Day two at BSidesSF was a bit more mellow, and less hectic than day one. The crowd slowly started dwindling as some attendees likely made their way to RSA. Regardless, today’s sessions did not disappoint, and there was a lot to learn from the experts on stage.
Below are a few short summaries of some of the sessions I attended, including the fun visuals created by our sponsored artist Sunny from Kingman Ink.
Also, many of the speakers have shared their slides online, and videos of the talks are expected to be posted soon.
Digital Intelligence Gathering: Using the Powers of OSINT for Both Blue and Red Teams
Speaker: Ethan Dodge (@_eth0)
Ethan Dodge, an aspiring malware analyst, kicked off day two demonstrating just how much personal information we make publicly available on the internet – whether it be intentional or not.
Leveraging the power of OSINT (open source intelligence), Dodge shared with us a recent experiment he conducted to prove how easy it can be to find sensitive data about a given person.
In this case, Dodge explained how he was able to attain a person’s home address; her class locations; an unsalted hash (which he was able to crack); her close friends; job history; home IP address; and date of birth.
The majority of this information was gathered from her posts on social media, including Twitter, Instagram, LinkedIn, Facebook, Reddit, as well as her Etsy page and from Have I Been Pwned?
Dodge concluded by going through several possible use cases for OSINT, noting that for blue teams, OSINT could definitely help with training users to protect themselves against social engineering attacks. He also recommended companies monitor the most active employees online more closely.
Sweet Security: Deploying a Defensive Raspberry Pi
by Travis Smith (@MrTrav)
Travis Smith, a senior security researcher at Tripwire, reflected on the difficulty of securing the Internet of Things (IoT).
He observed that IoT devices are often shipped with out-of-date operating systems and unmaintained, vulnerable code. It is also difficult to install security tools onto these devices, he explained.
Notwithstanding these difficulties, a variety of open-source and commercial tools can help protect networks that provide access to the Internet of Things. These include:
- Bro IDS
- Elasticsearch, Logstash, and Kibana
- Nmap and OpenVAS
Smith provided attendees with scripts and configurations that can help them get this type of secure environment up and running.
Click here to learn more about his presentation.
The Ransomware Threat: Tracking the Digital Footprints
by Kevin Bottomley (@k3v_b0t)
Kevin Bottomley, a security analyst at OpenDNS, gave an overview of the continuing evolution of ransomware threats – beginning from the classic FBI lock screen to cryptolocker and the GameOver ZeuS botnet to other more current variants.
Bottomley went on to explain the most common exploitation methods, such as phishing, compromised domains and malvertising. Most importantly, though, he offered a few tips on how to defend against such attacks.
His recommendations included:
- Keeping backups often, and disconnecting them from the network whenever not in use
- Using Adblock or No-Script
- Training end-users about social engineering techniques through phishing exercises
- Never pay the ransom.
Check out his presentation deck here.
Fuzz Smarter, Not Harder (An Afl-Fuzz Primer)
by Craig Young (@CraigTweets) – Main Room
Craig Young, a computer security researcher with Tripwire’s Vulnerability and Exposures Research Team (VERT), discussed the importance of fuzz testing for bug hunters everywhere.
Fuzzers can test 24×7 (without rest or overtime payment) and help identify many bugs that are not apparent from reviewing code.
Young went on to explain the different techniques one can leverage, such as parallel fuzzing, where more workers often lead to more success; distributed fuzzing, which is parallel fuzzing across systems; and dictionary-based fuzzing, a time saver built on dumped input strings.
As he provided specific example steps, the researcher touched on the following discussion topics:
- Selecting a good fuzz target
- Identifying ideal test cases
- Using persistent mode to increase execution rate
- Finding cross-platform bugs with AFL chaining
- Dealing with checksums and other blockers
- Assessing the impact of crashes
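As an added illustration of two of those topics (persistent mode and checksum blockers), here is a small afl-fuzz persistent-mode harness written for this summary; it is not code from Young's talk. The record format, its CRC-8 trailer, the FUZZ_SKIP_CRC switch and the helper names are all constructed for the example.

```c
/* Added example, not from the talk: afl-fuzz persistent-mode harness around a
 * constructed record parser, [len:1][payload:len][crc8:1]. __AFL_LOOP keeps one
 * process alive across test cases; the CRC check is compiled out in the fuzz
 * build (-DFUZZ_SKIP_CRC) so mutations reach the parser behind that "blocker". */
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#ifndef __AFL_HAVE_MANUAL_CONTROL
/* Plain compiler (no afl-clang-fast): handle one stdin input, then stop. */
static int afl_fallback_once = 0;
#define __AFL_INIT() do { } while (0)
#define __AFL_LOOP(n) (afl_fallback_once++ == 0)
#endif

/* CRC-8, polynomial 0x07, init 0: the constructed format's trailer. */
uint8_t crc8(const uint8_t *data, size_t len) {
    uint8_t crc = 0;
    for (size_t i = 0; i < len; i++) {
        crc ^= data[i];
        for (int b = 0; b < 8; b++)
            crc = (crc & 0x80) ? (uint8_t)((crc << 1) ^ 0x07) : (uint8_t)(crc << 1);
    }
    return crc;
}

/* Builds a valid record (a good seed test case); rec needs len + 2 bytes. */
size_t make_record(const uint8_t *payload, uint8_t len, uint8_t *rec) {
    rec[0] = len;
    memcpy(rec + 1, payload, len);
    rec[1 + len] = crc8(payload, len);
    return (size_t)len + 2;
}

/* Parses one record; returns the payload length, or -1 if the input is rejected. */
int parse_record(const uint8_t *buf, size_t n, uint8_t *out, size_t outsz) {
    if (n < 2 || n != (size_t)buf[0] + 2) return -1;   /* length must match wire size */
#ifndef FUZZ_SKIP_CRC
    if (crc8(buf + 1, buf[0]) != buf[1 + buf[0]]) return -1;   /* the blocker */
#endif
    if ((size_t)buf[0] > outsz) return -1;
    memcpy(out, buf + 1, buf[0]);
    return buf[0];
}

int main(void) {
    static uint8_t in[4096], out[256];
    __AFL_INIT();                      /* deferred fork server: start after setup */
    while (__AFL_LOOP(1000)) {         /* persistent mode: 1000 inputs per process */
        size_t n = fread(in, 1, sizeof in, stdin);
        parse_record(in, n, out, sizeof out);
    }
    return 0;
}
```

Build the fuzz target with afl-clang-fast and -DFUZZ_SKIP_CRC, write one make_record() output into the input directory as the seed, and re-verify any crash against the build with the CRC check enabled before assessing its impact.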
To learn more about Young’s presentation, please click here.
The Art of the Jedi Mind Trick
by Jeff Man (@MrJeffMan)
We all know too well that not a week goes by without hearing of yet another data breach. To make matters worse, the cause of these compromises is often default settings or weak passwords. In this session, security evangelist Jeffrey Man suggested that maybe part of the problem is us.
For many security professionals, it’s difficult to get their point across in terms non-technical people will clearly understand. It’s important to get the right message to the right people in order for change to happen, he said.
“It’s easy to give a talk at a conference where you’re ‘preaching to the choir’ and everyone speaks your language, but how do you fare when you are trying to give the message to your boss, or your boss’s boss, or C-level management?”
Man gave some excellent pointers on how to become a better communicator and ensure your message is getting across:
- Know your target audience;
- Learn to speak their language;
- Tell stories using analogies;
- Don’t assume understanding; and
He also emphasized that as a community, we should work towards changing this culture. Ending with an inspiring note, Man urged us to lead by example and be the change we want to see – to be confident but humble and earn the trust of others.
Scan, Pwn, Next! – Exploiting Service Accounts in Windows Networks
By Andrey Dulkin and Matan Hart (@machosec)
Craig Young, Sr. Security Researcher at Tripwire, attended the session and said, “This research from CyberArk explores how common misconfigurations and mismanagement in Windows services can lead to very deep-cutting weaknesses within enterprise networks. One of the big messages from this talk was that services should be configured to run with lower-privileged computer accounts rather than potentially higher-privileged user accounts. They also demonstrated how a failure to enable more than just default settings when creating accounts can make it possible for a network attacker to query Active Directory for Service Principal Names (SPNs) and then abuse Kerberos to obtain a password hash which can be cracked offline with oclHashcat.
Adding to the gravity of this problem is that their analysis of real enterprise networks revealed far too many organizations having services running with privileged accounts, often without password expiration and making use of the weak NTLM hash format. Using this information they were able to map out how attackers could move laterally through networks by scraping hash tokens and other authentication material from a single point of compromise.
Administrators need to be aware of the risks posed by SPNs and implement appropriate policies for configuring and using computer accounts with modern password encryption.”