Preparing for the Storm - BSidesOK 2018
About BSidesOK
BSides Oklahoma is a free information security conference focused on practical, hands-on training for improving security. Our featured keynote speaker will be Johnny Long of Hackers for Charity.
Registration
Registration is free and includes lunch and a t-shirt!
Walk-ins are welcome, but lunch and shirts are reserved for registered attendees first.
Where it’s at
Located at the Glenpool Conference Center in Glenpool, OK (just southwest of Tulsa).
Official Conference Hotel - Holiday Inn Express Glenpool
For a 10% discount on room prices, use the Corporate ID of "786825735".
Book Rooms Today!
We ♥ Our Sponsors
Interested in Sponsoring BSidesOK? View our Sponsorship Kit.
If you have any questions, please contact us via email or @BSidesOK on Twitter.
Schedule
Registration
Welcome & Announcements

Morning Keynote: What is the hacker community?
Johnny Long, Hackers for Charity
What is the hacker community? I’ve had some interesting adventures in my twenty-or-so years as a professional hacker and INFOSEC dude, and one thing I’ve learned is the value of failure. In this talk, I’ll unload some of the stories of my adventures all over the globe and share the valuable insights I’ve gained about what it means to be a hacker and why this community is unique, valuable and worth fighting for.
Johnny Long spent his career as a professional hacker. He is the author of numerous security books including No-Tech Hacking and Google Hacking for Penetration Testers. Johnny spent seven years living in Uganda, East Africa, where he focused on his work with Hackers for Charity (HFC). HFC is a non-profit organization that leverages the skills of technologists. They solve technology challenges for various non-profits and provide food, equipment, job training and computer education to the world's poorest citizens. Johnny's website is http://hackersforcharity.org.

Track 1
Sounds of a Scammer
Rich Lay, FBI Special Agent
This presentation will include actual audio recordings of telephone calls and voicemails from scammers, collected by the FBI. The main feature will be a series of telephone calls a fraudster makes to a bank, pretending to be a bank customer. There will also be several voicemails left for money mules which had been hired by overseas front companies in order to facilitate the movement of electronically stolen funds to points overseas. If there is time, I will give a brief cyber crime presentation, and discuss topics of interest to the audience.
Richard Lay joined the FBI in July 1997. After attending the FBI academy, he was assigned to the Houston Division of the FBI, where he worked White Collar Crime and Cyber Crime. In 2003 he transferred to the FBI's Engineering Research Facility in Quantico, where he managed a variety of technical support programs. In 2007 he transferred to his home state of Oklahoma. He served as the supervisor of the Cyber Squad in the Oklahoma City Division of the FBI for 5 1/2 years. In 2013 he returned to investigative duties as a Cyber agent, focusing on computer intrusion investigations.

Track 2
Sniffing Out Security Flaws in Your Web App
Mic Whitehorn-Gillam
A skilled attacker is probably not going to throw a sheer volume of different attacks at your app to see what sticks. Much like a skilled coder learns to recognize "code smells" - certain symptoms that suggest a problem; a skilled attacker recognizes specific things that may indicate a vulnerability. A simple example would be a querystring argument containing a URL. It may be an open HTTP redirect, an API call that can be hijacked, a cross-site scripting flaw, or perhaps nothing at all. One of the best tools developers and application owners can use to secure their own apps is the ability to spot potential vulnerabilities the same way an attacker would.
I started coding in the late 80s with MS-DOS batch files and later BASIC. A few years later I moved into Windows GUI apps, and then started into websites around 1997. It was several years later that I actually became primarily a web app developer, where I had full-stack responsibilities for the vast majority of a decade across several different stacks. Security was always an area of interest for me. I learned as much as I could, applied it as a developer, and in the last year it became my primary responsibility as a penetration tester. I don't know everything about web apps, but I've picked up a lot over the years and I'm always grateful for the opportunity to share that knowledge.

Track 3
The Beginner's Guide to ICS: How to Never Sleep Soundly Again
Dan Bougere
Are you tired of missing the Modbus? Do you think DALI is a weird artist? You want to bring sexy BAC? Go from noob to clueful on the hottest new hacking targets of 2017, and see what all the fuss is about. Learn what exactly is SCADA/ICS/PCN, why it's important, and just how horrifyingly ancient it all is. If you've ever wondered why Stuxnet was so devastatingly effective, or want to lose sleep over chemical plants on your commute, this is your chance.
Dan has recently been baptized in the world of ICS through his Senior Security Consultant job at Securion, LLC where he is a pentester. Before then he held various cybersecurity jobs in Afghanistan and domestically, with a quick stint as a Fed at the NSA. Dan holds a BS and two MS degrees (because reasons) and more than a few certs from SANS, where he acts as a mentor in the DC area. He especially enjoys learning about ICS, since you really can hack just like the movies.

Track 1
Scary Tech that Tracks You Online
Luke Crouch
There are over 5,000 online trackers that use and abuse web technology to identify and follow users online. From the humble HTTP cookie to WebVR to abusing the web's own security features to attack its users' privacy. This talk will demystify the technology that powers online tracking, show how developers can help protect users, and emphasize the importance of privacy in online life.
Luke writes web code at Mozilla, focusing on Privacy & Security prototypes & experiments for Firefox.

Track 2
Eating the Elephant: Leveraging Data Analytics to Tackle Everyday Security Tasks and Provide Actionable Intelligence
Ramece Cave
In the fast-paced world of information security, analysts are tasked to perform seemingly and often improbable feats of data analysis, and produce actionable results. Actionable could mean things to block, collect, or be-on-the-look-out (BOLO). Data sources can range from data obtained on-line, device log files, PCAPs, and miscellaneous CSV files to name a few. Seldom does the data align properly, and it could be missing vital contextual information. On the surface, the various data sets may not appear to have any relationship. Not to mention, the small problem, the information totals are in the millions. As if your day was not already turbulent. When, where, why and how do we begin to make sense of the madness? The answer lies in the solution to this question: How do we eat an elephant? One byte at a time.
Ramece Cave is a Research Analyst with the Security Engineering Research Team (SERT) at NTT Security. His core areas of focus are distributed threats, which encompass but are not limited to: identification, remediation, and analysis of denial of service (DOS) attacks, covert channels, botnets, and command and control (C2) protocols, in malware and other network communication.

Track 3
How one line of Python can bring your network to its knees - and how to prevent it.
Bobby Simpson
In this talk, we’ll cover how to create a script that will cause Denial of Service throughout the network by creating IP address conflicts. After demonstrating the effects, we’ll discuss how to prevent this from happening in your network. Internal networking weaknesses are well known, and strategies to mitigate the problems have been around for a long time. What is new today is the ease with which attackers can cause massive chaos inside your network, and how many IoT devices are probably running free throughout your environment. Fortunately for the Blue Team, the Python language, and specifically the Scapy library, make it incredibly easy to craft and send fake packets, so mocking up attacks in the lab is easier than ever. Covered topics include how ARP works, a quick intro to Python and Scapy, a script to cause chaos, and some tips on configuring your network to fight back.
Bob Simpson is the creator of GhostSentry, an access control and compliance firewall and CIO for Finley & Cook, PLLC, a private accounting firm where he has served for 9 years. Before that, Bob was Security Architect for the Oklahoma Department of Human Services. Mr. Simpson holds the CISSP, GCIH, GCIA, and GPEN, as well as MCSE and CCNA Security certifications. He is a member of the SANS Advisory board and InfraGard.
Lunch Break

Afternoon Keynote: Put on Your Own Mask Before Helping Others
Jack Daniel
We hear it every time we fly, but it is good advice for many situations in life. To prepare for and thrive in a career in technology we have to plan to take care of ourselves, and others. The demands on infosec and technology professionals often seem overwhelming; this talk discusses ways to maximize your ability to thrive in the high-stress, high-demand environment of technology and security. Building on lessons learned from stress and burnout research and other projects this presentation looks at the other side, how to avoid getting into trouble and ways to sustain high efficiency and satisfaction. Topics range from the defining terminology and prior study, to preventing potential personal and professional problems, and will include day-to-day advice for being content and productive.
Jack Daniel is a co-founder of Security BSides and works for Tenable Network Security. Jack has over 20 years' experience in network and system administration and security, and has worked in a variety of practitioner and management positions.
Jack is a technology community activist, a frequent speaker at technology and security events and is a co-host on the award-winning Security Weekly Podcast. An early member of the information security community on Twitter, @jack_daniel is an active and vocal Twitter user. Jack is a CISSP, holds CCSK, and is a Microsoft MVP for Enterprise Security.

Track 1
Canary Tokens: Attacks and Defense
Nathan Keltner
Canary tokens can be thought of as web bugs for documents, executables, or even database records and source code repositories -- canaries that fire when a victim or attacker interacts with a tokened resource. This talk discusses techniques to use canaries for offense and defense, detecting interactions with your token when they occur on any system that isn't fully isolated from the internet.
For defense, these grant visibility into successful attacks in a manner similar to honeypots, but focus on the information attempting to be obtained rather than a network asset. They are particularly interesting for the feedback provided in cloned site phishing attacks and other areas that are usually "dark" to defenders.
But tokens are also highly useful for attackers. They've become indispensable in our attacks against live networks, granting valuable debug information on failed exploits, failed and successful phishing attempts, the specific types of network defenses getting in the way, and similar useful information.
This talk will cover typical setups, modifications to the open source repos and configs you'll want to make, and fun examples of all of the above.
I mean, what attacker wouldn't open the file 'Netsec_passwords_all_Q1_2017.xlsx'?
Nathan Keltner, one of three founding partners at Atredis Partners, plans, leads, and executes advanced, custom-scoped projects for the Assessment and Embedded practices. He has over 13 years of experience in the security industry, working with top teams of attackers and vulnerability hunters at large organizations performing penetration testing and research assessments of unique hardware, software, and organization targets.
Atredis Partners is an information security company focused on improving the security of complex systems and networks. We thrive in the unknown of niche products and difficult networks, where the market was typically underserved. Our clients include some of the top organizations in hardware manufacturing, mobile device OEMs, healthcare, the financial sector, and many other verticals.
https://atredis.com

Track 2
How did that get there? The ICS attack surface you may be missing
Jason Holcomb
With media attention and the advent of IIoT, awareness of control system vulnerabilities is arguably at an all-time high. What you may not be aware of, however, are the lesser known technologies and attack opportunities lurking in many industrial control environments. While you’ve probably heard about fragile IP stacks in embedded devices, unpatched Windows, and rampant MS08-067 in ICS, the story doesn’t end there. In this presentation, we'll examine overlooked and often undiscovered attack surface based on a decade of ICS assessment and testing experience in the oil and gas, electric power, and manufacturing industries.

Track 3
Pirates Be Lurkin' at the Single Sign-On Watering Hole
Rodney Beede
Enterprises have standardized on offering web-based applications for their user community and are using Single Sign-On to make accessing them simple and secure. But if an attacker finds a weakness in the Single Sign-On environment, they can access all web applications as though they were legitimate users. This talk discusses a mass-compromise scenario in certain real Single Sign-On environments and more importantly how to avoid it.

Track 1
Panel: Infosec Professionals Ask Me Anything
Jack Daniel, Johnny Long, Kevin Johnson, & others?

Track 2
Security Risk Management: Risk Assessment and Beyond
Greg Guhin
My presentation will concentrate on using the results of Information Security Risk management activities to drive strategic and tactical outcomes. The material will include the use of components of the Octave Allegro Information Risk Assessment methodology to perform threat scenario modeling, with the results driving investments in information security tools and capabilities. There will be general discussions on how risk assessments are used in different organizational gates that introduce risk, including Vendor Management, Project and Data Protection.
I have spent 20 years in Information Technology, Information Security and Risk Management. I began my career in technology after a short time in the US Army which landed me in Fairbanks, AK. I spent 8 years working in Alaska with time spent with an ISP (Internet Alaska), and into Network Consulting and Engineering for small and midsize companies. I have worked in healthcare and banking as both an engineer | analyst and a manager, with the last 7 years focused on Information Security and Risk Management. I have accumulated certifications along the road ranging from a Cat 5 installer to an MCSE for NT, Network +, ITIL V3, VMware VCP, GIAC-GSEC and most recently my CISM.

Track 3
Crypto: 500 BC - WWII
Luke Crouch
"Crypto Before Computers": A 60-minute overview of content from The Code Book by Simon Singh, covering secrecy from ancient Greece to Enigma machines used in World War II. This is a cursory, high-level, mostly-non-mathematical survey of centuries of crypto - good as an intro to crypto for developers and non-devs alike.
Luke writes web code at Mozilla, focusing on Privacy & Security prototypes & experiments for Firefox.

Track 1
Uncovering IoC using PowerShell, Event Logs, and Nagios
Dallas Haselhorst
What security concerns keep you up at night? Is it pivoting, persistent access, the time to detect compromise, or one of a thousand other possibilities? What if you were told that without a doubt, you have tools at your disposal to periodically verify your security posture and you are not presently using them? Why spend more hours and more budget implementing a new product with new agents and new headaches that will not effectively reduce your workload or anxiety level? Even if you have commercial tools already monitoring your systems for security events, how do you know they are working? Is it even practical to use customized PowerShell scripts/plugins, built-in event logs, and a traditional monitoring tool such as Nagios to monitor for indicators of compromise on Windows systems? In addition, you will be presented with some applied research as well as easy-to-follow guidelines you can integrate into your own environment(s).
Dallas Haselhorst has worked as a security and general IT consultant for over 14 years. He founded and co-owned a managed IT service provider until 2016. In 2000, he received concurrent bachelor degrees in Information Networking and Telecommunications (INT) and Computer Information Systems (CIS) from Fort Hays State University. He is currently a Master's Degree candidate with the SANS Technology Institute (STI) in Information Security Engineering (MSISE). Dallas presently holds numerous industry certifications including the CISSP, GSEC, GCIH, GCCC, GCPM, GPEN, and GMON. When not working, Dallas loves learning new technologies and spending time with his family.

Track 2
Tracking Down the R0uge N0de
Donovan Farrow
We live in a world today where most security analysts only respond to the blinking lights or the RED pie charts on a dashboard. What if you really wanted to find some real silent actors? Where would you look and what would it even look like and what tools are available? During this presentation, we will go through a few scenarios of different attacks, what they look like and what you can do to stop, track and intellectually crush the attacker!

Track 3
Ransomware: History, Analysis, & Mitigation
Andy Thompson
Just as the title says, we go over the humble origins, touch on the notable variants of yesteryear, the big hitters today, and discuss the future of ransomware. It's no longer just for Windows anymore. Linux, Mac, and mobile platforms are all ripe for extortion.
This humorous and entertaining talk teaches everyone, from Mom and Pops to large enterprise organizations, what's really happening and how to protect themselves.
Andy Thompson, aka Rainmaker (@R41nm4kr), has 20 years in the fields of Web Development, Systems Engineering/Administration, Architecture, and Information Security. Currently, he is a Strategic Advisor for CyberArk Software. He's an active member of the Dallas Hackers Association and Shadow Systems Hacker Collective. In his free time he enjoys going on adventures all over the world with his wife and two girls. Andy holds a Bachelor of Science in Information Systems from the University of Texas at Arlington as well as the Systems Security Certified Practitioner (SSCP) and Certified Information Systems Security Professional (CISSP) from (ISC)2.

Track 1
Your Crypto is Broken
Frank Gifford
Cryptography provides protection of data that is inside one trusted unit which can be delivered to another trusted unit via a channel controlled by an active attacker. When done properly, this allows communication of data which can be trusted by both sides and has no value to an attacker. When done poorly, this is nothing more than the illusion of security and history has its share of bad implementations of cryptography. These were accidental issues, or mistakes made by creating home-grown algorithms by someone who knew just a little about cryptographic theory.
While the Blue Team is struggling to stay on top of the never-ending chaos of log messages from every script-kiddie around the world, there is a continuing struggle to determine whether the trusted communication channels can actually be trusted. Additionally, there’s always the nightmare scenario of the code simply walking out the door. What secrets would be exposed in that case and is cryptography really helping?
In this talk we show why home-grown cryptography should not be trusted and even third-party code should be examined with a skeptical eye. Practical tips are given for doing audits related to cryptography and how to have an early warning on breaches.
Frank Gifford is an Offensive Security Certified Penetration (OSCP) tester working for NCC Group and has a life-long passion for all things relating to cryptography. He spent many years as an embedded C programmer working on networking equipment and IPS products. During his spare time he factors certificates (CVE-2016-6670) and he has a life goal of creating a scholarship relating to cryptography.

Track 2
The Machines are NOT Out to Get Us! How Machine Learning and Artificial Intelligence are Changing the Security Game
Chris Yates
We’ve all been using machine learning and artificial intelligence for some time now with such things as facial recognition in Facebook to voice recognition on our smart phones. What many are not aware of is that there are significant innovations occurring in the security space that utilize machine learning and artificial intelligence to provide the next evolution of tried and true security tools like anti malware, network forensics, and user identity.
This presentation will start with an overview of machine learning and how it works at a high level. We will then take a brief look at one use case – antimalware, that is currently displacing traditional antimalware solutions at an increasing pace. We will then discuss some up and coming use cases that are still being developed, and provide some examples of existing tools in these spaces.
Closing & Door Prizes
Other Events
Technical Demos
ZScaler - Nicole Powell
Defense-in-depth: How Zscaler protects against CryptoLocker.
Carbon Black
Cyber Ark
RSA Netwitness Suite - Jay Dunks
Critical Start
College of Lockpicking
Come learn the basics of lockpicking and how locks work.
Hacker Hired
Need help with your InfoSec career? Whether it’s resume assistance, help with finding jobs, handling interviews, or just trying to get the job you want, this is the place to ask! Social engineering is used to help attendees better prepare themselves to get the job they want. This can also be used for recruiters to help find InfoSec talent.
First Lego League Demonstrations - Cascia Hall Team
Interested in robotics? Come see the students from Cascia Hall demonstrate their First Lego League competition robot.
Code of Conduct
Everyone deserves to attend a learning, community or professional event with a reasonable expectation of good behavior. As members of the Techlahoma community, the Techlahoma CoC applies to all attendees, speakers, volunteers, and vendors. Contact us if you have questions.
Volunteer
This conference wouldn't happen without our great organizers and volunteers.
Many thanks to: Nathan Sweaney, Nathan Keltner, John Robertson, Carrie Randolph, Aaron Moss, James Lawlz, Devon Greene, Donovan Farrow, and Wes DeVault.
If you'd like to volunteer, please contact our team.