CircleCityCon 2016 has ended
Track 1 Talk
Friday, June 10
 

4:00pm EDT

Food Fight!
From farm to fork, food production in America is a complex and interwoven system of technologies. This session explores a slice of that system and relies upon food production as an example of multifaceted penetration testing. With a combination of stories and lessons learned, we will discuss and learn from the challenges of scaling up penetration testing and adapting it to unique technologies. This provides us an opportunity to sharpen up on the basics while learning advanced techniques. Moreover, given food production’s reliance upon SCADA and ICS systems, the session will describe how these non-traditional systems can be assessed. All in all, for the defenders, what we learn from a good food fight can be directly applied to securing our own complex networks.

Speakers
J. Wolfgang Goerlich

Advisory CISO, Duo Security
J Wolfgang Goerlich supports information security initiatives for clients in the healthcare, education, financial services, and energy verticals. In his current role with CBI, a cyber security consultancy firm, Wolfgang is the senior vice president for strategic security programs...


Friday June 10, 2016 4:00pm - 4:50pm EDT
Track 1 – Cap 1

5:00pm EDT

IoT on Easy Mode (Reversing and Exploiting Embedded Devices)
As technology matures, we are seeing a trend of products that are now “smart.” The problem is that once we discover how these devices are programmed we can identify the flaws, but unfortunately the hardware aspect scares some people away from digging deeper. This talk is to show people how easy it really is to get into embedded device hacking while also expanding their knowledge outside of the x86/x86_64 space. By the end of this talk the audience will be encouraged to go out and start their journey into the embedded device world while having the tools that they need. This talk will also cover the reasoning behind purchasing products such as a logic analyzer and the brick walls I personally went through to justify the need for one.

Friday June 10, 2016 5:00pm - 5:50pm EDT
Track 1 – Cap 1

6:00pm EDT

Binary defense without privilege
What would you do if you were given a binary service that contained multiple vulnerabilities and were told you must run and defend that binary for the next 3 days? And oh, by the way, you don’t get root, virtual machines, docker containers, firewall configs, or any other form of privileged access. This is exactly the challenge faced in elite attack/defense capture the flag competitions. Many of the lessons learned from these war-games can reveal new defensive opportunities in real world scenarios. This talk will discuss realistic strategies and techniques available in such a precarious defensive position. We will go far beyond simply finding bugs and patching them in the binary. For example, how might we analyze and filter network traffic without network, firewall, or root access? Could stack frame and heap allocation sizes be patched and why would that matter? How can we limit disk access as a regular user? What can we do to determine if we were exploited? All of these questions will be answered during the talk.

Friday June 10, 2016 6:00pm - 6:50pm EDT
Track 1 – Cap 1
 
Saturday, June 11
 

10:00am EDT

Break on Through (to the Other Side)
For almost every defense an effective offensive response can be constructed. These responses will be highlighted alongside the defensive techniques presented. Finally, a real working practical implementation of the presented techniques will be reviewed thanks to the Samurai CTF team open sourcing the Gatekeeper project (https://github.com/samuraictf/gatekeeper) in December 2015.

Saturday June 11, 2016 10:00am - 11:00am EDT
Track 1 – Cap 1

11:00am EDT

Creating a Successful Collegiate Security Club (WIP)
There may seem like an abundance of collegiate security clubs, but not every college has one; and not every club that is established is well organized. In this talk we are going to highlight the successes, and failures, of creating Illinois State University Security Club (ISUSec). We will talk about information that we know now that I wished I knew when I first started the club. We will also cover details about how to deal with the politics involved with starting a security club, how your involvement is key to the club’s success, and the amount of effort that will be required to ensure the club continues after you leave college. We will also cover topics such as utilizing social media, public speaking, competitions, conferences, and all of the things you may want to focus on with your club. It took me a couple of years to get ISUSec off the ground. It is our hope that this talk will help guide you through the process of becoming a registered student organization in less time and with greater success!


Saturday June 11, 2016 11:00am - 12:00pm EDT
Track 1 – Cap 1

12:00pm EDT

Now You See Me, Now You Don’t – Leaving your Digital Footprint
Your first impression is your only impression. However, your first impression may already have been made. Many people leave behind bread crumbs of their personal life on social media, within professional organizations, and on other websites. Your computer, your smartphone, your pictures and credit reports all create an information-rich profile about you. This talk will discuss all the different threats that exist that leak your information, and how attackers can use open source intelligence to find you. We will discuss techniques used by law enforcement and private investigators to track individuals. Learn how you can hide from the Internet, or use it to uncover someone’s deepest darkest secrets.

Speakers
Aamir Lakhani

Global Security Strategist and Researcher, Fortinet
Aamir Lakhani is a senior red team researcher and exploit developer. He works as a breach specialist helping organizations create, detect, and test against advanced adversarial techniques and attacks. Over the last year Aamir has created or discovered several zero-day remote execution...


Saturday June 11, 2016 12:00pm - 1:00pm EDT
Track 1 – Cap 1

2:00pm EDT

Red Team Madness – Or, How I Learned To Stop Worrying and Expect Pentester Mistakes
Defensive blue team members are often seen as the “Walmart Greeters” of information security.  Tiring of this view and the constant barrage of yet another red team “i totally pwned your network” presentation, @jeremynielson pulls together real-life stories about catching penetration testers on his network, some ideas on how to respond, and provides details on how your security operations center can do the same.  Practical examples and humorous anecdotes will be presented.  Happy hunting!

Saturday June 11, 2016 2:00pm - 3:00pm EDT
Track 1 – Cap 1

3:00pm EDT

Medical Devices, the Flat Network of Unknown Risks
The ratio of networked medical devices in modern hospitals is 2.4 devices per bed. These devices range in use from nuclear medicine to glucose monitoring and can have operating systems from Windows 98 to RTOS. Much like industrial control systems, availability and integrity trump confidentiality. These devices may behave like traditional computers on the network but the operational, regulatory, and patient safety risks are very different. Healthcare providers need to implement acquisition processes to mitigate the new risks and solve unique challenges that existing healthcare technology infrastructures present. Clinical Engineering and Information Technology organizations need to work together to ensure delivery of care.

Saturday June 11, 2016 3:00pm - 4:00pm EDT
Track 1 – Cap 1

4:00pm EDT

Top 10 Mistakes in Security Operations Centers, Incident Handling & Response
This talk covers common errors organizations make, often over and over again, related to Security Operations Centers (SOC), Incident Handling (IH), and Incident Response (IR). Security professionals at all levels can leverage this information to help mature their SOC, IH, and IR teams.


Saturday June 11, 2016 4:00pm - 5:00pm EDT
Track 1 – Cap 1

5:00pm EDT

Head in the Sand Defence or A Stuxnet for Mainframes
You say ICS SCADA we say … mainframes.  In this talk, we’ll show you some remarkable – and scary – parallels between the worlds of ICS SCADA and mainframes.  Notably, that what each system manages is critical to our lives.  And that their worlds are insular, proprietary, and seemingly shut-off to everyone else.  Except for when they aren’t. We know what happens when critical infrastructure goes down. We know what happens when the global economy goes down. Let us present to you Information Security as a proving ground that history repeats itself;  too often we fail to learn from the mistakes of those who came before us. Establishing the similarities between mainframes and ICS SCADA in their cultures, perceptions, and defences,  we extrapolate the future of security for mainframes based on the challenges and failures of ICS SCADA as it has evolved from sequestered to connected.  You’ll learn how ICS SCADA serves as a cautionary tale for securing mainframes against acts of God, nature and man. And we’ll present to you the scenario of a Stuxnet for Mainframes.

Speakers
Cheryl Biswas

Threat Intel Specialist, TD Bank
Cheryl Biswas is a Threat Intel Specialist with TD Bank in Toronto, Canada. She gained initial access to InfoSec through a helpdesk backdoor, pivoted into roles for vendor and change management, jumped a gap into privacy and DR/BCP, then laterally moved into security audits and assessments...

Haydn Johnson

Haydn Johnson has over 4 years of information security experience, including network/web penetration testing, vulnerability assessments, identity and access management, and cyber threat intelligence. He has a Masters in Information Technology, the OSCP and GXPN certification. Haydn...


Saturday June 11, 2016 5:00pm - 6:00pm EDT
Track 1 – Cap 1
 
Sunday, June 12
 

10:00am EDT

A Major New Trend in the Enterprise is Whitelisted Proxies
A major new trend in the enterprise is whitelisted proxies. Enterprises (and by enterprise we mean large companies, not java) love their perimeter because, well, let’s face it, everything’s broken inside. However they still want their employees to have internet access as it is critical but they have a flat network. The current trend is whitelisting all traffic and doing an SSL Man-In-The-Middle. Our goal is to show that that does absolutely nothing by exfilling through commonly whitelisted platforms and using steganography to hide all the data.

We have written tools that allow covert communication through youtube and twitter to establish a reverse shell. Using the steganography from the exfil toolkit (which will be released under the GPL) we will incorporate steganography into youtube comments so that even with ssl decryption it just looks like a drunk youtube commenter. With twitter there is text stego but also images can contain steganography. We will also discuss polymorphism in stego algorithms to evade heuristics.


Sunday June 12, 2016 10:00am - 11:00am EDT
Track 1 – Cap 1

11:00am EDT

Hacking Our Way Into Hacking
It may seem like everyone in infosec has always been a hacker. However, many of us have come to hacking from other industries, and as we make our way through the infosec community it’s often hard to find others like us. This is a conversation for every hacker who started as a mechanic, a kindergarten teacher, or a gender studies major: let’s talk about where we came from, how we got here, how we leverage the skills from our previous careers, and some of the unique challenges we’ve come across as hackers with “past lives”.

Speakers

Sunday June 12, 2016 11:00am - 12:00pm EDT
Track 1 – Cap 1

1:00pm EDT

Your Password Policy Still Sucks!
I began talking about this topic back in 2008 when I started getting into GPUs and password cracking contests. Seven years and hundreds of pentests later I can still say with confidence that the number one way we breach organizations is with passwords. Why have we not learned anything? Password cracking is still a fundamental foundation of security so everyone should know how to do it. Through this presentation attendees will learn about the attacks, tools, and techniques employed by today’s password crackers (mostly hashcat because it RULES!!!!), as well as potential countermeasures that can help protect against these attacks. Anyone who has anything to do with password policy at a company should be interested in this talk. People always are, and always will be, the weakest link in any network environment and password creation left up to the user can be detrimental to an organization’s infrastructure.

Covered topics include:

Profiling password policies
Analyzing password lists
Establishing a better password policy
Password cracking tools, rule sets and other tricks to attack
How to conduct regular password audits

Speakers

Sunday June 12, 2016 1:00pm - 2:00pm EDT
Track 1 – Cap 1
 