CactusCon

CactusCon13
February 14-15, 2025
Mesa, AZ

2021 Talks

MQTT: Tiny Protocol, Big Vulnerabilities

Have you ever wondered how your IoT device talks to your phone? Or how industrial factories collect data from sensors? Odds are pretty good they use a tiny protocol called Message Queuing Telemetry Transport (MQTT). Join me as we learn more about this tiny protocol and discuss common implementations and vulnerabilities. Learn how to find open MQTT brokers using Shodan and then learn how to build your own internet scanner using Masscan and nmap.

Tracie Martin is a Principal Security Engineer at a really big book store. Previously she's worked in a variety of roles in various tech companies such as Google, Microsoft and Twitter. She is passionate about making security accessible and approachable to everyone and changing the culture of no.

She also runs a womxn-focused security conference in Seattle called DefendCon.

Reverse Engineering Websites

In the ideal world, every engagement would grant you source code access and a copy of the application/environment. Having 100% visibility into the static and dynamic environment of an application is incredibly powerful. By its nature, it eliminates the need for guessing and will make attacks significantly more informed and reliable. Simply put, a better job can be done because this is a position of advantage. In all situations less than that ideal, we can use reverse engineering to get into that position.

This talk outlines the concepts, strategies, and specific methods I have used to learn the inner workings of websites for exploitation. We will specifically cover:

  • pattern matching to quickly identify technologies

  • deductive and inductive reasoning as ways to dial in our understanding

  • how to ask informed questions to prove out those assertions

  • walkthrough of how code structures look, and what the rendered website will show

  • demonstration of decomposition techniques

kuzushi

I have spent nearly two decades working with technology. The first half of my career was spent as a professional developer, and for the last 10 years of my career I have worked as an ethical hacker / cyber security professional / offensive security consultant. I have personally performed hundreds of penetration tests throughout the last decade, and I have led even more. I specialized in application security and secure developer training. For the last few years I've continued my growth into executive leadership, where I have built and led international and national teams of security testers to deliver the highest quality penetration tests. I am currently the Vice President of security consulting services for Bishop Fox.

Extracting a Bootloader’s AES Key via a Power Analysis Side Channel Attack

As manufacturers fortify their IoT devices, security validation from a third party has become difficult. Encrypted updates on secure devices make firmware extraction close to impossible on many microcontrollers. A researcher may spend months hacking the interfaces, trying to find a software vulnerability without success. Power Analysis-based Side Channel Attacks (SCA) follow a systematic approach to recover the bootloader’s keys without relying on the device having a vulnerability.

This talk will summarize the technique we used to extract a secure Microchip ATSAMD21 bootloader key via a Power Analysis-based SCA. I will be going over the broad details of my article, “A Practical Guide for Cracking AES-128 Firmware Updates,” which will provide attendees the steps needed to perform an SCA on our target. Fortunately for a researcher, this flow can be used to extract keys from most secure microcontrollers.

Mark Kirschenbaum owns and operates Hypoxic, an action sports electronics company. Primarily developing camera controllers, Mark has continuously reverse engineered products to add hardware and software functionality for his clients. Prior to Hypoxic, Mark developed programmers and debuggers for a leading embedded microcontroller company. Side Channel Attacks have become Mark’s area of interest, and he looks forward to sharing his real-world experiences with other like-minded hackers.

Linux IR: Windows of Opportunity

This talk aims to expose individuals to incident response in a Linux environment. Many talks and trainings primarily focus on Windows environments with little to no mention of the unique challenges that exist within Linux environments. We will be working through a sample from the SystemdMiner family and highlighting its behavior as captured by open source tooling (ELK/OSQuery/Suricata/Zeek). I'll showcase how Linux incident response differs from Windows as well as where both worlds collide.

Jon Wade has spent close to the last decade wearing as many security hats as possible while being a security engineer at GoDaddy. He enjoys tackling interesting challenges and punching miscreants whenever possible. He believes that all you need to perform initial triage in Linux is the lsof command.

Introduction to Car Hacking Basics

Ever wanted to learn about the basics of car hacking but don't have a car or don't want to break your only car? This presentation will give a quick overview of basic car hacking and where to start as a beginner.

K "Turb0Yoda" Singh is an Associate Incident Response with Blackberry Security Services, specifically in Incident Response and Digital Forensics. He spends his small amount of free time tinkering on cars, computers, and sometimes security.

Stealing a password through interpretive dance, and other wild video game hacks

Like you, I play a lot of video games. The thing is, computers have this weird habit of breaking whenever I'm near them. It's a gift and a curse.

Here I'll be dropping six really fun remotely exploitable hacks for Super Smash Bros: Melee and Magic: the Gathering open source applications and libraries. I'll walk through each of them with exploits and examples for your enjoyment. They run the gamut from memory corruption vulnerabilities in esoteric embedded environments to subtle networking interactions with large consequences.

It's all fun and games until someone loses a password.

Dan "AltF4" Petro is Lead Researcher at Bishop Fox, a consulting firm providing cybersecurity services to the Fortune 500, global financial institutions, and high-tech startups. In this role, he focuses on application penetration testing and network penetration testing.

Dan likes to hear himself talk, often resulting in conference presentations including many consecutive talks at Black Hat USA and DEF CON in addition to appearances at HOPE, BSides, ToorCon, CactusCon, and probably more. He is widely known for the tools he creates: the Rickmote Controller (a Chromecast-hacking device), Untwister (a tool used for breaking pseudorandom number generators) and SmashBot (a merciless Smash Bros noob-pwning machine).

Dan holds a Master of Science in Computer Science from Arizona State University and still doesn't regret it.

Worst-of Cybersecurity Reporting 2021

In this session, two tech writers who roasted the worst tech reporting of 2019 are back on the grill to discuss...the worst tech reporting of 2020! Instead of just hating on the media, though, we’ll talk about ways that technologists can speak to journalists and the public to dispel misconceptions and stop the spread of misinformation.

Yael Grauer is an investigative tech reporter covering online privacy and security, digital freedom and mass surveillance. She’s written for Ars Technica, The Intercept, WIRED, Motherboard, Slate, Wirecutter, OneZero and other publications. She’s co-organized events and spoken on panels about digital security, source protection, ethics, and more. She holds a Master of Mass Communication degree from ASU, which was an interesting way to kill time between DEF CONs.

David Huerta is a Digital Security Trainer at the Freedom of the Press Foundation (FPF), where he trains journalists in privacy-enhancing technology to empower a free press. He’s taught hundreds of trainings across the world and organizes the digital security track at the National Association of Hispanic Journalists conference. He also occasionally writes for Motherboard, The Outline and FPF’s own security blog. He dropped out of ASU in 2010 to co-found HeatSync Labs, Arizona’s first hackerspace.

The Crimeware Arms Race: Modern Techniques in Malware Armoring and Evasion

As the volume of malware samples in the wild has continued to explode in recent years, a lot of effort has been put into the development of automated analysis platforms. These platforms typically execute files in controlled environments to observe their behavior and determine if the file is benign or malicious. As the use of these technologies has increased, adversaries have invested significant resources in developing techniques to circumvent automated analysis and evade detection.

Malware developers are also implementing various techniques to make analysis more difficult. Modern botnets have begun leveraging new technologies in an effort to make their infrastructure more resilient to disruption by security organizations and law enforcement. This presentation will describe the latest techniques employed by adversaries to evade analysis and detection. It will also cover the new technologies being leveraged to establish C2 communications channels that are resilient against intervention by the security industry and law enforcement. We will discuss specific examples and walk through detailed case studies where these techniques are being employed as well as how to defend against them more effectively.

Nick Biasini’s interest in computers and technology started at a young age when he tore apart his parents' brand-new 486SX PC. Ever since, he has been tinkering with computers in one way or another. In his time with Cisco Talos, Nick has been responsible for exposing new details of major threats, with a focus on crimeware. This includes exposing the Angler exploit kit, identifying new techniques like Domain Shadowing, helping to stop large-scale malware campaigns, and revealing clever spam campaigns delivering ransomware. Nick has a master’s degree in digital forensics from the University of Central Florida and has worked in government and private sector environments in his career.

Edmund Brumaghin is a threat researcher with Cisco Talos. He has spent the past several years protecting environments across a number of different industries including nuclear energy, financial services, etc. He currently spends his days hunting malware and analyzing various threats as they emerge and continue to evolve. In his time with Talos he has researched ransomware and other threats being distributed using various attack vectors. He has also worked to expose large scale malware campaigns and raise awareness of security threats observed across the threat landscape.

Analyzing Suspicious Artifacts (deep dive)

The talk builds upon our previous talk, 'Triaging Suspicious Artifacts'. We dive deeper into a suspicious artifact learning as much as we can about its capability, purpose, and origin. We will demonstrate how the output from our analysis serves as input into threat intelligence and threat hunts.

Ttheveii0x specializes in malware analysis, cyber threat intelligence and threat hunting. He has extensive experience with malware analysis, binary reverse engineering, Linux, Unix, and Windows operating systems, software development, application security, digital forensics and incident response. Ttheveii0x is deeply involved in the infosec/hacker community as both a leader and organizer of several security groups. Ttheveii0x is a Director of Blue Team Village, which has been part of DEF CON and other security conferences since 2018. He also leads the DC215 security community and is one of the organizers of WOPR Summit. Ttheveii0x enjoys creating capture the flag exercises, training, and mentoring in the information security community. Ttheveii0x works to develop cybersecurity training that is released to the public in the interest of developing new cybersecurity talent and training current practitioners.

Jonas Eichinger currently works as a Sr. Consultant for Security Risk Advisors. His focus is Digital Forensics & Incident Response, malware reverse engineering, defensive tool development, and cloud security. Any time not spent taking apart payloads, investigating security incidents, or knowledge sharing is divvied up between fermenting cabbage, collecting vintage computers, and fixing old Volvo station wagons. Those are normal hobbies, right… right?

When Your Memory Forensics Tools Only Tell Half the Story

Malware authors are becoming ever more clever at creating malicious binaries which succeed at both compromising a system and hiding from the incident responders' analysis tools. This presentation will demonstrate techniques and methods that the forensic analyst can use to dig deeper when their tools are telling half the story and yet they know there is more of the story to be told. Using lessons learned from previous cases, I will demonstrate how to use various open source tools such as Volatility 2.6, Volatility 3, malwoverview, capa, binee, stringsifter, YARA and many others to complete the story and locate the malicious binaries for further analysis. Participants will gain new insights into how various tools provide the analyst with information and what gaps they have to fill, without the automation of forensic tools or scripts, in order to complete the investigation.

Aaron Sparling is an Officer with the Portland Police Bureau in Portland, Oregon, where he serves in the Investigations Branch, Forensic Evidence Division's Digital Forensic Unit. Prior to serving in the Digital Forensic Unit, Aaron was assigned to the Criminal Intelligence Unit, where he focused on Open Source Intelligence. Aaron has been working in digital forensics for the past eight years and has served as a Task Force Officer on the United States Secret Service Electronic Crimes Task Force and the Portland FBI/Oregon Cyber Crimes Task Force. Aaron currently serves as the Chairman of the Technical Advisory Council for the United States Secret Service National Computer Forensics Institute (NCFI). Aaron holds a GREM, GFCA, GFCE, GSEC, and CFCE.

Hacking with Skynet - How AI is Empowering Adversaries

It's no question that modern advances in AI and Deep Learning technologies have allowed organizations to greatly scale their defensive capabilities. Between detecting evolving threats, automating discovery, fighting dynamic attacks, and even freeing up time for IT professionals, AI-fueled automation has been a boon for system defenders. But before we get too comfortable, we need to remember that there is another side to this fight.

In this talk, we'll take a look at how AI technologies are enhancing adversarial capabilities and how challenges in defensive machine learning are opening up new attack surfaces.

Gavin Klondike is a senior consultant and researcher who has a passion for network security, both attack and defense. Through that passion, he runs NetSec Explained, a blog and YouTube channel which covers intermediate and advanced level network security topics in an easy to understand way. His work has given him the opportunity to be published in industry magazines and speak at conferences such as Def Con, Def Con China, and CactusCon. Currently, he is researching ways to address the cybersecurity skills gap by utilizing machine learning to augment the capabilities of current security analysts.

The full purple juice, not the watered down stuff

This talk is a real use case of a 6 week Purple Team Exercise performed for a client that allowed us to share their story. Everyone has heard of Purple Team by now, but how many have been able to quantify the value? In this talk, we cover the time we were asked to perform all the roles of a Purple Team: Cyber Threat Intelligence, Red Team, Blue Team, and Exercise Coordination. We were asked to emulate various adversaries, with an increasing order of sophistication, while implementing defenses for the adversary TTPs. We were also asked to not spend a single dollar on new technology. Instead, we had to tune the current security controls.

This talk will cover those 6 weeks. Our baseline showed 94% of adversary behaviors/TTPs were not detected. At the end of the engagement, 64% of TTPs were detected. How did we accomplish this? Come to our talk and we will share the details.

Jorge Orchilles is the Chief Technology Officer of SCYTHE and co-creator of the C2 Matrix project. He is a SANS Certified Instructor and the author of Security 564: Red Team Exercises and Adversary Emulation. He was a founding member of MITRE Engenuity Center of Threat-Informed Defense. He is a Fellow at the Information Systems Security Association (ISSA) and National Security Institute. Prior, Jorge led the offensive security team at Citi for over 10 years.

He also co-authored Common Vulnerability Scoring System (CVSS) and A Framework for the Regulatory Use of Penetration Testing in the Financial Services Industry, and author of Microsoft Windows 7 Administrator’s Reference. Jorge holds post-graduate degrees from Stanford and Florida International University in Advanced Computer Security & Master of Science. Jorge speaks English, Spanish, and Portuguese, in decreasing levels of fluency. When he’s not hacking, teaching, or writing, you’ll find him watching and playing soccer.

Bryson Bort is the Founder of SCYTHE, a start-up building a next generation attack emulation platform, and GRIMM, a boutique cybersecurity consultancy, and Co-Founder of the ICS Village, a non-profit advancing awareness of industrial control system security. He is a Senior Fellow for Cybersecurity and National Security at R Street and the National Security Institute and an Advisor to the Army Cyber Institute and DHS/CISA. Prior, Bryson led an elite offensive capabilities development group. As a U.S. Army Officer, he served as a Battle Captain and Brigade Engineering Officer in support of Operation Iraqi Freedom before leaving the Army as a Captain. Bryson received his Bachelor of Science in Computer Science with honors from the United States Military Academy at West Point. He holds a Master’s Degree in Telecommunications Management from the University of Maryland, a Master’s in Business Administration from the University of Florida, and completed graduate studies in Electrical Engineering and Computer Science at the University of Texas.

Learning Offensive Security with Project V^3: VulnHub + VirtualBox + Vagrant

We are currently working on a project of porting all VulnHub VMs to VirtualBox and creating/uploading Vagrant boxes to the Vagrant Cloud. The idea is to lower the setup time of each machine and also lower the bar to entry for those that lack the skills to configure each vulnerable machine for use. This talk is to announce the project, how people can use it, and where to get it. This will include a demo setup.

Anthony Radzykewycz (@RedHatAugust) is a part-time professor at GateWay Community College, where he leads the Linux and Cybersecurity Programs. He obtained 17 industry certifications in his career, so far, and enjoys sharing his knowledge and making the learning experience easier for others.

James Green (@Thefeesh7) is an adjunct professor at Gateway Community College. James enjoys teaching others about computers, security, and chess. When not being a systems administrator he spends his time playing chess, poker, and learning about security.

Can Artificial Intelligence (AI) detect Advanced Persistent Threats?

There is a huge surge in marketing of Artificial Intelligence-based solutions that claim detection of Advanced Persistent Threat (APT) attacks using AI algorithms. Often, the data backing the detection results of these algorithms is biased towards known attack patterns. To test existing AI models, we developed a benchmark dataset extracted from packet captures of APT attacks we performed, and benchmarked popular machine learning algorithms such as Support Vector Machine (SVM), Stacked Autoencoder (SAE), and Long Short-Term Memory-based Stacked Autoencoder (SAE-LSTM). We observed that existing datasets and the network setups used for benchmarking machine learning models perform poorly in terms of detection accuracy when analyzed for the different phases of an APT. This talk will discuss the limitations of current AI and ML, and how we can develop better machine learning models for detection of low and slow attacks like APTs. We will also introduce a new dataset, DAPT 2020, which is the first attempt towards building an Advanced Persistent Threat (APT) dataset.

Dr. Ankur Chowdhary is a cybersecurity researcher. He received his Ph.D. (2020) and M.S. (2015) with specialization in cybersecurity from Arizona State University (ASU). His research interests include Cloud Security, Software Defined Networks, and the application of Artificial Intelligence and Machine Learning in the field of cybersecurity. Ankur has co-authored over 25 research papers and one textbook in the field of cybersecurity. Ankur co-founded the cybersecurity startup CyNET LLC (2017). Ankur has been quite active in cybersecurity education. Ankur was ASU’s National Cybersecurity Defense Competition (NCCDC) captain (2015-2018), and he is the current team coach (2018-). He co-founded the hacking club DevilSec in 2019 to teach offensive and defensive security to students at ASU. For more information about his work and research activities, please visit ankurchowdhary.com.