CactusCon

CactusCon13
February 14-15, 2025
Mesa, AZ

Filtering by Category: 2019-talks

The Spy Who Liked Me: Grooming and Recruiting Assets in the Age of Social Media

We've all seen really cool OSINT talks: folks can grab basically all the details of your life and lay it out for the world to see, but what's often missing from these talks is the why. So many times when speaking on this topic I hear people say, "So what? I don't care if people know my birthday, or my address... the threat isn't real." This talk draws on my experience at NATO Counterintelligence, where we used similar training to help soldiers and families resist nation-state grooming and protect their families.

In this talk I'll walk you through creating a dossier on a random public person (don't worry, obfuscated, because duh), how I learned where his kids went to school, where his class reunion was, where his wife worked, and how I would use that information to approach him to be an asset for foreign intelligence.

Next I'll walk through how seemingly trivial information shared in Facebook Groups, Meetups and other public forums helps to gain access to restricted areas, classified information and work against national interests.

Finally, we'll walk through some common sense precautions you can take to avoid these types of attacks and protect your identity online.

Tracie Martin

Tracie Martin is a Staff Technical Program Manager at Twitter. Her previous roles included working on Android Security for Google and running the Information Security section of Allied Command Counterintelligence (NATO) and incident response for Microsoft Security Response Center.

Exploiting IAM in GCP

In this talk, we will take a closer look at the Google Cloud Platform (GCP) IAM model. You’ll be introduced to the relevant concepts to understand the different types of identities, IAM permissions, and scopes. Did you know that the default IAM policy for the compute engine service account includes the ability to impersonate other service accounts, among other things?

Most importantly, we’ll learn how to leverage certain configurations of the service account to escalate privileges from a virtual machine. I will show a demo where I use a shell on a virtual machine to tear down another security control to allow data exfiltration out of the environment. By the end of the talk, you’ll understand how to impersonate service accounts, conduct recon, and escalate your privileges from a virtual machine. You’ll also get some ideas on how to mitigate against these attacks.

Colin Estep

Colin Estep is currently a threat researcher at Netskope focused on AWS and GCP. He researches the challenges with securing AWS and GCP, informing product direction for Netskope's IaaS product. Colin was previously the CSO at Sift Security (acquired by Netskope), where he built cloud-native intrusion detection for AWS and GCP. He was a senior engineer on the security teams at Netflix and Apple before joining Sift. Colin was also an FBI Agent specializing in cybercrime, where he spent a fair amount of time coordinating with other countries to locate and arrest malware authors and botnet operators.

Return to the Hundred Acre Woods, what I've learnt in 3 years, or, 3 Eeyore 5 You

In 2016 I gave a talk about how everything in appsec was broken and there was no hope for the future. In the intervening years, I have worked in adversary simulation, formal & program analysis, as well as even more threat modeling. This talk is an answer to the problems I presented in 2016, as well as why everything is still broken.

Lojikil

Lojikil is a principal security consultant at a boutique security firm. He works in threat modeling, vCISO services, program analysis with symbolic execution/abstract interpretation, and technical assessments.

Cryptography Pitfalls

We often do a poor job of implementing cryptography and other security measures in our systems. Often the primitives used are out of date and overlook very subtle flaws. These mistakes lead to systems that are hopelessly insecure despite our perception that we’ve built an impenetrable fortress. Fortunately, there are a few tools and techniques at our disposal that can ease some of the pain. In this talk, we’ll explore some of the most common pitfalls developers encounter with cryptography and restore some of our sanity.

John Downey

John Downey is the Head of Business Unit Information Security for PayPal. He joined PayPal as part of their acquisition of Braintree. Before working on security at Braintree, he worked on their highly available infrastructure and integrations into the banking system. In his free time, he contributes to open-source projects and mentors high school students in the FIRST Robotics Competition.

Extract and Visualize Data from URLs using Unfurl

Unfurl takes a URL and expands ("unfurls") it into a directed graph, extracting every bit of information from the URL and exposing the obscured. It does this by breaking a URL up into components, extracting as much information as it can from each piece, and presenting it all visually. This "show your work" approach (along with embedded references and documentation) makes the analysis transparent to the user and helps them learn about (and discover) semantic and syntactical URL structures.

Unfurl has parsers for URLs from popular search engines, mail services, and chat applications. It also has more generic parsers (timestamps, UUIDs, base64, etc.) helpful for exploring new URLs or reverse engineering. It's also easy to build new parsers, since Unfurl is open source (Python 3) and has an extensible plugin system.

No matter if you extracted a URL from a memory image, carved it from slack space, or pulled it from a browser’s history file, Unfurl can help you get the most out of it.

Ryan Benson

Ryan Benson works at Google doing DFIR and open source tool development. He has previously held DFIR roles at Exabeam, Stroz Friedberg, and Mandiant. He has experience investigating insider threats, responding to intrusions, and performing digital forensics in support of legal proceedings. He is the author of Hindsight, an open source web browser forensics tool, and researches and blogs about DFIR topics with an emphasis on browser forensics.

APT33: A Case Study on Current Geopolitical Tensions and Cyber Espionage

As political tensions between the United States and Iran continued to rise over the course of 2019, the Iranian-based threat actor, known as APT33, became more active. Increasing geopolitical tensions resulted in backlashes against the private sector as a method to disable, disrupt, and destabilize governments. Throughout Mandiant’s investigation, we observed ties between U.S. sanctions, military operations, and cyber activity. APT33’s tradecraft included trojanized executables, Run keys, scheduled tasks, services, and Windows Management Instrumentation (WMI). Evidence showed that APT33 strategically harvested credentials from thousands of systems, performed data staging, and remained undetected for years.

APT33 has shown specific interest in the aerospace & defense, energy & utilities, and oil & gas industries. We believe that Iranian-based threat actors, such as APT33, will continue to become more prolific as political tensions with Iran continue to rise. Raising industry awareness of this attacker's methodology is critical to protect companies from this threat.

This presentation will recount Mandiant’s investigation from the perspective of the incident responders and will detail how it scoped, contained, and eradicated APT33 from the environment. Attendees of this presentation will come away with a deep technical understanding of the persistence, lateral movement, and data staging techniques used by APT33.

Daniel Chun and Steve Rasch

Daniel Chun is a Senior Incident Response Consultant in Mandiant’s Phoenix office. As a part of the Incident Response team, Mr. Chun provides emergency services to clients when a security breach occurs.

Prior to joining Mandiant, Mr. Chun spent time as a consultant where he helped build security programs, conducted investigations, and delivered training. He has been involved in malware analysis, payment card forensic investigations (PFI), and security operations development in various industries, including healthcare, industrial, financial, aerospace, and hospitality.

Steve Rasch is a Principal Incident Response Consultant in Mandiant's Phoenix office. As part of the Incident Response Team, Mr. Rasch focuses on incident response, compromise assessments, and computer forensics.

Prior to joining Mandiant, Mr. Rasch was a Senior Information Security Engineer for General Dynamics Mission Systems for over 4 years. During this time, Mr. Rasch primarily served as an incident response lead and computer forensics analyst.

The Impact and Standards of Data Protection Regulations

With breaches becoming "when" statements and not "if", the focus on Data Protection Regulations and their impact on business/people gained momentum. This discussion will focus on the Data Protection Standards established in the early 2000s and how they have evolved since that time. The EU GDPR and California CCPA Regulations will be used as examples of a trend towards making data privacy law and what that means for the businesses and people who use the technologies/data impacted.

Samantha K.

Samantha K. is certified in the General Data Protection Regulation (GDPR) established by the EU May 25th, 2018. She currently works as a Governance/Risk/Compliance IT Security Analyst for an Educational Services Corporation. She is familiar with SOX Audit practices, Arizona State Data Protection Regulation HB 2154 along with infrastructure policies/practices on an Enterprise level. She worked from the ground up in IT Services and is constantly on the hunt for new and impending Data Protection Laws/Regulations.

Paying for Risk: How to Stay Objective in a Subjective World

As Bug Bounty programs continue to mature and evolve, we're faced with a problem: How do we incentivize the right things, and how do we ensure that our incentives are fair and consistent? PayPal's program has had many iterations, and in this talk we'll go behind the scenes to see how we determine what award to set.

Pax Whitmore

Pax started working on PayPal's Bug Bounty program in 2016. Prior to this role, he was a penetration tester for the US Courts and a security engineer for a major registrar and hosting provider. Before starting his IT career a decade ago, he was a photographer and film reviewer. He will argue about CVSS and movies with equal delight.

Tunneling to Freedom

If you've been in security for a while, you've probably heard about using tunnels to pivot segmented networks and exfiltrate data, but do you know the details or techniques currently in use? Do you know how to identify holes in your firewalls and understand the protocols that may allow an attacker or insider threat to bypass your proxies and transfer data out of your environment? Would you know how to detect it? "Tunneling to Freedom" takes you through the process of understanding tunnels and identifying the holes in your firewalls and security controls. Together we will explore ICMP tunneling, practical DNS tunneling, advanced SSH tunneling techniques and finally identifying protocols that could allow for data egress. Grab a shovel and a hard hat and come see how far this rabbit hole goes.

John Freimuth

John Freimuth - A security professional in the valley since 2012, currently performing penetration testing with a health care company in the valley. His previous CactusCon talks include: "Return of the Dork", "Wrangling Malware for Fun and Pentesting", and "Weaponizing your Pi".

Automated Dylib Hijacking

Applications on macOS use a common and flawed method of loading dynamic libraries (dylib), which leaves them vulnerable to a post-exploitation technique known as dylib hijacking. Dylib hijacking is a technique used to exploit this flawed loading method in order to achieve privilege escalation, persistence, or the ability to run arbitrary code. This talk provides an overview of the attack vector and the process involved in exploiting vulnerable applications. Additionally, the process of automating the exploitation of vulnerable applications will be demonstrated and discussed in depth.

Jimi Sebree

Jimi Sebree is a senior security research engineer on Tenable’s Zero Day Research team. With a strong background in software engineering and security, he bounces between research disciplines in an effort to appear knowledgeable about a variety of topics. Occasionally he succeeds in tricking someone into listening to his ramblings.

Signed, Sealed, Compromised: The Past, Present, and Future of Supply Chain Attacks

The first rule of defending networks is that a determined adversary will not be denied. This has been proven time and time again: with each high-profile compromise there is a new and clever way that an advanced adversary penetrated an enterprise of interest. Whether it be through the use of 0-days, social engineering, or kompromat, adversaries are going to do whatever it takes to achieve their mission objectives - whatever those might be. As organizations have gotten better at defending their networks, adversaries have recognized that in many cases it is quicker, cheaper, and easier not to target the organization directly, but to compromise a third party with a trusted relationship with the actual organization they are attempting to compromise. Enter supply chain attacks.

This talk will discuss one of the techniques we are seeing increase in frequency: supply chain attacks. Supply chain attacks are a broad topic, but one that has continued to evolve and mature over the last decade. We will walk through what constitutes a supply chain attack, the history of how these attacks have evolved, and finally where we see this attack technique moving in the future.

Nick Biasini and Edmund Brumaghin

Nick Biasini's interest in computers and technology started at a young age when he tore apart his parents' brand new 486SX PC. Ever since, he has been tinkering with computers in one way or another. Nick got his start in security helping protect the National Air Space and has been working in security in one role or another ever since. In his time with Talos, Nick has been responsible for exposing new details of major threats, with a focus on crimeware. This includes exposing the Angler exploit kit, identifying new techniques like Domain Shadowing, helping to stop large-scale exploit kit campaigns, and revealing clever spam campaigns delivering malware. Nick has a master's degree in digital forensics from the University of Central Florida and has worked in government and private sector environments in his career.

Edmund Brumaghin is a threat researcher with Cisco Talos. He has spent the past several years protecting environments across a number of different industries including nuclear energy, financial services, etc. He currently spends his days hunting malware and analyzing various threats as they emerge and continue to evolve. In his time with Talos he has researched ransomware and other threats being distributed using various attack vectors. He has also worked to expose large scale malware campaigns and raise awareness of security threats observed across the threat landscape.

Designing Secure Implants

Security tools often have very poor security; this talk will cover our attempts at creating a reasonably secure implant framework. This talk will cover the motivations, reasoning, design, and tricks of building secure custom implants and covert C2 channels.

Sliver is an open source, general purpose, cross-platform implant framework that supports C2 over Mutual-TLS, HTTP(S), and DNS. Sliver uses an embedded version of the Go compiler to dynamically generate implant binaries with per-binary X.509 certificates, per-binary obfuscation, and per-binary DNS canaries (unique domain strings that are deliberately not obfuscated; the server triggers an alert if one is ever resolved, indicating the implant has been discovered). Other features include in-band TCP tunnels (e.g. TCP over DNS), procedurally generated HTTP C2 messages, automated Let's Encrypt integration, and more.

Sliver supports Windows-specific post-exploit features such as user token manipulation, in-memory .NET assembly execution, process migration, and privilege escalation features.

The Sliver GUI features a reasonably secure Electron design, leveraging sandboxed webviews, custom protocol handlers, context isolation, content-security-policy, and sandbox-to-native-IPC communication.

moloch and ronan

I like computers

Associate at Bishop Fox

Bug Hunting with Structural Code Search

Searching through source code is key to vulnerability hunting and performing code audits. Regular expression search (e.g., grep) remains the fastest and most accessible way to quickly search for buggy code patterns. But writing or understanding regular expressions is still hard. For example, this pattern was used to find an integer overflow in the libssh2 library (circa 2013): "ALLOC[A-Z0-9_]*\s*\([^,]*,[^;]*[*+-][^>][^;]*\)\s*;". Although useful, what it does is not obvious. Besides being difficult to read, regular expressions like these are rudimentary: they cannot generally match nested expressions (like code blocks) and can easily lead to noisy or spurious matches. If you are interested in a new way for matching code, its applications for bug hunting, and related static analysis techniques, then this talk is for you.

This talk presents a new technique and tooling to match code in a way that is simpler and more powerful than regular expressions. Patterns are expressed as declarative syntax templates where the key ideas are that (1) patterns match code structurally (e.g., they can match content inside balanced braces or parentheses, which can nest arbitrarily) and (2) patterns understand the difference between code, data (such as strings), and comments on a per-language basis. While more sophisticated, many existing static analyzers and frameworks require users to program custom checks in order to reason over these code properties (i.e., by accessing the abstract syntax tree), leading to increased effort. I will discuss some of these design tradeoffs, and explain and demo how using declarative templates for bug hunting can take less effort compared to existing approaches (e.g., for finding suspicious code like arrays being written into inside a loop, or unchecked function return values).

In this talk you will learn about a new declarative way to search over richer code structures and see practical examples for bug hunting. You will learn about a new open source tool, comby, that implements these ideas and can complement your toolkit for code auditing tasks. You will also walk away with a high-level understanding of tradeoffs and effectiveness in the design of static analysis tools in the context of this work.

Rijnard van Tonder (@rvtond)

Rijnard holds a PhD in Computer Science from Carnegie Mellon University, where his research focused on automated bug finding and bug fixing. He is currently a software engineer at Sourcegraph, where he works on large scale code search, analysis, and modification. Previously, Rijnard worked on improving analysis reasoning and performance of state-of-the-art static analyzers at Facebook (e.g., Pyre for Python). He continues to have a research interest in the overlap of automated program repair, program analysis, and program transformation, with an emphasis on bringing new advances in these areas to practice.

One If By Land, Two If By Uber - Lessons Learned From the Worst Physical Assessment Ever

No car, no contacts, no problem - this 20-minute talk is meant to entertain and discuss the flexibility and perception skills that are a requirement for a professional penetration tester. While relaying several anecdotes about the worst physical penetration assessment ever performed, this talk will provide a high-level discussion on applied improvisation and how it relates to security assessments. Timing permitting, it will also go into ways for the audience to sharpen that skillset.

Witch

A Security Consultant and penetration tester for a private firm, Meag is also known as Witch_Sec on Slack and Twitter.

Hacking Your Anxiety

Anxiety/Stress is known to cause people to leave our field. Burnout is one of the most common problems as to why leadership/senior employees choose to move on to something else. I have wanted to put a collection of my experiences and feelings together for a long time in the hope that it could help people just coming into the business so they make better decisions than what I have during incidents/time of employment. If we can get even one person to seek out help, or utilize some of the suggestions during high stress periods in their life, we can say that we have successfully improved the stability of our field, even if it's just by a little bit.

Destruct_Icon

I am Jason Azzarella and I work with Bechtel as part of the CIRT (Computer Incident Response Team). I have been part of this family for over seven years and have worked in the security field for a little over eight. Security has been more than a job for me. It has been an escape from the scary world we live in.

Owning a Security Camera

I will be attacking the Merit LILIN security camera suite. This includes the NVR and a dozen cameras. This is not your typical Amazon special; it's much more complex. I will be covering how to extract binaries from the firmware, how to use Ghidra / IDA / binutils to find vulnerabilities, and then cover found vulnerabilities of the stack smashing variety as well as other found vulnerabilities such as exposed keys, weak passwords, web vulnerabilities and the like.

Joe Giron

Local hacker / 2600 organizer / smuggler of spice.
Find out more of his exploits on his website https://gironsec.com

Overcoming the 3 Common Failures Within Vulnerability Management Programs

Over my many years of security consulting with organizations, I've always had a love for helping to create effective vulnerability management programs. The reality within both Fortune 100 and SMB organizations is that vulnerability management programs often struggle (and sometimes fail) within three common areas. My presentation will focus around how I've found success in addressing these program failures. I'm planning to include a lot of stories based on my experiences along with a few stories I've heard from other industry experts. My goal is to provide guidance and an approach so that members of the audience will be able to help build effective vulnerability management programs of their own.

Andy Jordan

Andy Jordan (CISSP, CISM, MCSA, MCP, Security+, Network+, ITIL v3, LeanIT) has built and managed multiple security programs for numerous large and small organizations throughout his 12-year career. He uses lean and agile methodologies to create demonstrable value within complex infrastructure and security programs. He is an active figure in the information security community, having presented at several venues as well as contributing to SC Magazine.

DIRE: Renaming Variables in Decompiled Code with Neural Nets

Decompilers transform binaries into high-level source code, and are a critical part of the working hacker's arsenal of tools for malware analysis, reverse engineering, and exploit development. Over time, decompilers have become increasingly sophisticated in reconstructing information lost during the compilation process (e.g., code structure and type information). A longstanding issue is recovering meaningful variable names that correspond to the intent of the original code.

This talk presents DIRE (the Decompiled Identifier Renaming Engine), a new probabilistic technique that uses both lexical and structural information to recover variable names. Where current state-of-the-art tools recover variable names like "a1" or "iVar", DIRE correctly recovers meaningful variable names like "filename". We present our approach for training and evaluating models of decompiled code using a large corpus of 164,632 unique x86-64 binaries mined from C projects on GitHub. We share our results of DIRE's large scale application and show that it can predict variable names identical to the names in the original source code up to 74.3% of the time.

You'll leave this talk with knowledge of new techniques in binary decompilation, and practical tooling for more accurate variable name recovery. You'll also learn about state-of-the-art approaches in decompilation, outstanding challenges, and new ways for addressing these challenges.

Jeremy Lacomis

Jeremy Lacomis is a Ph.D. student in the Institute for Software Research at Carnegie Mellon University. His research interest is in search-based software engineering, automated code and binary transformation, and improving tooling for reverse engineers. Jeremy holds a B.A. in Computer Science from the University of Virginia and an A.S. in Computer Science from Piedmont Virginia Community College.

Deception-NET: Build Your Own Deception

The security of cloud applications using traditional/reactive defense mechanisms such as signature-based detection (IDS/IPS), vulnerability scanning and software patching alone is not sufficient against the intelligent adversary. Reactive security can be bypassed by using variants of known attacks, fragmentation of network traffic, etc. Our framework "Deception-NET" utilizes an intelligent learning approach to collect network flows, host and access logs, and IDS alerts to train a model which can detect the different variants of attacks. A game-theoretic decision is used to deceive adversaries. Deception-NET utilizes a situation-aware game-theoretic framework. The deception redirects persistent adversaries into accessing fake web applications, cryptographic keys and dummy documents. We showcase how cybersecurity practitioners and researchers can set up such a training environment using light-weight and modular services such as Docker ELK, vulnerable Docker containers, and Docker honeypots. In effect, small scale security providers will benefit by setting up a modular on-premise deception network instead of using third-party services.

Ankur Chowdhary, PhD Candidate, Arizona State University

Ankur Chowdhary is a PhD Candidate at ASU, and coach for ASU's National Collegiate Cyber Defense Competition (NCCDC) team. Ankur is co-founder and CEO of cybersecurity startup CyNET LLC. He also co-founded the hacking club DevilSec at ASU, aimed at teaching offensive and defensive security. He is interested in the advancement of cybersecurity by application of a multi-disciplinary approach - Artificial Intelligence, Machine Learning, and Game Theory. Ankur has co-authored one cybersecurity textbook titled "Software-Defined Networking and Security: From Theory to Practice", and 24 peer-reviewed research papers in the field of cybersecurity. In the past, Ankur has worked for Blackberry Ltd. as a Security Research Intern (2016), as an InfoSec Intern at RSG (2015), and as a Software Engineer at CSC (2011-13). He received his MS in CSE from ASU in 2015 with a specialization in cybersecurity, and a B.Tech in IT from GGSIPU in 2011. Details of his research work and current activities can be found at his website https://www.public.asu.edu/~achaud16/.

Threat Hunting Like a Scientist

As environments become more complex and robust, how do threat hunters stay on their toes to remain quick and effective? The scientific method allows a threat hunter to develop a flow to their working process that ensures they remain on target while deepening their knowledge of the environment they're working in. This presentation will give an overview of how to adapt the scientific method to a threat hunting position on an IT Security defense team, while providing a methodology for more effective detection of malicious actors.

Kimber Duke

As a security analyst working for Stage 2 Security, Kimber's security interests range from social engineering to network defense, with the addition of SDR and IoT manipulation in between. She is a member of DC801, founded Defcon Girl Gang, and is currently developing blue-team curriculum for a community college in Tucson, Arizona.