BsidesNola2014


 

BsidesNOLA 2014 was a great success.  Find information about BSidesNOLA 2015 here!

 

Event details

 

When:

May 17, 2014

 

Where:

Hilton Garden Inn New Orleans Convention Center
1001 South Peters Street / New Orleans, LA 70130

Note: The venue is a 5-10 minute walk from the French Quarter

 

Cost: $10

 

Registration

 

Registration for BSidesNOLA 2014 is closed.  Registration information for BSidesNOLA 2015 can be found here!

 

CFP

 

The CFP ended on February 1st. Thanks to all who submitted!

 

 

Sponsors

 

Sponsor Logos

[Your Company's Logo Here!]

 

To request a sponsorship packet, please email bsidesnola [@] gmail.com.

 

Schedule

 

Three tracks run in parallel from 10:00; single-track items are listed once.

8:15   Registration Opens

8:45   Opening Remarks
       Andrew Case (@attrc), Volatility Foundation

9:00   Keynote
       Dionysus Blazakis (@justdionysus), Staff Software Engineer, FireEye

10:00  Track 1: Glenn Edwards (@hiddenillusion) & Ian Ahl (@tekdefense) - Mo' Memory No' Problems
       Track 2: Gillis Jones (@Gillis57) - AppSec Tl;Dr
       Track 3: Shannon Sistrunk (@shannonsistrunk) - Interpersonal Manipulation

11:00  Track 1: Brian Baskin (@bbaskin) - Introducing Intelligence into Malware Analysis
       Track 2: Davi Ottenheimer (@daviottenheimer) - Baby Got Risk: I like Big Data and I Can Not Lie
       Track 3: Dhia Mahjoub (@DhiaLite) - Quest for Botnets using DNS

12:00  Lunch!!

1:15   Firetalks
       10 five-minute talks, with the winner chosen by the audience at the end. Signups for firetalks will be available at the registration desk.

2:15   Track 1: David Stampley - Who Defines "Reasonable Security"? Lessons from the Field and Courtroom
       Track 2: Patrick Perry (@pjbperry) - Security Analysis of a Fingerprint Fuzzy Vault
       Track 3: Chris Sistrunk (@chrissistrunk) & Adam Crain - How 2 Good Guys Changed an Industry

3:15   Track 1: J. J. Guy (@jjguy) - The Changing Face of Intrusion Response
       Track 2: Dr. Golden Richard (@nolaforensix) - Reverse Engineering Go

4:15   Track 1: Sarah Edwards (@iamevltwin) - Reverse Engineering Mac Malware
       Track 2: Amol Sarwate (@amolsarwate) - 2014 - The year in which we cannot ignore SCADA
       Track 3: Chad Olivier (@techariah) - Responding to APT

5:15   Closing Remarks
       Conference Organizers

 

 

Talk Abstracts

 

Mo' Memory No' Problems

 

Memory forensics is an area that is increasingly gaining popularity; however, it is still something that is not leveraged as much as it should be.  Often times we find out that organizations/analysts either lack the capability to incorporate it into their analysis processes or they just do not truly understand or have a good knowledge of its usefulness.  

If people are applying the Pareto Principle (80-20 rule) to host based artifacts for their investigations then why can’t the same thought be applied to memory forensics?  In our experience, by grabbing this single artifact from an endpoint a majority of the questions we are tasked with are able to be answered.  We’re not saying everything can be answered in every instance, but enough for us to ask/take a memory dump any chance we can because we have had that much success.

This talk will touch on why/how we use memory forensics, some issues/limitations and odd use cases we have encountered and wrap up with some of our own war stories that have resulted in custom scripting, rules and plugins to be developed.

 

Introducing Intelligence into Malware Analysis

 

Malware analysis is the current en vogue topic for computer security companies and careers. However, many are still approaching malware the same way their forefathers did a decade ago. Malware analysis without intelligence leads to slower responses, duplication of effort, and disparate results for each incident. These issues are mitigated by taking a systematic, layered approach to analysis that can then be applied to your organization's overall security posture through Free Open Source Software.

 

Security Analysis of a Fingerprint Fuzzy Vault

 

Given revelations of the last year there has been much discussion surrounding what encryption schemes are vulnerable to attack.  While I am an incident responder by trade, I studied a popular fingerprint fuzzy vault looking for vulnerabilities in the implementation of this specific form of biometric authentication.  As I am not a professional cryptographer I used some unique approaches drawing on my experiences in network security to help me show that a particular fingerprint fuzzy vault is not as secure as advertised and propose a solution to the problem.  In this talk you will learn things you did not know about fingerprints, how they are used for biometric authentication and hopefully gain an appreciation of the inherent difficulty with this system.  Finally, you will see the process I went through, as someone without a PhD in math, in trying to show that a crypto system is flawed.

 

Who Defines "Reasonable Security"? Lessons from the Field and Courtroom

 

Under prevailing legal standards, organizations must implement “reasonable” safeguards to control “material” security risks. Those terms are hard to define, and enforcement cases tend to focus on the outer bounds of what not to do. However, by reading between the lines, the cases reveal some outside-the-box, affirmative steps security practitioners can take, individually and collectively, pre- and post-event.

 

Baby Got Risk: I like Big Data and I Can Not Lie

 

We are meant to measure and manage data with more precision than ever before using Big Data. Are we taking on too much risk too fast? Companies are getting Hadoopy often with little or no consideration of security. 
 
 
The Changing Face of Intrusion Response

Intrusion Response has traditionally been an ad hoc, as-needed activity, rarely required by most enterprises. But the increasing volume of targeted attacks repeatedly demonstrates the "inevitability of compromise," painfully exposing the immaturity of most intrusion response programs. As a result, more and more enterprises are developing organic, in-house intrusion response programs (or increasing the contact with their existing IR contract support to be closer to an MSSP).

As organizations mature, they are rapidly finding the traditional IR tools and procedures are woefully inadequate for sustained, day to day operations.   I'll present a roadmap for where I see IR going over the course of the next several years.

Reverse Engineering Mac Malware

Dynamic malware reverse engineering helps forensic analysts and reverse engineers gather quick data points such as callout domains, file download URLs or IP addresses, and dropped or modified files. These methods have long been used on Windows malware...so why not Mac malware? This presentation introduces the audience to methods, tools, and resources to assist reversing Mac binaries with a Mac. Topics include the Mach-O file format, virtualization, analysis VM setup, and various analysis tools (native and 3rd-party). This presentation is intended for those familiar with dynamic analysis (with a touch of static thrown in) or for those reverse engineering masters of the Windows executable to get an introductory idea of how to start analyzing Mac malware.
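An added example of the "touch of static" the abstract mentions, written for this page and not taken from the talk or its tools: a Mach-O load-command walker that pulls the data points an analyst records before detonating a sample (architecture, file type, segments, linked dylibs, rpaths, LC_MAIN entry offset) and bounds-checks each command against sizeofcmds so a hostile header cannot walk it off the end. The sample image is constructed by build_sample_macho() (header and load commands only, no code); the dylib paths in it and the "loader-relative or writable path is suspicious" triage rule are assumptions for the demo, not facts from the page.

```python
"""Added example, not from the BSidesNOLA 2014 page or the speaker's talk: a small
Mach-O load-command walker for the static data points worth collecting before a
sample is detonated. build_sample_macho() constructs a header-only x86_64 image for
the demo; it is not a real binary and the paths in it are made up."""
import struct

MH_MAGIC, MH_MAGIC_64, FAT_MAGIC = 0xFEEDFACE, 0xFEEDFACF, 0xCAFEBABE
LC_SEGMENT, LC_SEGMENT_64, LC_MAIN = 0x1, 0x19, 0x80000028
LC_LOAD_DYLIB, LC_LOAD_WEAK_DYLIB, LC_RPATH = 0xC, 0x80000018, 0x8000001C
PATH_CMDS = {LC_LOAD_DYLIB: "dylibs", LC_LOAD_WEAK_DYLIB: "weak_dylibs", LC_RPATH: "rpaths"}
CPU_NAMES = {0x01000007: "x86_64", 0x0100000C: "arm64", 0x7: "i386"}
FILETYPES = {2: "MH_EXECUTE", 6: "MH_DYLIB", 8: "MH_BUNDLE"}


def _cstr(buf):
    return buf.split(b"\0", 1)[0].decode("utf-8", "replace")


def parse_macho(data):
    """Return arch, file type, segments, linked dylibs, rpaths and the LC_MAIN entry offset."""
    (le,), (be,) = struct.unpack_from("<I", data), struct.unpack_from(">I", data)
    if be == FAT_MAGIC:
        raise ValueError("fat/universal binary: split the slices out first (lipo -thin)")
    if le in (MH_MAGIC, MH_MAGIC_64):
        endian, magic = "<", le
    elif be in (MH_MAGIC, MH_MAGIC_64):
        endian, magic = ">", be
    else:
        raise ValueError("not a Mach-O image")
    is64 = magic == MH_MAGIC_64
    cputype, _sub, filetype, ncmds, sizeofcmds, _flags = struct.unpack_from(endian + "6I", data, 4)
    off = 32 if is64 else 28                      # mach_header_64 carries an extra 'reserved' field
    end = off + sizeofcmds
    info = {"arch": CPU_NAMES.get(cputype, hex(cputype)), "filetype": FILETYPES.get(filetype, filetype),
            "segments": [], "dylibs": [], "weak_dylibs": [], "rpaths": [], "entryoff": None}
    for _ in range(ncmds):
        cmd, cmdsize = struct.unpack_from(endian + "2I", data, off)
        if cmdsize < 8 or off + cmdsize > end:     # hostile/malformed header: never read past sizeofcmds
            raise ValueError("load command at offset %d overruns the header" % off)
        if cmd in (LC_SEGMENT_64, LC_SEGMENT):
            fmt = endian + ("4Q4I" if cmd == LC_SEGMENT_64 else "8I")
            vmaddr, vmsize, fileoff, filesize, _maxprot, initprot, nsects, _fl = struct.unpack_from(fmt, data, off + 24)
            info["segments"].append({"name": _cstr(data[off + 8:off + 24]), "vmaddr": vmaddr, "vmsize": vmsize,
                                     "fileoff": fileoff, "filesize": filesize, "initprot": initprot, "nsects": nsects})
        elif cmd in PATH_CMDS:
            # dylib_command and rpath_command both begin with an lc_str: a uint32 offset,
            # relative to the command start, of a NUL-terminated path inside the command
            (name_off,) = struct.unpack_from(endian + "I", data, off + 8)
            info[PATH_CMDS[cmd]].append(_cstr(data[off + name_off:off + cmdsize]))
        elif cmd == LC_MAIN:
            (info["entryoff"],) = struct.unpack_from(endian + "Q", data, off + 8)
        off += cmdsize
    return info


def suspicious_load_paths(info):
    """Triage heuristic (an assumption for this demo, not a rule): loader-relative or
    user-writable dylib/rpath locations deserve a look; /usr/lib and /System are the norm."""
    ok_prefixes = ("/usr/lib/", "/System/")
    return [p for p in info["dylibs"] + info["weak_dylibs"] + info["rpaths"]
            if not p.startswith(ok_prefixes)]


def _lc_with_path(cmd, fixed_fmt, path):
    """Build a dylib/rpath command: fixed part, then the NUL-terminated path padded to 8 bytes."""
    body = path.encode() + b"\0"
    body += b"\0" * (-len(body) % 8)
    fixed = struct.calcsize(fixed_fmt)
    extra = (2, 0x10000, 0x10000) if cmd != LC_RPATH else ()   # timestamp, current/compat version
    return struct.pack(fixed_fmt, cmd, fixed + len(body), fixed, *extra) + body


def build_sample_macho():
    """Constructed header-only x86_64 MH_EXECUTE: __TEXT segment, LC_MAIN, two dylibs, one rpath."""
    seg = struct.pack("<2I16s4Q4I", LC_SEGMENT_64, 72, b"__TEXT", 0x100000000, 0x1000, 0, 0x1000, 7, 5, 0, 0)
    main = struct.pack("<2IQQ", LC_MAIN, 24, 0xF80, 0)
    cmds = (seg + main
            + _lc_with_path(LC_LOAD_DYLIB, "<6I", "/usr/lib/libSystem.B.dylib")
            + _lc_with_path(LC_LOAD_DYLIB, "<6I", "@executable_path/../Resources/libupdate.dylib")
            + _lc_with_path(LC_RPATH, "<3I", "/tmp/.cache"))
    header = struct.pack("<8I", MH_MAGIC_64, 0x01000007, 3, 2, 5, len(cmds), 0x200085, 0)
    return header + cmds


if __name__ == "__main__":
    parsed = parse_macho(build_sample_macho())
    for key, value in parsed.items():
        print(key, value)
    print("suspicious:", suspicious_load_paths(parsed))
```

On a real sample, read the file with open(path, "rb") and pass the bytes to parse_macho; universal binaries must be thinned to one slice first, which the parser refuses explicitly rather than silently misreading the fat header. The segment list and initprot values are what you compare against a run under a debugger or dtrace to spot code that maps executable memory outside __TEXT.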

2014 - The year in which we cannot ignore SCADA

This session is the result of a yearlong study of the most recent SCADA vulnerabilities that affected industrial control systems and critical infrastructure. The study includes root cause analysis, attack vector scrutiny, consequence of successful attack and finally remediation study for SCADA vulnerabilities in the past year.

Since this talk does not intend to target any one specific SCADA vendor, I will discuss 1 vulnerability for each vendor including Emerson, Siemens, Schneider, GE, Matrikon, Schweitzer, Invensys Wonderware, Triangle Research, RuggedCom, Monroe Electronics, Advantech, OSIsoft, Korenix, Galil, SUBNET, IOServer, Cogent, SafeNet, Weidmüller, Moxa and others.

Attendees will get an insight into the factors that resulted in the nature, magnitude and timing of the harmful outcomes in order to identify what actions need to be taken to prevent recurrence of similar harmful outcomes. The presentation will study different attack vectors and payloads by which a malicious entity can gain access or completely compromise critical infrastructure or industrial control systems. It will also study in detail the immediate consequences of a successful attack and the repercussions that it can have on the SCADA network and organization. The presenter will discuss many real life vulnerability case studies as well as present aggregate results for all vulnerabilities included in the study. Based on this aggregation the presenter will offer strategies, policies and best practices for attack mitigation which can be used by attendees in their day-to-day field of work. The presentation will conclude with guidance on how these best practices can be leveraged by control system owners to get to an acceptable level of security. Attendees who are in charge of control system infrastructure will get insight on vulnerabilities that affected their systems. Engineers who are in charge of security for control systems will get a better technical insight of attacks. Attendees who are new to control systems will get an excellent overview of the security complexities of control systems.

Reverse Engineering Go

go is an expressive, powerful language with a well-developed set of standard packages, in development by Rob Pike and others at Google.  go exhibits sufficient performance to replace C for a wide range of application types, while being arguably much easier to develop in, and go is sufficiently expressive to replace popular scripting languages like Python, Ruby, and Perl, while providing much better performance.  go generates statically compiled executables for a number of platforms, including Mac OS, Windows, FreeBSD, and Linux. As might be expected, there's evidence that malware is now being written in go and the attraction is obvious: portability, powerful libraries and executables w/o external dependencies.  This talk focuses on an aspect of go that has so far received little attention: reverse engineering go applications.  The talk covers the basics of go, quirks that may impair reverse engineering attempts, and several detailed examples.  Attendees are assumed not to be prone to psychotic episodes when exposed to Intel assembler and to be at least a little bit interested in go.

AppSec Tl;Dr

Have you ever wondered what it takes to get one of those "Elusive" bug bounties that people are always snapping up? In this presentation, Gillis Jones will walk you through the fundamentals of the web, and on to the art of hacking the planet. Complete with war stories, examples, secrets that the professionals try and keep quiet, and suggestions on "How to Hack"- this presentation aims to bring you to a level of proficiency in hacking the web in 60 minutes or less.

Responding to APT

In 2012, one of the largest data breaches took place. This talk covers the entire process of incident response to the APT from day one on site, through mitigation and finally remediation. The attackers were inside the network of a major credit card processor for months without their knowledge, using interesting techniques for data exfiltration including IPv6 tunneling and DNS lookups and responses for data exfiltration as well as command and control. The attackers modified several known exploit and payload packages to accomplish their task including tools such as stacheldraht and stuxnet. The talk will begin with the first day of our arrival onsite to find little to no security in place, tracking down the entry points, running forensics on database systems and discovered malware, setting up security tools and assisting in redesigning the security department, placing a SOC in the organization, and hardening the entire network.

How 2 Good Guys Changed an Industry
 
Adam Crain @jadamcrain and I have been fuzz testing SCADA devices for almost a year.  We have been focusing on DNP3 protocol to start.  We all know fuzzing/negative testing isn't new...and other SCADA researchers have done this starting about 10 years ago.  We have 30 tickets in with ICS-CERT and 17 have been made public and a patch is available.  Why are vendors responding now?  Why didn't they respond and start testing a decade ago?  I will talk about my theories as to why and talk about some war stories and lessons learned.

It should be a fun and less technical

Quest for Botnets using DNS

Botnets present a significant threat on the Internet. A botnet consists of a large collection of bots typically running on compromised hosts that receive instructions from Command and Control (CnC) servers. Botnets are used for various malicious tasks such as spam distribution, click-fraud, malware distribution, DDoS attacks, or stealing and exfiltrating sensitive data.

In this talk, we investigate a few current botnets and describe original methods to track and identify them based on DNS traffic analysis, graph clustering and threat intelligence feeds. The studied botnets have different characteristics and profiles, e.g. Fast flux and DGA botnets. We examine examples like Kelihos, Zeus, Ramnit, Pushdo, Sality, etc.
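An added example of the three ingredients the abstract names (DNS traffic analysis, graph clustering, and profiles for fast-flux and DGA botnets), written for this page rather than taken from the talk or from OpenDNS: a fast-flux detector keyed on low TTLs and answers scattered across many /24s, a DGA detector keyed on one client producing many NXDOMAIN responses for high-entropy labels, and a union-find over the name-to-answer-IP graph that groups names sharing infrastructure. The passive-DNS style records, the thresholds, and the /24 approximation are all constructed assumptions for the demo; no public-suffix list is used, so sld() is deliberately naive.

```python
"""Added example, not from the BSidesNOLA 2014 page or the speaker's talk:
three cheap DNS-traffic heuristics of the kind a botnet hunt starts from.
The records below are constructed, not real traffic; thresholds are assumptions."""
import math
from collections import Counter, defaultdict

# Constructed passive-DNS style records: (timestamp, client, qname, answer_ip or None for NXDOMAIN, ttl)
RECORDS = [
    (1, "10.0.0.5", "www.example-news.com", "93.184.216.34", 3600),
    (2, "10.0.0.6", "www.example-news.com", "93.184.216.34", 3600),
    (3, "10.0.0.7", "www.example-news.com", "93.184.216.35", 3600),
    # fast-flux pattern: low TTL, answers hop across unrelated /24s
    (1, "10.0.0.5", "update-flux.example.net", "5.6.7.8", 60),
    (2, "10.0.0.5", "update-flux.example.net", "77.1.2.3", 60),
    (3, "10.0.0.5", "update-flux.example.net", "181.4.5.6", 60),
    (4, "10.0.0.5", "update-flux.example.net", "200.9.9.9", 60),
    (5, "10.0.0.5", "update-flux.example.net", "31.3.3.3", 60),
    # a second name sharing one flux IP: a pivot the graph step should group with the first
    (2, "10.0.0.6", "cdn-flux.example.org", "77.1.2.3", 60),
    (4, "10.0.0.6", "cdn-flux.example.org", "203.0.113.7", 60),
    # DGA pattern: one client burns through random-looking names, almost all NXDOMAIN
    (1, "10.0.0.9", "xk3j9qz0pm2v.com", None, 0),
    (1, "10.0.0.9", "qw8rt7yu1oa5.net", None, 0),
    (2, "10.0.0.9", "zl0p9m2n3b4v.biz", None, 0),
    (2, "10.0.0.9", "ah7d6s5f4g3h.org", None, 0),
    (3, "10.0.0.9", "wk2e1r0t9y8u.com", "6.6.6.6", 300),
]


def sld(qname):
    """Registrable label, naively: 'xk3j9qz0pm2v' from 'xk3j9qz0pm2v.com' (no public-suffix list)."""
    labels = qname.lower().rstrip(".").split(".")
    return labels[-2] if len(labels) >= 2 else labels[0]


def shannon_entropy(s):
    """Bits per character; random DGA labels sit near log2(alphabet), dictionary words much lower."""
    if not s:
        return 0.0
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in Counter(s).values())


def fast_flux_candidates(records, max_ttl=300, min_ips=4, min_prefixes=3):
    """Names whose answers carry a short TTL and spread over many IPs in many /24s."""
    seen = defaultdict(lambda: {"ips": set(), "prefixes": set(), "min_ttl": None})
    for _ts, _client, qname, rdata, ttl in records:
        if rdata is None:
            continue
        d = seen[qname]
        d["ips"].add(rdata)
        d["prefixes"].add(rdata.rsplit(".", 1)[0])   # /24 approximation
        d["min_ttl"] = ttl if d["min_ttl"] is None else min(d["min_ttl"], ttl)
    return {q: {"ips": len(d["ips"]), "prefixes": len(d["prefixes"]), "min_ttl": d["min_ttl"]}
            for q, d in seen.items()
            if d["min_ttl"] <= max_ttl and len(d["ips"]) >= min_ips and len(d["prefixes"]) >= min_prefixes}


def dga_suspects(records, min_entropy=3.3, min_nx=3):
    """Clients with >= min_nx NXDOMAIN answers for high-entropy labels: the classic DGA tell."""
    nx = defaultdict(list)
    for _ts, client, qname, rdata, _ttl in records:
        if rdata is None and shannon_entropy(sld(qname)) >= min_entropy:
            nx[client].append(qname)
    return {c: names for c, names in nx.items() if len(names) >= min_nx}


def shared_infra_clusters(records):
    """Connected components of the name<->answer-IP graph (union-find): names that ever
    resolved to a common IP land together, a cheap stand-in for the graph-clustering step."""
    parent = {}

    def find(x):
        parent.setdefault(x, x)
        while parent[x] != x:
            parent[x] = parent[parent[x]]
            x = parent[x]
        return x

    for _ts, _client, qname, rdata, _ttl in records:
        if rdata is not None:
            parent[find(("name", qname))] = find(("ip", rdata))
    groups = defaultdict(set)
    for node in list(parent):
        if node[0] == "name":
            groups[find(node)].add(node[1])
    return sorted((sorted(g) for g in groups.values()), key=lambda g: (-len(g), g))


if __name__ == "__main__":
    print("fast-flux:", fast_flux_candidates(RECORDS))
    print("DGA:", dga_suspects(RECORDS))
    print("clusters:", shared_infra_clusters(RECORDS))
```

The three checks are deliberately independent so each can be tuned against a baseline of your own resolver logs: CDNs also use short TTLs but stay inside a few provider prefixes, and hyphenated brand names can score surprisingly high on entropy, which is why the DGA rule only counts NXDOMAIN answers. The clustering output is where threat-intelligence feeds plug in: one confirmed C2 IP in a component taints every name attached to it.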

Interpersonal Manipulation

This talk will explore Interpersonal Manipulation and the theories that support it. During the talk we will look at how competency in nonverbal communication and your emotional IQ affect your ability to effectively detect and use deception. We will also unpack the term Social Engineering and see what it really means.

 

Speaker Bios

 

Glenn Edwards

 

Glenn P. Edwards Jr. (@hiddenillusion) is a Senior Incident Response Consultant with FireEye Labs where he specializes in Incident Response, Digital Forensics and Malware Analysis. Glenn holds an M.S. degree in Digital Forensics from the University of Central Florida as well as a B.S. degree in Information Security and Privacy from High Point University.

 

Ian Ahl

 

Ian Ahl (@TekDefense) is a Senior Incident Response Consultant with FireEye Labs. While responsible for many facets of DFIR, his areas of focus are Network and Memory forensics. Ian holds an M.S. degree in Information Technology. Additionally he writes articles and produces video tutorials on Information Security topics at http://www.TekDefense.com

 

Gillis Jones

 

A giant of a man, Gillis Jones is currently employed as a Security Consultant at Accuvant Labs. He has been engaged in web application security for the last four years, and has worked with companies to increase their security posture all the way from a Stealth Startup to a multi-million dollar business with hundreds of employees. He is the founder of the Badmin Project,  and has worked with dozens of entry level security people to assist them in becoming "1337".

 

Chris Sistrunk

 

Chris is a Sr. Consultant at Mandiant/FireEye on their new ICS/SCADA team. Before joining Mandiant, Chris was at Entergy for 11+ years as an Engineer, with the last 5 as SCADA SME for Transmission. Chris is a Sr. Member of the IEEE, a registered Professional Engineer, and is a member of the DNP3 Technical Committee. He also was partnered with Adam Crain on Project Robus - An ongoing search for vulnerabilities in SCADA/ICS protocols.  He has his BS in Electrical Engineering and MS in Engineering and Technology Management from Louisiana Tech University. Chris also founded and organizes BSidesJackson, Mississippi’s only security conference, since 2012.  

 

Shannon Sistrunk

 

Shannon Sistrunk has a B.A. in Speech Communication from Louisiana Tech University and an M.S. in Applied Communication from Mississippi College.  She is the owner of Bayou Communications LLC, specializing in corporate, interpersonal & nonverbal communication, social engineering, and more.  Most importantly, she has been married to Chris Sistrunk for almost 15 years, and it's been a blast! They have two children, ages 10 and 6. Shannon gets to test her skills daily against the best SEs ever: her kids.

 

Brian Baskin

 

Brian Baskin is a digital forensics professional and incident responder with RSA. Brian was previously an intrusions analyst and malware analyst/reverse engineer for the Defense Computer Forensics Laboratory, part of the Defense Cyber Crime Center. For nearly 15 years Brian has worked to research, develop, and train responses to growing network threats. Brian devotes much of his time to researching malware, network protocols, and Linux and UNIX intrusion responses. He has authored numerous books on computer security and developed software to allow for more efficient intrusion and malware analysis. Brian is also a ginger.

 

Kati Rodzon

 

Kati Rodzon has over a decade of experience in statistics, research methodology, cognition, behavior, and all things human. She has managed content development and helped create security awareness programs that focus on experimentation, data collection and analysis for programs that are unique to each organization's culture. She also has experience in the creation and implementation of customized enterprise behavioral content/modification plans, has created and tested methodology for cultural gap analysis services, and has consulted in creating effective social engineering tools and testing penetration testing scenarios. As an independent contractor Kati continues to work in the security industry creating tools and programs that effectively reach users across an entire organization and motivate them to learn as well as engage in the material.

 

Dhia Mahjoub

 

Security researcher at OpenDNS, Dhia Mahjoub works on research and development problems involving DNS, security, big data analysis, and networks. Dhia holds a PhD in Computer Science from Southern Methodist University, Dallas, with a specialty in graph theory applied to Wireless Sensor Networks. He presented at BSides NOLA, APWG eCrime, BSides Raleigh, BotConf and will be talking at the upcoming BSides San Francisco. He is also part of the non-profit security research group MalwareMustDie, helping track botnets and other malicious sources on the Internet.

 

David Stampley

 

Dave Stampley, a partner at KamberLaw in New York, represents plaintiffs nationwide in information-technology-related class actions. Previously, he has served as general counsel and compliance specialist for Chicago-based Neohapsis and director of privacy for a Fortune 1000 retail management technology vendor. In public service, as an Assistant Attorney General in New York, he led landmark privacy and security enforcement actions to protect consumers' interests. He began his legal career as a prosecutor in the Manhattan D.A.'s office.


Patrick Perry

 

Patrick is a Systems Engineer at Mandiant.  He has a strong background in digital forensics and incident response and an interest in network security monitoring.  He has worked in federal law enforcement, consulting and as a member of the GE-CIRT where he got to learn from some of the best people in the field.  He received an MS in Computer Science from James Madison University in 2013 where his thesis work was on the fingerprint analysis he is discussing here.

 

J. J. Guy

 

J.J. spent twelve years in federal cyber operations, including an active duty tour with the Air Force’s Information Warfare Center and as Director/General Manager of one of the top providers of federal CNO R&D services, with about one hundred kernel programmers, reverse engineers and vulnerability researchers supporting a dozen different federal programs.

J.J.'s time in the Air Force gave him an intimate understanding of the shortfalls of enterprise network defense technology.  Frustrated by the "state of the art" and narrow thinking of industry, he has been a strong advocate for shifting investment from protection to detection and response since 2002.  As a full-stack engineer, proven leader and public speaker, he can move from the lab to the podium to the boardroom and back.  J.J. has a BS in computer engineering from Case Western and an MS in Computer Science from Johns Hopkins.

 

Dr. Golden Richard

 

Golden G. Richard III has over 35 years of experience in computer systems and computer security and is currently Professor of Computer Science, University Research Professor, and Director of the Greater New Orleans Center for Information Assurance (GNOCIA) at the University of New Orleans, where he has taught and conducted research for the past 20 years.  He's also the founder and owner of Arcane Alloy, LLC, a private digital forensics and computer security company.  Golden earned a B.S. in Computer Science (with honors) from the University of New Orleans and an M.S. and Ph.D. from The Ohio State University. His first floppy drive cost $600 and required financing. Golden is also a professional music photographer--you can check out his work at High ISO Music.

 

Sarah Edwards

 

Sarah is a senior digital forensic analyst who has worked with various federal law enforcement agencies. She has performed a variety of investigations including computer intrusions, criminal, counter-intelligence, counter-narcotic, and counter-terrorism. Sarah's research and analytical interests include Mac forensics, mobile device forensics, digital profiling and malware reverse engineering. Sarah has presented at the following industry conferences: Shmoocon, CEIC, TechnoSecurity, HTCIA and the SANS DFIR Summit. She has a Bachelor of Science in Information Technology from Rochester Institute of Technology and a Masters in Information Assurance from Capitol College.

 

Davi Ottenheimer

 

Davi Ottenheimer, EMC Senior Director of Trust, has more than nineteen years' experience managing global security operations and assessments, including a decade of leading incident response and digital forensics. He is author of "The Realities of Big Data Security" and co-author of the book "Securing the Virtual Environment: How to Defend the Enterprise Against Attack".

 

Amol Sarwate

 

Amol heads Qualys' team of security engineers who manage vulnerability research. His team tracks emerging threats and develops new vulnerability signatures for Qualys' vulnerability management service. Amol is a veteran of the security industry and has devoted his career to protecting, securing and educating the community from security threats. At Network Associates, he contributed in the development of security products like CyberCop Scanner and Gauntlet Firewall. At Hitachi Semiconductor, Amol managed a team that developed device drivers for RISC processor based boards. Amol has presented his research on Vulnerability Trends, Security Axioms and SCADA security at numerous security conferences, including RSA Conference, BlackHat, Hacker Halted, BSides, InfoSec Europe, NullCon, GrrCon, Homeland security Network HSNI and FS/ISAC. He regularly contributes to the SANS Top 20 expert consensus identifying the most critical security vulnerabilities. He writes the "HOT or NOT" column for SC Magazine.
Web: http://security-pulse.blogspot.com/

 

Chad Olivier

 

Chad Olivier is the owner of Shades of Gray Security. He has over a decade of experience in IT security. He has worked in every industry performing social engineering, reverse engineering, penetration testing, vulnerability research, and has been involved with incident response to some of the largest breaches in history.

 

 

Planners

 

     Organizers:

  • Vico Marziale - @vicomarziale
  • Andrew Case  - @attrc
  • Joe Sylve       - @jtsylve
  • Diana Hellickson 

Volunteers

 

  • Registration Desk 1 -
  • Registration Desk 2 -
  • Breakfast                -

 

If you would like to fill any of the volunteer spots or just volunteer in general then please contact us.

 

Registration

 

Registration can be found on our eventbrite page: https://www.eventbrite.com/e/bsides-nola-2014-tickets-9618726871

 

Task List

 

Tech

 

Wifi

Projector

Photo

Video

Audio

Streaming or Stickam or Skype or Ustream or Livestream

 

Non-tech

 

Coffee & Beignets   -

Beverages              -

Badges & Lanyards -

Venue                    -

A/V Equipment       -

T-Shirts                  -

 

 

 

Tags for flickr, twitter, blog, etc.

Please use the tag #BSidesNola for content related to this event