9:00 am
9:30 am
10:00 am
10:30 am
11:00 am
11:30 am
12:00 pm
12:30 pm
1:00 pm
1:30 pm
2:00 pm
2:30 pm
3:00 pm
3:30 pm
4:00 pm
4:30 pm
5:00 pm
5:30 pm
6:00 pm
6:30 pm
7:00 pm
7:30 pm
8:00 pm
Track 1
Track 1
Building an Empire with (Iron)Python
9:00 am - 9:50 am

Jim Shaver

This talk discusses porting Python payloads to Windows using a little known, former Microsoft project. It explores offensive uses of .Net and how to reduce attack surface on .Net payloads.

Jim Shaver is a penetration tester and security researcher.


SAEDY: Subversion and Espionage Directed Against You
10:00 am - 10:50 am

Judy Towers

Industrial espionage is the practice of secretly gathering information about competing corporation or business interest, with the objective of placing one’s own organization at a strategic or financial advantage. A common practice to achieve this advantage is to elicit information from unwitting individuals through what today is called social engineering (SE). We all hear the term SE so often that we become desensitized to it, thereby INCREASING the effectiveness of it against ourselves and organizations. Thus, will call it what it is - Human Intelligence, also known as HUMINT.Presenting personal experiences as an Army counterintelligence agent with examples of military and industrial espionage, will examine tradecraft employed against individuals every day. We will apply lessons learned from the US military and the intelligence community by using two acronyms taught to Army counterintelligence agents: SAEDA (Subversion and Espionage Directed Against the Army) and MICE (Money, Ideology, Coercion, Ego). By presenting different aspects of HUMINT collection efforts will enable individuals to possibly detect, deflect, and protect oneself from such actions.

As an active duty US Army Counterintelligence Agent (6 yrs), Judy provided weekly SAEDA briefings for new incoming unit soldiers and for yearly awareness training requirements. Judy received an Army award for the presentation’s effectiveness in engaging the audience, thereby enhancing self-awareness of the threat. Her experiences include training in traditional espionage tradecraft, along with supervising and conducting counterintelligence investigations of individuals, organizations, installations and activities in order to detect, assess and counter threats to national security. After leaving the Army, Judy started a civilian career in information security as: domain admin for a global company, an IT manager implementing incident response system, Fraud department investigating people stealing company services, and now a Cyber Threat Intelligence Analyst, augmented by a 2nd Master’s Degree in Cybersecurity and Computer Forensics.


11:00 am - 12:00 pm

The anatomy of an extortion attack – hacking large organizations for bitcoin
12:00 pm - 12:50 pm

Amit Serper, Niv Yona, Yuval Chuddy

The security team at a large financial services company recently faced a worst-case-scenario breach: threat actors had been in the network for two months, giving them plenty of time to map the organization's network, move laterally to different machines and exfiltrate 40TBs of data. To keep this information from appearing on the Internet, the attackers demanded that the organization pay them $250,000 in bitcoin. Ultimately, attackers used customized malware, living off the land tactics and many other techniques to compromise multiple machines, including the database servers, mail archive servers and domain controllers. In this talk, Niv Yona, Yuval Chuddy and Amit Serper -- the Cybereason researchers who investigated and responded to the incident -- will dissect the attack, which was carried out against a Cybereason customer, and offer a technical analysis with a focus on the techniques, tactics and procedures that were used. In place of theories on how the attack was conducted, they'll offer real-world examples showing how the threat actors were able to take control of the company's network and make off with data. Understanding the anatomy of an attack is key if the security community wants to learn the latest techniques threat actors are using and how to strengthen their defenses to better defend critical assets.

Amit Serper, Head of security research, Cybereason Nocturnus group:Amit leads the security research at Cybereason's Nocturnus global security practice. He specializes in low-level, vulnerability and kernel research, malware analysis and reverse engineering. Whenever he is not taking apart malware and exploring the dark and undocumented corners of operating systems at the office, you could find him in his lab at home reverse engineering routers and other IoT devices and finding horrible bugs on them. Prior to joining Cybereason, Amit spent nine years leading security research projects and teams for the Israeli government, specifically in embedded system security. Niv Yona, Threat hunting and research lead, EMEA at Cybereason Nocturnus group - Niv began his career as a team leader of the security operations center in the Israeli Air Force, where he focused on incident response, forensics, and malware analysis. At Cybereason, Niv focuses on threat research that directly enhances product detections and the Nocturnus hunting playbook. Yuval Chuddy, Threat hunter and Security researcher at Cybereason Nocturnus group Yuval began his career as a security researcher in the cyber security department of the Israeli Air Force, where he focused on incident response, forensics, and malware analysis. At Cybereason, Yuval focuses on investigating targeted and complex attacks and conducts threat hunting in customer environments.


How to test Network Investigative Techniques(NITs) used by the FBI
1:00 pm - 1:50 pm

Dr. Matthew Miller

Network Investigative Techniques are used to investigate cyber criminal activities. These techniques have been used to unmask users of TOR whom are downloading illegal content from the Tor network. This talk will discuss such techniques, discuss ethical and legal issues and describe a methodology to test and verify such techniques.

Dr. Matthew has taught Computer Science and assembly and reverse engineering for 6 years at the collegiate level. He has been called as an expert witness on more that a dozen Federal Cases, where he had to reverse engineer the NIT code provided by the government. His expert declarations have been used by the ACLU in their "Challenging government hacking in criminal cases" guide for attorneys and by lawyers in federal cases.


Community Based Career Development or How to Get More than a T-Shirt When Participating as part of the Community
2:00 pm - 2:50 pm

Kathleen Smith, Magen Wu, Cindy Jones, Kathryn Seymour, Doug Munro

Career development is typically seen as a progression of education, certification and job moves. However, to progress in our careers it is helpful to build both technical and non-technical skills in different environments to challenge us and give us the opportunity to learn. Community involvement strengthens not only the overall community but provides opportunities to stretch and learn new skills that support personal growth. We will review presenting, con management and competitions as ways to strengthen your career. We will hear from a recruiter involved in the community how they evaluate these experiences and recommendations on presenting this information in your job search. Finally, we will address burnout, exhaustion and how not to burn bridges.

Kathleen Smith (moderator) in her capacity as CMO and Outreach Lead for CyberSecJobs.Com and ClearedJobs.Net has coached thousands of job seekers and employers on how to better connect and work together to achieve the mutual goal of employment. Kathleen presents at several security conferences each year on recruiting and job search. Some of the conferences she has presented at as a sole presenter or a moderator include BSidesLV, BSidesTampa, BSidesDE, FedCyber, Cyber912 and CyberSecureGov. Kathleen firmly believes that giving back is the best way to move forward and volunteers in many capacities; she is the Director, HireGround, BSidesLV’s two day career track; Women in Cybersecurity, National Conference Planning Committee, Cyber912 and Women in Cybersecurity Celebration Planning Committee. Finally, Kathleen is well respected within the recruiting community; is the co-founder and current President of recruitDC, the largest community of recruiters in the Washington DC area. Cindy Jones brings over 17 years of specialized IT and security experience to her role of Senior Security Consultant with Rapid7. Cindy maintains a CISSP and MCP certifications. She has worked in several arenas including Federal government, with the Department of Defense, education, technology and healthcare, with a focus on the development, maintenance and management of information security programs. Cindy is actively involved within the information security community and volunteers her time leading the registration team for BSides Las Vegas, volunteers for DerbyCon, is a Def Con Goon and holds a position on the board for BSides Texas and is an active volunteer for these local events. Cindy’s favorite color is purple. Kat Seymour is a Red Team Penetration tester at Bank of America with 16 years of experience in the fields of IT and information security. Kat started playing her company’s internal CTF in 2013 as a way to sharpen her hunting skills. She was invited to join the Red Team 18 months later due to her demonstrated skill and dedication. Kat continues to participate in CTFs whenever she can to help practice and sharpen her skills. Doug Munro has been embedded in Talent Acquisition for more than fifteen years, beginning in agency Recruiting before moving into corporate roles. His talent pool immersion has included Software Engineers, Database Developers and Administrators, Network Architects and Engineers, Executives, and Cybersecurity Specialists in multiple disciplines. His experience encompasses both private and public sector customers, both actively recruiting professionals to fill key roles and leading teams of recruiters to elevate firms' Talent Acquisition capabilities. Doug's public sector experience includes securing top security-cleared talent for mission-critical efforts across dozens of Department of Defense and Intelligence Community entities. His current focus is Cybersecurity, identifying talent for Coalfire, a leading Cybersecurity services firm, in the areas of Risk and Vulnerability Assessment, Cyber Risk Advisory, Penetration Testing, and Cyber Engineering. As a proponent of community-based recruiting, Doug has participated in numerous events, speaking and offering resume and career advice at events like RecruitDC, BSidesLasVegas, BSidesDC, and the ISC2 Cyber Summit, among others. Magen Wu is a Senior Associate with Urbane Security with almost 10 years of experience in the technology industry. Wu is currently pursuing her master’s in Organizational Psychology with the intent to apply its principles to security practices and training. She also currently co-organizes BSides Seattle, the mentor track at BSides Las Vegas and DEFCON US and China Workshops.

@YesItsKathleen, @infosec_tottie, @SinderzNAshes, @RecruitCyberDC

Silent Compromise: Social Engineering Fortune 500 Businesses
3:00 pm - 3:50 pm

Joe Gray

Social Engineering and Open Source Intelligence (OSINT) are silent modes of compromising businesses. This presentation takes experience from the field and from a simulated compromise of a Fortune 500 from a Social Engineering Capture the Flag and applies it to help organizations better understand the threat landscape and arms them with actionable advice to employ internally to minimize the impact of such attacks. We also identify places to find data, which provides insight for more valuable data sources. This includes a demo of OSINT techniques, phishing, and a pretexting discussion. This aims to help penetration testers, social engineers, and other interested (and authorized) parties find ways to gain information about an organization and its people to be able to overcome the technical limitations of the perimeter and gain access to allow further exploitation.

Joe Gray joined the U.S. Navy directly out of High School and served for 7 years as a Submarine Navigation Electronics Technician. Joe is currently a Senior Security Architect and maintains his own blog and podcast called Advanced Persistent Security. In his spare time, Joe enjoys attending information security conferences, contributing blogs to various outlets, training in Brazilian Jiu Jitsu (spoken taps out A LOT!), and flying his drone. Joe is the inaugural winner of the DerbyCon Social Engineering Capture the Flag (SECTF) and was awarded a DerbyCon Black Badge. Joe has contributed material for the likes of AlienVault, ITSP Magazine, CSO Online, and Dark Reading.


Dexter: the friendly forensics expert on the Coinbase security team
4:00 pm - 4:50 pm

Hayden Parker

Sometimes you want to be able to pull forensic images off your production hosts but you want to make sure you set that up correctly because if you don’t people might steal customer financial data or cryptocurrency private keys for hot wallets or something and that would be a very bad day for you and for the cryptocurrency community. This talk introduces Dexter, a forensics tool for high security environments. Dexter makes sure that no single person can do scary forensics things, and that the scary results of the scary forensics things can only be read by people who aren’t scary. I’ll give an overview of the Coinbase production environment, data pipeline, and detection tooling to set the stage for when we might use Dexter. Then we’ll walk through how Dexter works and do a demo that will totally work and not have any technical issues whatsoever.

Hayden Parker is a security engineer at Coinbase, working on detection and response tooling. He has been part of Coinbase for over three years and enjoys almost any project that has to do with networking or golang. Outside of work Hayden enjoys spending his time as far away from computers as possible.

Going on a Printer Safari – Hunting Zebra Printers
5:00 pm - 5:50 pm

James Edge

If you see a label or receipt there is a good chance it was printed by a Zebra printer. Everyone has come in contact with a Zebra printer if you have ever returned a rental car. Every price label you see in your local grocery or department store is printed by a Zebra printer. Warehouses, distribution centers, and even hospitals rely on the ability to print bar-coded labels for tracking purposes. These embedded devices pack a powerful real-time operating system offering an array of services that facilitate communication with the corporate environment. By default these services offer an attack surface into the corporate environment that is alarming. Take a trip on a safari as we go hunting Zebra printers in the wild.

James Edge is an experienced information security professional as a consultant for state and local governments, education, financial services, and retail industries. He has an alphabet soup of certification credentials in information technology, information security, and audit. He is active member for the local chapters of ISACA wherever he happens to reside, has provided support for the Southeastern Collegiate Cyber Defense Challenge (CCDC), and has spoken at various security conferences run by universities, BSides, SkyTalks, and ISACA.


Patching: Show me where it hurts
6:00 pm - 6:50 pm

Cheryl Biswas

Patching – it’s complicated. Organizations at every level struggle with patching. It feels more like a necessary evil rather than a best practice. We're damned if we do, damned if we don't. As much as we like to point fingers of blame and malign the processes in place, the fact is that one size does not fit all when security updates get issued. We’ve lived through the joy of Patch Tuesdays gone bad, watched systems meltdown from patches for Spectre and Meltdown. Given all we should have learned, why does it seem like things are getting worse? Securing our stuff should not be an endless succession of dumpster fires. We need to go beyond just finding the sweet spot between mitigating business risk with vulnerability exposure. Join me in a candid and interactive discussion on this fundamental process that seems inherently broken, especially as it now affects IoT, OT and medical devices. In an off the record, behind closed doors session, let's share what we’ve seen and say what we really think about management, internal and external customers, vendors. Because the cure isn't supposed to be worse than the disease.

Cheryl Biswas, aka @3ncr1pt3d, is a Strategic Threat Intel Analyst with TD Bank in Toronto, Canada. Previously, she was a Cyber Security Consultant with KPMG and worked on security audits and assessment, privacy, breaches, and DRP. Her experience includes project management, vendor management and change management. Cheryl holds an ITIL certification and a degree in Political Science. Her areas of interest include APTs, mainframes, ransomware, ICS SCADA, and building threat intel. She actively shares her passion for security online, as a speaker and a volunteer at conferences, and by encouraging women and diversity in Infosec as a founder and member of the "The Diana Initiative".


Ship Hacking: a Primer for Today’s Pirate
7:00 pm - 7:50 pm

Brian Satira, Brian Olson

In 1995, when the fictitious Dade Murphy and his friends stopped oil tankers from being capsized by a virus in the movie “Hackers”, “digital piracy” was just a euphemism for copyright infringement and sharing music. Today digital piracy is anything but a euphemism or fiction. From breaches by pirates seeking cargo information, to denial of service (DOS) attacks on offshore oil platforms, there are very real threats to the maritime sector. This talk will provide an introduction to understanding ships as Industrial Control Systems (ICS) and lessons learned from vulnerability research on marine diesel engine controllers. We also hope to challenge our peers in the infosec community to apply their skills, red and blue, to protect our maritime critical infrastructure. A talk for anyone who likes computers and pirates. Arrgh!

Brian Satira is an information security researcher with ten years of experience including forensic investigations and vulnerability analysis on various Industrial Control Systems(ICS). Brian is a member of the I Am The Cavalry project and NoVA Hackers. Brian is also a graduate of the University of Pittsburgh and a U.S. Army veteran. Offline, Brian enjoys locksport and is both a registered locksmith in Virginia and a co-founding member of his local TOOOL chapter. Brian Olson is a Security Engineer for CORESCOUT, a tech company focused on big data and network security. A graduate of UMBC with experience in research, pen testing, and systems administration, Brian now works in the DC area focusing on security engineering and threat emulation designing systems with a defensive mindset. When not behind the keyboard Brian enjoys meteorology and sailing; utilizing his skills for navigation/weather routing and tactics for both regattas and deliveries.


Track 2
Track 2
Hardware Slashing, Smashing, and Reconstructing for Root access
9:00 am - 9:50 am

Deral Heiland

This presentation I will be focusing on what is typically referred to as destructive methods for data acquisition from embedded devices. Focusing on the process of removing embedded Multimedia Media Controller (eMMC) devices from circuit boards to gain access to their contents. But we will take it a step further by covering how to restore the device back to operation including methods and technics on altering the devices firmware prior to rebuilding, to allow for full root level access to functional system after recovery. Topics covered will include, Device removal, eMMC firmware extraction and modification methods. Hot air and infrared reflow methods, BGA re-balling manually and with re-ball kit.

Deral Heiland CISSP, serves as a Research Lead (IoT) for Rapid7. Deral has over 20 years of experience in the Information Technology field, and over the last 10+ years Deral’s career has focused on security research, security assessments, penetration testing, and consulting for corporations and government agencies. Deral also has conducted security research on numerous technical subjects, releasing white papers, security advisories, and has presented the information at numerous national and international security conferences including Blackhat, Defcon, Shmoocon, DerbyCon, RSAC, Hack In Paris.


App-o-Lockalypse now!
10:00 am - 10:50 am

Oddvar Moe

Want to get a good overview of AppLocker and the different AppLocker bypasses and at the same time learn how defenders can harden their environments to prevent them? Then this is a talk you don't want to miss. This talk will cover a vast amount of bypass techniques and how to harden AppLocker to make it even harder to bypass. Giving you help to either start or avoid an App-o-Lockalypse.

Oddvar is a Cloud and Datacenter Management MVP, security researcher, blogger, trainer, penetration tester, speaker and he works at Advania Norway as a Chief Technical Architect. He has more than 17 years of experience in the IT industry. He is passionate about Windows Security and he loves to share his knowledge with everyone. Oddvar has delivered top-notch sessions in the past at conferences such as IT Dev Connections, HackCon, Nordic Infrastructure Conference and Paranoia. Oddvar loves to work with both offensive and defensive security.


11:00 am - 12:00 pm

Web App 101: Getting the lay of the land
12:00 pm - 12:50 pm

Mike Saunders

Getting started with web apps can be a daunting task. "Ooh, shiny!" rabbit holes are just around the corner with every click. Without a good plan and a road map, it can be very easy to get lost in these holes and run out of time before reaching your goal. This talk covers how to identify the goal and set up a plan that will help you avoid the rabbit holes, identify the points you should focus on, and ultimately help you become an effective application tester.

Mike's love of IT started in the third grade when he discovered he could view the code of BASIC programs on an Apple ][e. He has held many information technology and IT security positions, including developer, network and system administrator, security architect and security incident handler. Currently, Mike is a principal consultant with Red Siege. When he is not at work, he is an avid ice fishing and kayak fisherman and member of a local horn rock band.


Invoke-DOSfuscation: Techniques FOR %F IN (-style) DO (S-level CMD Obfuscation)
1:00 pm - 1:50 pm

Daniel Bohannon

Skilled attackers continually seek out new attack vectors and effective ways of obfuscating old techniques to evade detection. Active defenders can attest to attackers’ prolific obfuscation of JavaScript, VBScript and PowerShell payloads given the ample availability of obfuscation frameworks and their effectiveness at evading many of today’s defenses. However, advanced defenders are increasingly detecting this obfuscation with help from the data science community. This approach paired with deeper visibility into memory-resident payloads via interfaces like Microsoft’s Antimalware Scan Interface (AMSI) is causing some Red Teamers to shift tradecraft to languages that offer defenders less visibility. But what are attackers using in the wild? In the past year numerous APT and FIN (Financial) threat actors have increasingly introduced obfuscation techniques into their usage of native Windows binaries like wscript.exe, regsvr32.exe and cmd.exe. Some simple approaches entail randomly adding cmd.exe’s caret (^) escape character to command arguments. More interesting techniques like those employed by APT32, FIN7 and FIN8 involve quotes, parentheses and standard input.The most interesting obfuscation technique observed in the wild was FIN7’s use of cmd.exe’s string replacement functionality identified in June 2017. This discovery single-handedly initiated my research into cmd.exe’s surprisingly effective but vastly unexplored obfuscation capabilities. In this presentation I will dive deep into cmd.exe’s multi-faceted obfuscation opportunities beginning with carets, quotes and stdin argument hiding. Next I will extrapolate more complex techniques including FIN7’s string removal/replacement concept and two never-before-seen obfuscation and full encoding techniques – all performed entirely in memory by cmd.exe. Finally, I will outline three approaches for obfuscating binary names from static and dynamic analysis while highlighting lesser-known cmd.exe replacement binaries. I will conclude this talk by giving a live demo of my cmd.exe obfuscation framework called Invoke-DOSfuscation that obfuscates payloads using these multi-layered techniques. I will also share detection implications and approaches for this genre of obfuscation.

Daniel Bohannon (@danielhbohannon) is a Senior Applied Security Researcher with FireEye’s Advanced Practices Team with over seven years of operations, security and Incident Response consulting experience. He is the author of Invoke-Obfuscation, Invoke-CradleCrafter, Invoke-DOSfuscation and co-author of the Revoke-Obfuscation detection framework. He has presented at numerous conferences including Black Hat USA, Black Hat Asia, DEF CON, BlueHat, and an up-and-coming con known on the street as DerbyCon. Mr. Bohannon received a Master of Science in Information Security from the Georgia Institute of Technology (2013) and a Bachelor of Science in Computer Science from The University of Georgia (2010). His primary research areas include obfuscation, evasion and methodology-based detection techniques for endpoint and network applied at scale.


WE ARE THE ARTILLERY: Using Google Fu To Take Down The Grids
2:00 pm - 2:50 pm

Chris Sistrunk, Krypt3ia, SynAckPwn

In this presentation we will show how effective a team of individuals can be in using open source intelligence gathering techniques in gathering leaked data on the electrical grid. By using Google dorking alone, the team has been able to not only gather insider information on grid technologies but also their deployment in the US including and up to passwords to systems and blueprints and runbooks. Using such information an attacker could not only attempt to gain access to power company and grid networks but also easily be able to connect the dots and perform hybrid (physical and electronic) attacks on the US power grid systems.

Chris is an electrical engineer who is fluent in RS-232 and Kirchhoff’s Laws. You can thank Stuxnet (drink!) for bringing him here. Squirrels are his arch nemesis and he hates FUD. His sock game is strong. Krypt3ia has been in INFOSEC since the 90’s working for fortune 500 companies in pentesting and now blue team DFIR. An infamous curmudgeon, Krypt3ia has a blog featuring national security issues and OSINT. He also co hosted Cloak & Swagger a podcast on all things natsec and INFOSEC with a Sasquatch named Ali. SynAckPwn is a semi-professional retired troll that spends most of his time in a hardhat and popping MS08-067 in control systems. Yes, MS08-067 is still a thing and he takes little pleasure in exploiting it. Yes, when it comes to critical infrastructure, it’s still a problem. Yes, most of what you hear about grid hacking is bullsh!t.


Just Let Yourself In
3:00 pm - 3:50 pm

David Boyd

Everyone loves the ‘shiny blinky security hardware’. However, they don’t work as well if a user or your physical security is compromised. In this talk, I will be discussing three (3) different Security Awareness/Social Engineering scenarios: a pretexting exercise, a phishing exercise, and a physical security assessment. I will go over what they are, what they look like, some tips and tricks that I have found for all three (3) that have worked great (at least for me), as well as what failed miserably. There will be some amusing stories from the field, some tips for new folks getting started with social engineering, as well as defense tips for the sys admins and blue teamers out there.

David Boyd (@fir3d0g) is a security analyst for a security company in Knoxville, TN. He is a Christian, husband, and father that also enjoys geek culture, video games and Mountain Dew. He has over 15 years of technical experience in several environments including education, military, retail, government, media, law firms, and hospitals learning something from each one along the way. He also once found Waldo and Carmen Sandiego.


Threat Hunting with a Raspberry Pi
4:00 pm - 4:50 pm

Jamie Murdock

Raspberry Pi's are being used more and more. This talk will cover how to utilize a Raspberry Pi as an automated threat hunting sensor that utilizes open source tools and custom IoC's.

For 20 years, Jamie has specialized defending, securing, and protecting corporate networks. He has worked as an adviser for major verticals including insurance, financial, manufacturing, retail, and health care. During this time, he built security operation centers for Fortune 500 companies, providing expert guidance in all areas of security operations. He has built incident response and threat intelligence programs, focusing on profiling threats specific to individual organizations, and took this information and built adaptive monitoring programs.


Living in a Secure Container, Down by the River
5:00 pm - 5:50 pm

Jack Mannino

Linux container technologies offer the ability to run software in isolation with a significantly reduced attack surface. By reducing the capabilities and resources a container can utilize, we make it increasingly difficult to elevate privileges, gain persistence or move laterally within a cluster of containerized services. While Docker is the container technology most people are familiar with, there are other container types to think about too, each with their own opinionated take on security. It’s getting increasingly common to adopt other runtimes through the Open Container Initiative (OCI) specification using interfaces and shims provided by container orchestration platforms. Containers that use Linux namespaces and control groups for isolation typically provide weaker protections against escaping than hypervisor-based containers, further detaching security reality from your hopes and dreams. This presentation will focus on the security and kernel protections available in several popular Linux container technologies including Docker, Rkt, LXC, Kata and gVisor. We will explore how the default runtime security controls stack up under attack and how they attempt to isolate resources at security boundaries. We will explore the container hardening process through AppArmor, SELinux, Seccomp and Capabilities. At the end of this presentation, you’ll be motivated to run minimally privileged containers that are isolated from doing any real damage. You’ll have plenty of time for security when your code is living in a container down by the river.

Jack Mannino is the CEO of nVisium. Passionate about security and impossible to keep away from a keyboard, his expertise spans over 15 years of building, breaking, and securing software. Jack founded nVisium in 2009, and since then has helped the world's largest software teams enhance security across their software portfolios. He has spoken at conferences globally on topics such as secure design, mobile application security, and cloud-native security.


Bug Hunting in RouterOS
6:00 pm - 6:50 pm

Jacob Baines

RouterOS is the “operating system” that router manufacturer Mikrotik built on top of Linux for their embedded devices.Typically, when researchers think of embedded devices they think of simple interfaces and easy-to-find vulnerabilities. However, this isn’t the case with RouterOS. The OS is rich with features you’d expect to find in more expensive Cisco models and it’s been largely protected from bug hunters due to the proprietary protocols it uses with its web client (webfig) and its thick client (winbox). Some APT events like Slingshot and VPNFilter prove that RouterOS is a valuable target. By exploiting vulnerabilities in RouterOS, attackers gain a privileged position in the victim’s network. Yet, there is no public tooling to aid in finding vulnerabilities in RouterOS. In this presentation, I will breakdown Mikrotik’s proprietary protocols and show the audience how to find bugs deep within the system. In this talk, I'll show the audience how to negotiation communication with RouterOS's webfig and break down the proprietary protocol that routes packets through the system. I'll combine what we've learned by showing off an authenticated stack buffer overflow that Tenable found in RouterOS. Note to Review Board: I have a specific authenticated stack buffer overflow I plan to demonstrate. We have already disclosed the vulnerability to Mikrotik and it should be patched (or outside of Tenable’s 90-day disclosure policy) by the time DerbyCon rolls around.

Jacob is the team lead of Tenable's new zero day research team. Previously, he was working as a reverse engineer on Tenable's Nessus project.


Advanced Deception Technology Through Behavioral Biometrics
7:00 pm - 7:50 pm

Curt Barnard, Dawud Gordon

In cybersecurity, the attacker tends to have a significant advantage over the defender. A motivated network defender should look for opportunities to have an asymmetric advantage over the attacker to level the playing field. In this talk, we will apply the concept of Behavioral Biometrics in the realm of deception technologies to obtain such an advantage. There are three common factors used in authentication: something you know (a password), something you have (a token), and something you are (a biometric). Each factor has its own unique strengths and weaknesses. In the case of biometrics, biometric data is, in many cases, easy to steal and spoof. Once biometric data is stolen, it is impossible to change, since it is inherently tied to the user. Behavioral Biometrics is the authentication paradigm of using an individual’s behavior as a biometric, rather than a fingerprint. The technology looks at how how a user interacts with a system, such as how they type or move the mouse, touch the screen, which hand they hold the device in, the characteristics of their gait from the motion sensor, as well as spatial and temporal patterns. The result is a biometric that is not immediately visible to an attacker, and incredibly difficult to spoof. Traditionally, should behavioral components detect an intrusion, access is blocked, authentication escalated, or the user was de-authed completely. However, this does not necessarily have to be the case. Deception technology has emerged as a method to either delay attackers, coax out their TTPs (Tactics, Techniques, and Procedures), or gather clues about their true identities. This strategy typically includes things such as canaries, honeypots, or tainted or tracked data. The challenge with deception technology is often in identifying an attacker in the first place in order to divert them to fake resources. We will demonstrate in this talk that Behavioral Biometrics are uniquely positioned to identify an attacker as unauthorized, independent of credentials, in a way that is invisible and spoof resistant. With that information, deceptive technology can redirect their attack in order to delay it, discover the attackers TTPs, or even learn the identity of the attacker as they attempt to exfiltrate mocked data, transfer funds, or use services. We will conclude by demonstrating this combination live.

Dr. Dawud Gordon is CEO & Co-Founder at TWOSENSE.AI, an NYC-based Behavioral Biometrics firm that makes authentication invisible through AI. Dawud holds a Ph.D. in Computer Engineering from KIT in Karlsruhe, Germany for his work on using Machine Learning to for human behavior analytics. He has published over 30 peer-reviewed papers and patents on related topics, and won several awards for his research. Curt is the Founder and CEO of ThreshingFloor ( Curt holds an MS in Cyber Operations from the Air Force Institute of Technology, and has spent the last decade in cybersecurity across public and private industries, including venture capital. Curt’s research interests lie primarily in network analysis, anonymizing technologies, and generally breaking stuff.

Dawud Gordon - @d4wud, Curt Barnard - @CurtBarnard

Track 3
Track 3
VBA Stomping - Advanced Malware Techniques
9:00 am - 9:50 am

Carrie Roberts, Kirk Sayre, Harold Ogden

There are powerful malicious document generation techniques that are effective at bypassing anti-virus detection. A technique which we refer to as VBA stomping refers to destroying the VBA source code in a Microsoft Office document, leaving only a compiled version of the macro code known as p-code in the document file. Maldoc detection based only on the VBA source code fails in this scenario. Reverse engineering these documents presents significant challenges as well. In this talk we will demonstrate detailed examples of VBA stomping as well as introduce some additional techniques. Reverse engineering and defense tips will also be provided.

Carrie Roberts - Carrie is a developer turned Red Team. She became interested in Info Sec after doing PC, mobile and web app development. She obtained her Masters in Info Sec Engineering from the SANS Technology Institute in 2015 and holds 11 GIAC certifications including the GSE. She is currently a Senior Red Team Engineer at Walmart and loves to give back to the Info Sec community. Kirk Sayre is a member of the Dynamic Defense Engineering team at Walmart. One of Kirk's focuses at Walmart has been on the detection and analysis of malicious Office documents. Kirk is one of the primary maintainers of ViperMonkey (, a VBA macro emulator utility. Prior to working for the cybersecurity group at Walmart, Kirk Sayre performed cybersecurity research at Oak Ridge National Lab (ORNL). While at ORNL Kirk was one of the primary developers of a tool for automating the reverse engineering of malware. Kirk is the author of several patents based on this work. Outside of cybersecurity, Kirk has also worked on projects ranging from weapons control systems, medical devices, web applications, corporate software engineering training, and software design tools. Kirk’s educational background includes a PhD in Computer Science from the University of Tennessee where his research centered around using statistical methods to improve the testing of software. Harold Ogden is a member of the Dynamic Defense Engineering team at the Walmart Security Operations Center. He researches malicious documents and observable system behaviors related to common adversary tactics. He writes rules for various file and traffic inspection products, and implements processes to monitor and triage suspected compromise at enterprise scale.

Carrie - @OrOneEqualsOne, Kirk - @bigmacjpg, Harold - @haroldogden

Media hacks: an Infosec guide to dealing with journalists
10:00 am - 10:50 am

Sean Gallagher, Steve Ragan, Paul Wagenseil

Infosec researchers, experts, and hackers in general have a…fraught relationship with media, ranging from exploitive to adversarial. Recent episodes, including the doxxing of Marcus Hutchins by UK media and sensational coverage of his arrest, don't help, nor do broadcast media reports that are often factually incorrect or even damaging to the security of those who take the reports as gospel. And researchers looking to get out word to the general public are often (based on anecdotal data) confused or intimidated by the media machine. This presentation seeks to demystify how news media work, the strengths and weaknesses of each channel of communications, and how to effectively interact with journalists in a way that is constructive and productive. We are infosec journalists—ask us anything.

Sean Gallagher is the IT Editor and National Security Editor for Ars Technica. A former Navy officer and government IT contractor (and for a time the Director of IT Strategy for Ziff Davis Enterprise), Sean has been an IT journalist for over 20 years. He covers information security and privacy as part of his vast beat at Ars. Prior to joining the journalism world in 2005, Steve Ragan spent 15 years as a freelance IT contractor focused on infrastructure management and security. He's a father of two and rounded geek with a strong technical background. Paul Wagenseil heads security and privacy coverage for Tom's Guide. He has also been a warehouse manager, a car deliveryman, a bartender, a fry cook and a dishwasher. That's all he's going to tell you unless you meet him in person.

Sean - @thepacketrat, Steve - @SteveD3, Paul - @snd_wagenseil

11:00 am - 12:00 pm

R.J. McDown - Windows Rootkit Development: Python prototyping to kernel level C2
12:00 pm - 12:50 pm

Red teams are always looking for new ways to persist on hosts that could potentially take several days to compromise. The necessity for reliable, stealthy persistence is highlighted when the compromised target is the initial foothold into the internal target network. Common methods and tools used to persist on compromised hosts will be briefly covered before diving into developing custom software operating at the user and kernel level. A couple of opensource projects, and their APIs, will be introduced that make it possible to interact with kernel level drivers from user-mode programs. Both, Python and C APIs are available, allowing for Python prototyping before moving to C, a compiled language. This is great for testing and researching new features, as design flaws can be worked through quicker. Lastly, a demonstration will be given of evading event logs, subverting host firewall configurations, hiding active C2 network connections from the OS, spawning arbitrary sessions (PowerShell Empire, Metasploit, etc.), and harvesting credentials from network traffic.

R.J. McDown (BeetleChunks) is a security researcher, penetration tester, and red teamer with experience assessing numerous Fortune 500 companies. In his spare time, he works on developing and researching new tools and techniques to be used on client assessments and IOCs associated with them.


Deploying Deceptive Systems: Luring Attackers from the Shadows
12:00 pm - 12:50 pm

Kevin Gennuso

"Assume the network is compromised" has been a popular mantra in information security for years now. So how do defenders operate in such an environment? Honeypots and honeytokens that are well-planned and strategically-placed can enhance any organization's threat detection capability. This talk will demonstrate a few of the various free, open-source solutions available as well as a strategic plan for deploying them.

Kevin is a security architect/manager and part time packet mangler. He has nearly 20 years of experience in both the offensive and defensive sides of information security, and has done work for a number of organizations across the technology, healthcare, finance, and retail sectors.


The Money-Laundering Cannon: Real cash; Real Criminals; and Real Layoffs
1:00 pm - 1:50 pm

Arian Evans

After 15 years of building security products, I decided to join the front lines of the fight by taking a real-world job running product management & engineering, for a team that was building a new cash/debit[credit-rails] payments platform. My first day on the job we discovered we were being attacked by an organized crime ring. For roughly every $150k stolen - it meant we had to lay someone off - further reducing our ability to be effective. Tense moments. We also had no Infosec/Cybersecurity staff, nor any type of Infosec or Anti-Fraud software/systems. We only had a Windows-based “Compliance System” that looked like it was written in the late 90s. In spite of that we managed to cut our losses to zero dollars for almost six months! The next 13 months were a bloody battle that ended with me losing my job. If you like real world cybersecurity; want to learn how we built an anti-fraud system from scratch; or simply like schadenfreude - join me for a laugh and a few super-obvious lessons in statistics. 🙂

Arian is an 18+ year Infosec veteran who has worked as a Builder, Breaker, and Defender. He has built both enterprise financial and security software, and helped catch bad guys. He is fairly certain the majority of his success is due to luck - and the privilege of being surrounded by really smart people. Arian has pontificated in books and papers on software security and breaking software, and blathered at conferences around the world on techniques & technologies for both Red and Blue Teams. He also pads his presentations with bad jokes. Early employee of FishNet, WhiteHat, RiskIQ; also worked at several #Fintech companies you’ve never heard of, and taught my wife to phish kidnappers.


Perfect Storm: Taking the Helm of Kubernetes
2:00 pm - 2:50 pm

Ian Coldwater

Containers don't always contain. For attackers, Kubernetes contains a number of interesting attack surfaces and opportunities for exploitation. For defenders and operators, it's complicated to set up and the defaults often aren't enough. This can create a perfect storm. This talk will walk you through attacking Kubernetes clusters, and give defenders tools and techniques to protect themselves from shipwrecks.

Ian Coldwater is a DevSecOps engineer who spends her days hacking and hardening cloud native infrastructure. In her spare time, she likes to go on cross-country road trips, capture flags and eat a lot of pie. She lives in Minneapolis and tweets at @IanColdwater.


Escoteric Hashcat Attacks
3:00 pm - 3:50 pm


Ever wonder how to get past the 70% password cracking barrier, EvilMog will talk about the Infinite Monkey Theory of Password Cracking, unique attack methods such as Raking, Purple Rain, Prinception and other high entropy attack techniques including live demos.

EvilMog is a Senior Managing Consultant for IBM X-Force Red, a Bishop in the Church of Wifi and a Member of Team Hashcat, he is also the self proclaimed chief shenanigator of DerbyCon


Web app testing classroom in a box - the good, the bad and the ugly
4:00 pm - 4:50 pm

Lee Neely, Chelle Clements, James McMurry

Web based applications and services are the key technologies behind modern service delivery. And their security, or lack thereof, can make or break a company. We developed an approach to follow including tools to help with the assessment throughout each step of the process, leveraging free and commercial products that can assist the assessment process. There are more engagements than there are resources, so we set out on a mission to train new web application testers on a portable platform to teach them an approach to not only test application security but also leverage tools that simplify the process, in effect cheating to win. To conduct that training, we had to develop a classroom-in-a-box, which included the network, the targets and tools for the students. Over the last year, we have leveraged Raspberry Pi Zeros, Thumb Drives with Kali Linux, Chromebooks and Intel NUC servers. We will discuss the pros and cons, showing what works and what to avoid, as well as what can be leveraged to build a home lab, or your own classroom in a box. The user will leave with information they can take back to their home organization to serve as a foundation for either an ad-hoc or ongoing capability.

Jim McMurry is an accomplished Technologist with an entrepreneurial mindset with over 23 years of combined experience in Security, Information Technology, Telecommunication, Networking, Management and Software development. Jim's varied experience in network security, military projects, IT and high-tech arenas, with startups through Fortune 1000 companies, provides him with a unique set of tools as he grows Milton Security. He volunteers for numerous charities, and supports Veterans through the Milton Veteran Hiring program. Lee Neely is a senior IT and security professional at Lawrence Livermore National Laboratory with over 25 years of extensive experience with a wide variety of technology and applications from point implementations to enterprise solutions. He currently leads LLNL’s Entrust team and is the CSP lead for new technology adoption specializing in mobility. He teaches cyber security courses, and holds several security certifications including GMOB, GPEN, GWAPT, GAWN, CISSP, CISA, CISM and CRISC. He is also the President of the ISC2 Eastbay Chapter. Chelle Clements has been associated with computer science and cyber security for over 20 years. She has an AAS in Environmental Science from Northern Virginia Community College, and a BS and an MS in Information Systems Management from University of San Francisco. She is an Army Veteran, one of the first women in the Corps of Engineers (she has some great stories!). She spent 30-years at Lawrence Livermore National Lab as a researcher in three different fields (chemistry, physics and computer science) and also as a community outreach volunteer. She currently supports several Veteran causes with pro bono web development (such as East Bay Stand Down) and served on her city’s art commission.

@lelandneely, @jmcmurry

Metasploit Town Hall 0x4
5:00 pm - 5:50 pm

Brent Cook, Aaron Soto, Adam Cammack, Cody Pierce

In our fourth Metasploit Town Hall, join us for a look at the hotness that landed in Metasploit 5 this past year—including Python-based modules, new exploits, and fresh EternalBlue additions. We’ll demo some of the latest and greatest work coming out of our team and our top-notch contributor base, and then we’ll offer ourselves up to the crowd for questions and conversation about what you’d like to see Metasploit take on next.

We are a few of the many people who make Metasploit awesome. Brent Cook heads up Metasploit’s engineering team at Rapid7, Aaron Soto and Adam Cammack are two of the team’s core developers, and Cody Pierce is the Metasploit product manager. We are all staunch open-source security advocates, contributors, and community members.

Brent Cook - @busterbcook, Aaron Soto - @_surefire_, Cody Pierce - @codypierce, Metasploit - @metasploit

Cloud Computing Therapy Session
6:00 pm - 6:50 pm

Cara Marie, Andy Cooper

You don't have to hate your motherboard, or want a magic wand to solve all your computering problems because everyone is medicating with the cloud these days, but not every cloud platform is created equal. Much like security conference attendees each cloud has its own special sauce, and “idiosyncrasies”. Azure has a shadow twin no one likes to discuss, GCP hands out public IPs like it’s 1983 again, and AWS is praised as the golden child because they did their homework. While ranting about these quirks Cara and Andy plan on presenting some of the solutions that they have written to deal with a few of the more annoying issues that can rear their ugly heads when deploying in the cloud.

Cara Marie: Cara has been traveling the world breaking networks, applications, and protocols professionally for over 5 years. Currently, she is a Security Engineer at Datadog working on building out their offensive security. When she isn’t breaking networks, building bombs (, or giving talks, she can be found baking ugly pies and killing zombies. Andy Cooper: Andy Cooper is a pentesting consultant turned blue team try-hard. Currently he works for Datadog as a Security Engineer working with AWS security primarily. If he isn’t working he is often found in his Dallas home electrocuting himself on accident or building cool things with high voltage.

Andy Cooper - @integgroll, Cara Marie - @bones_codes

Track 4
Track 4
Disaster Strikes: A Hacker's Cook book
9:00 am - 9:50 am

Jose Quinones, Carlos Perez

Go back in time to September 21, 2017 after Hurricane Maria passed over Puerto Rico and two guys flew from Louisville Kentucky back to a disaster stricken home island. No communications, No Power, almost no technologies worked. What can a Hacker do? First, call on the community or as it happened, the community responded without calling. Derbycon, various B Sides, Hackers for Charity and many individuals gave money and time to help out. But, once on ground zero you are basically on your own and you have to hack your way back to civility and survive.

José L. Quiñones has 20+ years of experience in the IT field and holds a Bachelors in Science in Electronic Engineering Technology and various professional certifications in systems administration and cybersecurity. Jose has mainly worked in the Health and Education industries, works as an independent consultant in IT infrastructure, cloud and security architecture. In addition, Jose has worked with the start-up community and in the creation of the first IoT Lab in the Caribbean towards the goal of research and development of new technologies and solutions to build Smart Cities. He is President/Co-Founder of Obsidis Cosortia, Inc a not for profit organization which mission is to promote professional development of information security for IT professionals, students and enthusiasts, and security awareness to the general public. Finally Jose, runs the local Defcon Group 787, is the head organizer of “Security B Sides Puerto Rico” and runs a personal blog about systems administration and security Carlos Perez has over 20 years experience in the security field. He is currently the Research Lead at TrustedSec helping develop new TTPs for the Force team. Carlos is best known for his contribution to the Metasploit, tools like DNSRecon and the overall Windows PowerShell security community. He is a co-host in the SecurityWeekly Podcast. He is Co-Founder of Obsidis Cosortia, Inc a not for profit organization which mission is to promote professional development of information security for IT professionals, students and enthusiasts, and security awareness to the general public.

@josequinones, @carlos_perez

Ninja Looting Like a Pirate
10:00 am - 10:50 am


There is a vast amount of information that exist in the modern world. More so than has ever existed in any society at any time in the history of mankind. Companies, individual, organizations, and nations keep adding to this massive sea of data. Wouldn’t you like to get your hands on some of it? This presentation will show you how to do just that very thing with no tools. Simply using the right browser, search commands and Boolean logic. You will learn how to navigate and surf this ocean of information and find repositories that others a have placed online. Repositories a.k.a. loot which they believe to be safe from others but, in fact they are not. You will learn a few simple techniques that allow you to find their loot and take it for yourself or others. The techniques to accomplish this are not new, in fact they are very old by Information Technology time. However they are as relevant today as they were more than thirteen years ago when people first started to compile them. The techniques will enable you to sift through the haystack of information that you normally get when web searching to find the specific needles that you seek. These techniques will optimize your search time and provide a greater focus of the desired target than you have ever had before. All accomplished from a "search engine" you use every day.

A senior security systems engineer with 25+ years’ experience currently employed at a fortune sixty company in the Washington DC area. Day job, responsible for world-wide evaluation, certification, penetration and integrity testing of a variety of current and emerging technologies, networks, architectures, and devices. Night hobbies - monitors major trade shows like CES in Las Vegas for the train-wreck factor as new technology seems to be developed and deployed with some if not most of the existing vulnerabilities, bugs, and issues of today. Some issues dating back more than twenty years ago that should have been resolved. When not stifled by my company’s legal team I have been permitted to speak on certain subjects to the security community on issues that I see in technology. I'm an active member of the Northern Virginia Hackers association (NoVaH) a collective of security professionals, hackers, authors, makers, and tool developers.


11:00 am - 12:00 pm

Hacking Mobile Applications with Frida
12:00 pm - 12:50 pm

David Coursey

Scientists have estimated by the year 2033 the entire solar system will be made up of mobile apps. Be prepared by mastering Frida, the mobile instrumentation (cough hacking) toolkit. Testing beyond traffic analysis can be extremely useful for any form of mobile pentest or bug bounty. In this talk we are going to cover getting up and running with Frida for hacking mobile applications. We will look at several of the built-in Frida tools, as well as some very helpful projects that utilize Frida. This will include being able to examine the live, running functionality of both iOS and Android apps to learn how they work, and hopefully how to alter they way they work. You will walk away with a new methodology for attacking mobile apps, and a lifelong friendship.

David is a family man that takes time out for Xbox, woodworking, and good whiskey. He forgets things due to years of rugby but is old enough to appreciate keeping notes in a paper notebook. After high school, Army service, and dropping out of college, David got a job as a web developer. Since then, his work has taken him through positions in the DoD, IC, USSOCOM, the VA, and now as an Application Pentester. David enjoys dissecting software and helping developers better understand how to create resilient applications. You can find him speaking at conferences or rambling about meaningless junk on Twitter.


Victor or Victim? Strategies for Avoiding an InfoSec Cold War
1:00 pm - 1:50 pm

Jason Lang, Stuart McIntosh

Is your internal red team withholding their TTPs from the defense? Defenders, are you constantly trying to “win” your pentests by fixing vulns on the fly? Have you been on engagements where the blue team starts blocking your ips and targeting you just to prove that they are better, or had pentesters that mock your environment on twitter like you are the butt of an InfoSec joke. These approaches are not working, not only from a personal level but from an industry level. How we choose to work with each other needs to grow if our goal is to protect those around us rather than make a name for ourselves. Come hear stories of offensive engagements done right (and really really wrong), and learn from a seasoned defender and attacker how partnerships should be forged to be most impactful. Victims complain, Victors adapt. Which are you?

With over 10 years of industry experience, Jason Lang (@curi0usJack) has worked in both offensive and defensive roles. Before switching to red teaming, he spent 8 years working as a technical Security Architect for a Fortune 500, specializing in Active Directory and .Net/database development. Stuart has over 15 years in IT and Security. A recovering Security Architecture manager turned frontline blue teamer, he strives to stop threats using every tactic in the playbook and making a few new ones.

@curi0usJack, @Contra_BlueTeam

Ubiquitous Shells
2:00 pm - 2:50 pm

Jon Gorenflo

Ubiquiti network gear has become a favorite among tech enthusiasts. Unfortunately, various Ubiquiti products have had some serious vulnerabilities in recent history, and like most products, there are deployment decisions that can dramatically reduce the security of the network. There are even features that can provide shell access to the network from the internet. Listen in as we discuss how to go from zero access from the Internet to a root shell via Ubiquiti gear. We'll also explore methods to weaponize the Unifi APs and Unifi Cloud Key devices to for use as attack platforms.

Jon is the Founder and Principle Consultant of Fundamental Security, a small consulting firm focused on penetration testing, incident response, and strategic security consulting. He started working with technology in High School as a student of the Cisco Networking Academy, and has focused on Information Security since 2006. He has performed security engineering, security architecture, incident response, and penetration testing in the government, retail, insurance, and financial sectors. He has managed a team of Penetration Testers at a Fortune 500 financial institution, and served as a Security Architect and Penetration Tester for an international Fortune 500 retailer. Jon also travels the country as an instructor for the SANS Institute. Currently, he teaches two of SANS’s seminal courses, SEC504: Hacker Tools, Techniques, Exploits, and Incident Handling and SEC560: Network Penetration Testing and Ethical Hacking. He is proud to have served in the Army Reserve for 11 years, where he became a Warrant Officer and served one tour in Afghanistan. He currently maintains the GCIH, GPEN, GAWN, GMOB, CISSP, and Security+ certifications.


99 Reasons Your Perimeter Is Leaking - Evolution of C&C
3:00 pm - 3:50 pm

John Askew

From the venerable bind shell, to the reverse shell, the IRC bot channel, the icmp/dns/custom UDP tunnel, and the asynchronous HTTP C&C server, remote access has taken many forms since we first began remotely exploiting software. Even today, many traditional methods will still frequently bypass firewalls and detection, and additional methods continue to be devised. But as an attacker, what do I do when my favorite method is blocked? What are my options other than reusing a stale python script from github or creating my own ad-hoc, informally-specified, bug-ridden, slow implementation of a high-level messaging protocol? And as a defender, how can I measure my ability to detect the diverse C&C traffic that may be seen today, and also prepare for new and unexpected channels? In this talk, we will discuss the evolution of command and control methods, their strengths and weaknesses from an attacker's perspective, and the capabilities of a defender to detect and respond to them. We will identify what aspects a forward-thinking C&C framework might require, and then demonstrate a proof-of-concept with 99(ish) different interchangeable methods for communication. Finally, we will discuss some of the shortcomings of egress filtering in enterprise environments that should be addressed in order to mature our detection and response in kind.

John Askew is a founder and principal of Graywolf and a native of Kentucky. After 12 years in infosec, he has probably spent too much time breaking things and not enough fixing them.

Off-grid coms and power
4:00 pm - 4:50 pm

Justin Herman

You want ways to stay connected even when not being on the grid. Join me in a rundown of what should be in your bug out bag for emergency communications and off grid power. We will cover ham radio as well as other methods of communications. In addition we will discuss how you can make your own off grid power solution easily acquired scrap.

Justin Herman, KD8ASA, is a lifetime learner, tinkerer, infosec nut, and self described "breaker of things". He is an organizer of BSidesCleveland, a board member of NEOISF - the Northeastern Ohio Information Security Forum.


Code Execution with JDK Scripting Tools & Nashorn Javascript Engine
5:00 pm - 5:50 pm

Brett Hawkins

There are several languages and methods used to execute code on a computer system, such as C#, Powershell, Python, VBA, and many more. The defense is getting better, which has caused the offense to adapt and look for innovative ways to “live off the land”. One area that has not been explored deeply is utilizing tools that the Java Development Kit (JDK) provides. According to a statement by Oracle, Java runs on 3 billion devices. Enterprises depend on Java running on their user endpoints and servers in order to keep their businesses running. This makes using tools installed with the JDK very enticing to attackers. This talk will explore using JDK command-line scripting tools and the Nashorn Javascript Engine to perform several actions, such as downloading files, executing scripts locally and remotely, and gaining a remote interactive shell to a computer system. Detective and preventive controls will also be discussed for the usage of these JDK scripting tools.

Brett has been in Information Security for several years in the private sector working for multiple Fortune 500 companies across different industries. He has focused on both offensive and defensive disciplines, with more of a focus on the offensive side recently. He holds several industry recognized certifications from SANS and Offensive Security, and has spoken at BSides Cleveland previously. His extensive knowledge and experience in a breadth of different areas in Information Security give him a unique and well-rounded perspective. When not at his day job, he enjoys doing security research, programming, and playing sports and video games.


PHONOPTICON - leveraging low-rent mobile ad services to achieve state-actor level mass surveillance on a shoestring budget
6:00 pm - 6:50 pm

Mark Milhouse

By now we all know that mobile advertisements aren't secure. How would an attacker take advantage of that, though, and spy on people without their consent, knowledge or interaction, and how do we defend against it? Let's take a journey through the demand-side of advertising as we put ourselves in the role of an attacker, build an ad-based surveillance system, and unleash it on the masses. I'll demonstrate how, using the built-in features of advertising Demand Side Platforms (DSPs), it's easy to build a surveillance system that can track unsuspecting people. I'll demonstrate that some platforms make it much easier than it needs to be, and I'll show that there's more than just geo-locations at risk here. Finally I will discuss some ways that everyone can help mitigate this, from the users, all the way up to the ad networks and software developers. Like every good spy story, this one includes Russian ad networks, hastily written code, and GPS coordinates - lots of GPS coordinates. By now if you're still clinging desperately to the hope that your location is safe then this talk is for you!

Mark Milhouse is a Computer Forensics Investigator at Edelson PC where he investigates high-profile tech-related consumer class action cases (namely digital privacy, security and fraud) and supports ongoing litigation. Prior to his current position he served in the United States Marines as a 2651 (Intelligence Systems), deploying to Iraq, and supporting various elements within II Marine Expeditionary Force. In his free time he enjoys cycling, traveling, and endless projects like building obscure web apps.


Stable Talks
Stable Talks
Tales From the Bug Mine - Highlights from the Android VRP
9:00 am - 9:25 am

Brian Claire Young

Every month, Google releases the Android Security Bulletin, the latest collection of public vulnerabilities found in Android, along with their patches that must be accepted if a device can be considered up-to-date. Join us for this fast-paced, light-hearted retrospective of some of the most subtle, complicated, or interesting bugs from the last year of the Bulletin. Many of these bugs were submitted through the Android Vulnerability Rewards Program, with cash rewards going to the researchers that discovered them.

Brian has been a software engineer and vulnerability analyst in the Android Security Development Lifecycle group at Google since 2016. They review bugs and features and determine which ones are which.


Decision Analysis Applications in Threat Analysis Frameworks
9:30 am - 9:55 am

Emily Shawgo

In the modern age, all organizations face threats from various types of cyber attacks. Although great strides have been made to consider human factors in cybersecurity and to become more proactive in threat analysis, security is still generally a reactive, technical field. This research seeks to develop a framework which adapts existing methods such as the cyber kill chain to look at attacks in a less linear, more human-centered framework that focuses on the capabilities and decisions of the threat actor. In addition, the framework approaches threat analysis from a binary assessment of success vs. failure in order to see the entire attack and consider the potential for a number of methods and attempts made in a single attack. A detailed methodology and sample charts are included for a reference and a starting point in developing one’s own personalized charts, and recommendations are made for ways to integrate this methodology into the risk management process.

Emily has recently graduated from Carnegie Mellon University with a master's degree in Public Policy and Management with a concentration in Cybersecurity Management. She also has an undergraduate degree in Psychology and Political Science from Carlow University. Emily's interests lie in penetration testing, threat analysis, and applying the study of human behavior to the field of cybersecurity.


How Russian Cyber Propaganda Really Works
10:00 am - 10:25 am

Jonathan Nichols

How does PSYOP really work? Did the Russians actually influence anyone? Could they do it again? This talk will use NATO counter propaganda methodologies to answer the burning questions about online propaganda, given by the former Chief Counter Propagandist for United States Forces - Iraq.

Jonathan Nichols is an independent Security Contractor. He has played a role in predicting, detecting, and mitigating some of the largest hacking campaigns in recent years. As part of Operation Iraqi Freedom and Operation Enduring Freedom, Jon spent 10 years deployed with or working in support of US Psychological Operations (PSYOP) and NATO Special Operations. Merging the capabilities of PSYOP and Cyber, Jon has years of experience in building cyber security teams which focus on the humans behind the keyboards and the underlying influences which motivate their actions. He can be seen discussing cyber security topics on CNN and Vice documentaries, and regular contributes to many mainstream media articles on cyber security issues.


Make Me Your Dark Web Personal Shopper!
10:30 am - 10:55 am

Emma Zaballos

Ever wondered what it would be like to have a personal shopper on the black market? This is your chance. This talk outlines everything you need to know about the goods and services available on the dark web - from human skulls and Sephora points to identity data and payment cards. This talk will provide attendees with a comprehensive overview of the the variety of physical and digital goods available on the dark web, along with a framework to evaluate the the structure and size of dark web marketplaces. Attendees will come away with an understanding of the dark web supply chain, the role the dark web plays in demand for physical and digital goods, and the social structure of dark web marketplaces. This session will also cover the day-to-day realities of transacting on the dark web: sourcing, pricing, scamming, and the lengths buyers will go to shop safely - and anonymously - on these underground marketplaces. This talk is ideal for professionals interested in the trade of data and goods on the dark web, cyber-enabled fraud, or emerging trends in the trade of exploits and vulnerabilities amongst cyber criminals.

Emma Zaballos is an Analyst at Terbium Labs, working on evaluating and contextualizing threats to customer data. She specializes in visualizing trends in the sale and trade of stolen payment cards, reading forum drama on the dark web, and studying the many ways companies fail to secure user data. Terbium Labs provides proactive data monitoring solutions - beginning with the assumption that your critical data is always at risk - and specializes in systems designed to detect your sensitive information wherever it may appear on the dark web.


11:00 am - 12:00 pm

Driving Away Social Anxiety
12:00 pm - 12:25 pm

Joey Maresca

Social anxiety can be a common problem and one that can be detrimental in a field where it may be necessary to interact with people as part of our jobs.This talk looks at how I managed to help deal with my personal anxiety issues by being a ride-sharing driver for nearly a year. Why I feel like this method of social interaction and pseudo-therapy help me, and what lessons I learned if I were to repeat the process in the future.

One does not simply write a biography about l0stkn0wledge. He is a life-long hacker and twelve year information security professional who has his own twisted way to approach life's problems. From being a nervous know nothing at his first conference to a multi-time speaker who still knows mostly nothing, he has learned a lot and still has a lot more to discover.


Fighting RTF file format obfuscations: Staying one step ahead of attackers
12:30 pm - 12:55 pm

Vladislav Stolyarov, Boris Larin

RTF is probably one of the oldest document file formats, yet it remains widely used on many platforms. The ability to include OLE objects has made Rich Text Format a perfect delivery container for malware and exploits, as these can contain a wide range of files, including executables, scripts and macros. Furthermore – unlike any other Office document file format, RTF is easily obfuscated to evade detection by security products. In the last year alone, more than 10 vulnerabilities exploited in the wild were delivered in RTF documents, and we believe that this makes RTF possibly the most abused file format today. This presentation will demonstrate most interesting tricks and techniques that we discovered being exploited by malware authors to bypass static antivirus detection. Most of the obfuscation techniques we encountered were abusing Microsoft Office Word’s own implementation of the RTF parser, and so the only reliable way to achieve parsing exactly like that in MS Office was to reverse engineer it.

Boris Larin is malware analyst with a focus on exploits detection and vulnerability research. At free time from work he likes to examine security of embedded devices. Vladislav Stolyarov is a Malware Analyst at Kaspersky Lab, where he is focused on all sorts of vulnerability research, advanced exploit detection and prevention with all modern antivirus technologies. In his free time he enjoys Capture The Flag information security competitions.

Vlad - @lalkaboltalka , Boris - @oct0xor

CTFs: Leveling Up Through Competition
1:00 pm - 1:25 pm

Alex Flores

CTFs are fun and informative enough as they are, but if you approach them from a deliberate angle, you can use them to level up your career. This talk aims to break down the pedagogy behind competitive learning and how acquired knowledge can be applied in real life to chase an offensive security job.

Last year, during a 6 week hiatus while his bosses staged some Red Wedding shit with the company, he went heads down into OSCP, and CTFs for a year after that. He emerged having attained a long-held dream of belonging to the InfoSec community. Alex started out supporting tech as IT, building it as a SysAdmin, creating it as a Software Engineer, and now breaking it as a Red Teamer for WalMart.


Mapping wifi networks and triggering on interesting traffic patterns
1:30 pm - 1:55 pm

Caleb Madrigal

Sure, WiFi hacking has been around for a while, and everyone knows about tools like airmon-ng, kismet, et al. But what if you just want to view a list of all networks in your area AND see all devices connected to each network? Or maybe you want to know who's hogging all the bandwidth (and maybe deauth them if they use too much)? Or, what if you want to know when a certain someone's cell phone is nearby. Or perhaps you'd like to know if your Airbnb host's IP Camera is uploading video to the cloud? For all these use-cases, I've developed a new tool called "trackerjacker". In this talk, we'll use this tool to explore some of the surprisingly-informative data floating around in the radio space, and you'll come away with a new skill point or two in your radio hacking skill tree, as well as a new magical weapon... I mean tool.

Caleb Madrigal is a programmer who enjoys hacking and mathing. He is currently working as an applied security researcher/senior software engineer at Mandiant/FireEye. Most of his recent work has been in Python, Jupyter, Javascript, and C. Caleb has been into security for a while... in high school, he wrote his own (bad) cryptography and steganography software. In college, he did a good bit of "informal pen testing". Recently, Caleb has been finding "evil" on the endpoint with Machine Learning (and other things) and hacking various wireless devices (including many IoT devices) with SDR, WiFi, packet crafting, etc.


Extending Burp to Find Struts and XXE Vulnerabilities
2:00 pm - 2:25 pm

Chris Elgee

How do you test for Struts vulnerabilities in clients' web apps? Have you tried writing a Burp plug-in to help? Extending Burp is easier than you might think. We'll cover Burp Extension programming in Python, the power of Burp's Collaborator, and adapting Struts and XXE exploits to find vulnerabilities automatically. This will culminate in the discovery of a web app zero day.

Chris is a full time husband, father of four, and pen tester; he's a part time Army officer, an aspiring SANS instructor, and the back-up church bass player. He is active in (ISC)2 and has brought online safety presentations to dozens of Maine schools. CISSP, OSCP, GPEN, GWAPT.


Introduction to x86 Assembly
2:30 pm - 2:55 pm


Windows, Linux, and Mac all run x86 assembly. From your favorite software application down to their system kernels. Ever wondered what happens under the hood when programs execute? What does printf("Hello World!"); actually do? Whether your focused on improving the efficiency of your applications, securing your applications against known exploitation techniques, reverse engineering software or going on the offensive with exploitation development a firm grasp on assembly is essential. Come get an introduction to the world of x86 Assembly, learn how to write, build, debug, and tear apart your first x86 assembly application.

Stephanie Domas has been doing x86 security research for a decade. She is Vice President of Research and Development at MedSec, where they perform a plethora of security services for medical devices. Christopher Domas "@xoreaxeaxeax" is a cyber security researcher, currently investigating low level processor exploitation. He is best known for releasing impractical solutions to non-existent problems, including the world's first single instruction C compiler (M/o/Vfuscator), toolchains for generating images in program control flow graphs (REpsych), and Turing-machines in the vi text editor. His more relevant work includes the binary visualization tool ..cantor.dust.. and the memory sinkhole x86 privilege escalation exploit.


Pacu: Attack and Post-Exploitation in AWS
3:00 pm - 3:25 pm

Spencer Gietzen

Cloud infrastructure security and configuration has been shown to be a difficult task to master. Sysadmins and developers with years of traditional IT experience are now being pushed to the cloud, where there is a whole new set of rules. This is what makes AWS environments particularly exciting to attack as a penetration tester. Best practices are often overlooked or ignored, which can leave gaps throughout an AWS environment that are ripe for exploitation. With an increasing number of breaches leaking AWS secret keys, companies are working to be proactive and are looking for red-team-like post exploitation penetration tests, so that they can be sure that their client data is as safe as possible post-breach.Due to this need and the lack of AWS specific attack tools, I wrote Pacu, an open source Amazon Web Services post exploitation attack tool created and used for Rhino Security Labs pentests.In this talk I will cover how red teamers can use Pacu to simulate real-world attack scenarios against AWS environments, starting from IAM enumeration and scanning through exploitation, privilege escalation, data exfiltration and even providing reporting documentation.

With a background in software development, Spencer Gietzen is a penetration tester with Rhino Security Labs. His primary focus as a penetration tester is security relating to Amazon Web Services post exploitation and configuration, where he has found success in discovering vulnerabilities and attack vectors through extensive research.


An Inconvenient Truth: Evading the Ransomware Protection in Windows 10
3:30 pm - 3:55 pm

Soya Aoyama

The WannaCry cyber-attack all over the world in May, 2017 is still fresh in our minds. The malware encrypted and rendered useless hundreds of thousands of computers in over 150 countries. As a measure against ransomware, Microsoft introduced the function "Ransomware protection" in "Windows 10 Fall Creators Update". How does this function work? Is it really effective? In this talk, I will explain the operation principles of "Controlled folder access" of "Ransomware protection" through demonstration video. Then I show the requirements to avoid this function, and describe that this function can be avoided very easily. And I will ask you that we may have to reconsider the definition of vulnerability.

Soya Aoyama is security researcher at Fujitsu System Integration Laboratories Limited. Soya has been working for Fujitsu more than 20 years as software developer of Windows, and had been writing NDIS drivers, Bluetooth profiles, Winsock application, and more, and started security research about 3 years ago.Soya has gave presentation in AVTOKYO 2016 and BSides Las Vegas 2017 in the past.


Brutal Blogging - Go for the Jugular
4:00 pm - 4:25 pm

Kate Brew

Blogging in InfoSec is a great way to improve your visibility in the community and build personal brand. It's easy to do, but hard to do exceptionally well. I've been editor of a corporate blog for over 4 years and been blogging in InfoSec for 6 years, and I'd like to share what I've learned. Talk will focus on how to search engine optimize (SEO) your blog, how to select topics, using graphics, how to socialize and how to measure the impact of your blogs. I’ll cover the essence of an excellent job and show some examples of great blogs versus good blogs. Basically, don’t be tentative in your blogging. Have deliberate intention (what you want to accomplish) deliver with findings, research and helpful info. Don’t do clickbait! Make it so those humorless Google spiders can find your content.

Kate Brew has over 15 years experience in product management and marketing, primarily in information security. She's been editor of AlienVault's blog for over four years.


RID Hijacking: Maintaining Access on Windows Machines
4:30 pm - 4:55 pm

Sebastián Castro

The art of persistence is (and will be...) a matter of concern when successfully exploitation is achieved. Sometimes it is pretty tricky to maintain access on certain environments, especially when it is not possible to execute common vectors like creating or adding users to privileged groups, dumping credentials or hashes, deploying a persistent shell, or anything that could trigger an alert on the victim. This statement ratifies why it's necessary to use discrete and stealthy techniques to keep an open door right after obtaining a high privilege access on the target. What could be more convenient that only use OS resources in order to persist an access? This presentation will provide a new post-exploitation hook applicable to all Windows versions called RID Hijacking, which allows setting desired privileges to an existent account in a stealthy manner by modifying some security attributes. To show its effectiveness, the attack will be demonstrated by using a module which was recently added by Rapid7 to their Metasploit Framework, and developed by the security researcher Sebastián Castro.

Sebastián Castro (@r4wd3r) is the R&D Leader at CSL Labs. Born in Bogotá, Colombia, has been an information security researcher, network & application pentester and red-teamer for 6 years, providing cybersecurity services to global financial institutions and local defense government organizations. This guy has presented at national and international conferences, such as BSides, ISC² and recently Black Hat, exposing password cracking and Windows security own research. Sometimes a tenor, sometimes a hacker, Sebastián also works as an opera singer at the Opera of Colombia Chorus, participating on many national and international fancy performances with well-known singers whose names he can’t even spell.


Your Training Data is Bad and You Should Feel Bad
5:00 pm - 5:25 pm

Ryan J. O'Grady

Everyone is using Big Data and Machine Learning these days. Not sure how to solve a problem? Train a classifier! But beware the old axiom: Garbage In, Garbage Out. This talk will present three key findings from original research on the effects of training data recency in Twitter classifiers so that your next Twitter bot classifier can start off on the right footing.

Ryan O’Grady has worked in cyber security for over 10 years and is a research scientist in Soar Technology’s Cyberspace Operations business area. He is the principal investigator for a project to develop an intelligent training system for cyberspace operators that enables individualized, personalized training in realistic environments. He has a BSE in Computer Science from the University of Michigan and is currently pursuing a MS in Information Security Engineering from SANS Technology Institute

So many pentesting tools from a $4 Arduino
5:30 pm - 5:55 pm

Kevin Bong, Michael Vieau

Arduinos are cool, but making LEDs blink and monitoring the water in your houseplants can quickly get boring. Have no fear! In this talk we will show you a bunch of penetration testing tools you can build from an inexpensive Arduino Leonardo, Arduino Pro Micro or similar Arduino clone.

Kevin is a Senior Manager, Penetration Testing Lead with Sikich focusing on information security and compliance issues faced by organizations of all types and sizes. Prior to joining Sikich, Kevin spent 12 years as a Vice President of a multi-billion-dollar financial group, leading the bank’s security and IT risk management activities. Kevin is the creator of the MiniPwner, a pocket-size penetration testing device used to gain remote access to a network, and enjoys building tools and toys from Arduino and other embedded systems. He’s also an author, instructor and a speaker at conferences like RSA, DerbyCon, Security BSides and WACCI. Michael is a Managing Consultant and Penetration Tester at Sikich LLP with over 17 years of experience in information security. Michael currently maintains the MiniPwner project and works with Kevin to build and modify electronics at The Mayhem Lab. When not performing penetration tests, Michael is an adjunct professor at MSOE and enjoys presenting at different security conferences.

Michael Vieau - @michael_vieau, @minipwner, @mayhemlab