CircleCityCon 2016 has ended
Friday, June 10
 

10:00am EDT

Introduction to Software Defined Radio with the RTL-SDR on Windows and the Raspberry Pi 2
A 4-hour introduction to Software Defined Radio, using the RTL2832U chipset, covering both Microsoft Windows and the Raspberry Pi. We will go over how to track airplanes, scan radio frequencies to find people talking, and cover a little radio theory. We cover the RTL-SDR because of the cost of equipment. A list can be provided to students prior to the course.



Outline:

1. Basic theory of electromagnetic radiation known as radio waves
2. Install SDR# software and configure Dongle on Windows to monitor broadcasts (FM radio, Ham Radio, Other bands).
3. ADS-B (Track airplanes, basically how FlightAware does it, with remote sensors people run)
4. Frequency counting (finding what Freqs are popular in an area to do more of item 2).
5. Radio Directional Finding, using RTL-SDR dongles on a Raspberry Pi with a touchscreen and gui software.
5a. (for licensed HAMS) how to turn the Raspberry Pi into a broadcasting radio



Please bring the following to the workshop:



A computer running Windows you are authorized to install software on. I discourage using your work computers.

· A R820T2 RTL2832U radio dongle. (any 1 of the 4 listed below).

o RTL-SDR Blog R820T2 RTL2832U Metal case (built in heat sink to prevent Frequency drift), and 2 telescoping antennas. Currently sold out, but should be back in stock soon.

o NooElec NESDR Mini+ Al: 0.5PPM TCXO RTL-SDR & ADS-B USB Receiver Set w/ Aluminum Enclosure & Antenna. I have not received mine yet, so do not know the antenna quality.

o NooElec NESDR Mini 2 SDR & DVB-T USB Stick

o NooElec NESDR Mini USB RTL-SDR & ADS-B Receiver Set The antenna it comes with isn’t that great.

· A Raspberry Pi 2 or 3 (the 3 were not out when I wrote the proposal, and I have yet to find one in stock).

o A way to power the Raspberry Pi, I suggest a USB Battery Pack.

o A way to interact with the Raspberry Pi

o 16gb sd card with Raspbian

· USB to TTL Serial Cable for programming / setup

· A Raspberry Pi Touch Screen

· Headphones / earbuds


Friday June 10, 2016 10:00am - 2:00pm EDT
Cabinet

10:00am EDT

The Art of the Jedi Mind Trick: Learning Effective Communication Skills (Jedi Mind Tricks 101)
The hacker/security community continues to struggle with how to get our message across to others. We know what’s wrong, what’s insecure, and what needs to be done to fix the problems. BUT…we seem to hear more stories about failure rather than success stories. Maybe WE are part of the problem. It’s easy to give a talk at a conference where you’re “preaching to the choir” and everyone speaks your language, but how do you fare when you are trying to give the message to your boss, or your bosses’ boss, or C-Level management?

This workshop/course will explore a variety of techniques that I’ve learned over my 20+ years of consulting/advising customers about how to get the right message to the right people so real change happens.

Topics will include:

overcoming obstacles, roadblocks and challenges;
getting past bad attitudes and misunderstandings (yours and theirs);
practical methods for getting your point across;
helping others to understand what you are saying;
learning to speak their language (e.g. non-technical);
and helping your audience draw the desired conclusion.
Students will have numerous opportunities to speak – both in small groups and also making a presentation to the entire class. We’ll discuss techniques and methods and then practice them, or we’ll attempt some form of communication and then critique how well we do. Students will be expected to evaluate each other on how well we are communicating or putting the techniques into practice, and will provide constructive feedback, share ideas, and collaboratively work together to make everyone a better communicator.

Effective communication, particularly persuasive speech, is part art and part science – and maybe a little luck. I believe there are skills/techniques you can learn that will make you a successful communicator and help you get your message heard.

Friday June 10, 2016 10:00am - 2:00pm EDT
Chamber

10:00am EDT

Introduction to Digital Forensics (Part 1) & Mobile Device Forensics (Part 2)
With digital devices being involved in an increasing number, and type, of crimes, the trace data left on electronic media can play a vital part in the investigation process. This provides an introduction to the discipline of Digital Forensics, covering Computer (with Part 1) and Mobile Device Forensics (with Part 2).

Friday June 10, 2016 10:00am - 2:00pm EDT
Council

10:00am EDT

Working with WAF
Web Application Firewalls are awesome, but they take a lot of care and feeding. This workshop aims to give you the background you need to develop an effective Web Application Firewall program, regardless of the technology. While not product specific, this training focuses on what it takes to build a WAF program, and how to start down the road of configuring these devices correctly. It will be part program development, part Web App 101, and a lot of WAF Configuration Best Practices. Learn about character set locking, parameter locking, forced browsing protection, DDoS mitigation, and brute force protection on the technical side, as well as SDLC integration, getting developer buy-off, and how to sync up with development timelines. This workshop will try to take some of the sting out of proper WAF deployment.

Friday June 10, 2016 10:00am - 7:00pm EDT
Caucus

2:00pm EDT

Opening Ceremony
Welcome to CircleCityCon! Learn about the great things that are going to happen at this conference and how to participate in the talks, trainings, events, and contests going on over the weekend!


Friday June 10, 2016 2:00pm - 2:50pm EDT
Track 1 – Cap 1

3:00pm EDT

Keynote – Dave Lewis

Friday June 10, 2016 3:00pm - 3:50pm EDT
Track 1 – Cap 1

3:00pm EDT

Intro to Burp Suite
Learn about the most widely used HTTP proxy for web application security testing with this hands-on introductory course. No prior knowledge required.


Friday June 10, 2016 3:00pm - 7:00pm EDT
Cabinet

3:00pm EDT

Spear Phishing – How-to and Prevention
This training aims to effectively improve Security Awareness Training and education as it pertains to Phishing. I will illustrate advanced techniques that can be leveraged by anyone in an organization that wants to help create a better security awareness program. Phishing keeps topping the list year after year as a major if not the most major factor in breaches. Spear Phishing does not have to rely on exploits, unpatched machines or the execution of code. Spear Phishing combines a bit of Social Engineering as well as other clever tactics, that serve to allow attackers access into an organization. My Spear Phishing training is interactive, wanton and above all fun. I engage my trainees and keep interest and focus on the fascinating and potentially devastating topic at hand. My phish’ are the best phishes, you will be glad to know I play for the good guys because the alternative would keep you awake at night.

Friday June 10, 2016 3:00pm - 7:00pm EDT
Chamber

3:00pm EDT

Getting a Job through Social Engineering
Do you want a job in information security? If you have a job, do you want a better one?

This workshop is about how to get a job through social engineering. Josh More has, for years, been helping technologists and introverts get an advantage over the less skilled but more social candidates in the job market. When done properly, a job search can be run like a penetration test, where you identify your target, perform your reconnaissance, develop your plan, take over the process, and land the job. Everyone has the base skill level they need to execute, but often lack the natural social ease that others have. If you have ever found yourself looking at a boss or colleague and wondering how they managed to get the job or promotion that should have been yours, this workshop is for you.

This workshop draws from Josh’s two books _Job Reconnaissance_ and _Breaking In_, both aimed at hacking the job market. The workshop will open with an overview of how the job market works, economically and socially, so we understand the systems in which we must work. It will then move into the target selection phase, so we can identify the types of firms we wish to target. Then, we will explore those targets through basic reconnaissance and identify what sorts of “attacks” would be likely to work and which ones would not. This process will involve reverse engineering their use of metaphor and narrative so you can develop custom approaches that will bypass their filters.

In the end, you will have created a customized resume, approaches to landing an interview at your preferred target, using that resume within an interview, a plan for retaining access throughout the process and, if time allows, a customized portfolio to take complete control of the process.

Friday June 10, 2016 3:00pm - 7:00pm EDT
Council

4:00pm EDT

Food Fight!
From farm to fork, food production in America is a complex and interwoven system of technologies. This session explores a slice of that system and relies upon food production as an example of multifaceted penetration testing. With a combination of stories and lessons learned, we will discuss and learn from the challenges of scaling up penetration testing and adapting it to unique technologies. This provides us an opportunity to sharpen up on the basics while learning advanced techniques. Moreover, given food production’s reliance upon SCADA and ICS systems, the session will describe how these non-traditional systems can be assessed. All in all, for the defenders, what we learn from a good food fight can be directly applied to securing our own complex networks.

Speakers
J. Wolfgang Goerlich

Advisory CISO, Duo Security
J Wolfgang Goerlich supports information security initiatives for clients in the healthcare, education, financial services, and energy verticals. In his current role with CBI, a cyber security consultancy firm, Wolfgang is the senior vice president for strategic security programs...


Friday June 10, 2016 4:00pm - 4:50pm EDT
Track 1 – Cap 1

5:00pm EDT

IoT on Easy Mode (Reversing and Exploiting Embedded Devices)
As technology matures, we are seeing a trend of products that are now “smart.” The problem is that once we discover how these devices are programmed we can identify the flaws but unfortunately the hardware aspect scares some people away from digging deeper. This talk is to show people how easy it really is to get into embedded device hacking while also expanding their knowledge outside of the x86/x86_64 space. By the end of this talk the audience will be encouraged to go out and start their journey into the embedded device world while having the tools that they need. This talk will also cover the reasoning behind purchasing products such as a logic analyzer and the brick walls I personally went through to justify the need for one.

Friday June 10, 2016 5:00pm - 5:50pm EDT
Track 1 – Cap 1

6:00pm EDT

Binary defense without privilege
What would you do if you were given a binary service that contained multiple vulnerabilities and were told you must run and defend that binary for the next 3 days? And oh, by the way, you don’t get root, virtual machines, docker containers, firewall configs, or any other form of privileged access. This is exactly the challenge faced in elite attack/defense capture the flag competitions. Many of the lessons learned from these war-games can reveal new defensive opportunities in real world scenarios. This talk will discuss realistic strategies and techniques available in such a precarious defensive position. We will go far beyond simply finding bugs and patching them in the binary. For example, how might we analyze and filter network traffic without network, firewall, or root access? Could stack frame and heap allocation sizes be patched and why would that matter? How can we limit disk access as a regular user? What can we do to determine if we were exploited? All of these questions will be answered during the talk.

Friday June 10, 2016 6:00pm - 6:50pm EDT
Track 1 – Cap 1
 
Saturday, June 11
 

10:00am EDT

Break on Through (to the Other Side)
For almost every defense an effective offensive response can be constructed. These responses will be highlighted alongside the defensive techniques presented. Finally, a real working practical implementation of the presented techniques will be reviewed thanks to the Samurai CTF team open sourcing the Gatekeeper project (https://github.com/samuraictf/gatekeeper) in December 2015.

Saturday June 11, 2016 10:00am - 11:00am EDT
Track 1 – Cap 1

10:00am EDT

Establishing a Quality Vulnerability Management Program without Wasting Time or Money
Learn how to tell a story and prove you have met the goals of your program. Compare Vulnerability Management (VM) tools and learn how to pick the best for your environment. What devices do you need to include when deciding what to purchase (mobile, employee devices, mainframe, plant floor, medical devices, SCADA)? Get perspective from an experienced former VM consultant. Once you’ve chosen a tool, explore the costs and advantages of paying for Professional Services deployment vs. training your team. Learn what skills are necessary, and how to make a good runbook and report templates. Save money by using the tools to do a quarterly vulnerability assessment rather than paying for an external pen test. Five steps to avoid when setting up your VM program. What are some good baseline metrics you want to show? What type of reports should you focus on? Metrics: measure the success of your vulnerability management program.

Speakers
Zee Abdelnabi

Security Researcher| Technical cyber security manager| Building best in class talent | Experienced in connected car security, SIEM, vulnerability management, threat modeling, security testing and mobile security and is an active security community member.


Saturday June 11, 2016 10:00am - 11:00am EDT
Track 2 – Cap 2

10:00am EDT

Why it’s all snake oil – and that may be ok
Every few years, security vendors entice us with “next generation” security products with 0day detection and we must decide if this product will be our salvation or it’s more snake oil full of empty promises. Basic theorems of computer science mathematically guarantee that many of the claims made by vendors are false without certain allowances, but that doesn’t mean that the products are useless. Take a walk through the history of exploitation and computer science to learn how to ask the questions that will allow you to see if the vendor’s claims can be achieved in your organization or whether you’re being sold a bill of goods.

Saturday June 11, 2016 10:00am - 11:00am EDT
Track 3 – Cap 3

10:00am EDT

Intro to Ham Radio
Interested in getting your FCC license but don’t know where to start? This class will cover everything you will need to know to be able to pass the technician class license and get on the air. Students are encouraged to bring an open mind. No previous experience necessary. Complex math will NOT be required to pass. If students have access to a handheld transceiver please bring them to the class as we will be using them in demos.

Saturday June 11, 2016 10:00am - 2:00pm EDT
Cabinet

10:00am EDT

Introduction to Wearables
During this class, you will learn about the world of wearable technology and work on your own e-textiles project using sewable LEDs and conductive thread. Basic sewing skills will also be covered during the class. The kit that we will be using comes with a fabric project template; however, it is recommended that you bring your own item to use for the project (tie, bag, hat, shirt). Here is a link to the kit that we will be using: https://www.sparkfun.com/products/11032

Saturday June 11, 2016 10:00am - 2:00pm EDT
Chamber

10:00am EDT

Writing your first exploit
Getting started in offense can be tricky. While a number of resources exist to assist newcomers, they tend to focus on using existing tools. Using tools and scripts is expected, but one must also know what those tools are doing in great detail and the best way to understand those tools is to learn how to write your own.

This training will cover the core concepts in writing exploits for network services. Students will examine the flow of control during buffer overflows in order to understand why and how buffer overflows are exploitable. Using basic Python network programming skills, students will then look at writing their own fuzzing utilities to trigger buffer overflows in software accessible over a network. After developing a fuzzer that successfully crashes a network service, students will look at tracing the crash and taking control of it so that they can achieve remote code execution on the target system. Writing custom payloads will also be discussed as time permits.

Speakers
Robert Olson

Lecturer, SUNY Fredonia


Saturday June 11, 2016 10:00am - 2:00pm EDT
Council

10:00am EDT

Enterprise Identity & Access Management Architecture
Identity and Access Management is the foundation for access controls in the Enterprise, a mission-critical IT function that is both the lifeblood of your business, and a frustrating and difficult beast to tame. Your I&AM infrastructure is more complicated, with more moving parts, and more partners across the enterprise, than any other security related service.

This interactive session, taught by an experienced I&AM veteran and practitioner, provides an architectural view to resolving identity challenges, and will provide detailed and informative discussions on directory services, web access management, Single Sign-on, federated identity, authorization, provisioning and more. This course will provide a level-set on the fundamental building blocks to an enterprise I&AM program, as well as a customized, detailed and interactive session to focus on the specific identity disciplines that students find most challenging.

Speakers
Dan Houser

Group Mgr, Security Advisory, Avanade
I enable the business to take on more risk, safely, to acquire new markets, open new countries of operation and make connections that were impossible before. Lift and Shift never really works. I help organizations transition and achieve twice as much with half as much. I was fortunate...


Saturday June 11, 2016 10:00am - 7:00pm EDT
Caucus

11:00am EDT

Creating a Successful Collegiate Security Club (WIP)
There may seem like an abundance of collegiate security clubs, but not every college has one; and not every club that is established is well organized. In this talk we are going to highlight the successes, and failures, of creating Illinois State University Security Club (ISUSec). We will talk about information that we know now that I wished I knew when I first started the club. We will also cover details about how to deal with the politics involved with starting a security club, how your involvement is key to the club’s success, and the amount of effort that will be required to ensure the club continues after you leave college. We will also cover topics such as utilizing social media, public speaking, competitions, conferences, and all of the things you may want to focus on with your club. It took me a couple of years to get ISUSec off the ground. It is our hope that this talk will help guide you through the process of becoming a registered student organization in less time and with greater success!


Saturday June 11, 2016 11:00am - 12:00pm EDT
Track 1 – Cap 1

11:00am EDT

Bootstrapping A Security Research Project
It has become increasingly common to see a headline in the mainstream media talking about the latest car, television, or other IoT device being hacked (hopefully by a researcher). In each report, blog, or presentation, we learn about the alarming lack of security and privacy associated with the device’s hardware, communications mechanisms, software/app, and hosting infrastructure in addition to how easy it might be for an attacker to take advantage of one, or multiple, threat vectors.

The truth is, anyone can perform this kind of research if given the right guidance. To many security professionals, however, the act of researching something isn’t the problem…it’s what to research, how to start, and when to stop. Academics think nothing of researching something until they feel it’s “done” (or their funding/tenure runs out). Security professionals, however, often do not have that luxury.

This session will discuss how to research, well, ANYTHING. Proven methods for starting, continuing, ending, leading, and collaborating on reproducible research will be discussed – taking into account real-world constraints such as time, money, and a personal life. We will also discuss how to generate data, design your experiments, analyze your results, and present (and in some cases defend) your research to the public.

Speakers
Andrew Hay

CISO, DataGravity
Andrew Hay is the CISO at DataGravity where he advocates for the company’s total information security needs and is responsible for the development and delivery of the company’s comprehensive information security strategy. Prior to that, Andrew was the Director of Research at OpenDNS...


Saturday June 11, 2016 11:00am - 12:00pm EDT
Track 2 – Cap 2

11:00am EDT

Playing Doctor: Lessons the Blue Team Can Learn from Patient Engagement
At CircleCityCon 2015 in the presentation “Turn Your Head and Cough”, Nathaniel “Dr. Whom” Husted compared security architecture assessments to being a physician. The similarities run deep. Doctors struggle with patient compliance, complex and unclear problems, time and resource pressures, and succeed only when others carry out their recommendations. Doctors struggle all the time. In this session, we explore the field of patient engagement and discuss how doctors are trained to drive patient behavior. We will cover the metrics and reporting used to determine patient engagement. And at each step along the way, lessons will be shared for applying these ideas to information security. So the next time you present an IT compliance report, the next time you share your findings from a penetration test, or the next time you tell developers their code is weak, you’ll be ready to drive behavior and get results by playing doctor.

Speakers
J. Wolfgang Goerlich

Advisory CISO, Duo Security
J Wolfgang Goerlich supports information security initiatives for clients in the healthcare, education, financial services, and energy verticals. In his current role with CBI, a cyber security consultancy firm, Wolfgang is the senior vice president for strategic security programs...


Saturday June 11, 2016 11:00am - 12:00pm EDT
Track 3 – Cap 3

12:00pm EDT

Now You See Me, Now You Don’t – Leaving your Digital Footprint
Your first impression is your only impression. However, your first impression may already have been made. Many people leave behind bread crumbs of their personal life on social media, within professional organizations, and on other websites. Your computer, your smartphone, your pictures and credit reports all create an information-rich profile about you. This talk will discuss all the different threats that exist that leak your information, and how attackers can use open source intelligence to find you. We will discuss techniques used by law enforcement and private investigators to track individuals. Learn how you can hide from the Internet, or use it to uncover someone’s deepest darkest secrets.

Speakers
Aamir Lakhani

Global Security Strategist and Researcher, Fortinet
Aamir Lakhani is a senior red team researcher and exploit developer. He works as a breach specialist helping organizations create, detect, and test against advanced adversarial techniques and attacks. Over the last year Aamir has created or discovered several zero-day remote execution...


Saturday June 11, 2016 12:00pm - 1:00pm EDT
Track 1 – Cap 1

12:00pm EDT

Planes, Trains and Automobiles: The Internet of Deadly Things
“When worlds collide!” is not just another random Seinfeld reference, it is the wake-up call for all security practitioners and cyber savvy citizens. Cyber was once the exclusive domain of digital denizens but now digital digits can reach out and “touch” someone.

As more and more discretion is taken away from human operators and assigned to autonomous & semi-autonomous systems, our safety becomes dependent on ubiquitous sensor networks that are “Connected”. New threat catalogs are required to design systems that are safe and secure. The speaker will articulate the attack surface, move beyond the hype and propose reasonable response strategies for surviving in a world where cyber and physical intersect.

The session blends several timely themes (Cyber, IoT, Pervasive Surveillance, Privacy, M2M Communications, Discretion and Trust Enhanced Risk Management) in a unique way designed to educate practitioners on the necessity of understanding multiple domains when worlds collide.

Use cases will articulate architectural attack surface characteristics and mitigation approaches. In addition, using the “Evil Robot” taxonomy, the speaker will introduce a novel Risk Assessment Process for quickly profiling ANY Cyber-Physical system and identifying relative risk rankings.

Two example use cases:

Air traffic control systems use a lot of sophisticated tracking, communication systems and autonomous warning systems to keep travelers safe. However, it is ultimately the “human” operators that make the key decisions. What does the introduction of autonomous and semi-autonomous drones mean to this ecosystem? How much discretion will the “human” operators be entrusted

Every day human operators of vehicles must make decisions concerning signaling, accelerating and stopping. Would an autonomous or semi-autonomous vehicle apply the same logic? How would an autonomous vehicle apply discretion in the face of a “no win decision” – Hit the elderly person crossing the street or swerve and hit a school bus?

The presentation will articulate how to use this risk & trust assessment process as a practical decision support tool, which will allow the user to quickly determine the controls they have at their disposal to exercise with discretion and which systems limit or do not afford any user discretion, control or choice.

Saturday June 11, 2016 12:00pm - 1:00pm EDT
Track 2 – Cap 2

12:00pm EDT

Killing you softly
The entire security industry has a serious skill problem. We’re technically able, but we have no soft skills. We can’t talk to normal people at all. We can barely even talk to each other, and it’s killing our industry. Every successful industry relies on the transfer of skills from the experienced to the inexperienced. Security lacks this today.

If I asked you how you learned what you know about security, what would your answer be? In most cases you learned everything you know on your own. There was minimal learning from someone else. This has left us with an industry full of magicians, but even worse it puts us in a place where there is no way to transfer skill and knowledge from one generation to the next. Magicians don’t scale.

If we think about this in the context of how we engage non security people it’s even worse! Most non security people have no idea what security is, what security does, or even why security is important. It’s easy to laugh at the horrible security problems almost everything has today, but in reality we’re laughing at ourselves. Historically we’ve blamed everything else for this problem when in reality it’s 100% our fault.

One of our great weaknesses is failing to get the regular people to understand security and why it’s important. This isn’t a surprise if you think about how the industry communicates. We can barely talk to each other, how can we possibly talk to someone who doesn’t know anything about security? Normal people are confused and scared, they want to do the right thing but they have no idea what that is.

The future leaders in security are going to have to be able to teach and talk to their security peers, but more importantly they will have to engage everyone else. Security is being paid attention to like never before, and yet we have nothing to say to anyone. What has changed in the last few years? If we don’t do our jobs, someone else will do them for us, and we’re not going to like the results.

Security isn’t a technical problem, technical problems are easy, security is a communication problem. Communications problems are difficult. Let’s figure out how we can fix that.

Saturday June 11, 2016 12:00pm - 1:00pm EDT
Track 3 – Cap 3

1:00pm EDT

Lunch
Lunch, the abbreviation for luncheon, is a light meal typically eaten at midday. The origin of the words lunch and luncheon relate to a small snack originally eaten at any time of the day or night. During the 20th century the meaning gradually narrowed to a small or mid-sized meal eaten at midday. Lunch is commonly the second meal of the day after breakfast. The meal varies in size depending on the culture, and significant variations exist in different areas of the world.

Saturday June 11, 2016 1:00pm - 2:00pm EDT
Lunch

1:00pm EDT

Lunch

Saturday June 11, 2016 1:00pm - 2:00pm EDT
Track 2 – Cap 2

1:00pm EDT

Lunch

Saturday June 11, 2016 1:00pm - 2:00pm EDT
Track 3 – Cap 3

1:00pm EDT

Sans NetWars
SANS NetWars is a suite of hands-on, interactive learning scenarios that enable information security professionals to develop and master the real-world, in-depth skills they need to excel in their field. In SANS award-winning courses, attendees consistently rate our hands-on exercises as the most valuable part of the course. With NetWars, we have really raised the ante, as participants learn in a cyber range while working through various challenge levels, all hands-on, with a focus on mastering the skills information security professionals can use in their jobs every day.


Sponsors
Sans


Saturday June 11, 2016 1:00pm - 6:00pm EDT
NetWars Grand IV

2:00pm EDT

Red Team Madness – Or, How I Learned To Stop Worrying and Expect Pentester Mistakes
Defensive blue team members are often seen as the “Walmart Greeters” of information security.  Tiring of this view and the constant barrage of yet another red team “i totally pwned your network” presentation, @jeremynielson pulls together real-life stories about catching penetration testers on his network, some ideas on how to respond, and provides details on how your security operations center can do the same.  Practical examples and humorous anecdotes will be presented.  Happy hunting!

Saturday June 11, 2016 2:00pm - 3:00pm EDT
Track 1 – Cap 1

2:00pm EDT

Open Source Malware Lab
The landscape of open source malware analysis tools improves every day. A malware analysis lab can be thought of as a set of entry points into a tool chain. The main entry points are a file, a URL, a network traffic capture, and a memory image. This talk is an examination of the major open source tools that satisfy the analysis requirements for each of these entry points. Each tool’s output can potentially feed into another tool for further analysis. The linking of one tool to the next in a tool chain allows one to build a comprehensive automated malware analysis lab using open source software.

For file analysis, the three major versions of Cuckoo Sandbox will be examined. To analyze a potentially malicious URL, the low-interaction honeyclient, Thug, will be covered. Next, if one has a network capture (PCAP) to analyze, the Bro Network Security Monitor is a great option, and will be covered. Finally, if the analysis target is a memory image, the Volatility Framework will be examined. Each of the inputs and outputs of the tools will be reviewed to expose ways that they can be chained together for the purpose of automation.


Saturday June 11, 2016 2:00pm - 3:00pm EDT
Track 2 – Cap 2

2:00pm EDT

So you want to be a CISO?
So you want to be a chief information security officer? This talk will examine what the CISO role entails in a modern organization, the technical and non-technical challenges it faces, and some heuristics based on the presenter's experience for making the everyday decisions that will come your way.

Saturday June 11, 2016 2:00pm - 3:00pm EDT
Track 3 – Cap 3

2:00pm EDT

Intro to LockPicking A
TOOOL will be conducting a 2 hour workshop teaching locksport techniques to those who are new or need a refresher. The course will teach basic picking techniques to students and educate on locks and risks. The class includes picks and a basic progressive lock set to take home and practice with.

For more information on TOOOL, please visit toool.us


Saturday June 11, 2016 2:00pm - 4:00pm EDT
Council

3:00pm EDT

Medical Devices, the Flat Network of Unknown Risks
The ratio of networked medical devices in modern hospitals is 2.4 devices per bed. These devices range in use from nuclear medicine to glucose monitoring and can have operating systems from Windows 98 to RTOS. Much like industrial control systems, availability and integrity trump confidentiality. These devices may behave like traditional computers on the network but the operational, regulatory, and patient safety risks are very different. Healthcare providers need to implement acquisition processes to mitigate the new risks and solve unique challenges that existing healthcare technology infrastructures present. Clinical Engineering and Information Technology organizations need to work together to ensure delivery of care.

Saturday June 11, 2016 3:00pm - 4:00pm EDT
Track 1 – Cap 1

3:00pm EDT

Title: You want to put what…where?
GitHub, Bitbucket, Pastebin: what do they all have in common? Your developers are using them as a personal dumping ground for all things awesome. From code, to credentials, to API keys, let’s take a look at some of the venerable gold that your attackers can find with just some simple Google Fu(tm) and a bit of regex fun. We’ll take a trip into a year’s worth of research uncovering everything from Corporate Admin credentials to complete firmware tool chains for unreleased products. Your developers want to be “agile”; they want to share, and collaborate — and you need to be watching what tools they choose to do that with.

Saturday June 11, 2016 3:00pm - 4:00pm EDT
Track 2 – Cap 2

3:00pm EDT

PPRT – PowerShell Phishing Response Toolkit
Responding to phishing emails is a tedious/mindless job, but somebody has to do it. During this talk I will be discussing a set of PowerShell tools called PPRT (PowerShell Phishing Response Toolkit) that can speed this process along. Now that we have some intel, what can we do to protect our organization? Oh, and Maps!

Speakers
Josh Rickard

Josh's primary focus is in Windows security and PowerShell automation. He is a GIAC Certified Windows Security Administrator (GCWN) and GIAC Certified Forensic Analyst (GCFA). You can reach Josh at MSAdministrator.com or on Twitter at @MS_dministrator.


Saturday June 11, 2016 3:00pm - 4:00pm EDT
Track 3 – Cap 3

3:00pm EDT

Ham Radio Exams
Saturday June 11, 2016 3:00pm - 7:00pm EDT
Cabinet

3:00pm EDT

Advanced Wearables with Kaleidoscope Eyes
During this class, you will make programmable goggles using LED rings and an Adafruit Arduino Trinket! They are an easy build and when you’re done you’ll have a captivating accessory to wear. You do not need to have programming experience to attend this class; all the starting code needed for the Arduino Trinket will be provided. This class does require that you bring a computer and have basic soldering skills. A few soldering irons will be available for participants to share. Here is the kit that we will be using: https://www.adafruit.com/product/2221

Saturday June 11, 2016 3:00pm - 7:00pm EDT
Chamber

4:00pm EDT

Top 10 Mistakes in Security Operations Centers, Incident Handling & Response
This talk covers common errors organizations make, often over and over again, related to Security Operations Centers (SOC), Incident Handling (IH), and Incident Response (IR). Security professionals at all levels can leverage this information to help mature their SOC, IH, and IR teams.


Saturday June 11, 2016 4:00pm - 5:00pm EDT
Track 1 – Cap 1

4:00pm EDT

Untrusted Onions: Is Tor Broken?
Tor is used by dissidents, journalists, whistleblowers, and shadier characters to access the Internet anonymously. Cases where people engaging in activity frowned upon by their government have been caught despite using Tor usually involve one or more of the following factors: 1) Tor misconfiguration, 2) not using Tor consistently (Sabu from Lulzsec), 3) OPSEC failures (Dread Pirate Roberts of the Silk Road). Are there ways to catch people who are connecting to specific Tor hidden services even if they are doing everything right?

I will examine a theoretical attack presented in a paper published by a research group at MIT in August 2015. Their claim is that they can identify a user’s involvement with hidden services with up to a 99% true positive rate and 0.07% false positive rate, using a passive circuit fingerprinting attack. Furthermore, since the attack is passive, it cannot be detected until nodes have been deanonymized.

Saturday June 11, 2016 4:00pm - 5:00pm EDT
Track 2 – Cap 2

4:00pm EDT

Contextual Threat Intelligence: Building a Data Science Capability into the Hunt Team
I know…”Say ‘Threat Intelligence’ again–I dare you.” Got it. But this talk isn’t about shiny new feeds or tools. It’s about the need to re-think the collective skill sets required to give defenders a fighting chance of detecting evil *before* things go all nuclear and front-page-news. Specifically, this talk highlights the need to build a data science capability into the hunt team in order to sift through ever increasing amounts of data and derive actionable insights. Further, we’ll explore the need to add this skill set on top of existing domain knowledge of offensive and defensive tactics within information security.

This combined arsenal of knowledge and skills across the data science and infosec realms should also be deployed in the context of the Intelligence Cycle. From the initial phase of Planning & Direction through Collection, Processing & Exploitation, Analysis, and Dissemination, there are parallels between hunt team operations and kinetic ops. To illustrate this point, we will consider an example of a specialized Long Range Surveillance military unit that required rapid acquisition of personnel with specialized skill sets, training and preparation prior to a combat deployment.

Most importantly, it’s about the people and their analytical expertise, not the tools.

Saturday June 11, 2016 4:00pm - 5:00pm EDT
Track 3 – Cap 3

4:00pm EDT

Intro to LockPicking B
TOOOL will be conducting a 2 hour workshop teaching locksport techniques to those who are new or need a refresher. The course will teach basic picking techniques to students and educate on locks and risks. The class includes picks and a basic progressive lock set to take home and practice with.

For more information on TOOOL, please visit toool.us


Saturday June 11, 2016 4:00pm - 6:00pm EDT
Council

5:00pm EDT

Head in the Sand Defence or A Stuxnet for Mainframes
You say ICS SCADA we say … mainframes.  In this talk, we’ll show you some remarkable – and scary – parallels between the worlds of ICS SCADA and mainframes.  Notably, that what each system manages is critical to our lives.  And that their worlds are insular, proprietary, and seemingly shut-off to everyone else.  Except for when they aren’t. We know what happens when critical infrastructure goes down. We know what happens when the global economy goes down. Let us present to you Information Security as a proving ground that history repeats itself;  too often we fail to learn from the mistakes of those who came before us. Establishing the similarities between mainframes and ICS SCADA in their cultures, perceptions, and defences,  we extrapolate the future of security for mainframes based on the challenges and failures of ICS SCADA as it has evolved from sequestered to connected.  You’ll learn how ICS SCADA serves as a cautionary tale for securing mainframes against acts of God, nature and man. And we’ll present to you the scenario of a Stuxnet for Mainframes.

Speakers
Cheryl Biswas

Threat Intel Specialist, TD Bank
Cheryl Biswas is a Threat Intel Specialist with TD Bank in Toronto, Canada. She gained initial access to InfoSec through a helpdesk backdoor, pivoted into roles for vendor and change management, jumped a gap into privacy and DR/BCP, then laterally moved into security audits and assessments...
Haydn Johnson

Haydn Johnson has over 4 years of information security experience, including network/web penetration testing, vulnerability assessments, identity and access management, and cyber threat intelligence. He has a Masters in Information Technology, the OSCP and GXPN certification. Haydn...


Saturday June 11, 2016 5:00pm - 6:00pm EDT
Track 1 – Cap 1

5:00pm EDT

SIEM, Supersized!
This talk will go into the world of Security Information and Event Management (SIEM) monitoring and its potential. In order to properly optimize your SIEM, forwarding logs for alerts falls short of properly detecting threats within an organization. In order to properly utilize your SIEM, a variety of log source types must be used to properly have a deep detection of your network for intrusions and threats. In order to utilize your SIEM properly, logs, flows, vulnerability data, and file monitoring must be collected and parsed. This data must be properly aggregated and tuned to the organization’s needs for more actionable alerting and reporting.

Saturday June 11, 2016 5:00pm - 6:00pm EDT
Track 2 – Cap 2

5:00pm EDT

Fantastic OSINT and where to find it
Open-Source security intelligence is bountiful if you know where to look. The goal of my talk is to show you where to find this data, how to utilize it, and how the data you find can be enriched through free and/or commercial tools.


Saturday June 11, 2016 5:00pm - 6:00pm EDT
Track 3 – Cap 3
 
Sunday, June 12
 

10:00am EDT

A Major New Trend in the Enterprise is Whitelisted Proxies
A major new trend in the enterprise is whitelisted proxies. Enterprises (and by enterprise we mean large companies, not java) love their perimeter because, well, let’s face it, everything’s broken inside. However they still want their employees to have internet access as it is critical but they have a flat network. The current trend is whitelisting all traffic and doing an SSL Man-In-The-Middle. Our goal is to show that that does absolutely nothing by exfilling through commonly whitelisted platforms and using steganography to hide all the data.

We have written tools that allow covert communication through youtube and twitter to establish a reverse shell. Using the steganography from the exfil toolkit (which will be released under the GPL) we will incorporate steganography into youtube comments so that even with ssl decryption it just looks like a drunk youtube commenter. With twitter there is text stego but also images can contain steganography. We will also discuss polymorphism in stego algorithms to evade heuristics.


Sunday June 12, 2016 10:00am - 11:00am EDT
Track 1 – Cap 1

10:00am EDT

Haking the Next Generation
Kids are wired to learn. They are learning while they are playing, so why not give them an environment where they can play while they are learning? A group of volunteers created a conference, which later became a 501(c)(3) charity, to give kids ages 7 thru 17 a technology playground. In this technology playground, children can explore science and technology, learn Internet safety and best practices…while having fun. They get to compete in a jrCTF, win prizes, get trained in hands-on workshops, listen to interesting speakers and interact with experts in the fields of IT and InfoSec. Just like you do at this conference. Hak4Kidz is addressing the growing need for our geeky kids wanting to become like their geeky parents. Hak4Kidz is creating a safe environment for these kids to find like-minded peers to begin developing a community for them. If we can properly educate today’s generation as to how technology works and to push its limits rather than accepting how it works, ultimately, those kids will be better leaders. Leaders who will be making prudent decisions about technology as opposed to decisions based on fear. The Hak4Kidz CircleCityCon and Hak4Kidz Chicago conferences from 2015 have survey results demonstrating some of the success of Hak4Kidz. We will share our mission, our passion and hope to inspire you with the desire to organize a Hak4Kidz conference in your local city.


Sunday June 12, 2016 10:00am - 11:00am EDT
Track 2 – Cap 2

10:00am EDT

Where to Start When Your Environment is F*(K3d
So many of us have been there. We’ve walked into an environment that has exploded with technology, but no talent to manage it, no leadership to distinguish FUD from real threats, and either zero infosec budget or so much they aren’t sure what to do with it. If you are currently in this situation, you may not even know where to start. I’ll go over great steps to start with that will have little impact on budget, but a large impact on moving forward for a more secure environment. Not everyone can afford or wants to hire a contractor to come in and fix everything for them and I want this to help play the part of the blue team contractor.


Sunday June 12, 2016 10:00am - 11:00am EDT
Track 3 – Cap 3

10:00am EDT

Getting a Job through Social Engineering
Do you want a job in information security? If you have a job, do you want a better one? This workshop is about how to get a job through social engineering. Josh More has, for years, been helping technologists and introverts get an advantage over the less skilled but more social candidates in the job market. When done properly, a job search can be run like a penetration test, where you identify your target, perform your reconnaissance, develop your plan, take over the process, and land the job. Everyone has the base skill level they need to execute, but often lack the natural social ease that others have. If you have ever found yourself looking at a boss or colleague and wondering how they managed to get the job or promotion that should have been yours, this workshop is for you. This workshop draws from Josh’s two books _Job Reconnaissance_ and _Breaking In_, both aimed at hacking the job market. The workshop will open with an overview of how the job market works, economically and socially, so we understand the systems in which we must work. It will then move into the target selection phase, so we can identify the types of firms we wish to target. Then, we will explore those targets through basic reconnaissance and identify what sorts of “attacks” would be likely to work and which ones would not. This process will involve reverse engineering their use of metaphor and narrative so you can develop custom approaches that will bypass their filters. In the end, you will have created a customized resume, approaches to landing an interview at your preferred target, using that resume within an interview, a plan for retaining access throughout the process and, if time allows, a customized portfolio to take complete control of the process.

Sunday June 12, 2016 10:00am - 2:00pm EDT
Cabinet

10:00am EDT

Power of Pi Revised
Course Description: Want to learn about a low-cost low energy consumption platform for pen testing, recon, and threat analytics? The Raspberry Pi is a compact mini ARM processing environment which supports a number of Linux distributions; allows connectivity to numerous peripheral devices, and is small enough that it can be placed anywhere. This workshop will tell you more about the Raspberry Pi, how to use it, and why it can be so attractive to keen security minds. Additionally, the talk will also focus on troubleshooting common issues that arise during the operating system install, hardware device connectivity, and general use. The course will provide numerous hands-on labs for getting the system up and running, wireless penetration testing, using common attack tools, and other wicked attacks.

Kits —

Raspberry Pi 2

5v / 2A power supply

8 Gb Noobs

HDMI Cable or HDMI to VGA adapter depending on monitor inputs

TP-LINK TL-WN722N (Wireless Adapter)



Sunday June 12, 2016 10:00am - 2:00pm EDT
Caucus

10:00am EDT

Making Your Home Router Into Enterprise
Go over hardware concepts and manufacturers of home routers. Explain the types of aftermarket firmware. Then install Shibby Tomato firmware and go over some feature sets.

Students are required to have

Asus rt-n66r or Asus rt-n66u (This device will be flashed) and a Windows Laptop.


Sunday June 12, 2016 10:00am - 2:00pm EDT
Chamber

10:00am EDT

How to Build a Home Lab
“You need a home lab” is advice often given by people within the infosec community to people looking to break into the field or advance their career. This might seem like a monumental task.

“Where am I going to get the networking equipment, servers, and computers to build this lab?”

“Once I have the equipment, how do I put it together?”

“What do I do after I get it set up?”

These are just three of the many questions someone looking to build a home lab is asking. A home lab is invaluable to those new to the information security field. Getting one set up is easy and doesn’t require a lot of hardware or money. All it requires is a little time and patience. This training is meant to help answer those questions.

This training will walk through the technology requirements, how to set up your lab, and discuss the different kinds of labs aspiring red and blue team members can set up. Finally, the training will review some lab activities you can run through to help improve your skills.

Attendees are encouraged to bring a laptop with VMware or VirtualBox, a download of the VMware/VirtualBox image for Kali Linux, and any ISOs or virtual machines they would like to set up in their lab (e.g. Ubuntu, OWASP BWA, Metasploitable 2, etc.).


Sunday June 12, 2016 10:00am - 2:00pm EDT
Council

11:00am EDT

Hacking Our Way Into Hacking
It may seem like everyone in infosec has always been a hacker. However, many of us have come to hacking from other industries, and as we make our way through the infosec community it’s often hard to find others like us. This is a conversation for every hacker who started as a mechanic, a kindergarten teacher, or a gender studies major: let’s talk about where we came from, how we got here, how we leverage the skills from our previous careers, and some of the unique challenges we’ve come across as hackers with “past lives”.

Sunday June 12, 2016 11:00am - 12:00pm EDT
Track 1 – Cap 1

11:00am EDT

Attacking OSX for fun and profit: Toolset Limitations, Frustration and Table Flipping
I was approached by Fusion to be part of their ‘Real Future’ documentary – specifically, and I quote, to ‘see how badly I could fuck his life up, while having control of his laptop’. They wanted me to approach this scenario from how a typical attacker would see it. This journalist was San Francisco Bay Area based, so that meant he was using a mac, an iphone, and his office was using google apps and likely 2 factor authentication for everything. No windows, no powershell, no ms08_067, no netbios, no backdoored ms office documents – how was I supposed to get in? Well, I did get in, but then I was faced with another problem – metasploit doesn’t work so well when attacking osx. And outside of that, there really aren’t ANY tools (at least public ones) that are built for attacking osx. I had to build a toolkit for myself ON THE VICTIM’S MACHINE, LIVE during the engagement. And I’m going to tell you all how I did that, what I did, what worked and what didn’t work. The one thing I can say is now I understand why the NSA does surveillance the way they do. You learn 10x more from watching someone via screenshots than you will from any shell, hands down, every time.

Sunday June 12, 2016 11:00am - 12:00pm EDT
Track 2 – Cap 2

11:00am EDT

Intro to Mobile Device Testing
As mobile devices become more ubiquitous, control more aspects of our lives, and contain more and more sensitive data, testing these devices from a security perspective becomes ever more critical. However, testing mobile platforms, such as iOS, Android, or Windows Phone, can be confusing at first. I’ll be walking through the basics of how to approach testing these devices, tools and techniques, and what to look for.

Sunday June 12, 2016 11:00am - 12:00pm EDT
Track 3 – Cap 3

12:00pm EDT

Lunch
Lunch, the abbreviation for luncheon, is a light meal typically eaten at midday. The origin of the words lunch and luncheon relate to a small snack originally eaten at any time of the day or night. During the 20th century the meaning gradually narrowed to a small or mid-sized meal eaten at midday. Lunch is commonly the second meal of the day after breakfast. The meal varies in size depending on the culture, and significant variations exist in different areas of the world.

Sunday June 12, 2016 12:00pm - 1:00pm EDT
Track 1 – Cap 1

1:00pm EDT

Your Password Policy Still Sucks!
I began talking about this topic back in 2008 when I started getting into GPUs and password cracking contests. Seven years and hundreds of pentests later I can still say with confidence that the number one way we breach organizations is with passwords. Why have we not learned anything? Password cracking is still a fundamental foundation of security so everyone should know how to do it. Through this presentation attendees will learn about the attacks, tools, and techniques employed by today’s password crackers (mostly hashcat because it RULES!!!!), as well as potential countermeasures that can help protect against these attacks. Anyone who has anything to do with password policy at a company should be interested in this talk. People always are, and always will be, the weakest link in any network environment and password creation left up to the user can be detrimental to an organization’s infrastructure.

Covered topics include:

Profiling password policies
Analyzing password lists
Establishing a better password policy
Password cracking tools, rule sets and other tricks to attack
How to conduct regular password audits

Sunday June 12, 2016 1:00pm - 2:00pm EDT
Track 1 – Cap 1

2:00pm EDT

Closing Ceremony
Awards, con-recap, GO HOME!


Sunday June 12, 2016 2:00pm - 3:00pm EDT
Track 1 – Cap 1
 