BSidesSF 2018 has ended


Sunday, April 15
 

9:00am PDT

Breakfast
Sunday April 15, 2018 9:00am - 10:00am PDT
City View - Presidio

9:00am PDT

Resume Rewriting
Peerlyst volunteers will help you improve your resume and re-write it with you. Make sure to have your resume as an email attachment you can forward to the volunteers if you're interested in this service. There will be a calendar on the wall with time slots. Just put your name/handle in the slot that suits you to schedule resume rewriting.

Sunday April 15, 2018 9:00am - 11:00am PDT
City View - Embarcadero

9:00am PDT

IoT Village


Sunday April 15, 2018 9:00am - 5:00pm PDT
City View - Embarcadero

9:00am PDT

Lockpick Village
Lockpick Extreme and TOOOL SF will be hosting a lockpick village and pop-up shop this year. TOOOL will have locks and picks to borrow, along with volunteers to help you learn, so you can pick to your heart's content. Lockpick Extreme will have a pop-up shop so you can take your love of lockpicking home with you. Lockpick sets, practice locks, their lockpick earrings, and other gear will be available. Whether you've never picked before or you're a pro, you're welcome to stop by!

Villagers
Lockpick Extreme

Bob and Christine’s Lockpick Extreme provides fun, informative, entertaining hands-on training in the arts of lockpicking and handcuff escape. Participants learn how to open real world locks and handcuffs using professional tools and techniques. Once mastering the basic skills...

TOOOL SF

TOOOL SF is The Open Organisation Of Lockpickers San Francisco Bay Area Chapter, a group of locksport hobbyists dedicated to the advancement of locks and lockpicking.

Sunday April 15, 2018 9:00am - 5:00pm PDT
City View - Embarcadero

9:00am PDT

Spymaster Challenge
Like to pick locks? Think you have what it takes to escape? Come join Cisco's CSIRT on our Gringo Warrior-inspired IoT'd Spymaster Challenge and see how your picking skills stack up against other conference attendees. Role-play your escape as a captured spy by navigating a timed course consisting of a series of locks of varying difficulty.

Sunday April 15, 2018 9:00am - 5:00pm PDT
City View - Embarcadero

9:00am PDT

Capture The Flag
Our CTF (capture the flag) competition will be running from 9am Sunday till 4pm Monday. It'll have a range of challenges at all difficulty levels, and we'll have folks on-site in the CTF room for hints and guidance. Everyone is welcome! Individuals, teams, or whatever! Bring your laptop!

The server will be available for the full duration of the conference, including overnight, and anyone is allowed to play and help. Note that at least one player must be on-site to claim your prize, though!

Sunday April 15, 2018 9:00am - 6:00pm PDT
City View - SoMa

9:00am PDT

Information Desk
Sunday April 15, 2018 9:00am - 6:00pm PDT
City View - Lobby

9:00am PDT

Registration
Sunday April 15, 2018 9:00am - 6:00pm PDT
City View - Lobby

9:00am PDT

Sponsor Registration
Sunday April 15, 2018 9:00am - 6:00pm PDT
City View - Coat Check

9:00am PDT

T-shirt Sales
Sunday April 15, 2018 9:00am - 6:00pm PDT
City View - Coat Check

9:00am PDT

Coat Check
Sunday April 15, 2018 9:00am - Monday April 16, 2018 12:00am PDT
City View - Coat Check

10:00am PDT

Opening Remarks
Presenters
Reed Loden

VP of Security, Teleport
Reed Loden is the Vice President of Security at Teleport, a technology company that helps organizations securely access their infrastructure. He is an information security expert, researcher, hacker, and developer. Reed brings over 15 years of security experience to his role at Teleport...


Sunday April 15, 2018 10:00am - 10:10am PDT
AMC - IMAX

10:10am PDT

From Bounties to Bureaucracy - The Hidden Market Factors of Exploit Economics
Bug bounty programs are nearly ubiquitous today, but that wasn’t always the case. When the Zero Day Initiative (ZDI) was founded in 2005, bug bounty programs were considered to be a rare and somewhat controversial commodity. Now they are seen as an indispensable means for companies to acquire bug reports. Our initial goals were similar. The ZDI program extended our own research team by leveraging the methodologies, expertise, and time of others around the globe. Imagine adding more than 3,000 independent researchers from around the world to your team. Having the program asymmetrically enhanced our research capabilities through vulnerability acquisition. The program also provided the data needed to protect our customers while the affected vendor worked on a patch. Since that time, the program has awarded more than $15 million USD while ensuring nearly 4,000 0-day exploits were patched by vendors, all of which makes the computing landscape a safer space and makes ZDI the world’s largest vendor-agnostic bug bounty program.
 
Even if you don’t participate in a bounty program, they impact you and the systems you defend. Over the last decade, mature bug bounty programs have evolved from simply acquiring bug reports to providing real insights into vulnerability and exploit trends. Bug submissions to the available bounty programs had the unintended consequence of effectively crowd-sourcing vulnerability intelligence by showing industry trends and state-of-the-art exploitation methodologies. Bounty programs impact the exploit marketplace while disrupting exploit efforts of advanced threats and persistent actors. These programs have tracked the rise and fall of bug classes over the years, and they’ve tracked the rise and impact of government regulations in different regions of the globe. As shown in recently leaked government documents, bug reports that come through bounty programs disrupt various pieces of the exploit market and force bad actors to change their exploit techniques. When combined with top-tier, in-house researchers, the best programs are capable of predicting the next major attack surface that will become popular based on what bugs are submitted to the program.

Join ZDI Director Brian Gorenc as he covers the current landscape of bounty programs and the winding, often controversial road that led us here. He also covers the vulnerability economy and the role bug bounties play in shaping the exploit marketplace. Finally, he’ll show how effectively run programs have disrupted exploit usage in the wild.

Presenters
Brian Gorenc

Director of Vulnerability Research, Trend Micro
Brian Gorenc is the director of Vulnerability Research with Trend Micro. In this role, Gorenc leads the Zero Day Initiative (ZDI) program, which represents the world's largest vendor-agnostic bug bounty program. His focus includes analyzing and performing root-cause analysis on hundreds...


Sunday April 15, 2018 10:10am - 10:50am PDT
AMC - IMAX

11:00am PDT

Starting a security program: Thrills and Spills
Building a security program sounds exciting and exhilarating. Security practitioners tend to focus on technology and policy skills in preparation for such an opportunity. But developing good emotional intelligence is critical for the role of a security program builder.

Why would the engineering team dedicate cycles to turn on find-sec-bugs, resolve all findings and then be willing to fail the build pipeline on errors? Why would the product team design strong authentication mechanisms that could negatively impact the user registration funnel? How do you identify and engage key personnel in incident response tabletop exercises? How do you rally company resources to resolve the findings of penetration tests? What would encourage employees to report issues and help investigations without the fear of blame or shame?

This presentation discusses the journey of the first security engineer at Lyra Health who had the prerogative and responsibility of setting the security aspirations for the management, employees and customers. With that one single engineer focused on security and supported by a flourishing culture of shared responsibility, Lyra Health achieved HITRUST compliance in the first year of the security program and continues to satisfy stringent requirements from customers.

The key to achieving such cohesion at Lyra Health was an emotional awareness of the purpose, process and demands of each team. With that understanding in place, security gets invited early to projects, participates creatively in problem solving and contributes as a determined enabler for the collective success of the company.

Presenters
Poornaprajna Udupi

CISO, LyraHealth, Inc.
Poornaprajna is currently the CISO at Lyra Health, responsible for Security, Compliance, Cloud Infrastructure, IT and facilities. Previously, he managed product and application security at Netflix, and developed scalable, multi-tier web systems for cloud security and API development...



Sunday April 15, 2018 11:00am - 11:30am PDT
AMC - IMAX

11:00am PDT

Deconstructing APT28's XAgent for OSX
Until now, APT28's XAgent was only available for the Windows, Linux and iOS operating systems. We've now discovered a macOS version, which brings more spying capabilities such as key-logging, screen grabbing, file exfiltration and stealing iOS backups from Mac computers, which contain messages, contacts, voicemail, call history, notes, calendar and Safari data.

The macOS version is the most advanced version of APT28 in terms of cyber espionage capabilities.

Presenters
Tiberius Axinte

Team Lead, Cyber Threat Intelligence Lab, Bitdefender
With eight years’ experience in the security industry, Tiberius Axinte is a Team Lead in the Cyber Threat Intelligence Lab, leading the macOS/iOS/Linux detection team.


Sunday April 15, 2018 11:00am - 11:30am PDT
City View - Presidio

11:00am PDT

Keep it Like a Secret: When Android Apps Contain Private Keys
We all have secrets. And the way we keep them secrets is by not telling them to others. Either because of inappropriate design, or by sheer accident, many publicly-available Android applications include private keys in them. By processing over 1 million applications from the Google Play Store, I have found thousands of private key files that are not private. Discovered private keys include PGP private keys, SSH private keys, OpenVPN keys, Android app signing keys, iOS app signing keys, HTTPS web server keys, and more. Password cracking techniques will also be discussed. Especially with password-protected private keys that are not used by the Android applications themselves, the key details and potential uses for them cannot be known until they are cracked.

Presenters
Will Dormann

Software Vulnerability Analyst, CERT Coordination Center (CERT/CC)
Will Dormann has been a software vulnerability analyst with the CERT Coordination Center (CERT/CC) since 2004. His focus areas include web browser technologies, ActiveX, and fuzzing. Will has discovered thousands of vulnerabilities using a variety of tools and techniques.



Sunday April 15, 2018 11:00am - 11:30am PDT
AMC - Theatre 7

11:00am PDT

Living Security Escape Room (Session 1.1)
Limited Capacity: full

The Living Security Escape Room is a unique and fun way to network with security professionals while solving security-related challenges and puzzles to complete the game in time.

If you are signing up with friends/co-workers, you will have an opportunity to set how many during the sign-up process. The Escape Room will run with a max of 8 participants and min of 4 participants.

See https://www.livingsecurity.com/escape-room/ for more information.

Presenters
Drew Rose

CSO, Living Security
Living Security specializes in intelligence-driven and engaging security awareness solutions that reduce risk by increasing security culture and changing employee behavior. Check out all Living Security has to offer at livingsecurity.com...


Sunday April 15, 2018 11:00am - 11:30am PDT
City View - Embarcadero

11:00am PDT

Violent Python
Limited Capacity: full

Even if you have never programmed before, you can quickly and easily learn how to make custom hacking tools in Python. In hands-on projects, participants will create tools and hack into test systems, including:

* Port scanning
* Login brute-forcing
* Port knocking
* Cracking password hashes

What You Need

* A laptop with any OS.  We'll use Python, Burp, and Wireshark, all of which run on any OS.

All materials and challenges are freely available at samsclass.info, including slide decks, video lectures, and hands-on project instructions. They will remain available after the workshop ends.

Presenters
Sam Bowne

Instructor, CCSF
Sam Bowne has been teaching computer networking and security classes at CCSF since 2000. He has given talks and hands-on trainings at DEF CON, DEF CON China, HOPE, BSidesSF, BSidesLV, RSA, and many conferences and colleges. Formal education: B.S. and Ph.D. in Physics. Industry credentials...


Sunday April 15, 2018 11:00am - 2:15pm PDT
City View - Twin Peaks

11:00am PDT

Iron Clad Development: Building Secure Web and Webservice Applications
Limited Capacity: full

Jim’s secure coding training classes are designed to benefit any web developer, architect, security professional or other software development professional who needs to build and maintain secure web and webservice software. We will spend the day reviewing several of the core web security topics that all developers must master. Demos and other group activities will round out the course. These include...

- HTTP Security Basics
- OWASP Top Ten 2017
- SQL and other Injection
- Cross Site Request Forgery
- File Upload and File IO Security
- XSS Defense
- Authentication and Access Control
- HTTPS
- Webservice/REST programming

NOTE: OWASP Bay Area members have already had a chance to register. We're accepting 30 people total.

Presenters
Jim Manico

Founder, Manicode Security
Jim Manico is the founder of Manicode Security, where he trains software developers on secure coding and security engineering. He is also an investor/advisor for 10Security, Aiya, MergeBase, Nucleus Security, KSOC, and Inspectiv. Jim is a frequent speaker on secure software practices...


Sunday April 15, 2018 11:00am - 6:00pm PDT
City View - Twin Peaks

11:40am PDT

Caught my WebApp cheating on me!
We trust that the web application code executed inside the browser is exactly the code that was sent by our application servers, but that is often not the case. The reality is that current WebApps are very susceptible to client-side injections and tampering. This can be performed by malicious extensions, Man-in-the-Browser trojans, or any kind of injection attack (e.g. reflected XSS).

These attacks are very concerning not only because they change the behavior of the webpage right on the website that the user trusts, but also because they can be used to leak sensitive information that the webpage has access to. All of this happens without the web application owner knowing anything about it.

In this talk, based on our work, we demo a new set of techniques that can be used to monitor a webpage for malicious modifications (DOM tampering, code injection, event hijacking, code poisoning, etc.) and how to remove them in real time. The techniques are a combination of recent browser features (such as Mutation Observers) and integrity checks from tamper-resistant JavaScript code running in the webpage.

Presenters
Pedro Fortuna

CTO and Founder, Jscrambler
Once on a trajectory to a full academic career, where he taught security and computer science courses for about 5 years, he ended up falling in love with the fast-paced world of entrepreneurship. He started Jscrambler, where he leads all security research and drives the company product...


Sunday April 15, 2018 11:40am - 12:10pm PDT
AMC - IMAX

11:40am PDT

Overcoming obstacles in operationalizing security: A tale from the trenches
So you got an offer letter to manage or lead a security team at a startup. You create a lofty security strategy that encompasses all of the advice you got from your peers together with textbook security principles. As you roll up your sleeves and get going, you quickly realize that an ambitious strategy, even when combined with genuine security expertise and advice, won’t take you too far if it does not anticipate all the obstacles you are likely to face. And this is where the rubber meets the road.

This talk will describe some of these obstacles, contrasting the textbook strategies often discussed or written about with the real-world challenges faced by security teams, particularly at smaller startups. It is based on the actual first few months of a startup CISO on the job, chronicling the experiences related to operationalizing the security strategy while battling limited budgets, vendor fatigue, and talent shortage. Using illustrative scenarios, it will guide security professionals on what challenges to anticipate when implementing their security strategy, and provide practical pointers on how and when to make sensible trade-offs.

Presenters
Rafae Bhatti

Head of Security and Privacy, HealthTap
Rafae is the Head of Security and Privacy at HealthTap, a startup on a mission to deliver healthcare for everyone, at the right time, right place, and right cost. He is responsible for building a metrics-based security program on a limited budget, creating and executing a security...


Sunday April 15, 2018 11:40am - 12:10pm PDT
City View - Presidio

11:40am PDT

The Memory of a Meltdown, and no we don't mean Britney
Software bugs can be patched as soon as the vendor pushes an update and the user updates their system. Hardware bugs are a bit more difficult to patch. Within the past few months, Spectre and Meltdown have provided hackers the ability to access memory outside the scope of their permissions. We will be getting our hands dirty with memory to demonstrate how both these vulnerabilities work and how we use a PoC to exploit these vulnerabilities.

Presenters
Shane Cota

Security Researcher
We are both independent security researchers with interests in Malware Analysis, Reverse Engineering, Machine Learning, and Cryptocurrencies. Shane, the President of The Hacking Club @ SFSU, and I, the Co-Founder, share the dream to provide students the opportunity to learn about InfoSec...

Chris Magistrado

Security Researcher
Security Researcher with interests in Malware Analysis, Reverse Engineering, Machine Learning, and Cryptocurrencies. I co-founded The Hacking Club @ SFSU to provide students the opportunity to learn about InfoSec careers and provide them the necessary skills to enter InfoSec upon completion...


Sunday April 15, 2018 11:40am - 12:10pm PDT
AMC - Theatre 7

12:00pm PDT

Living Security Escape Room (Session 1.2)
Limited Capacity: full

The Living Security Escape Room is a unique and fun way to network with security professionals while solving security-related challenges and puzzles to complete the game in time.

If you are signing up with friends/co-workers, you will have an opportunity to set how many during the sign-up process. The Escape Room will run with a max of 8 participants and min of 4 participants.

See https://www.livingsecurity.com/escape-room/ for more information.

Presenters
Drew Rose

CSO, Living Security
Living Security specializes in intelligence-driven and engaging security awareness solutions that reduce risk by increasing security culture and changing employee behavior. Check out all Living Security has to offer at livingsecurity.com...


Sunday April 15, 2018 12:00pm - 12:30pm PDT
City View - Embarcadero

12:10pm PDT

Lunch
Sunday April 15, 2018 12:10pm - 1:30pm PDT
City View - Presidio

12:45pm PDT

Raffle
Sunday April 15, 2018 12:45pm - 1:15pm PDT
City View - Presidio

1:00pm PDT

Living Security Escape Room (Session 1.3)
Limited Capacity: full

The Living Security Escape Room is a unique and fun way to network with security professionals while solving security-related challenges and puzzles to complete the game in time.

If you are signing up with friends/co-workers, you will have an opportunity to set how many during the sign-up process. The Escape Room will run with a max of 8 participants and min of 4 participants.

See https://www.livingsecurity.com/escape-room/ for more information.

Presenters
Drew Rose

CSO, Living Security
Living Security specializes in intelligence-driven and engaging security awareness solutions that reduce risk by increasing security culture and changing employee behavior. Check out all Living Security has to offer at livingsecurity.com...


Sunday April 15, 2018 1:00pm - 1:30pm PDT
City View - Embarcadero

1:00pm PDT

Resume Rewriting
Peerlyst volunteers will help you improve your resume and re-write it with you. Make sure to have your resume as an email attachment you can forward to the volunteers if you're interested in this service. There will be a calendar on the wall with time slots. Just put your name/handle in the slot that suits you to schedule resume rewriting.

Sunday April 15, 2018 1:00pm - 3:00pm PDT
City View - Embarcadero

1:30pm PDT

So you think you can patch: The game show that questions your security assumptions
Few people know that the game show was actually a Victorian invention, although they were a bit more erudite in the airship era. In this week’s episode of “So you think you can patch,” we explore what happens when patching isn’t so simple. Contestants and the audience will face situations when security updates may not be the straightforward solution, for end users or modern enterprises. How will they handle notice, failure, and bricking? Should this sort of thing be mandated by law, contract, or risk of lawsuit? What policies, technologies and market solutions can help? Our contestants will be humiliated for wrong answers and failing to appreciate the nuance of security, and everyone will win as they gain a better understanding of how solutions need to reflect and build on the realities on the ground.

Presenters
John Banghart

Senior Director, Venable LLP
Former government lackey, current private sector lackey. Has spent 25 years patching systems, developing standards for vulnerabilities, developing infosec policy, and telling other people why they should or shouldn’t patch their stuff.

Allan Friedman

Director of Cyber Security Initiatives, NTIA
Wearing the hats of both a technologist and a policy maker, Allan has over 15 years of experience in international cybersecurity and technology policy. His experience and research focuses on economic and market analyses of information security. On the practical side, he has designed...

Kent Landfield

Chief Standards & Technology Policy Strategist, McAfee
Former chief vulnerability architect turned policy wonk (sliding to the dark side) working with and developing vulnerability-related standards and initiatives such as CVE. Identification and remediation rules!

Wendy Nather

Director, Advisory CISOs, Duo Security
Former gnome of Zurich, government lackey, industry analyst, and threat intel sharer — which means she is never surprised by a lack of patching. She’s now trying to make things better by playing for Duo Security.


Sunday April 15, 2018 1:30pm - 2:00pm PDT
AMC - IMAX

1:30pm PDT

Netrepser – A JavaScript targeted attack
The discovery of Stuxnet in a uranium enrichment facility in Natanz opened a new era in tactical military operations. For seven years, advanced espionage and sabotage operations have been carried out with the help of extremely complex code written especially for the job, and then discarded.

The Netrepser threat we have analyzed and documented in the following pages is the exact opposite: a complex, targeted malware framework that, unlike a military-grade APT, is “stitched together” with freeware utilities to carry a complex job through to completion. The approach the team behind Netrepser took is extremely unusual for an espionage campaign: they play the simplicity card to better blend in with the environment, even at the cost of triggering alarms.

Netrepser is the perfect example of a very advanced espionage tool used to target a number of high-profile institutions and exfiltrate information in a novel way. We have isolated and dissected it to better understand its early stages, its communication techniques and, ultimately, its impact on the victim’s data.

Presenters
Cristina Vatamanu

Senior Team Lead, Cyber Threat Intelligence Lab, Bitdefender
Cristina Vatamanu graduated from the Faculty of Computer Science at the University of 'Gheorghe Asachi'. She has been working with the same Global Security Vendor for almost eight years. Some of her responsibilities (and hobbies) include reverse engineering, exploit analysis, and...


Sunday April 15, 2018 1:30pm - 2:00pm PDT
City View - Presidio

1:30pm PDT

Crimeware Chaos: Empirical Analysis of HTTP-based Botnet C&C Panels
Cybercriminals deploy crimeware for conducting nefarious operations on the Internet. Crimeware is managed on a large scale through the deployment of centralized portals known as Command and Control (C&C) panels. C&C panels are considered the attackers’ primary operating environment, through which crimeware is controlled and updated at regular intervals of time. C&C panels also store information stolen from the compromised machines as part of the data exfiltration activity. This empirical study highlights the analysis of thousands of real-world C&C web Uniform Resource Locators (URLs) used for deployment of crimeware such as botnets, key-loggers, ransomware, Point-of-Sale (PoS) malware, etc., to unearth the characteristics of HTTP-based C&C panels. This study gives a statistical view of the design and technologies chosen by crimeware authors to deploy HTTP-based C&C panels.

Presenters
Aditya K Sood

Director, Symantec
Dr. Sood is an information security practitioner and researcher by profession. Dr. Sood has research interests in malware automation and analysis, cloud security, secure software design and cybersecurity. He is also a founder of SecNiche Security Labs, an independent web portal for...


Sunday April 15, 2018 1:30pm - 2:00pm PDT
AMC - Theatre 7

2:00pm PDT

Living Security Escape Room (Session 1.4)
Limited Capacity: full

The Living Security Escape Room is a unique and fun way to network with security professionals while solving security-related challenges and puzzles to complete the game in time.

If you are signing up with friends/co-workers, you will have an opportunity to set how many during the sign-up process. The Escape Room will run with a max of 8 participants and min of 4 participants.

See https://www.livingsecurity.com/escape-room/ for more information.

Presenters
Drew Rose

CSO, Living Security
Living Security specializes in intelligence-driven and engaging security awareness solutions that reduce risk by increasing security culture and changing employee behavior. Check out all Living Security has to offer at livingsecurity.com...


Sunday April 15, 2018 2:00pm - 2:30pm PDT
City View - Embarcadero

2:10pm PDT

No more XSS: Deploying CSP with nonces and strict-dynamic
XSS, one of the most common web vulnerabilities, can be completely prevented with a strict Content Security Policy (CSP). Older versions of CSP involved the tedious process of building a whitelist of domains where scripts lived. It is very common for these whitelists to contain sites that allow for arbitrary code execution and developers cannot use inline scripts without disabling the XSS protections. Version 3 of CSP introduced a mechanism called strict-dynamic that makes applying content security policy to an existing web page possible without having to do major refactors. This talk will cover how we applied a strict CSP to pinterest.com and instapaper.com including how easy it is and some things to watch out for. I'll also cover what kinds of attacks are still possible after a strict CSP is deployed.

Presenters
Devin Lundberg

Lead, Application Security, Pinterest
Lead of Application Security at Pinterest


Sunday April 15, 2018 2:10pm - 2:40pm PDT
AMC - IMAX

2:10pm PDT

Building Intelligent Automatons with Semantic Reasoning and Horse Glue
Proper data modeling is probably the most underrated aspect of security data analysis. Our addiction to logs and string pattern matching as a primary source of knowledge has painted security industry practitioners into a corner. The data never tells the full story, and the path to discovery is laborious and painful.

We'll discover how graph based ontologies can help consolidate all relevant information across technical verticals, model expert knowledge, and serve as a single source of knowledge. We'll discuss how semantic reasoning can revolutionize low-level data analysis and reduce 'zombie workflows' by automatically drawing hard logical conclusions the same way a human analyst does. And lastly, we'll touch on how Bayes belief networks can help trace cause and effect in events reported by common monitoring and detection tools, establishing chains of events.

Presenters
Anton Goncharov

Manager, Six Jay
Anton Goncharov is a solution strategist in the area of machine intelligence with a focus on SecOps, analytics, and GRC. A veteran practitioner in the field of information security data management, Anton has most recently been focused on practical applications of semantic graph and...



Sunday April 15, 2018 2:10pm - 2:40pm PDT
City View - Presidio

2:10pm PDT

Blue Team Fundamentals
Noob friendly! While new technical vulnerabilities are found continuously, malicious actors often rely on tried and true methods to exploit. These exploits are surprisingly uncomplicated. In this talk, we’ll share attempts we’ve seen from malicious actors. We’ll break down actual attacks and share what’s been most effective in mitigating credential stuffing, phishing, and common RCE attempts. At the end of this talk, you’ll walk away with simple takeaways to raise the cost to attackers for these simple attacks.

Presenters
Benjamin Hering

Manager, Security Engineering, ASAPP
Benjamin Hering leads Security Engineering at ASAPP. His career focuses on leveraging technology to improve organizations and people in both the for-profit and non-profit spheres; making technology meet people where they are rather than the other way around. He graduated from Grinnell...


Sunday April 15, 2018 2:10pm - 2:40pm PDT
AMC - Theatre 7

2:45pm PDT

Fundamentals of Corporate Physical Access: Attack Surface and Approach

There are many sessions and spaces that teach skills to attack locks, but few focus on the electronic side. Fewer focus on the overall organizational environment and what might be encountered – culture, policy, architecture. Heading into an engagement with a medium to large enterprise, you need to have a solid understanding across a wide spectrum, or the path chosen likely won’t be the most effective one.
This session will take a different approach. It will focus on the reality of how physical security programs, people and systems operate, with an emphasis on understanding the broad attack surface. We’ll review how physical security practitioners view and classify the assets they’re protecting and the practices they employ to build controls.
Then we’ll look at it from two aspects – mechanical and electronic. 
Part 1: Electronic:
Physical security doesn’t subscribe to information security principles and as a result, the systems, culture, policies and processes are very different. Not necessarily in a better way, but different enough for most people to make false assumptions that cause significant blind spots for red teams. This session will break down what real enterprises “look and smell like” to set the table for understanding the fundamentals of what you’ll be walking into. 
Hacking an RFID badge to gain access may work, but what about when it doesn’t – there are other ways to break the badge without actually ever targeting it. Therefore, we’ll cover the holistic architecture of a typical Fortune 500 company, from control systems to door readers and everything in between. We’ll discuss how each component is architected, its range of configuration and its shortcomings. We will review aspects of social engineering and logic manipulation (or policy and process). We’ll discuss a fairly large attack surface across, and in combination between, all of them. Last, we’ll review what should be in a report, the best way to approach delivering findings to this audience, and an overview of the fundamentals of remediation.
Technologies: Access control systems, controllers, reader models and configurations, badges, badge technologies and payloads, Cameras, VMS, Alarms. Assessing opportunity. 
Program Management: GSOC operations, system operations, process, policy, supply chain of custody, vendor practices
Social aspects: Areas to exploit in and outside the target, barriers.
Industry Direction: Variance of legacy and new technology being deployed. Impact on methods and areas of opportunity. 

Part 2: Mechanical
Mechanical locking systems are as old as the pyramids, and there has been very little in the way of innovation, regardless of the marketing you see online or in print. There have been a variety of variations and a flurry of patents, and the last decade or so has seen an explosion of almost every brand of lock providing an electromechanical component that provides extra layers of security, but what does that mean at scale?
That said, there are countless ways to go about defeating electro-mechanical locking systems, such as direct bypass, picking, cloning keys (through photographs, obtaining key codes, impressioning (filing/clay), etc.), bespoke tools (discreet precision tools that start at 5k and up), digital attacks, or just plain circumventing the systems altogether by attacking the infrastructure around the system. The problem with each of these methods changes as you scale.
What works in a residential, small/medium business, etc. setting is very different from large enterprises because of the culture, policies, and procedures in place, which may limit or give you different opportunities to access privileged areas.

We’ll cover master key systems, low to high security locking systems, common flaws, when you should skip certain systems during an audit and often finding other ways to reach your objectives. Many of the techniques from part 1 will apply to circumventing these technologies. Lastly, what should be covered in your report and remediation strategies.

Presenters
Terry Gold

Principal Analyst, D6 Research
Terry Gold has spent nearly 20 years at the intersection of information and physical security and is recognized as an authority in the enterprise community regarding physical security attacks and real-world applied remediation. He’s the founder of D6 Research where he focuses on cause...

Eric Michaud

CEO & Founder, Rift Recon
Founder and CEO of Rift Recon, previously Director of Hardware Curation at ExploitHub, and Computer and Physical security at Argonne National Laboratory, Michaud has advised on physical security, computer security, lockpicking, and hackerspaces for over a decade. He is a professional...


Sunday April 15, 2018 2:45pm - 6:00pm PDT
City View - Twin Peaks

2:50pm PDT

Hacking the Law: Are Bug Bounties a True Safe Harbor?
In the wake of recent media headlines, bug bounties emerge as a murky legal landscape to navigate. While the vulnerability economy is booming, a novel survey of bug bounty terms reveals that platforms and companies sometimes put hackers in “legal” harm’s way, shifting the risk for civil and criminal liability towards hackers instead of creating safe harbors. This practice has already resulted in one public story concerning a bug hunter being allegedly threatened with legal action under the CFAA. This is a call for action for industry stakeholders to influence this emerging landscape of cyberlaw, since hackers’ actions speak louder than scholars’ words. I suggest simple steps that could be taken to minimize the legal risks of more than 120,000 hackers participating in bug bounties. I further suggest that the industry should move towards standardization of legal terms, in light of the recent DOJ framework. Hackers will learn not only which terms they should beware of in light of recent developments in anti-hacking laws, but which terms they, individually and through the platform, should demand to see to ensure “authorized access.” Contracts and laws will continue to play a role in this murky landscape; therefore hackers should start paying attention to the fine print and demand better terms.

Presenters
Amit Elazari

Director, Global Security Policy, Intel Corporation
Amit Elazari Bar On is a Director of Global Cybersecurity Policy at Intel Corporation and a Lecturer at UC Berkeley’s School of Information Master in Information and Cybersecurity. She holds a JSD from UC Berkeley School of Law and graduated summa cum laude three prior degrees. Her...


Sunday April 15, 2018 2:50pm - 3:20pm PDT
AMC - IMAX

2:50pm PDT

Machine Learning: Too smart for its own good.
Wouldn't it be awesome to build a machine learning device that ran on tubes, valves, and gears?

Terms like machine learning, deep learning, and neural nets are often brought up as if they are a magical cure for security problems. Unfortunately, machine learning systems have fundamental, inescapable limitations. Exploring the limitations is normally done through discussion of the mathematics involved. Instead of using math, we will explore the limitations using a steampunk model.

In this presentation we cover the essential elements of neural nets used for machine learning. Instead of using math, we will go over how to build a physical implementation of a machine learning system using tubes, valves, and gears. With the model we will then explore how and why the machine generates false positives.

Presenters
Thomas Phillips

CTO, Ridgeback Network Defense
Thomas is currently CTO at Ridgeback Network Defense, where he researches novel methods for interactive defense. He is a computer scientist, linguist, and polymath with over 30 years developing software in over a dozen programming languages. From 1988 to 2013, Thomas worked for the...



Sunday April 15, 2018 2:50pm - 3:20pm PDT
City View - Presidio

2:50pm PDT

Using ancient math to speed up security assessments of Windows executables
This is about greatly speeding up risk reduction when evaluating Windows programs. Reverse engineering binary programs tends to go one of two ways: either a quick static analysis using utilities like "strings", or a time consuming dive down the rabbit hole monitoring API calls or debugging with tools like IDA Pro. The payoff from reverse engineering can be great, *if* one picks the right targets. Over several years performing assessments in a highly regulated environment, often under pressure, it became imperative to quickly triage Windows programs to decide which are worth the effort.


I found no tool to do this triage, so I gradually developed one. Eventually I settled on applying the math of Euclidean Distance and Bayes Theorem to static metadata taken from Windows executables. This can identify within seconds which executable (out of dozens or hundreds) to focus on. That triage used to take hours or days. I will demonstrate the tool, give a couple of success stories (anonymized by necessity) and explain the learnings from its evolution. The underlying approach can be applied by individuals with slim resources to many areas of security analysis.

Presenters
Cole Thompson

Cyber Security Consultant, Kaiser Permanente
I'm a cyber security consultant with Kaiser Permanente. About 22 years total in information technology. Have been a UNIX sysadmin, Java/C developer, and now fulltime security guy for six years.



Sunday April 15, 2018 2:50pm - 3:20pm PDT
AMC - Theatre 7

3:00pm PDT

Living Security Escape Room (Session 1.5)

The Living Security Escape Room is a unique and fun way to network with security professionals while solving security-related challenges and puzzles to complete the game in time.

If you are signing up with friends/co-workers, you will have an opportunity to set how many during the sign-up process. The Escape Room will run with a max of 8 participants and min of 4 participants.

See https://www.livingsecurity.com/escape-room/ for more information.

Presenters
Drew Rose

CSO, Living Security
Living Security specializes in intelligence driven and engaging security awareness solutions that reduce risk by increasing security culture and changing employee behavior. Check out all Living Security has to offer at livingsecurity.com...


Sunday April 15, 2018 3:00pm - 3:30pm PDT
City View - Embarcadero

3:30pm PDT

Data Driven Bug Bounty
In a single sentence: if you're not collecting metrics from your bug bounty program then you're missing out on half of the value - it's not enough to simply triage, assign, and resolve individual bugs.

You should collect as much data as you can - things like first response/triage/payout/resolution time, what components are vulnerable and what bug classes are they vulnerable to, which teams are bugs originating from, how often do vulnerabilities go past SLA, and so on. This data can then be used for:
- assessing your company security posture
- figuring out which teams are fast responders and which teams consistently go past ticket SLA, and why
- starting dialogs with problematic teams, and getting alignment on resolving issues
- figuring out your security weak spots, and addressing those areas (feeding the data into your quarterly planning process)
- measuring improvement (or lack of improvement) over time

In this talk I'll share some of the metrics and graphs that we collect, and how we use them internally to improve our security process.

Presenters
Arkadiy Tetelman

Staff Application Security Engineer, Lob
Arkadiy is a security engineer, currently running the security program at Lob and previously working on application security at Airbnb, Twitter, and CardSpring. Arkadiy is passionate about all things appsec, including running bug bounty programs, static analysis, building secure-by-default...


Sunday April 15, 2018 3:30pm - 4:00pm PDT
AMC - IMAX

3:30pm PDT

Rise of coinminers
Coinminers have been on the rise in 2017, causing slowdowns on home computers, massive overages for cloud providers, and hijacking someone else’s CPU power for money. This rise of coinminers has set me on a journey diving into this new world, trying to shed some light on this emerging threat and finding ways to eradicate it. Our journey begins by exploring the magnitude of this phenomenon and its technical pieces, discovering ways to capture these vicious creatures and extracting vital intelligence from them. Using this intelligence, we are able to put the spotlight on (some of) the people behind it and automate doxing tactics to hunt crypto-miners at scale. But we could not stop at just doxing them; diving deeper into the rabbit hole, we have found ways to track profits and revenue of these campaigns. To our astonishment, we have found some millionaires. We will use all of our discoveries to share generic defensive tactics to detect, prevent and remediate coinminers from as many computers as possible. Finally, we will share key predictions of what’s coming next from this new evasive threat.

Presenters
Omri Segev Moyal

VP of Research, Minerva
Omri is a curiosity-driven researcher and malware expert. Prior to Minerva Labs, Omri served as CTO of ClearSky Cybersecurity, where he led the development and implementation of a wide spread cyber intelligence monitoring network and was head of the Incident Response Team. In his...



Sunday April 15, 2018 3:30pm - 4:00pm PDT
City View - Presidio

3:30pm PDT

Six degrees of infiltration: Using graph to understand your infrastructure and optimize security decision making
Current infrastructures depend on multiple technologies and third-party infrastructures that increase security complexity and make it very difficult to have a clear end-to-end view of the overall state and possible risks. Existing approaches were good investments, but a few challenges were observed:
- Some duplication - a broad set of dedicated services that collect and visualize similar data.
- View of the environment relies on a broad set of tribal knowledge.
- Recurrent questions are difficult to answer quickly:
  - “What is my exposure?”
  - “Does this vulnerability affect us and in what way?”
  - “What priority should we allocate to this issue?”
- Moving target problem - does the infrastructure match expectations at all times?
- Exploration of transitive risks or lateral movement across dependencies is not possible.
- Overall state of the infrastructure is hard to visualize and validate.
- Difficult to apply internal context to external intelligence feeds.

The talk will provide insight into the graph solutions explored by the Lyft Security Intelligence team to tackle knowledge consolidation and improve decision making. Attendees of this session will be introduced to the methodologies and off-the-shelf tools like Neo4j that we use, along with the release of our open source graph-based security intelligence platform, which they can use to get started and collaborate.

Presenters
Sacha Faust

Manager, Product Security, Lyft
Sacha Faust is the engineering manager for Lyft's Security Intelligence team and previously led the Microsoft Cloud + Enterprise (C+E) Red Team. His mission is to empower organizations to make informed and automated security decisions through democratizing and automating security...


Sunday April 15, 2018 3:30pm - 4:00pm PDT
AMC - Theatre 7

4:00pm PDT

Living Security Escape Room (Session 1.6)

The Living Security Escape Room is a unique and fun way to network with security professionals while solving security-related challenges and puzzles to complete the game in time.

If you are signing up with friends/co-workers, you will have an opportunity to set how many during the sign-up process. The Escape Room will run with a max of 8 participants and min of 4 participants.

See https://www.livingsecurity.com/escape-room/ for more information.

Presenters
Drew Rose

CSO, Living Security
Living Security specializes in intelligence driven and engaging security awareness solutions that reduce risk by increasing security culture and changing employee behavior. Check out all Living Security has to offer at livingsecurity.com...


Sunday April 15, 2018 4:00pm - 4:30pm PDT
City View - Embarcadero

4:10pm PDT

Tales of Red Teaming, aka "Continuous Intrusion Continuous Deception"
This talk explores various avenues of techniques used to attack large-scale corporate networks. It begins by discussing the compromise of misconfigured deployment systems to obtain access to production servers. We will also show how it is possible to backdoor software packages with minimal to no effort and gain SYSTEM-level access to many production boxes. Then we will move on to show methods to break out of containers such as Docker, and we talk about misconfigurations in Kubernetes clusters that can be useful in compromising sensitive assets in multi-tenant systems. This talk also explores webhook trickery in Slack for phishing, and we end this talk by exploring the implementation of a technique for real-time 2FA bypass that we used in a red team exercise.

Presenters
Aladdin Mubaied

Sr. Principal Security Engineer, Oath Inc
Aladdin Mubaied (@0xshellrider) is a Sr. Principal Security Engineer in Oath’s Red Team. He enjoys exploiting vulnerabilities and getting shells. Aladdin has conducted research in various areas, including web security, exploit development, public key cryptography and distributed...

Rahul Nair

Security Engineer, Oath Inc
Rahul Nair (0xrnair) works as a Security Engineer in Oath’s Red team. He likes working on various things such as ugly JS frameworks, binary exploitation, crackmes and dabbling with the human aspect of security. Once in a while he tinkers around with sandboxes and stares at kernel...


Sunday April 15, 2018 4:10pm - 4:40pm PDT
AMC - IMAX

4:10pm PDT

KubeScope for the Extraordinary World of Containers
Google’s Kubernetes has become the de facto standard for software container orchestration. As development teams have rapidly embraced it, the Kubernetes feature set has exploded and the importance of securing the Kubernetes ecosystem has come into focus. Security teams find themselves scrambling to identify potential threat vectors, establish best practices, and enable DevOps teams to accelerate without compromising their position against attackers.

To address these challenges, we've built KubeScope, a tool that leverages a combination of machine learning and rule-based detection strategies to profile orchestrator behavior. In this talk, we will demonstrate how to use this tool to secure Kubernetes deployments against new and existing exploitation vectors such as malformed input attacks targeting Kubernetes services, DDoS attacks which manipulate individual pods into flooding the orchestrator with traffic, and credential leaks. Perhaps more importantly, we will also demonstrate how our approach to detection enables us to identify adversarial behavior not only with respect to well-known exploitation patterns, but also within the context of novel attack scenarios.

Presenters
Tongbo Luo

Security Engineer, StackRox
Tongbo Luo is a security engineer at StackRox, and was most recently senior principal security researcher at Palo Alto Networks. He obtained his MS and PhD in computer science from Syracuse University in 2014. He is active on docker security, cyber security, IoT security and applied...

Zhaoyan Xu

Security Engineer, StackRox
Zhaoyan Xu is a security engineer at StackRox, and was most recently research engineer at Palo Alto Networks, CA, United States. He earned his PhD degree from Texas A&M University, College Station in 2014. His research interests include web security, malware analysis, detection and...


Sunday April 15, 2018 4:10pm - 4:40pm PDT
City View - Presidio

4:10pm PDT

The Bucket List: Experiences Operating S3 Honeypots
2017 was a blockbuster year for breaches, with everything from Russian espionage to Equifax. However, if you read between the eye-popping headlines you'll notice another concerning trend - this was the year of S3 bucket incidents.

Extensive research has been published about hunting for publicly exposed buckets, and several open source tools exist that make it easy.
Unfortunately, not a lot of research has been published from the defensive side. Who is hunting for my buckets, what are they looking for, and what tools are they using? How do I know if someone is attempting to access my S3 assets?

In order to answer these questions, I've been operating a fleet of honeypot S3 buckets for months and closely monitoring who accesses them. During my presentation I will go over my findings as well as some of the tools, techniques, and practices that researchers use to find public buckets plus what they did once they found them. Also, I will discuss how to monitor access to your S3 assets and how to operationalize S3 honeypots within your own organization.

Presenters
Cameron Ero

Security Engineer, Okta
Cameron Ero is a Security Engineer based in San Francisco, currently working with Okta as part of their Detection and Response Team. He has previously been a member of several blue teams including the Mandiant CIRT and FireEye Advanced Detection Team. Cameron is an alumnus of Towson...


Sunday April 15, 2018 4:10pm - 4:40pm PDT
AMC - Theatre 7

4:50pm PDT

Ask the EFF
"Ask the EFF" will be a panel presentation and unrecorded question-and-answer session with several staff members of the Electronic Frontier Foundation, the nation’s premiere nonprofit digital civil liberties group. Each staffer will discuss a particular issue that has been in the news or on EFF’s docket this year.

Presenters
Nate Cardozo

Senior Staff Attorney, Electronic Frontier Foundation
Nate Cardozo is a Senior Staff Attorney on EFF’s civil liberties team where he focuses on cybersecurity policy and defending coders’ rights. Nate has litigated cases involving electronic surveillance, freedom of information, digital anonymity, online free expression, and government...

Andrew Crocker

Staff Attorney, Electronic Frontier Foundation
Andrew Crocker is a staff attorney on the Electronic Frontier Foundation’s civil liberties team. He focuses on EFF’s national security and privacy docket, as well as the Coders' Rights Project. While in law school, Andrew worked at the Berkman Center for Internet and Society...

Gennie Gebhart

Researcher, Electronic Frontier Foundation
Gennie Gebhart does research and advocacy for the Electronic Frontier Foundation on consumer privacy, surveillance, and security issues. Her work revolves around the conviction that, as access to information and communication technologies expands and becomes more complex, so too do...

Stephanie Lacambra

Criminal Defense Staff Attorney, Electronic Frontier Foundation
Stephanie Lacambra is a criminal defense staff attorney for the Electronic Frontier Foundation. Stephanie is a long-time indigent criminal defense trial attorney and immigration defense activist who graduated from UC Berkeley’s Boalt Hall School of Law in 2004. Before coming to...

Sydney Li

Electronic Frontier Foundation

Kurt Opsahl

Deputy Executive Director and General Counsel, Electronic Frontier Foundation
Kurt Opsahl is the Deputy Executive Director and General Counsel of the Electronic Frontier Foundation. In addition to representing clients on civil liberties, free speech and privacy law, Opsahl counsels on EFF projects and initiatives. Opsahl is the lead attorney on the Coders...


Sunday April 15, 2018 4:50pm - 5:20pm PDT
AMC - IMAX

4:50pm PDT

Your Secrets are Showing! -- How to find if your developers are leaking secrets?
This talk will zoom in on the cache of goodies which developers leave lying around that an attacker could leverage to access valuable information and/or to pivot through a target environment. It will also highlight some of the tools available to developers and InfoSec professionals to find and prevent these sorts of information leakages.

Every day, developers interact with a variety of source code repositories and environments, often both inside their corporate firewalls and outside on public hosting platforms such as GitHub.com and Amazon AWS. These source code repositories can provide a wealth of information about a target environment, in addition to being of potential value all on their own.

Are you able to find this information in your environment? Do you know how to help your developers prevent these leakages in the first place? Remember "prevention is ideal, but detection is a must!"

Prepared by LLNL under Contract DE-AC52-07NA27344.

Presenters
Ian Lee

Computer Engineer, Lawrence Livermore National Laboratory
Ian Lee is a Computer Engineer working in the High Performance Computing (HPC) facility at Lawrence Livermore National Laboratory (LLNL), which is home to some of the largest supercomputers on the planet. There he has created a role performing cyber assessment, penetration testing...



Sunday April 15, 2018 4:50pm - 5:20pm PDT
City View - Presidio

4:50pm PDT

Fighting Secrets In Source Code With TruffleHog
Secrets in source code have led to breaches in the past. They make it really easy to move laterally and escalate privileges once inside an environment, and it's a problem the entire industry faces. I'm going to talk about the tool I wrote to help identify secrets: TruffleHog. I'll be talking about different ways to use the tool, how it can be used in devops pipelines, and the future of the tool going forward. I'll also talk about a new type of problem I don't think anyone has looked at before: secrets in old packages. I've tweaked truffleHog to scan package managers like npm and pypi, and found tons of secrets accidentally uploaded to the package manager that weren't ever even in the git history. I'll be releasing the tweaked version of truffleHog and walk through how to use it, and why we need to pay more attention to this problem.

Sunday April 15, 2018 4:50pm - 5:20pm PDT
AMC - Theatre 7

5:00pm PDT

Women in Security Mixer
Apple invites (all women/you) to join us at our BSidesSF 2018 Women in Security Mixer. It’s an opportunity to get together as industry professionals, relax and share our experiences. We invite you to meet the women in our team (at Apple) and connect with women in security across the Bay Area. Drink tickets will be handed out by Apple team members. Please come and find us by our Apple badges and introduce yourself! We look forward to meeting you!

Sunday April 15, 2018 5:00pm - 6:30pm PDT
City View - Terrace

6:30pm PDT

Party!
Join us for our Steampunk-themed party Sunday night sponsored by CloudPassage!
DJ Pumpkin Spice will be keeping us hopping.
We'll have music, food, drinks, and, of course, mini donuts!

Artists
Pumpkin Spice

Pumpkin Spice's entire life has revolved around music. From choir to wind ensemble to his love affair with piano, he brings to the table a quality that is rare nowadays, thoughtfulness. Everything he does on the dance floor is a part of a journey, an adventure, a story. The DJ's primary...

Sunday April 15, 2018 6:30pm - 11:00pm PDT
City View - Presidio
 
Monday, April 16
 

9:00am PDT

Breakfast
Monday April 16, 2018 9:00am - 10:00am PDT
City View - Presidio

9:00am PDT

Resume Rewriting
Peerlyst volunteers will help you improve your resume and re-write it with you. Make sure to have your resume as an email attachment you can forward to the volunteers if you're interested in this service. There will be a calendar on the wall with time slots. Just put your name/handle in the slot that suits you to schedule resume rewriting.

Monday April 16, 2018 9:00am - 11:00am PDT
City View - Embarcadero

9:00am PDT

Capture The Flag
Our CTF (capture the flag) competition will be running from 9am Sunday till 4pm Monday. It'll have a range of challenges at all difficulty levels, and we'll have folks on-site in the CTF room for hints and guidance. Everyone is welcome! Individuals, teams, or whatever! Bring your laptop!

The server will be available for the full duration of the conference, including overnight, and anyone is allowed to play and help. Note that at least one player must be on-site to claim your prize, though!

Monday April 16, 2018 9:00am - 4:00pm PDT
City View - SoMa

9:00am PDT

Registration
Monday April 16, 2018 9:00am - 4:00pm PDT
City View - Lobby

9:00am PDT

Sponsors Registration
Monday April 16, 2018 9:00am - 4:00pm PDT
City View - Coat Check

9:00am PDT

T-shirt Sales
Monday April 16, 2018 9:00am - 4:00pm PDT
City View - Coat Check

9:00am PDT

IoT Village


Monday April 16, 2018 9:00am - 4:00pm PDT
City View - Embarcadero

9:00am PDT

Lockpick Village
Lockpick Extreme and TOOOL SF will be hosting a lockpick village and pop-up shop this year. TOOOL will have locks and picks to borrow, along with volunteers to help you learn, so you can pick to your heart's content. Lockpick Extreme will have a pop-up shop so you can take your love of lockpicking home with you. Lockpick sets, practice locks, their lockpick earrings, and other gear will be available. Whether you've never picked before or you're a pro, you're welcome to stop by!

Villagers
Lockpick Extreme

Bob and Christine’s Lockpick Extreme provides fun, informative, entertaining hands-on training in the arts of lockpicking and handcuff escape. Participants learn how to open real world locks and handcuffs using professional tools and techniques. Once mastering the basic skills...

TOOOL SF

TOOOL SF is The Open Organisation Of Lockpickers San Francisco Bay Area Chapter, a group of locksport hobbyists dedicated to the advancement of locks and lockpicking.

Monday April 16, 2018 9:00am - 4:00pm PDT
City View - Embarcadero

9:00am PDT

Spymaster Challenge
Like to pick locks? Think you have what it takes to escape? Come join Cisco's CSIRT on our Gringo Warrior-inspired IoT'd Spymaster Challenge and see how your picking skills stack up against other conference attendees. Role-play your escape as a captured spy by navigating a timed course consisting of a series of locks of varying difficulty.


Monday April 16, 2018 9:00am - 4:00pm PDT
City View - Embarcadero

9:00am PDT

Coat Check
Monday April 16, 2018 9:00am - 7:30pm PDT
City View - Coat Check

10:00am PDT

Opening Remarks
Presenters
Reed Loden

VP of Security, Teleport
Reed Loden is the Vice President of Security at Teleport, a technology company that helps organizations securely access their infrastructure. He is an information security expert, researcher, hacker, and developer. Reed brings more than 15 years of security experience to his role at Teleport...


Monday April 16, 2018 10:00am - 10:10am PDT
AMC - IMAX

10:10am PDT

Fix All The Things: Rapid-fire Stories of Creative Solutions to InfoSec Problems
Rapid-fire stories of creative solutions to infosec problems.

Presenters
Katie Ledoux

Attentive
Katie Ledoux is the CISO at Attentive where she oversees information security and IT. She previously built the security program at analytics unicorn Starburst Data, and spent many years at security SaaS vendor Rapid7. She obtained her undergraduate degree from Villanova University...


Monday April 16, 2018 10:10am - 10:50am PDT
AMC - IMAX

11:00am PDT

Building a Predictive Pipeline to Rapidly Detect Phishing Domains
Registering a new domain, obtaining a legitimate SSL certificate, and deploying it on a web server has become much cheaper for threat actors thanks to free SSL services like Let's Encrypt. Detecting new phishing domains has always been a reactive process for security teams: just like malware, one cannot provide threat intelligence on phishing domains before they're registered and operationalized.

The development of the Certificate Transparency log network adds an interesting dimension to how this process can be improved. SSL certificates, and the domains they are issued for, can now be monitored in real time... and security analysts already have intuition for what phishing domains look like when they see them. Building a predictive pipeline to detect SSL certificates issued to new phishing domains can reasonably be accomplished with supervised machine learning. In this talk, I'll introduce a Python-based framework for building this predictive pipeline from scratch.

Presenters
Wes Connell

Security Analytics Lead, PatternEx
Wes currently leads threat research efforts for PatternEx, a security startup in Silicon Valley. He previously spent 5 years doing machine learning and intrusion analysis for a threat analytics team at Northrop Grumman. He is especially motivated and passionate for dramatically improving...



Monday April 16, 2018 11:00am - 11:30am PDT
AMC - IMAX

11:00am PDT

Supply Chain Attack Through CCleaner - Evidence Aurora Operation Still Active
Last September, hackers broke into as many as 2.27 million accounts of a computer cleaning program while targeting telecom equipment companies in the United States, Japan, South Korea and Taiwan.
When Avast, which owns the program, looked at the computer logs, it found just 23 compromised computers at eight different companies. The hackers' program was specifically looking for companies on a list of telecom equipment manufacturers and a few telecommunication companies, attacking many but only infecting a portion.

Avast’s CCleaner software had a backdoor encoded into it by someone who had access to the supply chain: the main executable in v5.33.6162 had been modified.

Our analysis of the attack showed a strong code connection, a unique implementation of base64 previously seen only in APT17, making a strong case for attribution to the same threat actor. APT17, also known as Operation Aurora, is one of the most sophisticated cyber attacks ever conducted, specializing in supply chain attacks.

Our investigation led us to conclude that, given its complexity and quality, the CCleaner attack was most likely state-sponsored, most probably by the Axiom group, due to both the nature of the attack itself and the specific code reuse throughout.

Presenters
Itai Tevet

CEO, Intezer
Itai possesses a combination of in-depth technical expertise and leadership experience in mitigating state-level cyber threats. He previously served as the head of IDF CERT, the Israeli Defense Force’s Cyber Incident Response team, where he led an elite group of cyber security professionals...



Monday April 16, 2018 11:00am - 11:30am PDT
City View - Presidio

11:00am PDT

Simple. Open. Mobile: A Look at the Future of Strong Authentication
In recent years, a growing demand to replace passwords and better protect online users has fueled the creation of new, open authentication standards that would deliver on the simplicity and security consumers require. Unlike early predecessors, the newly developed FIDO U2F and FIDO 2 standards provide strong authentication and high privacy with characteristics that have eluded previous hardware tokens – elegance and simplicity. Impossible, you think? This session will change your mind and eventually protect your online accounts.

Presenters
Jerrod Chong

Chief Solutions Officer, Yubico
Jerrod Chong is Chief Solutions Officer at Yubico focusing on accelerating solutions development with YubiKeys to solve customers' account life cycle challenges and evolve the state of authentication in the industry. Jerrod has delivered numerous presentations on modern authentication...


Monday April 16, 2018 11:00am - 11:30am PDT
AMC - Theatre 7

11:00am PDT

Living Security Escape Room (Session 2.1)
Limited capacity: full

The Living Security Escape Room is a unique and fun way to network with security professionals while solving security-related challenges and puzzles to complete the game in time.

If you are signing up with friends/co-workers, you will have an opportunity to set how many during the sign-up process. The Escape Room will run with a max of 8 participants and min of 4 participants.

See https://www.livingsecurity.com/escape-room/ for more information.

Presenters

Drew Rose

CSO, Living Security
Living Security specializes in intelligence driven and engaging security awareness solutions that reduce risk by increasing security culture and changing employee behavior. Check out all Living Security has to offer at livingsecurity.com...


Monday April 16, 2018 11:00am - 11:30am PDT
City View - Embarcadero

11:00am PDT

Crypto Hero
Limited capacity: full

Learn cryptography with a series of hands-on projects in a fun, CTF-style environment. Covers the main cryptosystems in use today: AES, RSA, ECC, SHA, Bitcoin, and Ethereum. The first challenges are easy enough for beginners (Binary, XOR, Cryptokitties), and the later ones get difficult enough to interest intermediate security professionals (Padding Oracle, Smart Contracts). We will demonstrate the challenges and help participants get through them as needed.

Technical requirements: some challenges require only a Web browser, but to do them all you will need a computer that can host virtual machines. Some projects require Windows, and some require 64-bit Ubuntu Linux. Thumbdrives with appropriate virtual machines will be available.

All materials and challenges are freely available at samsclass.info, including slide decks, video lectures, and hands-on project instructions. They will remain available after the workshop ends.

Presenters
Sam Bowne

Instructor, CCSF
Sam Bowne has been teaching computer networking and security classes at CCSF since 2000. He has given talks and hands-on trainings at DEF CON, DEF CON China, HOPE, BSidesSF, BSidesLV, RSA, and many conferences and colleges. Formal education: B.S. and Ph.D. in Physics. Industry credentials...


Monday April 16, 2018 11:00am - 2:15pm PDT
City View - Twin Peaks

11:00am PDT

Modern Red Team Immersion Bootcamp, Condensed
Limited capacity: full

The Modern Red Team Immersion Bootcamp is designed to expose students to the types of attacks that long-term, persistent Red Teams have deployed against modern organizations. This is a condensed version of a two-day course. In this workshop we will focus on post-exploitation, lateral movement, and escalation techniques within modern environments comprised of OSX, Linux, Continuous Integration systems, and elastic compute services.

Requirements: Some familiarity with basic penetration testing concepts will be helpful, but is not absolutely required. Proficiency using a command line and search engine in conjunction to solve problems is highly recommended to enjoy the class. Access to both an OSX and Linux laptop or virtual machine with internet connection is required to access labs and complete course content. The recommended setup is an OSX laptop with a Kali or Ubuntu Virtual Machine. If you are unable to meet this requirement you can still take and enjoy the class but please be advised that approximately 20% of the course’s hands-on lab content will require a Mac OS system. It is advised to have VMWare Fusion or VMWare Workstation installed in advance.

Outline: 
  • Perimeter Breach
    • Public Credential Reuse Tricks
    • Targeted Social Engineering and Spear Phishing
    • Social / Physical
    • Malware Considerations
  • Escalation
    • Post Exploitation 101
    • Userland Password Stealing Techniques
    • Application Secret Stealing Techniques
    • 2FA Bypass Techniques
    • AWS Post Exploitation
  • Lateral Movement
    • Lateral Movement Path Visualization
    • Credential Harvesting Techniques
    • Piggybacking Users to Bypass 2FA
    • Tunneling and Proxying
    • Continuous Dis-integration Techniques
  • Persistence
    • Live Fire Persistence


Presenters

Josh Schwartz

Director of Offensive Engineering, Oath
FuzzyNop is a computer that knows how to computer.


Monday April 16, 2018 11:00am - 6:00pm PDT
City View - Twin Peaks

11:40am PDT

The SecDevOpronomicon - Arcane Secrets for Scaling your Company’s Security
In Victorian San Francisco, we provision fleets of servers with Chef or Puppet and push new code to production dozens of times a day, our laptops illuminated by candle light and backlit Macbook keyboards. You twirl your LED monocle and focus your attention once more on your most pressing challenge: how can you scale your company’s security efforts given the rapid pace of development with a security team outnumbered by developers 100 to 1 or more?

Fear not, for I have studied countless blog posts, white papers, and conference talks the world over to aggregate and summarize their content. Further, I’ve met with security practitioners at companies ranging from startups to large enterprises to discuss their arcane practices in detail - what they’ve tried, what works, and what didn’t.

Join us for an unfiltered, un-hands washed discussion of the current state of the art in SecDevOps, from publicly discussed content to pro-tips from in-person discussions with security engineers at numerous Bay Area companies. Topics will include: high value engineering efforts to solve classes of bugs, high-signal ways to use custom static and dynamic analyses, hooking into the CI/CD pipeline to find potential dangers quickly and reduce risk, and much more.

Presenters

Clint Gibler

Senior Security Consultant, NCC Group
Clint Gibler is a research director at NCC Group, a global information assurance specialist providing organizations with security consulting services. He’s helped companies implement security automation and DevSecOps best practices as well as performed penetration tests for companies...


Monday April 16, 2018 11:40am - 12:10pm PDT
AMC - IMAX

11:40am PDT

Honeypots 2.0: A New ‘Twist’ on Defending Enterprise Networks with Dynamic Deception at Scale
The concept of honeypots and deception has been leveraged by cyber-defenders for many years. Today, though, the emergence of maturing technologies allows us to add a new twist on the classic honeypot approach. Some argue that honeypots were ahead of their time. In the past, honeypots were useful but scale was a limiting factor for the amount of benefit and return on investment achieved from their use. However, with modern technologies like virtualization, cloud computing, containers and DevOps tool chains, we can now scale honeypots to make them statistically relevant in modern large-scale enterprise networks. Furthermore, we can utilize existing programming frameworks to develop interesting types of honeypot technologies. In particular, this presentation describes the notion of dynamic deception at scale using the Python-based Twisted networking framework. The talk will provide details on honeypot essentials and how scale can be achieved with new technologies. The primary discussion will be focused on Twisted, and how it can be used to rapidly create both static and dynamic honeypots.

Presenters
Lane Thames

Senior Security Researcher and Software Engineer, Tripwire
Lane Thames is a senior security researcher and software engineer with Tripwire’s Vulnerability and Exposure Research Team (VERT). As a member of VERT, Lane develops software that detects applications, devices, and operating systems along with vulnerability detection and management...



Monday April 16, 2018 11:40am - 12:10pm PDT
City View - Presidio

11:40am PDT

Managing secrets in your cloud environment: AWS, GCP, and containers (and beyond)
Applications often require access to sensitive data at build or run time, known as secrets. As a cloud application developer, you have many options to store these secrets, such as in code, in environment variables, or in purpose-built solutions. We’ll discuss what a secret is, how secrets are stored today and some common mistakes in secret management, identity as it relates to accessing secrets, criteria to evaluate a secret management solution, common solutions for containers in AWS, GCP, and Azure, and lastly, unsolved security risks.

Attendees should walk away from the talk as experts on secrets management in the cloud, knowing how to improve their secret management practices and understanding their current security and usability tradeoffs.

Presenters
Evan Johnson

Senior Security Engineer, Cloudflare
Evan Johnson is a member of the Product Security team at Cloudflare. He loves diet pepsi, chicken nuggets, and golang. No relation to the prolific Linkedin content producer, Mike Johnson.

Maya Kaczorowski

Product Manager, Software Supply Chain Security, Tailscale
Maya is a Product Manager at Tailscale, providing secure networking for the long tail. She was most recently at GitHub in software supply chain security, and previously at Google working on container security, encryption at rest and encryption key management. Prior to Google, she...



Monday April 16, 2018 11:40am - 12:10pm PDT
AMC - Theatre 7

12:00pm PDT

Living Security Escape Room (Session 2.2)
Limited capacity: full

The Living Security Escape Room is a unique and fun way to network with security professionals while solving security-related challenges and puzzles to complete the game in time.

If you are signing up with friends/co-workers, you will have an opportunity to set how many during the sign-up process. The Escape Room will run with a max of 8 participants and min of 4 participants.

See https://www.livingsecurity.com/escape-room/ for more information.

Moderators

Drew Rose

CSO, Living Security
Living Security specializes in intelligence driven and engaging security awareness solutions that reduce risk by increasing security culture and changing employee behavior. Check out all Living Security has to offer at livingsecurity.com...

Monday April 16, 2018 12:00pm - 12:30pm PDT
City View - Embarcadero

12:10pm PDT

Lunch
Monday April 16, 2018 12:10pm - 1:30pm PDT
City View - Presidio

12:45pm PDT

Raffle
Monday April 16, 2018 12:45pm - 1:15pm PDT
City View - Presidio

1:00pm PDT

Living Security Escape Room (Session 2.3)
Limited capacity: full

The Living Security Escape Room is a unique and fun way to network with security professionals while solving security-related challenges and puzzles to complete the game in time.

If you are signing up with friends/co-workers, you will have an opportunity to set how many during the sign-up process. The Escape Room will run with a max of 8 participants and min of 4 participants.

See https://www.livingsecurity.com/escape-room/ for more information.

Presenters

Drew Rose

CSO, Living Security
Living Security specializes in intelligence driven and engaging security awareness solutions that reduce risk by increasing security culture and changing employee behavior. Check out all Living Security has to offer at livingsecurity.com...


Monday April 16, 2018 1:00pm - 1:30pm PDT
City View - Embarcadero

1:00pm PDT

Resume Rewriting
Peerlyst volunteers will help you improve your resume and re-write it with you. Make sure to have your resume as an email attachment you can forward to the volunteers if you're interested in this service. There will be a calendar on the wall with time slots. Just put your name/handle in the slot that suits you to schedule resume rewriting.

Monday April 16, 2018 1:00pm - 3:00pm PDT
City View - Embarcadero

1:30pm PDT

Fuzzing Ruby and C Extensions
Intro to fuzzing and its specifics for the Ruby language, including the security implications of vulnerabilities that might be found (ex: https://hackerone.com/reports/499). Intro to the AFL fuzzer, the basic concepts of how it works, how to run it against the Ruby interpreter, and how to potentially target gems with C extensions.

Presenters
Claudio Contin

Security Consultant, ZX Security
I come from a back end web development background: java, php, javascript, ruby. I used to work as a Ruby/Rails developer for around 7 years, before switching to a full time security consultant role. For the past couple of years I have been helping organisations secure their networks and applications...



Monday April 16, 2018 1:30pm - 2:00pm PDT
AMC - IMAX

1:30pm PDT

Securing DNSSEC with Ritual and Ceremony (or for steampunks, How Neo-Victorians Keep Out Cads and Bounders)
Which social factors are crucial for key signing ceremonies to build and maintain a chain of trust in the cryptographic operation and to establish credibility among the relying parties? Using Packet Clearing House’s DNSSEC key signing ceremonies as examples, this talk examines the process of selecting and vetting crypto officers and other individuals in trusted roles, the formal and informal hierarchies among the ceremony participants, and the formal separation of duties and privileges needed to secure the ceremony without entrusting too much control to any one actor. It then describes the functions of the informal networks and hierarchies among participants, how these facilitate coordination and social cohesion among the participants, and how they govern the distribution of trust and mutual control between human and nonhuman actors in the ceremony (HSM, code, etc.). Finally, the talk demonstrates how highly ritualized ceremony behavior, meticulously spelled out in a ceremony script, has less to do with achieving instrumental technical ends than with creating a context in which individual behavior transforms into social action, embodying the trustworthiness of a cryptographic operation.

Presenters
Smiljana Antonijevic

Research Anthropologist, PCH
Smiljana Antonijevic (PhD, Cultural Anthropology) explores the intersection of technology, culture, and communication through research and teaching in the U.S. and the EU. She is the author of three books and more than twenty journal articles. Smiljana currently works as a consultant...


Monday April 16, 2018 1:30pm - 2:00pm PDT
City View - Presidio

1:30pm PDT

Demystifying DNS Security – Practical Steps for Reducing Exposure and Detecting Compromise
The Internet as we know it would come to a screeching halt if DNS failed for any extended period, yet we give little thought to the configuration, monitoring and security of our critical DNS services. From a practical standpoint, DNS is extremely insecure and can be exploited in many nefarious ways. This talk will examine some of the more common ways that DNS can be exploited. We will then discuss some strategies for securing DNS from both an authoritative and a recursive perspective.

This will cover both directed attacks against DNS services as well as attacks designed to mislead or misdirect service users. We will also examine ways to protect our networks against some of the more common DNS attacks. Finally, we will look at some ways in which we can easily monitor our DNS traffic for signs of compromise. The goal is for everyone to come away with a better appreciation for the need to secure DNS and have a road map for doing just that.

Presenters
Jim Nitterauer

Director Information Security, Graylog, Inc.
Currently a Senior Security Specialist at AppRiver, LLC., his team is responsible for global network deployments and manages the SecureSurf DNS infrastructure and the SecureTide spam & virus filtering platform, internal applications and security operations. He holds a CISSP certification...



Monday April 16, 2018 1:30pm - 2:00pm PDT
AMC - Theatre 7

2:00pm PDT

Living Security Escape Room (Session 2.4)
Limited capacity: full

The Living Security Escape Room is a unique and fun way to network with security professionals while solving security-related challenges and puzzles to complete the game in time.

If you are signing up with friends/co-workers, you will have an opportunity to set how many during the sign-up process. The Escape Room will run with a max of 8 participants and min of 4 participants.

See https://www.livingsecurity.com/escape-room/ for more information.

Presenters

Drew Rose

CSO, Living Security
Living Security specializes in intelligence driven and engaging security awareness solutions that reduce risk by increasing security culture and changing employee behavior. Check out all Living Security has to offer at livingsecurity.com...


Monday April 16, 2018 2:00pm - 2:30pm PDT
City View - Embarcadero

2:10pm PDT

A Case Study of MacOS Supply Chain Compromise
Supply chain compromises remain an effective technique for attackers to get their malware on a wide array of victims. In this talk we will discuss some of the free and open source MacOS tooling that we use to help defend our networks. We will then walk through how one can use these tools and others to build context around the data they generate to find new, unknown threats and independently identify malware in your environments.

You can identify the next supply chain compromise yourself, proactively.

Presenters
Jason Craig

Lead, Detection and Response Team, Dropbox
Jason leads the Detection and Response Team at Dropbox.

Michael George

Security Engineer, Dropbox
Mike is a Security Engineer at Dropbox where he mostly works on host-based detection systems.


Monday April 16, 2018 2:10pm - 2:40pm PDT
AMC - IMAX

2:10pm PDT

Bring in the $$ : Moving Security from Cost Center to Revenue Generator
Security is expensive. A security team requires a number of highly paid people and a myriad of expensive tools. For most business executives (read: non-security people), security is also scary, and efforts never seem to be enough to get ahead of attackers. It’s easy to see why budget-makers view security as a money sinkhole, forever appropriating valuable company resources. How can we, as security professionals, change the dialog so security is viewed as an asset to the company, rather than a constant liability?

The solution is to communicate, in dollars, the benefits of doing security well. The biggest area that needs to be highlighted is revenue enabled by security.

Most security teams can articulate the cost of a security event and the cost of controls to prevent an event. What most teams are lacking, and the key to moving from cost center to revenue generator, is the revenue enabled by security. This information is surprisingly easy to obtain. Walk away from this talk prepared to shine the light on the value of your security program in a way that even the least technical CEO will understand.

Presenters
Arianna Willett

Lead, Security Trust & Risk, Twilio
Arianna Willett is the Security Trust & Risk leader at Twilio, having built the programs from the ground up. Over the course of her career, she has created and run security programs for companies ranging in size from Fortune 200 to startups. She's an advocate for using quantifiable...


Monday April 16, 2018 2:10pm - 2:40pm PDT
City View - Presidio

2:10pm PDT

The IoT Hacker's Toolkit
IoT and embedded devices provide new challenges to security engineers hoping to understand and evaluate the attack surface these devices add. From new interfaces to uncommon operating systems and software, the devices require both skills and tools just a little outside the normal security assessment. I'll show both the hardware and software tools, where they overlap and what capabilities each tool brings to the table. I'll also talk about building the skillset and getting the hands-on experience with the tools necessary to perform embedded security assessments.

Presenters
David Tomaschik

Senior Security Engineer, BSidesSF CTF Organizer
David is a Senior Security Engineer on the Google Offensive Security team and has been helping to organize the BSidesSF CTF for 7 years. He focuses on red teaming, embedded device security, web security, and security education. https://www.twitter.com/matir


Monday April 16, 2018 2:10pm - 2:40pm PDT
AMC - Theatre 7

2:45pm PDT

How to Hack Radios: A Practical Approach to RF Physical Layers
Limited capacity: full

This workshop offers a tutorial on how to apply Software Defined Radio, with an emphasis on the “Radio” part. Rather than glazing over RF basics, we will frame our entire discussion about reverse engineering wireless systems around digital radio fundamentals.

The session will begin with a short crash course in digital signal processing and RF communication, covering just enough to be dangerous, before introducing a reverse engineering workflow that can be applied to just about any low complexity IoT wireless system. The bulk of this session will demonstrate how this workflow can be applied to recover and inject packets from/into a variety of devices with proprietary modulations by walking through it, live and in detail, with attendees actively contributing to reverse-engineered solutions and working along in parallel.

Attendees should expect to come away with practical knowledge of how to apply SDR to examine and deconstruct proprietary wireless protocols. Those who wish to participate should come prepared with the following:
- USB 3.0 flash drive with this live USB image: https://wiki.gnuradio.org/index.php/GNU_Radio_Live_SDR_Environment
- SDR hardware, such as an RTL-SDR.

Presenters
Matt Knight

Security Researcher, Cruise Automation
Matt Knight (@embeddedsec) is a software engineer and security researcher with specific interests in RF protocols and embedded systems. As a security engineer at Cruise Automation, he is focused on securing the next generation of transportation technology. Matt holds a BE in Electrical...


Monday April 16, 2018 2:45pm - 6:00pm PDT
City View - Twin Peaks

2:50pm PDT

You want to step outside? What we can learn from Google’s fight with phishing
Phishing is the great public plague of the web, and attacks are on the rise. In the first longitudinal measurement of the underground ecosystem fueling credential theft, Google identified 12.4 million potential victims of phishing kits, and 1.9 billion usernames and passwords exposed via data breaches and traded on black market forums. Our researchers estimated that 7–25% of stolen passwords in the dataset would enable an attacker to log in to a victim's Google account and take over their online identity.

Phishing threats can be mitigated, though, with user education and controls like anti-virus software, two-factor authentication, password managers, and security keys. For example, the data showed that techniques like blocking login attempts that fail to match a user’s historical login behavior or device profile can help.

In this discussion, we'll describe this recent Google research on stolen credentials in detail, and demonstrate phone slamming and phishing kits. We'll use these topics as a jumping off point for a discussion on the pros and cons of each prevention method, with the goal of providing a customized, weighted phishing scorecard based on participants' specific user environments.

Presenters
Neal Mueller

Product Lead, Google
Neal Mueller is the product lead for Google Cloud Platform working on BeyondCorp.



Monday April 16, 2018 2:50pm - 3:20pm PDT
AMC - IMAX

2:50pm PDT

An Open Source Malware Classifier and Dataset
Research in machine learning for static malware detection has been stymied because of stale, biased, and otherwise limited public datasets. In this talk, I will introduce an open source dataset of labels for a diverse and representative set of Windows PE files. The dataset also includes feature vectors for machine learning model building, a high-performing pre-trained model for research, and source code to reproducibly generate the features and model. I’ll also detail the reasoning behind the features and labels and demonstrate how the machine learning model performs on samples in the wild.

Presenters
Phil Roth

Data Scientist, Endgame
Dr. Phil Roth is a senior data scientist at Endgame, where he develops products that help security analysts find and respond to threats. This work has ranged from tuning a machine learning algorithm to best identify malware to building a data exploration platform for HTTP request...


ember pdf

Monday April 16, 2018 2:50pm - 3:20pm PDT
City View - Presidio

2:50pm PDT

Logging, Monitoring, and Alerting in AWS (The TL;DR)
With AWS’ ever-increasing number of services and ever-growing complexity, individuals and organizations are desperately seeking the “TL;DR” of what services are available to protect them from and respond to attacks, and how best to configure them for effective and efficient monitoring, alerting, and incident response. The first part of this presentation will walk the audience through the core services and capabilities that are critical to logging, monitoring, alerting, and responding to threats. The second part will walk the audience through specific monitoring and alerting configurations that they can immediately apply to their infrastructure to begin and/or improve their path toward securing their AWS infrastructure. Whether you’re just starting out in AWS or have been using it for years, there is something for everyone to learn or brush up on in ensuring your org is best prepared to monitor for and respond to a compromise.

Presenters

Jonathon Poling

Managing Principal Consultant, Incident Response & Forensics, Secureworks
Jonathon Poling has 10+ years of experience in Network Security Monitoring, Digital Forensics, and Incident Response. With a career spanning government, contractor, and private sectors, he serves as a DFIR SME in all major operating systems (Windows, Linux, Mac), to include Cloud...



Monday April 16, 2018 2:50pm - 3:20pm PDT
AMC - Theatre 7

3:00pm PDT

Living Security Escape Room (Session 2.5)

The Living Security Escape Room is a unique and fun way to network with security professionals while solving security-related challenges and puzzles to complete the game in time.

If you are signing up with friends/co-workers, you will have an opportunity to set how many during the sign-up process. The Escape Room will run with a max of 8 participants and min of 4 participants.

See https://www.livingsecurity.com/escape-room/ for more information.

Presenters

Drew Rose

CSO, Living Security
Living Security specializes in intelligence-driven and engaging security awareness solutions that reduce risk by increasing security culture and changing employee behavior. Check out all Living Security has to offer at livingsecurity.com...



Monday April 16, 2018 3:00pm - 3:30pm PDT
City View - Embarcadero

3:30pm PDT

Unraveling the Threat of Chrome Based Malware
Most leading web browsers, including Google Chrome, offer users the ability to install extensions: web-based applications that can execute JavaScript/HTML in the context of the browser. Software extensibility is a feature cherished by end users to enhance their application experience and, in the case of Chrome extensions, also a potential threat to the security of the networks in which they are used. Many organizations simply accept the risk of user control over browser extensions, with few controls and no auditing. This talk will present a technical analysis of an (allegedly) friendly Chrome extension that enabled a potentially massive click fraud campaign with over 200k users in its short lifetime. We will explore more broadly how Chrome extensions function and how they can be used maliciously to enable remote compromise of an enterprise network. Next, we will demonstrate the potential impact of malicious Chrome extensions by demoing custom extensions and releasing sample techniques. Finally, we will discuss methods by which organizations can identify, detect, hunt, and control the use of extensions in their enterprise. We hope the audience will no longer face this threat unprepared.

Presenters

Spencer Walden

Member, Security Research Team (SRT), ICEBRG
Spencer Walden is an ICEBRG intern emeritus and a current member of the Security Research Team (SRT). He has primarily been focused on detection research and tracking criminal threat groups, most notably FIN7. Spencer is a graduate of the University of Washington where he studied...

Justin Warner

Security Engineer, ICEBRG
Justin Warner (@sixdub) is a Security Engineer at ICEBRG where he researches and develops network threat detection capabilities while also regularly assisting partners in performing network forensics during incident response engagements. Justin is an Air Force Academy graduate, former...


Monday April 16, 2018 3:30pm - 4:00pm PDT
AMC - IMAX

3:30pm PDT

Introduction to Windows Kernel Mode Debugging
Debugging is a very practical science, and an underappreciated component of creating secure software. Specifically, debugging in the kernel is extremely useful for creating efficiencies, finding the root cause of problems, and crafting more secure software. It also helps us to establish a deeper understanding of the operating system internals, which is one of the fundamentals for security experts. Moreover, there is a growing movement toward ‘baking’ in security from the beginning, and debugging in the kernel is essential toward making this a reality.

The audience will gain insight into the overarching thought processes for approaching different types of software issues, including identifying which command or tool to use and how to root-cause the issue, as well as a better understanding of how the operating system works internally and how to improve software quality and security. I hope to encourage others to explore the exciting world of debugging in the kernel, and show how these skills are a core component of resilient security. This talk assumes an introductory C programming background and a general understanding of operating systems.

Presenters

Yamin Tian

Kernel Developer, Endgame
Yamin Tian is a kernel developer at Endgame. She has 16 years of experience in the security industry. Before joining Endgame, she worked on the Detection Engine R&D team at FireEye, where she was responsible for designing and implementing a number of dynamic detection features. Prior...



Monday April 16, 2018 3:30pm - 4:00pm PDT
City View - Presidio

3:30pm PDT

PostgreSQL Threats and Attacks in the Wild
We developed two PostgreSQL honeypots, pghoney (low-interaction) and Sticky Elephant (medium-interaction). This talk presents our findings (exploits! malware! brute force!) to the security community. We will also discuss the development of our honeypots and their integration into MHN & HPFeeds.

Presenters

AJ Bahnken

Security Engineer, Mozilla
AJ is a Security Engineer at Mozilla.

Forrest Fleming

Security Engineer, Procore Technologies
Forrest and AJ are the security team at Procore Technologies; they were poached from the Identity & Access Management and Site Reliability teams at Procore, respectively, due to their interest (and success) in hardening Procore's security profile. Their past projects include Kala (a...



Monday April 16, 2018 3:30pm - 4:00pm PDT
AMC - Theatre 7

4:10pm PDT

privacy for safety - opsec when the threat is in the home
We live in a hyper-connected world, where security awareness for most people means protecting against SE or clicking on links. What happens if you need to protect yourself against someone who has your personal information or can access your devices? How can we inform people better, and how can we help them? Can we improve existing apps and processes to protect people in abusive relationships or vulnerable groups? What are the dangers to them? I will show how simple irritations for most people can be life-threatening for others, and how we can improve this.

Presenters

Stella

Training Specialist
I have a background in teaching and training with a focus on Inclusion. I am interested in applying this to infosec, to make it more inclusive and empathetic. I am British but live in California. USA is my spiritual home but I do miss tea.


Monday April 16, 2018 4:10pm - 4:40pm PDT
AMC - IMAX

4:10pm PDT

Prospecting Ransomware Tech
2017 was a year with a large increase in ransomware families and malware technologies. Some malware technologies are not dangerous enough on their own unless they get mixed with others, yet somehow most of them end up in ransomware and botnets. WannaCry and NotPetya were empowered with SMB exploits for mass spreading. NotPetya, GoldenEye and Armalocky make use of low-level disk encryption to alter the user data at sector level. GlobeImposter, BTCWare and Troldesh/Crysis were spread using RDP sessions. We also have a large number of the first two of them packed with the polymorphic packer used by Emotet. Some of the ransomware families get sold through RaaS portals, allowing any end user to become a potential ransomware owner; Satan ransomware is an example of such a case. A strange one, UIWIX ransomware, which probably was reshaped, was distributed by the Adylkuzz coinminer in certain circumstances by October 2017. The coinminer is known for its SMB exploit component and its preference for Monero. In this presentation we will evaluate the mix of malware technologies used by the ransomware families born in 2017, both for their distribution and their encryption algorithms, in an attempt to picture what’s coming next.


Presenters

Vlad Craciun

Senior Team Lead, Cyber Threat Intelligence Lab, Bitdefender
Vlad Craciun was born in Piatra Neamt in 1986. He has been analyzing different types of malware and file infectors in an R&D lab since 2009. He finished his Master's degree in 2012 at the "Gh. Asachi" Technical University of Iasi with a thesis entitled "Advanced binary analysis using...


Monday April 16, 2018 4:10pm - 4:40pm PDT
City View - Presidio

4:10pm PDT

Lessons learned implementing meaningful access controls to customer data
There exists an unfortunate open secret in our industry: companies are often quite old and advanced in nature before they implement meaningful internal access controls to sensitive customer data. The reasons for this are numerous, ranging from lack of tools to lack of prioritization in the face of other engineering needs in startups. At Intercom we decided to undertake a significant body of work over a 9 month period to holistically address this issue internally, resulting in an over 70% reduction in the number of people with such access and dramatically improved tooling, processes, and automation. This presentation will describe Intercom's journey with this work, the methods used, and the lessons learned, which we think would be helpful for other companies.

Presenters

Patrick O'Doherty

Security Engineer, Intercom
Patrick O'Doherty is a Security Engineer at Intercom in San Francisco where he works on all aspects of securing the Intercom platform. When not working on security he can be found hacking things at Noisebridge or attempting to produce very bad electronic music.



Monday April 16, 2018 4:10pm - 4:40pm PDT
AMC - Theatre 7

4:50pm PDT

Pensieve: Finding malicious artifacts in container environments
Traditional forensic investigation tools such as LiME and fmem (memory imaging), dd and dcfldd (disk imaging), and Volatility are not suited for ephemeral and immutable infrastructure. In this session, we’ll show how to make use of Checkpoint/Restore In Userspace (CRIU), Docker techniques, and other tools for evidence retention and gathering to help security operators collect artifacts from known malicious containers and understand the causes and effects of the adversarial activities in their environment.

Presenters

Yathi Naik

Software Engineer, StackRox
Yathi is experienced in building security for microservices and Docker containers, and is passionate about low-level software and systems engineering. He is a software engineer at StackRox.


Monday April 16, 2018 4:50pm - 5:20pm PDT
AMC - IMAX

4:50pm PDT

Listen to your Engine: Unearthing Security Signals from the Modern Linux Kernel
Observing all kernel events can be like descending into the steam-engine of an airship – the machinery of system calls can be arcane, complicated and very, very noisy. Buried in this cacophony, though, can be indicators of privilege escalation, resource abuse or side-channel attacks. In this talk, we revisit the well-trodden system call but with fresh eyes (goggles). In a cloud-native world, sandboxing and deployment tools like containerization enable us to gain context for system calls so that we can both understand intent and surface anomalies.

This session will outline the tools needed for “engine work”, ancient and new, from ptrace and kprobes to tracepoints and eBPF. We will walk through system call logs observed during recent attacks, including Shellshock, Apache Struts, and Meltdown. For each attack, I will highlight the system call events that are indicators of the exploit. Then, I’ll generalize a set of high-grade signals that serve as useful indicators for future attacks and propose needed work to improve system call analysis. Finally, using learnings from our deployment of system call logging and analysis at global financial institutions, I’ll share recommendations for applying these methods in your own environments.

Presenters

Robby Cochran

Engineer, StackRox
Robby Cochran is an engineer at StackRox. He obtained his Ph.D. from the University of North Carolina at Chapel Hill in 2016 and has co-authored security research that has been presented at the USENIX Symposium on Networked Systems Design and Implementation (NSDI) and the Network and...



Monday April 16, 2018 4:50pm - 5:20pm PDT
City View - Presidio

4:50pm PDT

Navigating the Vast Ocean of Browser Fingerprints
This talk is about how to combine browser fingerprinting and machine learning to create *general purpose* models for blue team applications (e.g. fraud detection/prevention/response). Level: beginner to intermediate. No prerequisites.

Presenters

Russell Thomas

Senior Data Scientist
Senior Data Scientist at a regional bank. PhD candidate in Computational Social Science at George Mason University. BS in Electrical Engineering and Management from WPI. A few decades of experience in the computer industry in design, manufacturing, marketing, and consulting.



Monday April 16, 2018 4:50pm - 5:20pm PDT
AMC - Theatre 7

5:30pm PDT

Closing Ceremony
Come join us as we say goodbye to the 2018 edition of BSidesSF! Contest and CTF winners will be announced.

Presenters

Reed Loden

VP of Security, Teleport
Reed Loden is the Vice President of Security at Teleport, a technology company that helps organizations securely access their infrastructure. He is an information security expert, researcher, hacker, and developer. Reed brings 15+ years of security experience to his role at Teleport...


Monday April 16, 2018 5:30pm - 6:30pm PDT
City View - Presidio

6:30pm PDT

Happy Hour
Come join us in the Bar and Social Lounge as Rapid7 hosts the BSidesSF 2018 Happy Hour!



Monday April 16, 2018 6:30pm - 7:30pm PDT
City View - Embarcadero