• Day 1
    June 8th
    8:00 - 8:45
    8:45 - 9:00
    Philip Tully
    9:00 - 9:50
    Philip Tully - Data Loss Prevention in a Social Media World
    We’re hard-wired to maximize likes, shares, +1s, endorsements, retweets, repins and upvotes on social networks. In doing so, we inadvertently overexpose PII on a massive scale. In fact, business models of the networks themselves are explicitly predicated upon this behavior; revenue generated from user-tailored advertising annually exceeds hundreds of billions of dollars and growing. But the security implications of readily accessible personal data are often overlooked and underestimated.
    9:50 - 10:20
    Morning Break
    Kevin Johnson
    10:20 - 11:20
    Kevin Johnson - Royal Testing: Purple Teaming to Build and Secure Applications Better!
    Applications are one of the most exposed parts or any organization, but most companies fall short on knowing how and what to monitor within them.  In this presentation, Kevin Johnson of Secure Ideas will use his background as both a developer and a penetration tester to show attendees how to determine these methods.  Combining application testing with security control tuning, Kevin will help organizations improve their application monitoring and attack detection.
    11:20 - 11:30
    A message from our sponsors...
    Johnny Xmas
    11:30 - 12:30
    Johnny Xmas - Dark Web Economies (...and you can too!)
    Since the infamous Silk Road take down by the FBI in 2013, the Darkweb economy has been exponentially increasing in both user base and revenue year-over-year. The need for esoteric knowledge in order to engage in transactions via this shadow Internet has subsided greatly, allowing average computer users access to the vast underground of illicit economies. 2016 in particular has seen turbulent growth and high-profile media coverage, putting it in the forefront of everybody’s minds. In this talk, we’ll present the cold hard truth behind the various commodities being bought and sold via this pseudo-anonymous marketplace, with a depth and insight The Media is simply not able to provide. Topics covered will include: money laundering via cryptocurrency, Hacking as a Service, hitmen for hire, human trafficking, and much, much more!
    12:30 - 1:30
    1:30 - 2:00
    Matt Thelen
    2:00 - 2:50
    Matt Thelen - DIY CTF - How to Gain momentum on Your Security Awareness Program by Hosting a CTF
    Learn how to create a CTF for non-security folks within your organization to help increase security awareness, get exposure for your security program, or just to give the IT folks something fun to do.  I will walk you through initial goals that were set as well as the challenges we faced,  such as how we picked 30 people from among thousands to participate.
    Daniel Stiegman
    2:00 - 2:50
    Daniel Stiegman -Deconstructing Chaos: …through “Behavioral Detection”
    Most discussions on Cyber Threats and how they relate to the conflict between nation-states, or the companies vs. the lone hacker, bring the reader to thinking in the future. In this discussion, I will bring you backward. In their attempt to understand cyber threats, security professionals typically grasp the minimalist understanding of “Bad Guys do Bad Things.” Information Security Professionals sometimes lock themselves into a reaction state that implies a response. That isn’t necessarily the fault of those individuals, as it is a strength within the industry to have what is called “spotlight thinking.” Thinking in a way to read numbers, code, structured scientific reasoning can be rigid and responsive. Where it becomes a weakness for organizations is on how to predict, assess, and deter threats to their organization. Working on the “floodlight thinking” processes create professionals who can see indicators, vulnerabilities and associated processes, as it relates to the illicit actors in the national and international focus.
    Aamir Lakhani
    2:00 - 2:50
    Aamir Lakhani - The Threat Actor Studio
    The movies Sneakers, Hackers, and Swordfish were always exciting to me because it showed how smart people could use technology to overcome the most monumental odds, fight a system of injustice, and prevail like a super hero. When I was growing up I wanted to color outside lines, be an outlier, and explore all the places I wasn't supposed to. I wanted to be a hacker.
    2:45 - 3:15
    Afternoon Break
    Cliff Smith
    3:10 - 4:00
    Cliff Smith - Something Died Inside Your Git Repo: Recognizing the Smell of Insecure Code
    Code in need of refactoring is easy to recognize because it has a bad smell.  Insecure code often has a distinct smell as well.  Using real-world examples, both from the developer’s perspective and the attacker’s perspective, this talk will help you recognize vulnerable code and avoid the mental errors that lead to insecure applications.
    Raul Alvarez
    3:10 - 4:00
    Raul Alvarez - Reversing a Polymorphic File-Infecting Ransomware
    Virlock is a polymorphic file-infecting ransommware. It is capable of infecting executable files and at the same time, holding your computer hostage.
    Dan Bougere
    3:10 - 4:00
    Dan Bougere - The Beginner's Guide to ICS:  How to Never Sleep Soundly Again
    Are you tired of missing the Modbus? Do you think DALI is a weird artist? You want to bring sexy BAC? Go from noob to clueful on the hottest new hacking targets of 2016, and see what all the fuss is about.  Learn what exactly is SCADA/ICS/PCN, why it's important, and just how horrifyingly ancient it all is.  If you've ever wondered why Stuxnet was so devastatingly effective, or want to lose sleep over chemical plants on your commute, this is your chance.
    4:00 - 5:00
    Michael Gough - Windows IR Made Easier and Faster - Find The Head of The Snake Using AutoRuns, Large Registry Keys, Logs, IP/WhoIs and Netflow
    Windows systems are still king of the desktop and server operating systems, thus the #1 target of hackers, malware, ransomware, and phishing attacks.  Hunting for malicious activity is something we all must get better at or the hackers will win; hell, the hackers are already winning.  Learning what to look for is hard enough with all the ways Windows can get infected and hide malicious payloads.  Worse, there are few tools to help us effectively hunt, short of buying expensive enterprise solutions which many, if not most, organizations find hard to afford.  Doing it quickly is also difficult and we need to get faster at it.
    Andrew Metzger
    4:00 - 5:00
    Andrew Metzger - Homebrew Powershell: Where to Begin With Data Sources and Baseline Data
    We're going to slow up a bit with this one and take it back to the basics. There's a ton of really cool Powershell scripts available anywhere you look, but most of it looks really intimidating. I'm going to show you the basics of how to get data and work with Powershell so you can bridge the gap between newbie script dependence and confident Powershell pro.
    4:00 - 5:00
    Ben Brown - Where Cypherpunk Meets Organized Crime: The Shifting Landscape of Underground Economies and Crypto-driven Privacy
    It has been six years since the first Tor market opened shop. The period between then and now has been one marked by violent growth, innovation, and adaptation. With more than thirty active darkweb markets and countless individual shops in operation, we are far from the end of this wild ride. In this talk I will differentiate between the oft confused terms 'deepweb', darkweb', and 'darknet'. I will then explore some of the different darknet frameworks in use (that's right, it's not just Tor being leveraged for cybercrime commerce). I'll provide a quick dive into the history of cybercrime, from weed on ARPANET to newsgroups and IRC. Then I'll address the early underground commercial moves to the darkweb. I'll give a current State of the Darkweb and then we can see how governments and law enforcement are responding to this new front for crime. I'll highlight some recent legislation and international control regimes that impact and target core technologies utilized by the darkweb and it's denizens. Finally, I'll reveal some of the emerging technologies that will fuel the next evolution of underground economies on the darkweb.
  • Day 2
    June 9th
    8:00 - 9:00
    Arnar Gunnarsson
    9:00 - 9:50
    Arnar Gunnarsson - VR-Bleeding Edge of Development and Technology-But Are We Making Old Mistakes?
    Everything last year, this year and, at least for the next 10 years, is VR, VR, VR and it‘s finally here to stay. We are used to the idea that new software and hardware for current technology has to go through a lot of security procedures/processes and testing during development. But now here‘s a completely new technology and we‘re so immersed in the idea that our childhood fantasies are becoming reality that we've forgotten some of our most basic security practices and are accepting what we‘re given. The field started out with industry giants that we trust (even though experience has shown us not to), developing this industry from scratch. But, these days you can buy Chinese made VR headsets from AliExpress for 14$ and we all know how much thought was put into that development. In this talk I will go over privacy issues with current generation VR and show you what data is available to be gathered and sent to the manufacturer. We will also go over internal security measures in the VR datastream and what can be compromised and used maliciously, and what features of the VR platform helps to make us secure. We‘ll then end the lecture by looking into our close future and talk about the features that are confirmed to be coming and what that means and why psychiatrists are excited and why the rest of us should be wary.
    Bobby Kuzma
    9:00 - 9:50
    Bobby Kuzma - The Network Sorcerer's Workbench
    Vulnerability hunting on network devices has long been an arcane, occult art-form owing to squeamish hardware, strange software, and operating systems that seem to defy both logic and good software development practices. The challenges are great, but the allure of binding such strategically placed devices to your will is strong. This talk will walk you through building an effective toolset to explore and exploit these network devices, by getting into their very essence, debugging them and using the latest in freely available tools and some very low cost hardware. We’ll look at a variety of devices from Juniper and Cisco and how to poke around their innards before demonstrating how to work out an exploit to the now well-known SNMP overflow vulnerability in Cisco ASAs works by using the tools and techniques live.
    9:50 - 10:10
    Morning Break
    Timothy De Block
    10:10 - 11:00
    Timothy De Block - Kickstarting an Application Security Program
    Management wants a security program setup in the software development life cycle (SDLC). You have very little programming experience. What do you do? This talk will walk through my experience of setting up appsec programs with minimal programming experience. The first part of the journey will cover tools. How a dynamic and static analyzer fit into an appsec program. Working with developers to remediate findings. Options for tracking vulnerabilities. Training developers to use the tools. The second part of the journey will focus on strategy. Understanding the environment. Implementing assessments and processes. Training developers to improve their security mindset. Finally, the talk will touch on potential next steps. This talk is for those looking to make an impact in the SDLC.
    10:10 - 11:00
    Adrian Crenshaw - Of Flags, Frogs & 4chan: OPSec vs. Weaponized Autism
    This talk will tell the stories of people who got their data leaked, or trolled hard by 4chan because of bad OPSec, and what they could have done better. Internet Hate Machine: Because none of us as are cruel as all of us.
    Aaron Mog
    10:10 - 11:00
    Aaron Mog - Intro to Threat Hunting
    Getting told by outsiders you’re breached is everyone’s nightmare. Don’t wait for someone to tell you that you are compromised. Discover it for yourself so you can kill it and clean it before the problem gets worse.
    Hudson Harris
    11:00 - 12:00
    Hudson Harris - The Good, the Bad, and the Ugly: HIPAA in an InfoSec World (Panelists: Dan Adams, Elizabeth Ortmann-Vincenzo, Rebecca Romines, Dan Yarger)
    best practices and pro-tips on how to mitigate risk and navigate the coming changes to the HIPAA enforcement landscape. The talk will host 4 panelists from diverse backgrounds that will provide an in-depth, boots on the ground approach to HIPAA. The panel will include privacy counsel from a Fortune 500 company, a shareholder from a national top health care law firm, a privacy officer from a company with more than 100 service locations, and a HIPAA Auditor from a top gap analysis consulting firm. This panel will provide attendees a unique opportunity to interact with four very different perspectives on HIPAA compliance, from corporate privacy to audits to investigation response and recovery.
    Joshua Crumbaugh
    11:00 - 12:00
    Joshua Crumbaugh - How to Patch Stupid - A Modern Approach To Securing Users
    The bar is set too low when it comes to human security. This talk presents methodologies that are effective in remediating human vulnerabilities. This is part of a larger project called the HumanSAMM project, which aspires to provide methodologies to remediate all forms of human insecurity.
    Igor Matlin
    11:00 - 12:00
    Igor Matlin - The Node.js Highway: Attacks Are At Full Throttle
    Node.js is the drive-and-go language and its popularity is soaring. Five years after its debut, and the language’s framework boasts more 2M downloads a month. Before accelerating too quickly, it is important to understand the power – and corresponding mishaps – of this language. In this talk, we demonstrate new attack techniques against applications built on top of the Node.js language. Attacks include: • Application-layer DDoS attacks. Bringing a server to its knees with just 4(!) requests. • Password exposure attacks. Leveraging the “Forgot My Password” feature of applications in order to reveal the passwords of all the application’s users. • Business logic attacks. Running malicious code on all machines of users of the applications when exploiting a weak business feature.
    12:00 - 1:00
    1:00 - 1:30
    Dave Chronister
    1:30 - 2:30
    Dave Chronister - Dear Blue Team, This is Why I Always Win. Love, A Hacker
    Dave has spent over two decades in IT. The last ten years have focused on offensive security. Throughout his career as a penetration tester and incident responder, he has concluded companies will always lose. In this talk he will discuss the five points of security in which most organizations have given up. These key areas ensure that malicious forces will always win. In this talk, Dave will discuss how an organization can control these key areas and defeat malicious forces. At the end of the discussion, the information security professional will need to ask, do we cede defeat or defend our assets.
    Jayson Street
    2:30 - 3:30
    Jayson Street - Strategies on Securing Your Banks & Enterprises (From Someone Who Robs Banks & Enterprises For a Living!)
    Most people who work on the defensive side of computer security only see the landscape from that perspective! In this talk Jayson will show how an attacker views your website & employees, then uses them against you. We'll start with how a successful spear phish is created. By using the information gathered from the companies own 'about' page as well as scouring social media sites for useful information to exploit employees. The majority of the talk will be covering successful counter-measures to help stave off or detect attacks. This discussion will draw on the speaker's 15 years experience of working in the US banking industry on the side of defense. Also, at the same time he'll be drawing on over 6 years of doing engagements where he took on the role of the attacker. If everything turns out well, everyone will have learned something new that they can immediately take back to their networks and better prepare it against attacks!
    3:30 - 3:50
    Afternoon Break
    3:50 - 4:50
    Tim Malcomvetter - How I Inadvertently Outsourced My IT Job to a Fancy Bear
    As I plan this talk, Twitter can’t seem to shut up about Russian hackers and Fancy Bears, except perhaps long enough to talk about organizations paying to remove ransomware off of everything from mass transit systems to Android Smart TVs. Current events remind me of both the childhood game, King of the Hill, and the news story from 2013 in which a Verizon auditor caught an employee named “Bob” outsourcing his software development job to a Chinese programmer in exchange for 20% of his 6 figure salary, so “Bob” could watch cat videos instead of work. Somehow, I envision a future niche where these concepts are all linked. In this talk, we will mix the TTPs (Tactics, Techniques, and Procedures) of red-team-worthy adversaries with the get-rich-quick goals of ransomware to head into a new direction: king of the enterprise hill in which your IT job was just outsourced to an APT. Is your blue team ready for it and can your red team deliver an adequate simulation to make sure they are?
    6:00 - 9:00
    Friday Night Party! - Hackers: The Secret Lives of Today's Superheroes (Dress to Impress)
    4:50 - 5:00
    Closing Remarks - Parameter Security & Hacker University