryptographic keys. This impractical demonstration features lots of props and no math that maybe some kid would enjoy!


    Upcycling a Digital Greeting Card to Toy TV

    Join a very handy 8-year-old as she helps her Dad hack a digital greeting card into a dollhouse-sized flatscreen TV. We'll tear into the hardware to figure out its basic capabilities, and use basic soldering skills to fix damaged components. Then, we'll learn how to access the USB-based storage and replace the pre-loaded video. Finally, we'll build the new enclosure and mount it on the dollhouse wall.

    Everleigh Goerz
    Everleigh Goerz is an 8-year-old who can solder better than her Dad. She enjoys being a kid, playing with her friends, and riding horses.

    Ben Goerz - her Dad - is much older. He does boring stuff at work, but fights cyber bad guys, so that's pretty cool. He has too many Raspberry Pis because he's often tinkering on basic electronic projects for kids.

    White Phoenix: Beating Intermittent Encryption

    This presentation explores the emerging trend of intermittent encryption in ransomware attacks. Intermittent encryption is a technique where only certain parts of targeted files are encrypted, allowing attackers to impact more files in less time. The flaws and vulnerabilities of this approach are analyzed, highlighting the potential for data recovery from the unencrypted parts of the files. Andy Thompson introduces White Phoenix, a tool developed to salvage content from intermittently encrypted files, and discusses its effectiveness against various ransomware groups. The focus is on BlackCat, a highly sophisticated ransomware group known for its configurable encryption modes. The presentation delves into the different encryption modes used by BlackCat and their implications for data recovery. Additionally, the speaker demonstrates how White Phoenix can recover data from encrypted PDF files and other file formats, such as Microsoft Office documents. The audience will gain insights into the file structures of encrypted files and learn about the techniques employed by White Phoenix to extract valuable information. The presentation concludes with a discussion on the broader implications of intermittent encryption and the potential for developing recovery tools for other file types. Attendees will leave with a deeper understanding of intermittent encryption and its implications for data recovery in ransomware attacks.


    Powershell to the People

    The goal of this presentation is to share knowledge about PowerShell that would be valuable for anyone that wants to learn more, no matter what level of PowerShell foo you are at. The ultimate hope is that everyone walks away with use cases and tools they could use today.

    Passionate and paranoid information technology professional, who also loves to serve the community. Over 18 years' experience working in IT operations for military, Fed/State Gov, and various commercial verticals, with over 13 years of that focused on infosec.
    Good Fruits LLC

    Enhancing Cyber Threat Intelligence with Artificial Intelligence

    In today's digital landscape, where cybersecurity threats are omnipresent and ever-evolving, the role of Cyber Threat Intelligence is more crucial than ever before. This presentation, "Enhancing Cyber Threat Intelligence with Artificial Intelligence," delves into the intersection of cutting-edge technologies and proactive cybersecurity practices. This presentation offers a comprehensive exploration of the synergy between AI and cyber threat intelligence, equipping organizations and professionals with the knowledge and insights needed to fortify their cybersecurity posture in an era of relentless digital threats.

    Education in Electronic Engineering Technology and Computer Information Systems. Technical background in Systems Engineering and Security Engineering. A CISSP and CCSP certified professional, with over 18 years of experience in IT administration, including 8 years dedicated to safeguarding organizations against cyber threats. Experience in incident management, risk assessments, and security solution implementation.

    Let Me In!!! An Overview of RFID Badge Systems and Attacks

    A comprehensive overview of the RFID badge system technology currently in the wild, and how to attack those systems.

    Emily Skaggs is a Security Analyst, Physical Pentester, and Defcon Goon. Previously, she gained experience at all levels of the operations stack, from help desk to network engineering, system administration, server administration and even a stint building self-checkouts. Leveraging her diverse technical skillset, Emily is able to provide valuable insight into her clients' environments.

    Defusing The SBOM

    In 2020 the security world was rocked by the SolarWinds attack. A year later, the Apache Software Foundation's "log4j" logging module allowed remote, unauthenticated execution of malicious code. These examples spurred the world to focus on risks upstream in the supply chain. Managing those risks demands that we know not just what software we run, but also what else is embedded in that software. We need a list of ingredients for our software: the Software Bill of Materials. The SBOM is rapidly becoming a requirement for doing business with governments and large corporations. Once an informal text document or a simple spreadsheet list, the SBOM is evolving into a structured data model of software dependencies used for security, legal compliance, license and inventory management. The unique characteristics of open source programs and libraries create new ambiguities and challenges for those preparing and using SBOMs.

    David Hayes
    David Hayes started with computer security by breaking into a timeshared PDP-8 in 1976. Now reformed, David has worked as a Pentagon staff officer, done network management in academia and developed commercial software used at Fortune-500 companies. Since 1994 David has worked in computer security policy and practice at Verizon. He holds MS and JD degrees and three US patents.

    The Most Dangerous Codec in the World: Finding and Exploiting Vulnerabilities in H.264 Decoders

    Modern video encoding standards such as H.264 are a marvel of hidden complexity. But with hidden complexity comes hidden security risk. Decoding video today involves interacting with dedicated hardware accelerators and the proprietary, privileged software components used to drive them. The video decoder ecosystem is obscure, opaque, diverse, highly privileged, largely untested, and highly exposed -- a dangerous combination.

    We introduce H26Forge, a framework that carefully crafts video files to expose edge cases in H.264 decoders. H26Forge's key insight is operating on the syntax elements rather than on the encoded bitstring to build syntactically correct but semantically spec-non-compliant video files. These videos cause H.264 decoders to find themselves in undefined states or unhandled errors when decoded.

    We used H26Forge to uncover numerous vulnerabilities across the video decoder ecosystem, including kernel memory corruption bugs in iOS, memory corruption bugs in Firefox and VLC for Windows, and video accelerator and application processor kernel memory bugs in multiple Android devices. These bugs have been acknowledged by multiple vendors including Apple, Mozilla, and FFmpeg.

    In this talk, we will provide a foundation for understanding how video codecs work, and how vulnerabilities may arise in video decoders. H26Forge and its related tools are fully open source and available to participants. We will also discuss how developers can use H26Forge to find vulnerabilities in their own decoders, and show how software-fault isolation tools like RLBox can be used to protect decoders.

    Willy R. Vasquez is a PhD student at The University of Texas at Austin working on cryptography and systems security. Before UT, he received his B.S. and M.Eng. from MIT, and worked at BBN. His research focuses on the security of hardware video decoders and building out zero-knowledge proof technologies. His research interests lie in privacy, systems security, cryptosystems, and formal methods.

    Is the SIEM Tool Really Dead?

    We say yes with a big but... Traditional SIEM tools are an aging technology that basically are log aggregators, in other words, databases that depend on aged SQL searches to determine what happened and what's impacted. What if you didn't need a database at all except for compliance and IR needs? Today the concept of a "platform" is where SIEM is going and in fact is here. SIEM/SOAR as code conducting federated information and doing real streaming analysis to alert you to potential incidents as they are happening.

    Chris Jordan
    Chris Jordan has worked in security for more than twenty years, and is currently CEO of Fluency Corp. Founder and CEO of Endeavor Security (acquired 2009 by McAfee), he was vice president of McAfee's Threat Intelligence.
    Prior to Endeavor Security, Mr. Jordan also founded a security services company, Endeavor Systems, which was acquired by Telesis. Mr. Jordan developed and managed a number of Computer Emergency Response Teams (CERT) for several government and commercial organizations. These include the DoD CERT, Army CERT, FAA CISRC, NetSec (now Verizon SOC), JP Morgan CERT and Dupont CERT.
    Fluency Security

    You're In... Now what? A LotL discussion

    You did it! You cracked the perimeter (legally of course) and are now staring at a fresh new shell. Now what? Join me for a discussion on Living off the Land (LotL) techniques to up your post-exploit game. Scenarios for Windows (desktop+server), NIX, and cloud (AWS+Azure) will be explored.

    Jon Rhodes is currently employed as Principal Adversarial Engineer at Blackbaud. He specializes in cloud and webapp pentesting and is a member of the Synack Red Team. In his free time, he enjoys spending time with his family, swimming, and gaming.

    Purple Teaming: Advice from a Red Teamer and Why You Should Do It Too

    Over the last year and a half my team has worked closely with our Blue Team to improve various network and endpoint detections. We've bypassed many detections on both the network and endpoint side and aided in the creation of custom detections tailored to our environment, and the common thing we've noticed (and heard directly from the vendors) is that no one is testing security products like you are. How?!? This should naturally be something Red and Blue work on together! I will talk about our personal experiences and hopefully give others motivation and reason to do the same at their place of work.

    Cody is a Red Teamer with a specialty in adversary simulation, C2 frameworks, EDR/XDR evasion, malware development (primarily in C), and low-level computing concepts. He also enjoys collaborating with blue teamers and getting the benefits of the threat landscape from both sides!

    Laughing Through the Firewall: Leveraging Comedy as a Social Engineering Methodology

    In the dynamic world of cybersecurity, the battle against social engineering attacks remains a constant challenge. Hackers continue to exploit human psychology and trust, making it imperative for cybersecurity professionals to explore innovative approaches to enhance awareness and resilience. This presentation at BSides, the Cyber Security Nonprofit, delves into an unconventional yet highly effective strategy: using comedy as a social engineering methodology.

    Humor has an extraordinary power to engage, disarm, and educate. By strategically incorporating elements of comedy into cybersecurity awareness programs and training, organizations can empower their employees to recognize and thwart social engineering attempts more effectively.

    Frankie Benz

    Do you know where your secrets are? Exploring the problem of secret sprawl and secret management maturity

    Do you know what Uber, CircleCI, and Toyota all have in common? They had hardcoded credentials in their environments, which led to either a public leak or enabled an attacker to expand their footprint during a breach.

    It is easy to understand why hardcoding secrets is a problem, but do you know how widespread this problem is or how fast it is escalating? Do you know how it keeps happening? Do you know what you can do about it?

    This session will deep dive into the research around secrets sprawl and compare it with historical data to show how much worse the situation is becoming, as well as what type of secrets are most commonly involved. We will also explore how to evaluate the maturity of your secrets management strategies and what steps you might consider next on your security journey.

    Dwayne has been working as a Developer Relations professional since 2015 and has been involved in tech communities since 2005. He loves sharing his knowledge, and he has done so by giving talks at over a hundred events worldwide. Dwayne currently lives in Chicago. Outside of tech, he loves karaoke, live music, and performing improv.

    Vulnerability Management from Scratch: From nothing to operational in 12 months

    Vulnerability Management is a key component of any corporate cyber security department.

    So much so that the Cybersecurity and Infrastructure Security Agency (CISA) offers advice, alerts, and even external assessments for companies that are part of critical infrastructure.

    But how do we ensure our internal vulnerability management programs are adding value to the cyber security department?

    How do CISOs know their programs are reducing risk, not just meeting compliance requirements?

    In this talk, we will explore how to build a vulnerability management program from the ground up, evaluate a program's maturity, and build a multi-year roadmap to increase an existing program's capabilities.

    Jacen earned his BS in Computer Engineering from the University of North Texas, where he led a team of students in a project to optimize IPv6 address assignments in networks located in space for NASA.

    He went on to work for Goldman Sachs' Technology Risk team, followed by joining the Cyber, Risk, & Regulatory department's Strategy, Risk, Compliance team at PricewaterhouseCoopers.

    Jacen currently works for Trinity, a large heavy manufacturing company, where he stood up and operates their first vulnerability management program including on-prem, cloud, webapp, and other assessments.

    Veilid: How to disrupt the surveillance economy and destroy Data Capitalism, the cDc way

    Walk through the cDc's latest project, Veilid, with Jun34u and Medus4. Medus4 will go into a technical deep dive of the code and tech of the project, while Jun34u discusses the human element and ideals of this revolutionary open source project that we hope will forever change the internet for the better.

    Katelyn "medus4" Bowden is an artist, hacker and activist; she's a member of THE CULT OF THE DEAD COW, as well as one of the designers for online hacker fashion store, Hack.xxx. Katelyn is passionate about bridging the gap between tech and its users, and firmly believes that privacy should be accessible to ALL. A fun fact about Katelyn is that she hates both fun and facts.
    Jun34u was raised in the woods of Alaska on a steady diet of pulp sci-fi novels. They discovered hacking by competing in CTFs. After moving to Dallas, they found a home in the local hacker community. Jun34u works as a pentester and security researcher, attends graduate school, and still finds time to run DC214. They're also a member of the cDc! When they're not hacking the planet, Juneau writes fiction, is an avid snowboarder, and plays bass in a local "y'allternative" band.

    Hacking the Cloud: Enumerating and Attacking AWS And Azure

    In today's interconnected digital landscape, cloud services have become the backbone of modern businesses, with Microsoft Azure and Amazon Web Services (AWS) being two of the leading providers. This technical presentation delves into the critical aspects of enumerating and attacking Azure and AWS resources from an attacker's perspective, shedding light on some techniques, attacks, and mitigation strategies.


    Security Automation - The Good, the Bad, and the Ugly

    This talk will take you beyond the buzzwords of Security Automation. It will review the top targets for automating tasks that provide the biggest bang for the buck (the Good). It will also review the process challenges (the Bad) and governance challenges (the Ugly) that you will need to overcome.
    This will NOT be a technical talk reviewing how to implement automation code or which product to use. This is a higher level view of Security Automation that aims to help you prioritize your automation targets and identify the obstacles you will need to overcome.

    My name is Richard Gowen a.k.a. @alt_bier and I currently work as a Solution Architect for PepsiCo in the Global Cloud Foundation group.
    In my spare time I'm a hacker, maker, gamer, brewmaster, programmer and more... all the things.
    One of the things I am known for is the indie electronic conference badges I create for the #badgelife movement which celebrates wearable electronic artworks.

    Real life Cyberpunk 2077, Bringing Cyber Capabilities to Augmented Reality

    As seen in Watch Dogs and Cyberpunk 2077, the Heads-Up Display or "Hacker HUD" has replaced the cyber-deck model of operator/computer interaction. I've been working on a project that integrates several Offensive Cyber Capabilities and combines them with wearable Augmented Reality gear, bringing the concept of a low-profile/discreet "Hacker HUD" into reality. By leveraging common off-the-shelf (COTS) augmented reality gear and combining it with traditional red team cyber capabilities, a unique level of interaction with the real world is possible. The platform is expandable and user configurable to allow anyone to customize and make it their own.

    Chris is a Professional Security Consultant, Developer, and Entrepreneur with over 20 years' experience working within the Information Security (INFOSEC) industry. He has developed numerous products for both the offensive and defensive computing markets as well as spoken and trained at Black Hat and other prominent security conferences.

    Code of Conduct (CoC)


    Behave yourselves!

    Security BSides Dallas - Fort Worth was founded to facilitate the exchange of information and the development of relationships. We welcome and encourage the expression and debate of ideas. We also recognize that we do not have to agree in order to listen to, and/or understand, a given point of view. However, there is a language and a behaviour that is appropriate and expected in achieving that discourse.

    Harassment and/or abusive behaviour will not be tolerated.
    Any participant that experiences and/or witnesses inappropriate behaviour is expected to report said behaviour to event staff.
    Any participant that experiences and/or witnesses inappropriate behaviour is encouraged to ask the offending individual to stop.
    Any participant asked to stop a behaviour is expected to comply immediately.

    Event organizers reserve the right to respond to observed and/or reported behaviour in a manner deemed appropriate, including but not limited to expulsion without refund and referral to the relevant authorities.

    It is our goal to ensure that the event is welcoming, enjoyable, and safe for all participants.
    Be exemplary for each other. See something, say something.