
Friday, May 3
 

8:00am

Registration and Breakfast
Friday May 3, 2019 8:00am - 9:00am
KEC 17 Market Square Suite 101, Knoxville, TN 37902, United States

8:45am

Opening Remarks
Friday May 3, 2019 8:45am - 9:00am
Scruffy City Hall 32 Market Square, Knoxville, TN, United States

8:45am

Opening Remarks Simulcast
Friday May 3, 2019 8:45am - 9:00am
KEC 17 Market Square Suite 101, Knoxville, TN 37902, United States

9:00am

Dear Blue Team: Forensics Advice to Supercharge your DFIR capabilities and timing
In an age where data breaches and malware infections are quickly becoming the norm, we must prepare for Digital Forensics and Incident Response (DFIR). Most DFIR talks and advice discuss what to do once an incident has occurred. Instead, this talk provides Security Architects, System Administrators, SOC teams, and management new techniques and advice to supercharge their IR capabilities by preemptively collecting forensic evidence as a baseline.

The content provided in this presentation goes beyond the age-old advice of verbose logging and asset inventories. It will promote a cooperative relationship between DFIR and the rest of the Blue Team. We will kick this presentation off with a discussion about Threat Hunting versus Forensics. During this presentation, blue teamers and management will be armed with actionable advice as to how to pre-emptively capture artifacts as baselines BEFORE anything ever happens and the actions to take WHEN something happens.

Speakers
Joe Gray

Senior Security Architect, IBM
Joe Gray joined the U.S. Navy directly out of High School and served for 7 years as a Submarine Navigation Electronics Technician. Joe is currently a Senior Security Architect and maintains his own blog and podcast called Advanced Persistent Security. In his spare time, Joe enjoys...


Friday May 3, 2019 9:00am - 10:00am
KEC 17 Market Square Suite 101, Knoxville, TN 37902, United States

9:00am

Extracting the Attacker: Getting the Bad Guys Off Your SaaS
The Microsoft Office 365 suite contains many applications that can help organizations do some amazing things. But every once in a while, a user account will get compromised by an attacker. You can (and should) reset the user password, but is that enough? If that was all you needed to do, this would be a VERY short session. Regaining control of a user account does take a little more effort to ensure the attacker isn't just temporarily inconvenienced.

How do you extract the attackers and get them off your SaaS?

I'll walk you through some sneaky areas where attackers can retain access, and show you how to shut it down.

I can almost guarantee I'll show you some attack methods you haven't thought of before!

Speakers
David Branscome

Security Architect, Microsoft
David is a 10 year veteran of Microsoft, currently working as a security architect, helping Microsoft partners learn and deploy the latest Microsoft security technologies in Office 365, Windows 10 and Azure. David holds numerous certifications, including CISSP, GCWN, GISP, GCED, CCSP...


Friday May 3, 2019 9:00am - 10:00am
Preservation Pub 28 Market Square, Knoxville, TN 37902, United States

9:00am

Investigating IPv6 via UPnP
Projects like ZMap and Masscan have made scans of the entire IPv4 Internet very practical and have resulted in interesting insights into the state of the Internet. However, with growing adoption of IPv6, very little has been done in the way of IPv6 scans because exhaustive scans cannot be performed due to the size of the address space.

Motivated by this, a number of projects have come up with different ideas to unmask in-use IPv6 addresses. The Shodan organization had set up IPv6 network time protocol servers so random clients would connect to them and reveal their IPv6 address, which Shodan would then scan and make accessible in their database. The IPv6.farm project has abused certain properties of DNS and DNSSEC to reveal in-use IPv6 addresses and presented their analysis in a number of papers (https://ipv6.farm/).

In 2015 Martin Zeiser and I presented a joint talk about client-side UPnP attacks at PacSec. Martin talked about interesting UPnP scans he was exploring at the time and I covered a memory corruption vulnerability that we had found previously. Recalling this, we had an idea to use UPnP to unmask IPv6 addresses.

By sending a specific UPnP packet, we can have the target connect back to a URL of our choosing. Supplying an IPv6 URL and sending the packet to an IPv4 address of a dual-stack host would make it connect back to us over IPv6, thus divulging its IPv6 address. By doing this over the whole IPv4 address space we would get back a sizable number of dual-stack UPnP hosts that would reveal their IPv6 address to us.

Further analyzing the gathered data revealed some interesting facts. Doing this across all of IPv4 address space results in IPv4-IPv6 address pairs, which lets us perform interesting additional scans. This revealed a number of hosts with interesting firewall discrepancies between IPv4 and IPv6 side. Also, with UPnP usually being used for local network discovery, the dataset consists of mostly end consumer devices/hosts, IoT devices and similar which is in contrast to the types of hosts scanned in IPv6.farm and Shodan NTP projects giving us a glimpse into this previously unexplored category of targets.

In this presentation we would talk about the IPv6 scanning problem and previous research as motivating examples, we would present our methodology for conducting the initial IPv6 address discovery and subsequent scanning and present our analysis and interesting findings: the unexpected filtering, discrepancies between actual and reported IPv4/IPv6 pairs, cases of lack of filtering on IPv6 side where IPv4 is properly firewalled as well as some facts about the dynamic nature of hosts in this category (usage of Teredo, 6to4, IPv6 MAC mappings...).

Speakers
Aleks Nikolic

Security Researcher, Cisco Talos
Aleks is a security researcher mostly interested in reverse engineering, code auditing and program analysis with focus on vulnerability discovery. As part of a Cisco Talos vulnerability research team, his tasks involve developing novel fuzzers, tools and techniques for finding software...


Friday May 3, 2019 9:00am - 10:00am
Scruffy City Hall 32 Market Square, Knoxville, TN, United States

10:00am

Starting from Scratch: Building a security program from the ground up in 365 days
Scenario: You’ve been put in charge of InfoSec for a business with no existing security posture and the executive team thinks that Antivirus and Firewall is a sufficient InfoSec budget. They expect results in one year.

At the end of this talk you will have a roadmap for the first year of implementing a security program, with some understanding of what those who have come before you have done. I hope to explain my mistakes so that you don’t have to make mine; you can make your own.

Speakers
Hudson Bush

Senior Information Security Architect, K2 Solutions, Inc.
Hudson Bush is a Senior Information Security Architect at K2 Solutions, Inc. in Southern California. When not homebrewing, Hudson spends his time assisting small and medium businesses with securing their networks. 


Friday May 3, 2019 10:00am - 11:00am
Preservation Pub 28 Market Square, Knoxville, TN 37902, United States

10:00am

The sound of evil
Our ears are the original nexus of information security. The environments we're in are constantly streaming valuable information to us. All we have to do is listen properly. "Let he who has ears" and all that. Join me as we explore the fascinating world of audio security. We'll cover:
  • some meta information about audio
  • the basics of digital signal processing
  • the fascinatingly complex world of determining what "silence" means
  • modern machine learning approaches to sound event detection
  • attacks on audio interfaces like Alexa

Speakers
Wes Widner

Crowdstrike
Wes Widner engineers clouds with Crowdstrike. Large-scale distributed threat intelligence systems that span a range of threat vectors are his bread and butter. His work history includes data engineering with McAfee Labs' Global Threat Intelligence department and malware pipelining...


Friday May 3, 2019 10:00am - 11:00am
Scruffy City Hall 32 Market Square, Knoxville, TN, United States

10:00am

The Many Faces of Emotet: Annoyance or Threat?
Emotet has been around for several years. For some it is considered "commodity" malware, while for others it is a real threat to their financial accounts or even their enterprise. Meanwhile it continues to evolve and present new and different threats.

My interest in Emotet as a threat sparked this year as I continued to see variants of it slip past security controls with mixed success and a wide variety of payloads.

In this talk we will explore the origins of Emotet and how it has evolved. We will explore the TTPs associated with it and motivations of those behind it. We will discuss various methods of defense against this attack and responses for systems that have been compromised. Finally, we will speculate about the types of future attacks we might see from and related to Emotet.

Speakers
John Helt

Global Security Operations Center Manager, Discovery Networks
My introduction to infosec began when I hooked up my first 300 baud modem to a Texas Instruments 99/4a computer, discovered bulletin boards, and the Compuserve username & password someone had noted on the underside of the keyboard at my local Radio Shack.   My education includes...


Friday May 3, 2019 10:00am - 11:00am
KEC 17 Market Square Suite 101, Knoxville, TN 37902, United States

11:00am

UNIX: the Other White Meat
As the targets in many penetration tests and red team activities as well as being the focus of much of the active research being performed in the InfoSec arena, Windows takes center stage. However, we are not going to be talking about Windows; we are here to discuss Unix (and Unix-like OSes). While these systems can and do contain some of the most critical information on many networks, we feel they do not get enough time in the spotlight. So, if you want to learn a bit more about Unix and what you can do to/with it as a pentester, then please stop by and have a listen.

Speakers
David Boyd

Security Consultant, TrustedSec
David Boyd (@fir3d0g) has been working as a penetration tester in Knoxville since 2013. He is a Christian, husband, and father that also enjoys geek culture, video games and Mountain Dew. He has worked in several environments including education, military, retail, government, media...

Adam Compton

Senior Security Consultant, TrustedSec
Adam Compton has been a programmer, researcher, professional pentester, father, husband, and farmer.  Adam has around 2 decades of programming, network security, incident response, security assessment, and penetration testing experience. Throughout Adam's career, he has worked for...


Friday May 3, 2019 11:00am - 12:00pm
KEC 17 Market Square Suite 101, Knoxville, TN 37902, United States

11:00am

Regions are types, types are policy, and other ramblings
Semantically related objects often get grouped together in memory, and it is about time we take advantage of this in developing software hardening measures.  Types can be naturally assigned to regions of memory in a flexible manner.  Such types can form the basis of a practical and intelligible access control policy. This observation allowed me to retroactively harden an instance of the U-Boot bootloader, to model the bootloader's intentions and build an access control policy that mediated its behavior.

Typed region-based hardening measures can be applied to other kinds of software to not only protect against low-level memory vulnerabilities but also to help protect and address high-level logic-based attacks (i.e., instances of weird machines).

Speakers
Rebecca

Senior Security Researcher, Narf Industries
Rebecca (bx) Shapiro enjoys tinkering with systems in undocumented manners to find hidden sources of computation. She has previously studied the weird machines present in application linkers and loaders, publishing some nifty PoC along the way, but has since turned her focus towards...


Friday May 3, 2019 11:00am - 12:00pm
Scruffy City Hall 32 Market Square, Knoxville, TN, United States

11:00am

Talking Cars: from Can't to CAN
Modern vehicles can be incredibly vulnerable to cyber exploitation. Researchers across the world have demonstrated scary manipulations such as remote control of an unaltered vehicle, unsigned code execution, and the ability to interfere with cars in traffic. Largely, this problem stems from the inherently vulnerable networks which exist on automobiles manufactured after 2008--Controller Area Networks (CANs).

Some security implications of a CAN are that it is a broadcast bus network, allowing all nodes to receive messages with no explicit addressing, and it has no way to authenticate and identify nodes on the network. Therefore, it is extremely straightforward to induce physical changes on an automobile with potentially dangerous consequences.

When CAN was mandated in 2008, it was not particularly concerning that one could develop after-market solutions using the intra-vehicular network. After all, CAN requires proprietary tools (a CAN Controller and CAN Transceiver) along with the knowledge required to program and interface these tools. In recent years, however, automotive CANs have been a topic of interest for homebrew hackers and security professionals. This has been facilitated by the widespread use of inexpensive single-board computers, such as Raspberry Pis and Arduinos.

This presentation will detail the technical aspects of CAN. Particularly, we will discuss messaging at the bit level, arbitration and error handling, common CAN tools and libraries, and network patterns which exist across many makes/models. By the conclusion, attendees will be equipped to build their own automotive interfaces and begin engineering their own after-market solutions.

Speakers
Samuel Hollifield

Student Researcher, ORNL
Samuel Hollifield is a student researcher at the Oak Ridge National Laboratory with the National Security Sciences Directorate. His work has contributed to the development of cybersecurity applications that impact the safety and reliability of automotive systems. He's an advocate...


Friday May 3, 2019 11:00am - 12:00pm
Preservation Pub 28 Market Square, Knoxville, TN 37902, United States

12:00pm

Lunch
Friday May 3, 2019 12:00pm - 1:00pm
Oodles Uncorked 18 Market Square, Knoxville, TN 37902, United States

1:00pm

Keynote Simulcast
Friday May 3, 2019 1:00pm - 2:00pm
KEC 17 Market Square Suite 101, Knoxville, TN 37902, United States

1:00pm

What Can League of Legends Teach Us About Cybersecurity?
In this talk, I put together two things we don’t often associate with cybersecurity: The League of Legends game and human psychology.

As an avid gamer, I often saw parallels between the tactics used to win games like League of Legends and the mentality that guides human behavior in general. Thus, when the subject of security awareness and end-users came up, I began to think about how we could address cybersecurity challenges in ways similar to how challenges are addressed in a game.

This realization allowed me to connect League of Legends, human behavior, and cybersecurity in a way that could make us think twice about how we approach the “end-user problem”.

Speakers
Fareedah Shaheed

Fareedah Shaheed was born in Maryland but spent most of her childhood outside of the US. She returned to the States in 2013 and attended the Community College of Baltimore County (CCBC), where she majored in Cybersecurity. Her experiences with different cultures and the tech field...


Friday May 3, 2019 1:00pm - 2:00pm
Scruffy City Hall 32 Market Square, Knoxville, TN, United States

2:00pm

Reverse Engineering Small Radios for Compatibility
Suppose that you have a small radio, such as a wireless sensor or a digital walkie talkie, and you'd like to talk to it. This action packed talk will show you how to rip the configuration from the airwaves, the firmware, or the SPI bus of an embedded radio, then write them into your own hardware to receive and transmit packets. Learn how to extract keys when crypto is good, or how to efficiently crack it when it's not. Learn how to track down the interesting parts of firmware for patching, and how to rewrite the firmware from scratch and a few notes. These examples are taken from real hardware.

Speakers
Travis Goodspeed

Travis Goodspeed is ecstatic to live in Knoxville again, where he drives an Ectomobile and a '64 Studebaker.  He collects reverse engineering tricks.


Friday May 3, 2019 2:00pm - 3:00pm
Scruffy City Hall 32 Market Square, Knoxville, TN, United States

2:00pm

Building a Bridge to a Legacy Application - How Hard Can that Be?
My team loves working on legacy code projects. It's all that we do. That's why a friend of mine reached out to us for some help.

His startup was building out a universal API across a very fragmented industry with little to no interoperability or standards. Up until now, integrating with the systems in that industry had been pretty easy, because the companies that built them were willing to help.

But now he'd found one that wasn't willing to help. There was no obvious API for getting data out of the legacy application so that it could be exposed via his company's API. A big client for his company was riding on his ability to be able to pull this off. He remembered how much I loved a challenge and how much my team loved legacy code, so he figured we were his best shot.

The goal was to be able to read from the application's database.

In this talk, I'll cover
  • the different approaches that we took
  • the one we really wanted to try because we thought it would be fun
  • the approaches that we needed to try before we could attempt the fun one
  • the excitement that we felt while working on it
  • the grind toward completion once the big technical hurdle was crossed
  • the sense of achievement when we got a read-only solution built
  • the hope that we'd get the green light to start working on a read-write solution
  • the disappointment when the plug got pulled and we weren't authorized to proceed any further

It was a fun journey, and I'd love to be able to share it.

Speakers
M. Scott Ford

CTO, Corgibytes
Leading the Corgibytes technical team is Scott, who has been called the “Bob Vila of the internet.” Scott is a polyglot developer who, at last count, is fluent in over twenty programming languages. Scott’s love of software restoration and remodeling began in college where he and his team were responsible for retrofitting the testing tools for the X-31 jet fighter. Since th...


Friday May 3, 2019 2:00pm - 3:00pm
KEC 17 Market Square Suite 101, Knoxville, TN 37902, United States

3:00pm

Beyond the Buzzwords: How Security Can Use Marketing Concepts to Prosper
Given today’s cybersecurity shortage and the hype that accompanies it (“1.5 million jobs will be unfilled by 2020! No, It’s 3 million!”), it would be easy to conclude that learning or keeping up with networking, coding, incident response, threat hunting, and the like is the critical factor for finding and retaining security employment. While it’s certainly true that cybersecurity practitioners will need technical skills—it’s a technical field, after all—there is another aspect to succeeding in the field in the future.
Marketing.
Yes, “marketing” is a dirty word to most security practitioners. Everyone who hears the term immediately conjures up images of vendor marketing departments — the people scorned by many hackers for not having an adequate level of technical knowledge, or the team that relies on catchy buzzwords to sell a product rather than focusing on actual features, capabilities, and technical differentiators. Though marketing people have been known to go overboard on jargon, taking a page out of marketing playbooks can help security practitioners ensure they are meeting the demands of the modern security team, one that understands and is aligned with business needs (vs. one focused on blocking and tackling security threats), and one that enables organizations to move faster with requisite levels of cybersecurity protection.
What will people learn from this talk:
Marketing isn’t about buzzwords (when done right); it’s about conveying information accurately, in a way that resonates with your audience.
Why is this important for security employment? Most non-security people don’t know the minute technical details about how security works and they don’t care. They don’t need to care (just like security pros don’t need to care about the nuances of building web traffic or conversion rates). People do care, however, if they can’t access their stuff. Executives care a lot when the company is distracted from making money. Cyber attacks, breaches, data loss all contribute to distractions from that goal. 


Ultimately, this talk will share marketing concepts you can easily apply to your security program and to ensuring future job security.

Speakers
Katherine Teitler

Director of Content, Edgewise
Katherine Teitler leads content strategy and development for Edgewise Networks. In her role as Director of Content she is a storyteller; a translator; and liaison between sales, marketing, and the customer. Prior to Edgewise, Katherine was the Director of Content for MISTI, a global...



Friday May 3, 2019 3:00pm - 4:00pm
KEC 17 Market Square Suite 101, Knoxville, TN 37902, United States

3:00pm

The Race to Secure Texas Instruments Graphing Calculators
Over the years, Texas Instruments graphing calculators have evolved from simple programmable devices with fixed ROMs to complex, USB- and wifi-capable Flash upgradeable computers. Because of their widespread adoption for use in classrooms, Texas Instruments is forced to implement security measures that prevent tampering of the calculator's operating system, storage and usage of notes during tests, temporarily crippling or disabling built-in features, and even outright code execution.

For well over a decade, I have implemented and released exploits that enable writing to Flash memory, allow unsigned code execution, bypass teacher restrictions (which can be enabled by anyone, not just teachers), and open up the hardware to its full potential, even going so far as using it to jailbreak a PS3 or boot a desktop PC via USB flash drive simulation.

In this talk, I will provide a technical overview of the history of achieving and maintaining unsigned code execution on the various graphing calculator models Texas Instruments has released over many years, as well as a personal recollection on how the first Flash unlock exploits were created and evolved to keep up with TI's fixes, how the 512-bit RSA OS signing keys were factored and the legal fallout, and the current challenge to find and utilize new vulnerabilities for the latest models.

Speakers
Brandon Wilson

Brandon Wilson is an East Tennessee State University graduate, software developer, application security consultant, and hacker of random things like game consoles and TI graphing calculators. An avid tinkerer of anything USB-related, he has spoken at DerbyCon about BadUSB and appeared...


Friday May 3, 2019 3:00pm - 4:00pm
Scruffy City Hall 32 Market Square, Knoxville, TN, United States

4:00pm

Exploit development for penetration testers
Where is the line between misconfiguration and vulnerability? Red team attacks generally succeed by exploiting well-worn paths, as the resources required to discover new zero-days tend to be more fruitfully spent elsewhere. But does this mean that red team coders don't get to write any interesting new exploits? Far from it!

In this talk, we will walk you through the process of developing a novel file format exploit and using it to root a public cloud service during a 2018 red team. This research, which the authors first presented at Derbycon 8.0, will be accompanied for the first time by the release of a new open source tool.

Speakers
Adam Reiser

Security engineer, Cisco ASIG
Adam is a security engineer with Cisco's Advanced Security Initiatives Group. His work includes pentesting, redteaming, and exploit research. He cultivated an early interest in infosec as a sysadmin at the Open Computing Facility at UC Berkeley, while there completing his physics...



Friday May 3, 2019 4:00pm - 5:00pm
KEC 17 Market Square Suite 101, Knoxville, TN 37902, United States

4:00pm

Hacker Jeopardy
Did you know that we’re having Hacker Jeopardy? Email info@bsidesknoxville.com with your team of up to 4 contestants! We just need a team name and a list of people on your team.

Don’t know what Hacker Jeopardy is? There are many examples of it on YouTube, though our version will be notably ’cleaner’ than anything DEF CON puts on :)

Friday May 3, 2019 4:00pm - 6:00pm
Scruffy City Hall 32 Market Square, Knoxville, TN, United States

5:00pm

Find out what happens when 70 universities and 1000 volunteers participate in a cyber security competition
Oak Ridge National Lab, in cooperation with six other National Labs, has now twice held a cyber security competition across the nation, involving 70 university teams, and 1000 volunteers. The most recent event was in December 2018. The competition expanded from one held at Argonne National Lab involving schools and resources local to the Chicago area. The Department of Energy now sponsors the competition and changed its name to CyberForce (tm) (cyberforcecompetition.com) in order to emphasize its goal of workforce development. A unique feature of this competition is each team receives a physical Industrial Control System that is part of what they have to defend. The remainder of their systems are in the cloud - the last two competitions have used Microsoft Azure. The Blue Teams are in the role of making sure their power plant remains operational in spite of attack by Red Team professionals. The hybrid of cloud and physical resources is part of the challenge the students face when competing in this competition. Another unique feature of the competition is the role of Green Teams who are non-specialists who come in on competition day, read the documentation, and operate the power plant. They do not have direct connection to the Blue Teams, except through whatever help desk system is specified and maintained by the Blue Teams. The teams have a month beforehand with their competition environment in order to prepare for the day of competition.

This talk will describe the full competition environment and structure, the various ways that this competition helps with workforce development, datasets captured competition day, and the relationships between businesses, universities, military, and laboratories that are a part of this competition. In addition, for this B-Sides talk, we will describe the technical details behind the competition. Especially interesting to the audience will be:
  • The role of the Red Team attackers. In the most recent competition the Red Teams operated as an inside threat.
  • The technical details for how Azure was used to facilitate the hybrid structure of the competition.
  • The preparation of the computer systems given to the students.
  • The ICS devices and how SCADA protocols are implemented for the contest.
  • Some overall story arcs of how vulnerabilities were built-in, found, and exploited.
The competition put the students into the scenario of being new employees in an unfamiliar environment, charged with supporting and protecting a vital business, using systems that they did not set up. This scenario describes what most security professionals face often in their careers.

The speakers are Jeff Nichols, Ph.D., Chris Craig, M.S., and Raymond Borges, M.S. All are members of the National Security Sciences Directorate at Oak Ridge National Lab. Jeff is the lead at ORNL for the competition. Chris and Raymond led the Red Teams.

Speakers
Chris Craig

ORNL
Christopher Craig is a cyber security software engineer in the Vulnerability Research Group at Oak Ridge National Laboratory. Christopher gained 5 years of experience as a penetration tester and security analyst for Cisco Systems. For the past three years, his work at Oak Ridge National...

Jeff Nichols

Cyber Security Research Scientist, ORNL
I have been a research scientist at Oak Ridge since 2008. I wanted to be a scientist since I was a kid. I liked graduate school so much that I went twice taking 18 years to complete my Ph.D.


Friday May 3, 2019 5:00pm - 6:00pm
KEC 17 Market Square Suite 101, Knoxville, TN 37902, United States