CactusCon

CactusCon13
February 14-15, 2025
Mesa, AZ

Keynote: Eva Galperin

CactusCon is proud to announce CactusCon 2021 keynote speaker: Eva Galperin! Eva is the Director of Cybersecurity at the Electronic Frontier Foundation (EFF). She also serves as a technical advisor to the Freedom of the Press Foundation and the Callisto project. Eva has conducted pivotal research on the privacy and security of vulnerable populations, and we here at CactusCon could not be happier to have her on board!

For more info about Eva, please see her EFF staff page:
https://www.eff.org/about/staff/eva-galperin

Eva’s Twitter: https://twitter.com/evacide


Keynote: How to Build a Threat Lab

EFF's Director of Cybersecurity will talk about her experience as a public interest technologist, working with activists, journalists, and other vulnerable populations all over the world. She will discuss the origins of EFF's Threat Lab and talk about its work, including the Atlas of Surveillance and Dark Caracal. Most importantly, she will talk about how you can become a public interest technologist yourself and help to speak tech to power.

Keynote: April C. Wright

CactusCon is proud to announce CactusCon 2021 keynote speaker: April C. Wright! April is “a hacker, author, teacher, and community leader who has been breaking, making, fixing, and defending the security of global critical communications and connections for over 25 years.” She is an international speaker and trainer, educating and advising on matters of privacy and information security with the goal of safeguarding both individuals' online rights, and the digital components we rely on every day. We here at CactusCon appreciate April’s work and are delighted to have her on board.

For more info about April, please see the About section of her Webpage:
https://architectsecurity.org/

April’s Twitter:
https://twitter.com/aprilwright


Keynote: Personal Branding, Safely:  Protect yourself from a world of creeps and criminals

As you set forth on your personal branding journey, it is important to not only consider the amazing and fulfilling advantages and opportunities, but also to consider the possible risks and threats you may face. Ask any celebrity, well-known Twitter personality, or vocal hacker, and they will all tell you that there are people out there who may, at one time or another, want to make you unhappy. They may do this by exposing your personal information publicly or by harassing, bullying, or stalking you. When you understand who could pose a threat and why, as well as what harm they could do and how they would do it, you can perform a Personal Risk Assessment and remediate many vulnerabilities your personal info may have.

There is no such thing as perfect security or perfect privacy, however there are important actions you can take to prepare, active measures you can practice, and ways to monitor for threats and compromises. Knowing what to do if something does happen will also prepare you to respond appropriately. This process will help empower you to be less worried and confident that you have done all you could and are ready to take on the world. Join us to learn step-by-step how to bolster your personal privacy, assess your online footprint like a criminal would, defend against future attacks, and handle privacy threats that may (hopefully never) come your way.

MQTT: Tiny Protocol, Big Vulnerabilities

Have you ever wondered how your IoT device talks to your phone? Or how industrial factories collect data from sensors? Odds are pretty good they use a tiny protocol called Message Queuing Telemetry Transport (MQTT). Join me as we learn more about this tiny protocol and discuss common implementations and vulnerabilities. Learn how to find open MQTT brokers using Shodan and then learn how to build your own internet scanner using Masscan and nmap.

Tracie Martin is a Principal Security Engineer at a really big book store. Previously she's worked in a variety of roles in various tech companies such as Google, Microsoft and Twitter. She is passionate about making security accessible and approachable to everyone and changing the culture of no.

She also runs a womxn focused security conference in Seattle called DefendCon.

Reverse Engineering Websites

In the ideal world, every engagement would grant you source code access and a copy of the application/environment. Having 100% visibility into the static and dynamic environment of an application is incredibly powerful. By its nature, it eliminates the need for guessing and will make attacks significantly more informed and reliable. Simply put, a better job can be done because this is a position of advantage. In all situations less than that ideal, we can use reverse engineering to get into that position.

This talk outlines the concepts, strategies, and specific methods I have used to learn the inner workings of websites for exploitation. We will specifically cover:

  • pattern matching to quickly identify technologies

  • deductive and inductive reasoning as ways to dial in our understanding

  • how to ask informed questions to prove out those assertions

  • walkthrough of how code structures look, and what the rendered website will show

  • demonstration of decomposition techniques

kuzushi

I have spent nearly two decades working with technology. The first half of my career was spent as a professional developer, and for the last 10 years of my career I have worked as an ethical hacker / cyber security professional / offensive security consultant. I have personally performed hundreds of penetration tests throughout the last decade, and I have led even more. I specialized in application security and secure developer training. For the last few years I've continued my growth into executive leadership, where I have built and led international and national teams of security testers to deliver the highest quality penetration tests. I am currently the Vice President of security consulting services for Bishop Fox.

Extracting a Bootloader’s AES Key via a Power Analysis Side Channel Attack

As manufacturers fortify their IoT devices, security validation from a third party has become difficult. Encrypted updates on secure devices make firmware extraction close to impossible on many microcontrollers. A researcher may spend months hacking the interfaces, trying to find a software vulnerability without success. Power Analysis based Side Channel Attacks (SCA) follow a systematic approach to recover the bootloader’s keys without relying on the device having a vulnerability.

This talk will summarize the technique we used to extract a secure Microchip ATSAMD21 bootloader key via a Power Analysis based SCA. I will be going over the broad details of my article, “A Practical Guide for Cracking AES-128 Firmware Updates,*” which will provide attendees the steps needed to perform a SCA on our target. Fortunately for a researcher, this flow can be used to extract keys from most secure microcontrollers.

Mark Kirschenbaum owns and operates Hypoxic, an action sports electronics company. Primarily developing camera controllers, Mark has continuously reverse engineered products to add hardware and software functionality for his clients. Prior to Hypoxic, Mark developed programmers and debuggers for a leading embedded microcontroller company. Side Channel Attacks have become Mark’s area of interest and he looks forward to sharing his real world experiences with other like minded hackers.

Linux IR: Windows of Opportunity

This talk aims to expose individuals to incident response in a Linux environment. Many talks and trainings primarily focus on Windows environments with little to no mention of the unique challenges that exist within Linux environments. We will be working through a sample from the SystemdMiner family and highlighting its behavior as captured by open source tooling (ELK/OSQuery/Suricata/Zeek). I'll showcase how Linux incident response differs from Windows as well as where both worlds collide.

Jon Wade has spent close to the last decade wearing as many security hats as possible while being a security engineer at GoDaddy. He enjoys tackling interesting challenges and punching miscreants whenever possible. He believes that all you need to perform initial triage in Linux is the lsof command.

Workshop: Analysis 101 and 102 for the Incident Responder

You have a theory about something you have found while roaming the network or conducting your own hackfest, but how do you go about proving it? This workshop will be a hands-on journey deep into the world of analysis. While analysis is a bit of an art form, there are methods that can be applied to make it less of a gut feeling and more of a scientific approach to support your hypothesis. From network forensics to log analysis to endpoint forensics and cloud log analysis, we will review numerous quick methods to gain context over the data you have gathered and apply critical thinking in an attempt to find the answers. Sometimes, the answers weren’t meant to be found, but we’ll also discuss how to make the best of any conclusion that you reach.

Kristy Westphal is a versatile information technology professional with specific experience in providing advisory and management services in the area of information security and risk, and is currently employed as the Vice President, CSIRT at a large financial institution. Specializing in leadership and program development, her specific expertise in security areas includes process analysis, risk assessments, security awareness programs, operating system security, network security, incident handling, vulnerability analysis and policy development.

Introduction to Car Hacking Basics

Ever wanted to learn about the basics of car hacking but don't have a car or don't want to break your only car? This presentation will give a quick overview of basic car hacking and where to start as a beginner.

K "Turb0Yoda" Singh is an Associate in Incident Response with Blackberry Security Services, specifically in Incident Response and Digital Forensics. He spends his small amount of free time tinkering on cars, computers, and sometimes security.

Stealing a password through interpretive dance, and other wild video game hacks

Like you, I play a lot of video games. The thing is, computers have this weird habit of breaking whenever I'm near them. It's a gift and a curse.

Here I'll be dropping six really fun remotely exploitable hacks for Super Smash Bros: Melee and Magic: the Gathering open source applications and libraries. I'll walk through each of them with exploits and examples for your enjoyment. They run the gamut from memory corruption vulnerabilities in esoteric embedded environments to subtle networking interactions with large consequences.

It's all fun and games until someone loses a password.

Dan "AltF4" Petro is Lead Researcher at Bishop Fox, a consulting firm providing cybersecurity services to the Fortune 500, global financial institutions, and high-tech startups. In this role, he focuses on application penetration testing and network penetration testing.

Dan likes to hear himself talk, often resulting in conference presentations including many consecutive talks at Black Hat USA and DEF CON in addition to appearances at HOPE, BSides, ToorCon, CactusCon, and probably more. He is widely known for the tools he creates: the Rickmote Controller (a Chromecast-hacking device), Untwister (a tool used for breaking pseudorandom number generators) and SmashBot (a merciless Smash Bros noob-pwning machine).

Dan holds a Master of Science in Computer Science from Arizona State University and still doesn't regret it.

Workshop: Machine Learning for Security Analysts

Today, over a quarter of security products for detection have some form of machine learning built in. However, “machine learning” is nothing more than a mysterious buzzword for many security analysts. In order to properly deploy and manage these products, analysts will need to understand how the machine learning components operate to ensure they are working efficiently. In this talk, we will dive head first into building and training our own security-related models using the 7-step machine learning process. No environment setup is necessary, but Python experience is strongly encouraged.

Gavin Klondike is a senior consultant and researcher who has a passion for network security, both attack and defense. Through that passion, he runs NetSec Explained, a blog and YouTube channel which covers intermediate and advanced level network security topics in an easy to understand way. His work has given him the opportunity to be published in industry magazines and speak at conferences such as Def Con, Def Con China, and CactusCon. Currently, he is researching ways to address the cybersecurity skills gap by utilizing machine learning to augment the capabilities of current security analysts.

Worst-of Cybersecurity Reporting 2021

In this session, two tech writers who roasted the worst tech reporting of 2019 are back on the grill to discuss...the worst tech reporting of 2020! Instead of just hating on the media, though, we’ll talk about ways that technologists can speak to journalists and the public to dispel misconceptions and stop the spread of misinformation.

Yael Grauer is an investigative tech reporter covering online privacy and security, digital freedom and mass surveillance. She’s written for Ars Technica, The Intercept, WIRED, Motherboard, Slate, Wirecutter, OneZero and other publications. She’s co-organized events and spoken on panels about digital security, source protection, ethics, and more. She holds a Master of Mass Communication degree from ASU, which was an interesting way to kill time between DEF CONs.

David Huerta is a Digital Security Trainer at the Freedom of the Press Foundation (FPF), where he trains journalists in privacy-enhancing technology to empower a free press. He’s taught hundreds of trainings across the world and organizes the digital security track at the National Association of Hispanic Journalists conference. He also occasionally writes for Motherboard, The Outline and FPF’s own security blog. He dropped out of ASU in 2010 to co-found HeatSync Labs, Arizona’s first hackerspace.

The Crimeware Arms Race: Modern Techniques in Malware Armoring and Evasion

As the volume of malware samples in the wild has continued to explode in recent years, a lot of effort has been put into the development of automated analysis platforms. These platforms typically execute files in controlled environments to observe their behavior and determine if the file is benign or malicious. As the use of these technologies has increased, adversaries have invested significant resources in developing techniques to circumvent automated analysis and evade detection.

Malware developers are also implementing various techniques to make analysis more difficult. Modern botnets have begun leveraging new technologies in an effort to make their infrastructure more resilient to disruption by security organizations and law enforcement. This presentation will describe the latest techniques employed by adversaries to evade analysis and detection. It will also cover the new technologies being leveraged to establish C2 communications channels that are resilient against intervention by the security industry and law enforcement. We will discuss specific examples and walk through detailed case studies where these techniques are being employed as well as how to defend against them more effectively.

Nick Biasini’s interest in computers and technology started at a young age when he tore apart his parents' brand new 486SX PC. Ever since, he has been tinkering with computers in one way or another. In his time with Cisco Talos, Nick has been responsible for exposing new details of major threats, with a focus on crimeware. This includes exposing the Angler exploit kit, identifying new techniques like Domain Shadowing, helping to stop large scale malware campaigns, and revealing clever spam campaigns delivering ransomware. Nick has a master’s degree in digital forensics from the University of Central Florida and has worked in government and private sector environments in his career.

Edmund Brumaghin is a threat researcher with Cisco Talos. He has spent the past several years protecting environments across a number of different industries including nuclear energy, financial services, etc. He currently spends his days hunting malware and analyzing various threats as they emerge and continue to evolve. In his time with Talos he has researched ransomware and other threats being distributed using various attack vectors. He has also worked to expose large scale malware campaigns and raise awareness of security threats observed across the threat landscape.

Analyzing Suspicious Artifacts (deep dive)

The talk builds upon our previous talk, 'Triaging Suspicious Artifacts'. We dive deeper into a suspicious artifact learning as much as we can about its capability, purpose, and origin. We will demonstrate how the output from our analysis serves as input into threat intelligence and threat hunts.

Ttheveii0x specializes in malware analysis, cyber threat intelligence and threat hunting. He has extensive experience with malware analysis, binary reverse engineering, Linux, Unix, and Windows operating systems, software development, application security, digital forensics and incident response. Ttheveii0x is deeply involved in the infosec/hacker community as both a leader and organizer of several security groups. Ttheveii0x is a Director of Blue Team Village, which has been part of DEF CON and other security conferences since 2018. He also leads the DC215 security community and is one of the organizers of WOPR Summit. Ttheveii0x enjoys creating capture the flag exercises, training, and mentoring in the information security community. Ttheveii0x works to develop cybersecurity training that is released to the public in the interest of developing new cybersecurity talent and training current practitioners.

Jonas Eichinger currently works as a Sr. Consultant for Security Risk Advisors. His focus is Digital Forensics & Incident Response, malware reverse engineering, defensive tool development, and cloud security. Any time not spent taking apart payloads, investigating security incidents, or knowledge sharing is divvied up between fermenting cabbage, collecting vintage computers, and fixing old Volvo station wagons. Those are normal hobbies, right… right?


When Your Memory Forensics Tools Only Tell Half the Story

Malware authors are becoming ever more clever at creating malicious binaries which succeed at both compromising a system and hiding from the incident responder's analysis tools. This presentation will demonstrate techniques and methods that the forensic analyst can use to dig deeper when their tools are telling half the story and yet they know there is more of the story to be told. Using lessons learned from previous cases, I will demonstrate how to use various open source tools such as volatility 2.6, volatility 3, malwoverview, capa, binee, stringsifter, Yara and many others to complete the story and locate the malicious binaries for further analysis. Participants will gain new insights into how various tools provide the analyst information and what gaps they have to fill, without the automation of forensic tools or scripts, in order to complete the investigation.

Aaron Sparling is an Officer with the Portland Police Bureau in Portland, Oregon, where he serves in the Investigations Branch, Forensic Evidence Division's Digital Forensic Unit. Prior to serving in the Digital Forensic Unit, Aaron was assigned to the Criminal Intelligence Unit where he focused on Open Source Intelligence. Aaron has been working in digital forensics for the past eight years and has served as a Task Force Officer on the United States Secret Service Electronic Crimes Task Force and the Portland FBI/Oregon Cyber Crimes Task Force. Aaron currently serves as the Chairman of the Technical Advisory Council for the United States Secret Service National Computer Forensics Institute (NCFI). Aaron holds a GREM, GFCA, GFCE, GSEC, and CFCE.

Workshop: Hands-On Purple Team

In this two hour hands-on workshop you will play the role of both the red team and the blue team. We have set up an isolated environment for each attendee to go through a Purple Team Exercise. Attendees will be able to create adversary emulation campaigns with SCYTHE and run them in a small environment consisting of a domain controller, member server, and a Linux system. While the attendee is the red team operator, they will also play the role of the blue team looking for Indicators of Compromise and adversary behavior mapped to MITRE ATT&CK Tactics, Techniques, and Procedures. Attendees will learn the basics of adversary emulation (powered by SCYTHE) and blue team tools such as Sysmon, WireShark, and others. It will be a fun two hours of hands-on learning!

Jorge Orchilles is the Chief Technology Officer of SCYTHE and co-creator of the C2 Matrix project. He is a SANS Certified Instructor and the author of Security 564: Red Team Exercises and Adversary Emulation. He was a founding member of MITRE Engenuity Center of Threat-Informed Defense. He is a Fellow at the Information Systems Security Association (ISSA) and National Security Institute. Prior, Jorge led the offensive security team at Citi for over 10 years.

He also co-authored Common Vulnerability Scoring System (CVSS) and A Framework for the Regulatory Use of Penetration Testing in the Financial Services Industry, and author of Microsoft Windows 7 Administrator’s Reference. Jorge holds post-graduate degrees from Stanford and Florida International University in Advanced Computer Security & Master of Science. Jorge speaks English, Spanish, and Portuguese, in decreasing levels of fluency. When he’s not hacking, teaching, or writing, you’ll find him watching and playing soccer.

Hands on Purple Team Workshop note: the environments mentioned were provisioned specially for the con, and are no longer accessible

Hacking with Skynet - How AI is Empowering Adversaries

It's no question that modern advances in AI and Deep Learning technologies have allowed organizations to greatly scale their defensive capabilities. Between detecting evolving threats, automating discovery, fighting dynamic attacks, and even freeing up time for IT professionals; AI-fueled automation has been a boon for system defenders. But before we get too comfortable, we need to remember that there is another side to this fight.

In this talk, we'll take a look at how AI technologies are enhancing adversarial capabilities and how challenges in defensive machine learning are opening up new attack surfaces.

Gavin Klondike is a senior consultant and researcher who has a passion for network security, both attack and defense. Through that passion, he runs NetSec Explained, a blog and YouTube channel which covers intermediate and advanced level network security topics in an easy to understand way. His work has given him the opportunity to be published in industry magazines and speak at conferences such as Def Con, Def Con China, and CactusCon. Currently, he is researching ways to address the cybersecurity skills gap by utilizing machine learning to augment the capabilities of current security analysts.

The full purple juice, not the watered down stuff

This talk is a real use case of a 6 week Purple Team Exercise performed for a client that allowed us to share their story. Everyone has heard of Purple Team by now, but how many have been able to quantify the value? In this talk, we cover the time we were asked to perform all the roles of a Purple Team: Cyber Threat Intelligence, Red Team, Blue Team, and Exercise Coordination. We were asked to emulate various adversaries, with an increasing order of sophistication, while implementing defenses for the adversary TTPs. We were also asked to not spend a single dollar on new technology. Instead, we had to tune the current security controls.

This talk will cover those 6 weeks. Our baseline showed 94% of adversary behaviors/TTPs were not detected. At the end of the engagement, 64% of TTPs were detected. How did we accomplish this? Come to our talk and we will share the details.

Jorge Orchilles is the Chief Technology Officer of SCYTHE and co-creator of the C2 Matrix project. He is a SANS Certified Instructor and the author of Security 564: Red Team Exercises and Adversary Emulation. He was a founding member of MITRE Engenuity Center of Threat-Informed Defense. He is a Fellow at the Information Systems Security Association (ISSA) and National Security Institute. Prior, Jorge led the offensive security team at Citi for over 10 years.

He also co-authored Common Vulnerability Scoring System (CVSS) and A Framework for the Regulatory Use of Penetration Testing in the Financial Services Industry, and author of Microsoft Windows 7 Administrator’s Reference. Jorge holds post-graduate degrees from Stanford and Florida International University in Advanced Computer Security & Master of Science. Jorge speaks English, Spanish, and Portuguese, in decreasing levels of fluency. When he’s not hacking, teaching, or writing, you’ll find him watching and playing soccer.

Bryson Bort is the Founder of SCYTHE, a start-up building a next generation attack emulation platform, and GRIMM, a boutique cybersecurity consultancy, and Co-Founder of the ICS Village, a non-profit advancing awareness of industrial control system security. He is a Senior Fellow for Cybersecurity and National Security at R Street and the National Security Institute and an Advisor to the Army Cyber Institute and DHS/CISA. Prior, Bryson led an elite offensive capabilities development group. As a U.S. Army Officer, he served as a Battle Captain and Brigade Engineering Officer in support of Operation Iraqi Freedom before leaving the Army as a Captain. Bryson received his Bachelor of Science in Computer Science with honors from the United States Military Academy at West Point. He holds a Master’s Degree in Telecommunications Management from the University of Maryland, a Master’s in Business Administration from the University of Florida, and completed graduate studies in Electrical Engineering and Computer Science at the University of Texas.

Learning Offensive Security with Project V^3: VulnHub + VirtualBox + Vagrant

We are currently working on a project of porting all VulnHub VMs to VirtualBox and creating/uploading Vagrant boxes to the Vagrant Cloud. The idea is to lower the setup time of each machine and also lower the bar to entry for those that lack the skills to configure each vulnerable machine for use. This talk is to announce the project, how people can use it, and where to get it. This will include a demo setup.

Anthony Radzykewycz (@RedHatAugust) is a part-time professor at GateWay Community College, where he leads the Linux and Cybersecurity Programs. He obtained 17 industry certifications in his career, so far, and enjoys sharing his knowledge and making the learning experience easier for others.

James Green (@Thefeesh7) is an adjunct professor at Gateway Community College. James enjoys teaching others about computers, security, and chess. When not being a systems administrator he spends his time playing chess, poker, and learning about security.

Workshop: Violent Python 3

Level: Beginner

Even if you have never programmed before, you can quickly and easily learn how to make custom hacking tools in Python. We build tools that perform port scanning, brute-force attacks, password hash cracking, and XOR encryption. Python is among the top three programming languages in the world, for good reason: it's the easiest language to use for general purposes.

This workshop is structured as a CTF, so each participant can proceed at their own pace. The techniques will be briefly demonstrated, and we will provide tips and help as needed to make sure everyone is able to solve at least some of the challenges.

Participants need only a computer and a Web browser.

Sam Bowne has been teaching computer networking and security classes at City College San Francisco since 2000, and is the founder of Infosec Decoded, Inc. He has given talks and hands-on trainings at Black Hat USA, RSA, DEF CON, DEF CON China, HOPE, and many other conferences.

Credentials: PhD, CISSP, DEF CON Black Badge Co-Winner

Elizabeth Biddlecome is a consultant and instructor, delivering technical training and mentorship to students and professionals. She is a senior instructor for Infosec Decoded, Inc. She leverages her enthusiasm for architecture, security, and code to design and implement comprehensive information security solutions for business needs.

Elizabeth enjoys wielding everything from soldering irons to scripting languages in cybersecurity competitions, hackathons, and CTFs.

Can Artificial Intelligence (AI) detect Advanced Persistent Threats?

There is a huge surge in marketing of Artificial Intelligence-based solutions that claim detection of Advanced Persistent Threat (APT) attacks using AI algorithms. Often, the data backing the detection results of these algorithms is biased towards known attack patterns. To test existing AI models, we developed a benchmark dataset extracted from packet captures of APT attacks we performed, and benchmarked popular machine learning algorithms such as Support Vector Machine (SVM), Stacked Autoencoder (SAE), and Long Short-Term Memory-based Stacked Autoencoder (SAE-LSTM). We observed that existing datasets and the network setup used for benchmarking machine learning models perform poorly in terms of detection accuracy when analyzed for the different phases of an APT. This talk will discuss the limitations of current AI and ML and how we can develop better machine learning models for detection of low and slow attacks like APTs. We will also introduce a new dataset, DAPT 2020, which is a first attempt towards building an Advanced Persistent Threat (APT) dataset.

Dr. Ankur Chowdhary is a cybersecurity researcher. He received his Ph.D. (2020) and M.S. (2015) with a specialization in cybersecurity from Arizona State University (ASU). His research interests include Cloud Security, Software Defined Networks, and the application of Artificial Intelligence and Machine Learning in the field of cybersecurity. Ankur has co-authored over 25 research papers and one textbook in the field of cybersecurity. Ankur co-founded the cybersecurity startup CyNET LLC (2017). Ankur has been quite active in cybersecurity education. Ankur was ASU’s National Collegiate Cyber Defense Competition (NCCDC) captain (2015-2018), and he is the current team coach (2018-). He co-founded the hacking club DevilSec in 2019 to teach offensive and defensive security to students at ASU. For more information about his work and research activities please visit ankurchowdhary.com.