Please go to:

 

BSidesPGH

 

for information on current events!

 

When: June 14-15, 2013

 

Where:

June 14: Left Field Meeting Space, 116 Federal St., Pittsburgh 15212 (www.leftfieldmeetings.com)

 

June 15: TechShop, 192 Bakery Square Boulevard Pittsburgh, PA 15206

(http://www.techshop.ws/pittsburgh.html)

 

Cost: Free!

Contact: bsidespgh@gmail.com

 

Needed: Volunteers, Speakers, Sponsors, Ideas!

 

 

New This Year! BSides Pittsburgh is adding a SECOND DAY on Saturday, focused on highly technical workshops and demos.

 

Extras!

All, We have a bit of a funding shortfall this year.  Call it "BSidesPGH sequestration."  Therefore, we are doing some crowdsourced fundraising.  Attendance to both days is still free.  Breakfast and lunch on Friday, and possibly Saturday, are still free.  What we're asking is that if you want some of the "extras", you cover the cost.  We usually have a lot of waste on these items.

 

The following extra perks are available for purchase via paypal:

A) Custom cassette badge with mystery audio-encoded secret message - $5

B) BSides Pittsburgh 2013 T-shirt - $15

 

All of the above PLUS "Friends of BSides" Sponsorship listing - $100

 

The T-shirt and badge must be ordered no later than May 20.

 

To order, email bsidespgh@gmail.com with PURCHASE in the subject line.  Your support is greatly appreciated and will help us have the best BSides Pittsburgh ever.

 

About

BsidesPittsburgh is a free, volunteer-run computer security conference held every summer in Pittsburgh, PA.  Security Bsides is  a global series of community-driven conferences presenting a wide range of information security topics from technical topics, such as dissecting network protocols, to policy issues such as managing information leakage via social networks.  In keeping with the community-driven theme and to help minimize event costs, the conference format, talks, and activities are agreed upon by all attendees.  We’re currently looking for presenters, ideas and topics.  Please post your ideas at the BsidesPittsburgh website. 

 

Pittsburgh has a flourishing information security community; this is a great chance to meet each other, share ideas and work together.  Many of those professionals in Pittsburgh as well as nationally recognized experts are doing awesome things in the field; let's get together to learn,  collaborate, and protect.  Please see our web page for more information, to RSVP, or to submit a talk or suggestion.  The event is free – even the food and drinks – and held in full view of the City of Pittsburgh and PNC Park at the Left Field Meeting Space on the north shore. 

 

This year we are adding a second day of events.  Friday will be at Left Field and will focus more on policy, best practices, security management, and legal issues (although technical submissions are still welcome.)  Saturday will be at a different location and will be entirely technical deep-dives.  Attendance at either or both is free.

 

 

Sponsors

 

We are once again asking for sponsors to choose a sponsorship level.  Please contact bsidespgh@gmail.com if you are interested in sponsoring at any level.  

 

Platinum

 

 

 

 

Gold

 

 

  as the Sponsor of <dual core>!

 

  

 

 

 

Silver

 

 

 

 

 

 

Friends of BSides

 

     

 

     

 

Andy Johnson

 

Premier - $5,000.00 
Platinum - $1,500.00 
Gold - $750.00 
Silver - $500.00 

 

 

 

 

Call For Presenters (CFP)

 

The CFP for 2013 is closed.

 

 

Schedule

Subject to change

 

Day 1

9:00	Keynote: SSA J. Keith Mularski	Cyber Threat Landscape
10:00	Dave Kennedy	Getting Creative - A Story in Thinking Outside of the Box
11:00	Eve Adams	Hack The Hustle! Career Strategies For Information Security Professionals
12:00	Lunch
1:00	Randy Trzeciak	Risk Mitigation Strategies: Lessons Learned from Actual Insider Attacks
2:00	Jake Liefer	Building a Better Pond: Tactically Thwarting Spear Phishing Attacks
3:00	Kevin Poniatowski	How I Stopped Worrying and Learned to Love BYOD
4:00	Dave Ries	What Is Reasonable Security from a Legal Perspective?
5:00	After Party with Ali Spagnola's Power Hour and Dual Core!

 

Day 2 

	Room 1		Room 2		Room 3
10:00	John Geyer	We Need More D-Fence	Brent Kennedy	Pentester's Playground*	Raphael Mudge	Armitage and Cobalt Strike Penetration Testing Lab** (4 hours)
11:00	Dr. Charles Wood	The Dangers of Steganography: What Worked for Bin Laden can Work Against You
12:00	David Warren	Software Defined Radio	Brandon Morris	Eating the Elephant - Using Nessus and Microsoft Office to analyze and compare large host scans
1:00	Joshua Schwartz	Making attacks Go Backward	Sid Faber / George Warnagiris	A Profile of Traffic on my Home Network
2:00	Brandon Franklin / Justin Zimmerman	Skeletons in the Closet: Is Your Crypto Keeping You Safe?			Andy Cooper	iptables, and doing stuff with it

 

* This is a hands-on workshop!

Students must bring a laptop with a VMWare product installed.

 

 

** This is a hands-on workshop!

Students must bring a laptop with a VMWare product installed. VMWare player is OK. The instructor will provide attack and target virtual machines on a DVD. A USB DVD drive will be available to use. Student systems must have 12GB of free space and at least 2GB of RAM.

 

 

  

 

Speakers / Abstracts

 

Keynote: Supervisory Special Agent Keith Mularski, Federal Bureau of Investigation

Cyber Threat Landscape

 

A discussion of the cyber threat landscape, with examples of what the FBI is seeing in the areas of Advanced Persistent Threats, organized cyber criminal gangs, underground forums, Anonymous and other hacktivists, and cyber terrorism.

 

Randy Trzeciak, CERT Insider Threat Center

Risk Mitigation Strategies: Lessons Learned from Actual Insider Attacks

The Insider Threat Center at CERT, which was formed in 2001, has built an extensive library and comprehensive database containing hundreds of actual cases of insider cybercrimes. This presentation will describe findings from our analysis of three primary types of insider cybercrimes: IT sabotage, theft of intellectual property (e.g. trade secrets), and fraud.  All CERT insider threat research focuses on both the technical and behavioral aspects of actual compromises. The presentation will describe who committed the crimes, their motivation, organizational issues surrounding the incidents, methods of carrying out the attacks, impacts, and precursors that could have served as indicators to the organization in preventing the incident or detecting it earlier. In addition, this session will outline nineteen practices organizations should consider implementing to prevent, detect, and respond to insider threats. It will convey the "big picture" of the insider threat problem - the complex interactions, relative degree of risk, and unintended consequences of policies, practices, technology, insider psychological issues, and organizational culture over time.

 

Eve Adams, a.k.a. @HackerHuntress, Halock Security Labs

Hack The Hustle! Career Strategies for Information Security Professionals

While information security is widely considered a negative-unemployment industry (it's actually closer to 3%), most of us will look for a job at some point. Seasoned technical recruiter Eve Adams (@HackerHuntress) provides infosec-specific insight on writing resumes that attract the kind of attention you want, getting short-listed for cool positions before they're even posted, strategically riding infosec employment trends, and how to most effectively work with those delightful recruiters. This talk will have something for those just entering the workforce, mid-career security professionals, and former VAX hackers alike!

 

Dave Kennedy, a.k.a @dave_rel1k, TrustedSec

Getting Creative - A Story in Thinking Outside of the Box

Ever run in to a crazy configuration and secure setup that you just couldn't break in to? It's rare, but it happens. As penetration testers, we need to think outside of the box and get creative. We are hackers and we need to think like them. This presentation goes over some examples that I've run in to during penetration tests that made me get creative and think outside the box. Often times we get complacent when we can't find MS08-67, the latest and greatest exploit, or a default password. We chalk it up and walk away as if they're secure. Instead, let's fight, work for it, and most importantly, pop a box. This presentation will have lots of demos, tricks that I use during penetration tests, and more.

 

Kevin Poniatowski, Director of Instructor Led Services, Safelight Security

How I Stopped Worrying and Learned to Love BYOD

“Tweeting from the pub using my work Twitter account seemed like a good idea at the time.”

“How could our customer data be stolen? No one knows my iPhone pin except me.”

“After I send off this email to sales, I’m going to download Angry Chinese Birds. It’s free!”

It’s becoming more and more common for staff to bring their own devices to work, and blending their personal data with sensitive organizational data. What could possibly go wrong? Lack of user education concerning both physical and cyber threats to mobile devices and the sensitive data stored within them is creating an epidemic of embarrassment to organizations. This presentation will highlight the dangers of an untrained staff bringing their own devices to work and the steps that could be taken to mitigate the risk of lost data, compromised devices, and embarrassing Twitter posts.

 

Learning Objectives:

Attendees will become much more paranoid about the common practice of blending personal and organizational data and applications within their mobile devices.  They will also be introduced to coping skills, also known as secure best practices, for dealing with this paranoia. 

 

Brandon Morris

Eating the Elephant - Using Nessus and Microsoft Office to analyze and compare large host scans

Chances are you've heard of the Tenable Nessus Vulnerability scanner. It slices, it dices, it can run over 50,000 security checks against a wide range of targets.  However, if you've ever tried to use it to assess 500, 1000, 2000 hosts it can quickly become an overwhelming endeavour.  This presentation is how to tame the Nessus beast using Powershell to import multiple scans into a Microsoft Access Database, Easily Review/Filter/Query Results, Create comparative finding matrices in Microsoft Excel, and much much more.

 

Sivaram Rajagopalan, Independent Security Consultant, Powernet Group

Cloud Security Governance and Risk Management Controls

This presentation will try addressing the current Cloud Computing adoption trends, cloud economy, security risks, GRC approaches and relevant information security controls. Cloud Governance from the perspective of Enterprise Risk Management (ERM), Legal issues, Compliance/Audit Management, Data Security, and Interoperability/Portability standards will be discussed. Control guidelines and mappings utilizing CSA GRC Stack, CSA STAR, FedRAMP, NIST SP 800-53, ISACA and other cloud assurance metrics will also be reviewed.

 

Dave Ries, Partner, Clark Hill Thorp Reed

What Is "Reasonable Security"? Emerging Legal Standards

Corporate officers and boards, security professionals, and attorneys advising them regularly face the challenge of defining and implementing “reasonable security” for the business or enterprise. The answers are complicated by rapidly developing technologies, increasing threats, advances in available safeguards, and changes in regulatory requirements. This session will explore current legal requirements and evolving standards for “reasonable security” under them. 

 

Jake Liefer, Security Risk Advisors

Building a Better Pond: Tactically Thwarting Spear Phishing Attacks

While you were busy reviewing your onerous firewall rules, an attacker just bypassed all your best efforts and gained internal access on your network thanks to a simple, well crafted malicious email that took 10 minutes to create. From high profile attacks on corporations such as RSA, to the thousands of unreported and unknown attacks, spear phishing has become a formidable threat. However, in the midst of these mounting attacks, many security teams best effort is to simply tell users to not open malicious emails. Evidence shows that this is not working.

 In this session, we'll discuss the tactical and technical details to thwarting spear phishing attacks. We'll look at real world attacks and how to stop them. From developing a network infrastructure that detects these threats in-bound to fingerprinting what these attacks look like, we'll go beyond simple user awareness training to actively detect and mitigate spear phishing attacks. 

 

John Geyer

We Need More D-Fence

Mid size and small businesses require teamwork to get the job done. Not every company has a dedicated security team, and operations staff usually share the work load. We will discuss why your defense still sucks, why rock stars do not fit in, why zealots ruin such a potentially awesome defensive career candidates, and why we train for offensive security when we need more d-fence.

 

Dr. Charles Wood, Duquesne University

“The Dangers of Steganography: What Worked for Bin Laden can Work Against You”

Osama Bin Laden transmitted messages embedded inside porn pictures through the Internet.  His methods are still hard to detect. The same techniques that Bin Laden used to transmit secret messages to terrorists can be used to do the following:

 

• Steganography can be used to transmit customer lists secretly from the CRM system from your site!

 

• Steganography can be used to transmit private Visa card information from the accounts receivable department from your site!

 

• Steganography can be used to transmit engineering plans or future business opportunities to domestic and foreign competitors from your site!

 

And there is little in place to stop it.  Email filters won’t work.  Viewing the emails won’t detect anything amiss.  It is truly, truly scary!

 

This presentation will incorporate some PowerPoint with some examples of tool use to encrypt and embed secret messages, and will illustrate what steganography is, how it works, why it works so well(!) and is so undetectable(!),  and what you can do to stop it.  Further, the presentation discusses what tools need to be developed that are not currently available to protect ourselves from our secret information being transmitted.  The presentation will start out managerial, move to computer science as we go to the bit-level representation of information and how that can be used to embed information, and then move back to managerial to discuss the tools that are readily available to hackers, and the lack of tools that are readily available to managers.

 

Josh Schwartz (@FuzzyNop)

Making Attacks Go Backwards

 

Imagine a pentest where there is no scope, no time restraints, and no budget. How would you do it? Would you write your own tools? Would you get detected? And if you did would they know what you stole and what was owned? As time went on, would you get lazy?

 

It sounds like a dream gig for most pentesters out there and lucky for some threat actors, this is the 9 to 5 job. By now we shouldn't have to mention the advanced persistent buzzword for you to know what we are talking about. Targeted threat actors are people too, they make mistakes, their judgement is bad sometimes, they get lazy, and sometimes their skills are bad and they should feel bad.

In this talk we will cover how attacker tactics can leave behind obvious evidence, how their tools can be identified and analyzed quickly, and how the human side of every attacker can lead to some great lulz. Attendees should leave armed with a variety of examples from the trenches of incident response and malware analysis that will give them an edge against the less advanced of advanced attackers. Key takeaways will include tips and tricks for identifying and reverse engineering malware and utilities used in targeted attacks as well as the forensic evidence they leave behind.

 

Brandon Franklin and Justin Zimmerman

Skeletons in the Closet: Is Your Crypto Keeping You Safe?

Cryptography, like many areas of security, has the devil in the details.  Most of us know better than to develop our own crypto algorithms, but there are a host of gotchas that come with the implementation of any secure protocol.  Properly applying secure algorithms is critical for maintaining safe harbor under regulations such as HIPAA.  The presentation will cover a set of common cryptography anti-patterns we have encountered in security assessments and how to fix these broken architectures.    Less technical folks should expect to walk away with a checklist of things to watch for in their daily practice.  More technical folks will come away with a better understanding of how to critically think about architecting crypto solutions.

 

Salvador "grecs" Grec (@grecs)

Malware Analysis: N00b to Ninja in 60 Minutes

Knowing how to perform basic malware analysis can go a long way in
helping infosec analysts do some basic triage to either crush the
mundane or recognize when its time to pass the more serious samples on
to the the big boys. This presentation covers several analysis
environment options and the three quick steps that allows almost
anyone with a general technical background to go from n00b to ninja
(;)) in no time. Well … maybe not a "ninja" per se but the closing
does address follow-on resources on the cheap for those wanting to
dive deeper into the dark world of malware analysis.

 

David Warren

Software Defined Radio

TBD

 

Sidney Faber and George Warnagiris, A Profile of Traffic on My Home Network

TBD

 

 

 

 

Hands On Labs! (Saturday)

 

Raphael Mudge (@armitagehacker), Developer of Armitage and Cobalt Strike

Armitage and Cobalt Strike Penetration Testing Lab

The Metasploit Framework is a must-have tool for penetration testers. Armitage builds a workflow on top of the Metasploit Framework and exposes its most advanced capabilities. Cobalt Strike augments Armitage with tools to simulate advanced persistent threat-style targeted attacks. This lab oriented class will introduce you to the penetration testing process from the perspectives of Armitage and Cobalt Strike. You'll learn how to craft an attack package, deliver it to a target, spy on a user, attack systems from a foothold, and abuse trust relationships to gain access.

 

Student Requirements:

Students must bring a laptop with a VMWare product installed. VMWare player is OK. The instructor will provide attack and target virtual machines on a DVD. A USB DVD drive will be available to use. Student systems must have 12GB of free space and at least 2GB of RAM.

 

Andy Cooper

iptables, and doing stuff with it

 

Abstract TBD.

 

Brent Kennedy (@bk_up)

Pentester's Playground

After learning about Armitage and Cobalt strike from Raphael Mudge's awesome class, come and try your skills in a brand new virtual environment.  This free-for-all playground will allow you to think and act like a penetration tester while you try to conquer as many boxes as possible.  Think you're already a ninja?  We'll see about that...

 

 

Other Activities

 

Lockpick Village

 

 

After Party

 

 

Local Interest Talks

 

 

 

Topics I would like to hear about

 

Potential Sponsors

Over the past two years, a series of information security events called BSides has been organized across the U.S. and internationally (www.securitybsides.com).  These events vary in format, but share the common philosophies that they are free, open to anyone, and entirely organized and run by volunteers.  Another common trait they share is that they focus on the community where they are held, with mostly local speakers, local sponsors, and local vendors.

We are putting together a third BSides event for Pittsburgh, scheduled for June 2013.  Pittsburgh has a substantial presence in the information security world, with major universities, CERT, the NCFTA and an FBI Cyber Crime unit, and numerous software developers in a variety of industries.  Our goal is to bring many of them together to learn from each other, share information, and network.

In order to do this, and keep it free for all attendees, we are looking for both local and national organizations who are interested in sponsoring some portion of the event.  All BSides events are required to abide by a policy that there be no vendor booths or sales presentations; however, sponsors can be recognized at the event and in its materials.  Representatives from sponsor organizations are encouraged to participate in the event, as it's a great opportunity to meet other information security professionals in the area.  If you're interested in sponsoring Bsides Pittsburgh, please email bsidespgh@gmail.com.

 

 

Planners (bsidespgh@gmail.com)

 

• Dan Klinedinst (@dklinedinst) 
• Joe Wynn (@wynnjoe)
• Scott Kriebel (@smkriebel) 
• Scott Thomas (@notscottthomas)
• Tracy Cassidy 

 

Volunteers

 

•  add yourself...

 

Task List

(please -cross out- when it's done)

 

Tech

 

Wifi

Projector, White Boards

Photo

Video

Audio

Streaming or Stickam or Skype or Ustream or Livestream

 

Non-tech

 

Breakfast

Lunch

Coffee/Tea

Tables and chairs

 

 

Tags for flickr, twitter, blog, etc.

Please use the tag #BsidesPGH for content related to this event

 

• Thanks, @garignack for pictures:  http://www.flickr.com/photos/96395129@N08/sets/72157634127226917/
• https://plus.google.com/u/0/photos/113341126562760639366/albums/5890165159668974273?authkey=CNO6san0jPvoXw