BSidesSF 2017 has ended
Sunday, February 12

12:15pm PST

Break
Sunday February 12, 2017 12:15pm - 12:25pm PST
Break

8:30am PST

Breakfast
Sunday February 12, 2017 8:30am - 9:30am PST
DNA Lounge and BuzzWorks

8:30am PST

Registration
Sunday February 12, 2017 8:30am - 5:00pm PST
DNA Lounge

10:30am PST

Illusion vs Reality: An FBI Agent’s take on how private sector realities are masked by government sector illusions of intelligence sharing, public-private partnerships and best practices
I will be sharing illusions and realities that I have observed as a veteran FBI agent, who has worked hundreds of cyber incidents, and what I see today having assimilated into the innovative world of Silicon Valley tech. We all know that cybersecurity threats are evolving faster than the world can consume them and that requires passionate and dedicated people to help advance us forward and protect our assets. The reality is government alone cannot move at the pace that is needed to protect their constituents. Often there is a disconnect from what government perceives as a problem versus what private industry categorizes as a risk. Government and technology companies must work together to solve the breach pandemic we have today. I will be highlighting how enterprises are truly preparing their security teams, what valuable metrics they are capturing, what tools are most useful, and what government best practices and standards have been the most sticky. I will be covering the realities of applying threat intelligence, big data analytics and artificial intelligence at scale. Then we will take a step forward and think about what new security problems might be awaiting us in the near future. My goal is to expose the facts of what organizations are actually experiencing, which should help government focus their efforts in the areas that will be most effective at combating the threats that face us daily.

Speakers
Jason Truppi (@NotTruppi)

Jason Truppi is a career technologist turned FBI agent and now tech entrepreneur. Jason has many years of experience working in information systems and security. More recently, Jason was an FBI Cyber Agent in New York City where he worked some of the Nation's largest national security...


Sunday February 12, 2017 10:30am - 11:30am PST
DNA Lounge

10:45am PST

Capture The Flag
CTF is coming back to BSidesSF 2017!

Pre-registration is open! Visit the CTF scoreboard to register, then come back on February 11th to play!

We will be running a CTF this year! Sweet!

The game runs from Saturday, February 11 at 4pm PST, to Monday, February 13 at 4pm PST. You can play on-site in the CTF room during the conference, or you can play online by coming back here.

It’ll be targeted towards beginner and intermediate players, but there will be a couple harder challenges as well!

There will be folks on-site in the CTF room and in our Slack room (#ctf) to answer any questions.

CTF sponsored by Google. Prizes are sponsored by Synack.


Sunday February 12, 2017 10:45am - 6:00pm PST
DNA Lounge

10:45am PST

Lockpick Village
Villagers
Christine Bachman

Lockpick Extreme
Bob and Christine's Lockpick Extreme provides fun, informative, entertaining hands-on training in the arts of lockpicking and handcuff escape. Participants learn how to open real world locks and handcuffs using professional tools and techniques. Once mastering the basic skills, students...

Sunday February 12, 2017 10:45am - 6:00pm PST
DNA Lounge

10:45am PST

Spymaster Challenge
Like to pick locks? Think you have what it takes to escape? Come join Cisco's CSIRT on our Gringo Warrior-inspired IoT'd Spymaster Challenge and see how your picking skills stack up against other conference attendees. Role-play your escape as a captured spy by navigating a timed course consisting of a series of locks of varying difficulty.


Sunday February 12, 2017 10:45am - 6:00pm PST
DNA Lounge

10:45am PST

Resume Rewriting
Peerlyst volunteers will help you improve your resume and rewrite it with you. If you're interested in this service, have your resume ready as an email attachment you can forward to the volunteers. There will be a calendar on the wall with time slots; put your name/handle in the slot that suits you to schedule your resume rewrite.

Sunday February 12, 2017 10:45am - 6:00pm PST
BuzzWorks

11:45am PST

DNS attacks, a history and overview
An outline of the often-overlooked applications of DNS attacks, both hypothetical and as they appear in the wild, and how they can be used during pentests.


Speakers
Nick Mckenna

Nick Mckenna is a student and security researcher who has had an interest in all things red team for the past 5 years.


Sunday February 12, 2017 11:45am - 12:15pm PST
DNA Lounge

11:45am PST

Reducing “Mixtape to Master Key” Scenarios: How to block the Dark Army from mayhem using API-driven access control

After a tenure of a year or two at many companies, a senior engineer’s access level is often maxed out. He or she probably has full root permissions across the entire infrastructure. We call these privileges ‘master keys’ and, just like a building’s master key, they are very dangerous if they fall into the wrong hands.

Instead, privileged access should be granted only on a temporary basis. Sometimes this means requesting increased access from a manager or a peer. But sometimes the increased access can be derived from another input. For example, sudo permissions can be automatically granted and revoked in accordance with an on-call schedule. Or a Jira ticket must be open and approved before a user can log into a sensitive database for scheduled maintenance.

This talk will cover how to quickly and easily build API-driven access control into your environment and eliminate your “master keys”.


Speakers
Aren Sandersen

Founder, Foxpass
Aren Sandersen has had engineering, operations, and security roles at various startups for the last 15 years. He founded Foxpass in 2015 to bring enterprise security practices to companies of all sizes.


Sunday February 12, 2017 11:45am - 12:15pm PST
BuzzWorks

12:00pm PST

Lunch
Sunday February 12, 2017 12:00pm - 1:30pm PST
DNA Lounge and BuzzWorks

12:25pm PST

Building an Effective Intrusion Detection Program

Modern breaches often go undetected for hundreds of days. Effective intrusion detection doesn't need to be so hard. This talk will outline how one can build an effective intrusion detection program on the cheap using free and/or inexpensive tools, and some brains. We'll compare and contrast some of the techniques employed in newsworthy breaches over the recent past and how we can catch them in a timely manner. We'll cover cloud apps, endpoints, network security monitoring, and how to crowdsource incident response.


Speakers
Jason Craig

Lead, Detection and Response Team, Dropbox
Jason leads the Detection and Response Team at Dropbox.


Sunday February 12, 2017 12:25pm - 12:55pm PST
DNA Lounge

12:25pm PST

Assessing the Embedded Devices On Your Network

Embedded devices (including the so-called Internet of Things) pose unique problems for those responsible for managing and assessing their security. The devices tend to be less transparent and more tightly integrated than typical software and generally lack the host-based security controls (privilege separation, host firewalls, etc.) found on desktop or server applications. This talk will cover some of the unique constraints for threat modeling and assessing these devices, then walk through an assessment of a VoIP phone and discuss the issues found there, including potential mitigations that can be applied if a device cannot be updated.


Speakers
David Tomaschik

Senior Security Engineer, BSidesSF CTF Organizer
David is a Senior Security Engineer on the Google Offensive Security team and has been helping to organize the BSidesSF CTF for 7 years. He focuses on red teaming, embedded device security, web security, and security education. https://www.twitter.com/matir


Sunday February 12, 2017 12:25pm - 12:55pm PST
BuzzWorks

1:30pm PST

Make Alerts Great Again

Why can’t this be easier? Writing good alerts and keeping them actionable is hard. Ask anyone on any security team, ever. Alerts are notoriously either too noisy or don’t have enough coverage, and finding the sweet spot is nearly impossible. Additionally, some alerts are idly sitting there functionally incorrect and don’t actually work as expected (when was the last time you tested some of yours?). To make matters worse, there is a general lack of industry standards for alert definitions, priorities, and incident response steps.

At Yelp, we have created tools and processes that enable the security team to keep a handle on our alerts, thus making the alerts actionable and maintainable. We do this by making sure we know which alerts are firing at what frequencies, having a run-book for writing new alerts, and utilizing self-service alerts whenever possible.

Certainly no alerting solution is perfect. However, by implementing some of these tools, we’ve effectively improved the signal-to-noise ratio for most of our important alerts. This in turn relieves the security team of tedious tasks and enables us to work on more important (and interesting!) things.


Speakers
Daniel Popescu

Security Engineer, Yelp
Daniel Popescu works at Yelp where he is responsible for security infrastructure and operations. Previously he worked at Microsoft on non-security products, but has maintained a passion for security since his undergrad years at the University of California, Santa Barbara. Professionally...


Sunday February 12, 2017 1:30pm - 2:00pm PST
DNA Lounge

1:30pm PST

Weathering the Storm: The Art of Crisis Communications

How do you react during a crisis? Working in security, the unfortunate reality is that you’ll likely find out the answer to that question at some point. Dealing with high-pressure situations is part of the job; however, how you communicate through the process can greatly influence the outcomes, and may determine just how stressful the experience ends up being. This session will walk through the basics of crisis management, with a strong emphasis on the communications pieces – both internal with core stakeholders, and external with the community and customers. We will talk through strategies you can apply in your organization to prepare for crisis situations and ensure you are better able to weather the storm.


Speakers
Jen Ellis

VP, Community and Public Affairs, Rapid7
Jen Ellis is Rapid7’s Vice President of Community and Public Affairs. She believes security practitioners are the guardians of Society’s trust in technology, and works extensively with security professionals, technology providers/operators, and various Government entities to promote...

Josh Feinblum

Josh Feinblum is the Vice President of Information Security at Rapid7. Josh is deeply involved in the security community, with a lifelong passion in the space that culminates in 13 years of information security experience. Prior to his role at Rapid7, Josh spent time starting security...


Sunday February 12, 2017 1:30pm - 2:00pm PST
BuzzWorks

1:30pm PST

Exploiting Broken Webapps

Web applications can fail in a variety of ways, from Cross-Site Scripting to SQL Injection and more. Join us for a look at a variety of common web vulnerabilities, including Cross-Site Scripting, Cross-Site Request Forgery, Weak Authentication, Logic Errors, and more -- and an opportunity to test your web hacking skills against a simulated online bank. We’ll be covering the vulnerabilities from the ground up, but a basic understanding of web applications (i.e., HTTP, HTML, and JavaScript) and browsers would be useful background.

Participants will need to bring a laptop. Prior experience with server-side programming and an understanding of how web apps are built is recommended.

Speakers
David Tomaschik

Senior Security Engineer, BSidesSF CTF Organizer
David is a Senior Security Engineer on the Google Offensive Security team and has been helping to organize the BSidesSF CTF for 7 years. He focuses on red teaming, embedded device security, web security, and security education. https://www.twitter.com/matir


Sunday February 12, 2017 1:30pm - 4:30pm PST
DNA Lounge

2:00pm PST

Break
Sunday February 12, 2017 2:00pm - 2:10pm PST
Break

2:10pm PST

Security through Visibility: Organizational Communication Strategies for InfoSec Teams

As organizations scale, collaborating with the rest of the business can become increasingly complicated for InfoSec teams. I spoke with individuals across several industries and job functions about their experiences working with InfoSec, and these interviews (along with data gathered through plenty of personal failures) revealed two ways we can step up our game.

1. Increase visibility: Make sure the rest of the organization knows where to find us, and ensure we’re operating alongside them… not waiting to get looped in once something is on fire.

2. Communicate effectively: We can make ourselves super visible by sending 15 mass emails every day, but that’s not especially effective. Using the right strategies will ensure our communications are impactful.

We will explore how team visibility and effective communication can improve the security posture of our organizations, and you will leave this session with straightforward strategies that are simple to implement.


Speakers
Katie Ledoux

Attentive
Katie Ledoux is the CISO at Attentive where she oversees information security and IT. She previously built the security program at analytics unicorn Starburst Data, and spent many years at security SaaS vendor Rapid7. She obtained her undergraduate degree from Villanova University...


Sunday February 12, 2017 2:10pm - 2:40pm PST
DNA Lounge

2:10pm PST

BeyondCorp: Beyond “fortress” security

Almost every company today uses some variation of the firewall, or “fortress,” model to enforce perimeter security. This model assumes that everything on the outside is dangerous, and everything on the inside is safe. It worked relatively well when most employees worked in facilities owned by the company, and primarily did their work on desktop and laptop computers.

Now, however, this model is outdated and ineffective. With mobile and cloud technologies transforming how companies work, the way they are secured has to change, too. Companies have to assume that their internal network is as vulnerable to danger as the public Internet, and build enterprise applications based on this assumption.

Google’s BeyondCorp presents a new model for this new paradigm. It dispenses with the privileged corporate network, instead granting access based on device and user credentials, regardless of physical location. The result is employees who can work from any network without needing a traditional VPN connection into the privileged network.

This presentation and discussion will focus on how BeyondCorp accomplishes this new model, and how it can best be applied by businesses.


Speakers
Neal Mueller

Product Lead, Google
Neal Mueller is the product lead for Google Cloud Platform working on BeyondCorp.


Sunday February 12, 2017 2:10pm - 2:40pm PST
BuzzWorks

2:40pm PST

Break
Sunday February 12, 2017 2:40pm - 2:50pm PST
Break

2:50pm PST

Better SSH management with ephemeral keys

SSH is a great, safe protocol that almost everyone uses for managing their servers and infrastructure. However, failures in SSH user management have led to multiple newsworthy infrastructure compromises. This talk introduces the audience to Netflix’s Bless and Lyft’s Blessclient, which Lyft is open-sourcing. The combination of these tools has allowed Lyft to improve the security of our SSH accounts, as well as empowering engineers to manage their SSH keys themselves.


Speakers
Vivian Ho

Vivian Ho is a software engineer on the security team at Lyft. Fresh out of university, Vivian is interested in designing and building cool software to protect all the things. A fan of RPG games and molecular gastronomy.

Chris Steipp

Chris Steipp is a long-time security engineer with a background in development, penetration testing, and building secure software. He is passionate about open source and open culture, and formerly managed security for the Wikimedia Foundation. He likes breaking things in his spare...


Sunday February 12, 2017 2:50pm - 3:20pm PST
DNA Lounge

2:50pm PST

Live Dissection: Anatomy of a Browser Based Botnet

Browser-based botnets are used for various types of attacks, from application DDoS to credential stuffing. In this session I'll demo, share my research results, and explain the anatomy of a browser-based botnet comprising browser caching, proxy servers and the Web Proxy Auto-Discovery protocol (WPAD). I'll also explain what users and organizations can do to protect themselves from being pwned.


Speakers
Ilya Nesterov

Shape Security
Ilya Nesterov is currently an engineering manager at Shape Security. Prior to Shape, Ilya worked at F5 Networks, and earned his master's degree from Tomsk Polytechnic University. His interests include, but are not limited to, modern Web Application security threats and countermeasures...


Sunday February 12, 2017 2:50pm - 3:20pm PST
BuzzWorks

3:20pm PST

Break
Sunday February 12, 2017 3:20pm - 3:30pm PST
Break

3:30pm PST

The Cyber Insurance Emperor Has No Clothes

Conventional wisdom: cyber insurance improves incentives, and if everybody had it we would get better security. Wrong! Taking a behavioral view (i.e. how decisions are made), this talk describes ten ways that cyber insurance is a misfit for the 'job to be done', and suggests better incentive instruments.


Speakers
Russell Thomas

Senior Data Scientist
Senior Data Scientist at a Regional Bank. PhD Candidate in Computational Social Science at George Mason University. BS in Electrical Engineering and Management from WPI. A few decades experience in the computer industry in design, manufacturing, marketing, and consulting.


Sunday February 12, 2017 3:30pm - 4:00pm PST
DNA Lounge

3:30pm PST

Advanced Internet dataset combinations for #ThreatHunting & Attack Prediction

Have you ever had to look up an IP address, domain name, or URL to decide if it is a threat, and if it is targeting you? Do you ever need to analyze what malicious action it just took on your potentially-compromised users? If yes, this session is for you!

It's time to move beyond simple Whois & PDNS lookups and noisy threat feeds. Learn how to combine SSL cert facet data with tracking IDs (Google Analytics, ad-trackers, performance management trackers), host-pair relationships and technology stack fingerprints to detect, verify, and stop your adversaries' next attacks.


Speakers
Arian J Evans

VP Product Strategy, RiskIQ
Arian Evans is an 18-year #infosec veteran. As VP of Product Strategy Arian guides RiskIQ technology to enable enterprises to manage their attack surface & detect external threats. Prior to RiskIQ Arian spent 8 years at WhiteHat Security as VP of Ops & Product Strategy, building WhiteHat's...


Sunday February 12, 2017 3:30pm - 4:00pm PST
BuzzWorks

4:00pm PST

Break
Sunday February 12, 2017 4:00pm - 4:10pm PST
Break

4:10pm PST

Linux Monitoring at Scale with eBPF

The latest Linux kernels have implemented a Berkeley Packet Filter (BPF) virtual machine which can provide safe and efficient syscall hooking. There are many logging systems in Linux that provide security relevant data, and several excellent open source tools that sit on top of these. These existing options provide many features that are useful during response, but at scale we focus on lightweight alerting across the fleet, to be followed up with heavy scrutiny of a subset for a limited time. We landed on the need for three basic monitoring capabilities - process execution, network connections and file integrity. Our goal is to provide meaningful security monitoring at under 1% overhead. 


Speakers
Brendan Gregg

Brendan Gregg is a senior performance architect at Netflix, where he does large scale computer performance design, evaluation, analysis, and tuning. He is the author of Systems Performance published by Prentice Hall, and has created performance analysis tools included in multiple...

Alex Maestretti

Alex Maestretti leads the Security Intelligence and Response Team at Netflix, with previous gigs at Apple and the US Government. Our SIRT reflects Netflix’s culture and technology stack. We are a small team rather than a multi-tiered SOC. We don’t do large volume alerts and instead...


Sunday February 12, 2017 4:10pm - 4:40pm PST
DNA Lounge

4:10pm PST

How to Build a Security Team and Program

I will share how I was able to build a security team and program from scratch at Twilio, an SF startup that just recently had its IPO. I will be telling war stories that demonstrate the problems security practitioners will face and how I was eventually able to overcome them (hint: it wasn't easy, but I'll be giving up my secrets). At the end of the presentation, the security practitioners in attendance will have a guide they can use when trying to accomplish the same thing at their own company. Ultimately, we're all on the same side, and if I can give security practitioners an advantage with my experience, I sure will.


Speakers
E. Coleen Coolidge

I started out in security because I wanted to influence how people's personal information was protected. Every customer deserves to have a Security organization who’s advocating for the protection of their data. Data is everything: it’s our credit, it’s our medical history and...


Sunday February 12, 2017 4:10pm - 4:40pm PST
BuzzWorks

4:40pm PST

Break
Sunday February 12, 2017 4:40pm - 4:50pm PST
Break

4:50pm PST

Tired of Playing Exploit Kit Whack-A-Mole? Let's automate

Exploit Kits (EKs) have been very successful in delivering tailor-made exploits and spreading malware. EK as a service has lowered the bar of entry for attackers, enabling widespread malware infections. Defenders have been using dynamic analysis tools like Cuckoo sandbox and JavaScript de-obfuscators like JSDetox and Revelo to detect and analyze EKs, but these approaches don’t scale very well across billions of websites. In this talk, I'll discuss a new technique to crawl the web at scale and detect EKs using headless browsers equipped with JavaScript and DOM inspectors. I’ll demonstrate a proof of concept and unravel the behavior of some of the latest EKs hiding in plain sight.


Speakers
Anjum Ahuja

Anjum is a Threat Researcher at Endgame, working on problems related to network security, malware, and large scale data analysis. He has a background in computer networks, routing and IoT security, and holds multiple patents in these fields. Anjum holds a Masters in computer science...


Sunday February 12, 2017 4:50pm - 5:20pm PST
DNA Lounge

4:50pm PST

Should I Pay or Should I Go? Game Theory and Ransomware

Ransomware infections are nasty and potentially devastating events that can cripple large companies and home computers alike. Ransomware comes in many varieties and works in different ways, but the basic scenario is the same: cybercriminals infect your computer with malicious software that blocks access to your system or important files until you pay the ransom. You have a finite number of days to pay if you ever want to see your files again.

Should you pay? The answer is a little more nuanced than “never pay” or “always pay.” The decision is a complex scenario of incentives and payoffs that can be analyzed with game theory. Game theory is a branch of mathematics that models conflict and cooperation between parties and is used in many real-world scenarios, inside and outside the Information Security field, including machine learning, poker games, allocation of security resources, kidnappings and nuclear war.

This talk will use the familiar topic of ransomware to introduce participants to game theory concepts like rational decision-making, zero-sum games, incentives, utility and Nash Equilibrium – all important tools that can help solve security problems. By analyzing ransomware decision-making with a game theory mindset, participants will learn a new set of skills and a new way of incentive-driven thinking.  Participants may be surprised to find that ransomware response isn’t black or white.


Speakers
Tony Martin-Vegue

Tony Martin-Vegue works for a Bay Area financial institution leading their security risk management program. His enterprise risk and security analyses are informed by his 20 years of technical expertise in areas such as network operations, cryptography and system administration. Tony...


Sunday February 12, 2017 4:50pm - 5:20pm PST
BuzzWorks

5:20pm PST

Ask the EFF
Ask the EFF is a Q&A panel with EFF staffers, with short presentations on EFF's ongoing work, then opening the floor for questions from the audience.

Speakers
Nate Cardozo

Senior Staff Attorney, Electronic Frontier Foundation
Nate Cardozo is a Senior Staff Attorney on EFF’s civil liberties team where he focuses on cybersecurity policy and defending coders’ rights. Nate has litigated cases involving electronic surveillance, freedom of information, digital anonymity, online free expression, and government...

Gennie Gebhart

Researcher, Electronic Frontier Foundation
Gennie Gebhart does research and advocacy for the Electronic Frontier Foundation on consumer privacy, surveillance, and security issues. Her work revolves around the conviction that, as access to information and communication technologies expands and becomes more complex, so too do...

Kurt Opsahl

Deputy Executive Director and General Counsel, Electronic Frontier Foundation
Kurt Opsahl is the Deputy Executive Director and General Counsel of the Electronic Frontier Foundation. In addition to representing clients on civil liberties, free speech and privacy law, Opsahl counsels on EFF projects and initiatives. Opsahl is the lead attorney on the Coders...

Erica Portnoy

Staff Technologist, Electronic Frontier Foundation
Erica develops Certbot, the web's https-enabling robot buddy. She earned her BSE in computer science at Princeton, where she researched oblivious computation for messaging privacy and took two different classes where she had to watch Star Trek for homework. Upon graduating, she protected...

Jamie Williams

Jamie is a staff attorney on the civil liberties team, who focuses on the First and Fourth Amendment implications of new technologies.


Sunday February 12, 2017 5:20pm - 5:50pm PST
DNA Lounge

5:30pm PST

Queercon Mixer
Calling all LGBTQ Hackers and Allies! Join Queercon for a BSidesSF Mixer and meet and mingle with everyone.

New to Queercon? The mixer is a great place to meet new friends in a safe and friendly atmosphere.

Look for the Queercon t-shirts to find the group.

Sunday February 12, 2017 5:30pm - 8:00pm PST
DNA Lounge

6:00pm PST

Hacker Happy Hour
Have a drink on HackerOne!

Join HackerOne and your fellow hackers for a small happy hour while you wait for the Sunday Night Party to begin. The bar is open until the tab runs out!

We will be relaxing and chatting in "Above DNA". This is the same area where the CTF is located. We hope to see you there, and you are welcome to participate in the CTF while you drink.

To enter, use the stairs to the left of DNA Pizza with the HackerOne banner outside.

Sunday February 12, 2017 6:00pm - 8:00pm PST
Above DNA 375 11th St, San Francisco, CA 94103

6:00pm PST

Hacker Jeopardy
Sunday February 12, 2017 6:00pm - 8:00pm PST
BuzzWorks

8:00pm PST

Sunday Night Party
Join us for our Mr. Robot-themed party Sunday night! We'll be turning DNA Lounge into SF Society complete with arcade games and popcorn machines. DJ Andrew Gibbons and DJ Erik Withakay will both be playing as will Episodes 1 and 2 of Mr. Robot. We'll have music, drinks, and, of course, a GIANT 8 foot Lite Brite.

Artists
Andrew Gibbons

San Francisco-based DJ ANDREW GIBBONS has become a dance floor favorite from Australia to across North America with his energizing sets, melding EDM, tribal, progressive, and tech house beats with big room diva vocals. Andrew has performed in many bars, clubs and events in San Francisco...

Erik Withakay

Moving to San Francisco from the midwest in 2006, Erik started producing sets for a wide array of fitness classes around the Bay Area and Los Angeles, giving him a broad base of genres and styles to experiment with. After watching the SF scene drop off in terms of relevance and creativity...

Sunday February 12, 2017 8:00pm - Monday February 13, 2017 1:00am PST
DNA Lounge

Monday, February 13

8:30am PST

Breakfast
Monday February 13, 2017 8:30am - 9:30am PST
DNA Lounge and BuzzWorks

8:30am PST

Registration
Monday February 13, 2017 8:30am - 1:00pm PST
DNA Lounge

9:30am PST

Swimming Upstream: Regulation vs Security
Companies that operate in heavily regulated industries oftentimes run into conflicting directives around tactical decisions that need to be made, potentially hindering overall security posture in order to meet regulatory requirements. This talk will explore strategies that security teams and leaders can use to navigate the murky waters of bureaucracy, compliance, and politics to achieve the security goals they’re striving for. Throughout this talk I will pull from examples in my own career that span some of the largest industries in the US.

Speakers
Robert Wood

Chief Security Officer, Simon Data
Robert Wood is a security technologist, strategic advisor, and speaker. He currently leads the security efforts at Simon Data where he is responsible for security, privacy, compliance, and overall risk management. After working as a consultant for many years, Robert made the switch...


Monday February 13, 2017 9:30am - 10:30am PST
DNA Lounge

10:30am PST

Break
Monday February 13, 2017 10:30am - 10:45am PST
Break

10:45am PST

Witchcraft Compiler Collection: Towards programs self awareness

With this presentation, we take a new approach to reverse engineering. Instead of attempting to decompile code, we seek to undo the work of the linker and produce relocatable files, the typical output of a compiler. The main benefit of the latter technique over the former is that it actually works. Having achieved universal code 'reuse' by relinking those relocatable objects as arbitrary shared libraries, we'll create a form of binary reflection, add scripting capabilities and in-memory debugging using a JIT compiler, and attain automated API prototyping and annotation, which, we will argue, constitutes a primary form of binary code self-awareness.

Finally, we'll see how abusing the dynamic linker internals shall elegantly solve a number of complex tasks for us, such as calling a given function within a binary without having to craft a valid input to reach it. The applications in terms of vulnerability exploitation, functional testing, static analysis validation and more generally computer wizardry being tremendous, we'll have fun demoing some new exploits in real life applications, and commit public program profanity, such as turning PEs into ELFs, functional scripting of sshd in memory, stealing crypto routines without even disassembling them, among other things that were never supposed to work. All the above techniques have been implemented into the Wichcraft Compiler Collection, to be released as proper open source software (MIT/BSD-2 licenses).



Speakers
Jonathan Brossard

Jonathan Brossard is a computer whisperer from France, although he's been living in Brazil, India, Australia and now lives in San Francisco. For his first conference at DEF CON 16, he hacked Microsoft Bitlocker, McAfee Endpoint and a fair number of BIOS firmwares. During his second...


Monday February 13, 2017 10:45am - 11:15am PST
DNA Lounge

10:45am PST

How Secure are your Docker Images?

This presentation extracts a few points from the CIS Docker 1.12 Benchmark, which I co-authored.

Ref:  https://benchmarks.cisecurity.org/downloads/show-single/index.cfm?file=docker12.100 

Abstract: The concept of containerization has existed in Linux for ages in the form of jails, zones, LXC etc., but only in the last two years has it gained tremendous recognition. The credit goes to "Docker", which made the concept of containerization very useful and handy by adding many benefits to existing container technologies. Tech giants like Redhat, Google, IBM, VMware etc. are not only the biggest contributors to this most active open source project but also major users of it. Containers have already affected the virtual machine market, and this impact is going to increase significantly in the near future.


Security is always an important issue for any upcoming technology, and Docker is no exception. This presentation starts with a brief introduction to containers vs. virtualization technology and the Docker ecosystem, then goes into detail on the security of "Docker Images", explaining the various security issues that can arise at each stage of the Docker image life cycle and how each of them can be fixed. It also provides a security benchmark for enterprises and individual users who want to maintain their own in-house registry and need a security compliance set for generating, consuming and maintaining images securely.


Speakers
Manideep Konakandla

Security Researcher, Carnegie Mellon University
Manideep K (www.manideepk.com) is an author, security researcher, speaker and a J.N. Tata Scholar. He is currently a Security Researcher and Masters student in Information Security at Carnegie Mellon University, USA, and is currently researching "Security...



Monday February 13, 2017 10:45am - 11:15am PST
BuzzWorks

10:45am PST

Capture The Flag
CTF is coming back to BSidesSF 2017!

Pre-registration is open! Visit the CTF scoreboard to register, then come back on February 11th to play!

We will be running a CTF this year! Sweet!

The game runs from Saturday, February 11 at 4pm PST, to Monday, February 13 at 4pm PST. You can play on-site in the CTF room during the conference, or you can play online by coming back here.

It’ll be targeted towards beginner and intermediate players, but there will be a couple harder challenges as well!

There will be folks on-site in the CTF room and in our Slack room (#ctf) to answer any questions.

CTF sponsored by Google. Prizes sponsored by Synack.


Sponsors

Monday February 13, 2017 10:45am - 4:00pm PST
DNA Lounge

10:45am PST

Lockpick Village
Villagers
Christine Bachman

Lockpick Extreme
Bob and Christine's Lockpick Extreme provides fun, informative, entertaining hands-on training in the arts of lockpicking and handcuff escape. Participants learn how to open real world locks and handcuffs using professional tools and techniques. After mastering the basic skills, students...

Sponsors

Monday February 13, 2017 10:45am - 5:20pm PST
DNA Lounge

10:45am PST

Spymaster Challenge
Like to pick locks? Think you have what it takes to escape? Come join Cisco's CSIRT on our Gringo Warrior-inspired IoT'd Spymaster Challenge and see how your picking skills stack up against other conference attendees. Role-play your escape as a captured spy by navigating a timed course consisting of a series of locks of varying difficulty.


Monday February 13, 2017 10:45am - 5:20pm PST
DNA Lounge

10:45am PST

Resume Rewriting
Peerlyst volunteers will help you improve your resume and re-write it with you. Make sure to have your resume as an email attachment you can forward to the volunteers if you're interested in this service. There will be a calendar on the wall with time slots; put your name/handle in the slot that suits you to schedule a resume rewriting session.

Sponsors

Monday February 13, 2017 10:45am - 5:20pm PST
BuzzWorks

11:15am PST

Break
Monday February 13, 2017 11:15am - 11:30am PST
Break

11:30am PST

Fighting Email Phishing with a Custom Cloud IDS

Phishing is one of the largest and most difficult challenges for any enterprise security team. It's the great equalizer of security -- we all have to deal with it. We built our own email IDS at Uber; having control over features and alerts means we can adjust to evolving threats in real time. But just as important, we demonstrated that security investments can also drive operational benefits in price, extensibility, and performance. This talk will walk through how building our own email IDS in AWS helped guard against phishing and improve operations.


Speakers
Dan Borges

Dan Borges is a security response engineer at Uber, where he is responsible for building and refining core incident response capabilities. He has more than a decade of computer science experience and is also a member of the National CCDC Red Team.


Monday February 13, 2017 11:30am - 12:00pm PST
DNA Lounge

11:30am PST

Five Keys to Building an Application Security Program in the Age of DevOps

Security’s goal of minimizing enterprise risk sometimes seems to be at odds with development’s mandate for change. In reality, there is a middle path that can allow development to deliver more secure code at DevOps speed, but it requires security to adapt to the principles that have proven successful for DevOps.


Speakers
Tim Jarrett

Director, Enterprise Security Strategy, Veracode
Tim Jarrett is Senior Director of Product Management at CA Veracode. A Grammy-award winning product professional with more than 20 years of experience building and marketing software, he joined Veracode in 2008 and has a Bacon number of 3. He has previously spoken at the RSA Conference...


Monday February 13, 2017 11:30am - 12:00pm PST
BuzzWorks

12:00pm PST

Lunch
Sponsors

Monday February 13, 2017 12:00pm - 1:30pm PST
DNA Lounge and BuzzWorks

1:30pm PST

#securityselfie (size up your appsec program with new metrics)

Hacking around to find cool bugs is one thing; securing a codebase is another. How do you measure the overall effectiveness of your application security work? Focus inward to take a security snapshot using data that you may not realize you already have.

This talk proposes several approaches for generating metrics that measure and improve your appsec work, from monitoring bug-bounty operational health to incentivizing long-term secure framework bets. Come hear how data is applied to secure the systems and code that power Facebook, WhatsApp, Instagram, and Oculus. There will be science. There will be code. You will learn new ways to use concrete numbers to assess the beautiful craft that is security engineering.


Speakers
Jim O'Leary

Security Engineering Manager, Facebook
Jim O'Leary (@jimio) works on Facebook's product-security team; he delights in short biographies.


Monday February 13, 2017 1:30pm - 2:00pm PST
DNA Lounge

1:30pm PST

When Bandit(s) Strike - Defend your Python Code

Bandit is an open-source tool designed to discover common security flaws in Python code.  Although Bandit was originally developed to find issues in OpenStack (a large open-source cloud platform) it has since been adopted by many Python developers outside of OpenStack.  It has found dozens of critical security issues including: command injection, SQLi, insecure temporary file usage, and usage of insecure libraries. 

Join Travis McPeak, one of the core developers on the Bandit project, to find out how Bandit works, how to customize it for different workflows, how to create a security CI pipeline with Bandit, and even how to extend it.



Speakers
Travis McPeak

Sr. Security Engineer, Netflix
Travis McPeak is a Sr. Security Engineer at Netflix. He is a core developer of the Bandit, Repokid, and Aardvark projects. In his spare time he loves travel, snowboarding, and quality food/beer.


Monday February 13, 2017 1:30pm - 2:00pm PST
BuzzWorks

1:30pm PST

Exploiting Websites Hands-On

Participants will do a series of hands-on challenges including: command injection, buffer overflows, ImageMagick exploitation, SQL injection, defeating client-side validation with Burp, exploiting ECB-encrypted tokens, and PHP insecurities.

You will need a computer with any OS. All you need is a Web browser, Java, and Burp.


Speakers
Sam Bowne

Instructor, CCSF
Sam Bowne has been teaching computer networking and security classes at CCSF since 2000. He has given talks and hands-on trainings at DEF CON, DEF CON China, HOPE, BSidesSF, BSidesLV, RSA, and many conferences and colleges. Formal education: B.S. and Ph.D. in Physics. Industry credentials...


Monday February 13, 2017 1:30pm - 3:30pm PST
DNA Lounge

2:00pm PST

Break
Monday February 13, 2017 2:00pm - 2:10pm PST
Break

2:10pm PST

Opinionless Enforcement of Opinions on Operational Secrets

The problem with providing unopinionated tools to a wide range of developers with minimal hand-holding is that you will quickly end up with the configuration equivalent of winding darkened tunnels, staircases that go nowhere, and rooms with no doors. As part of developing an internal "Secret Key Service" we quickly realized that allowing everyone at our organization free-form access to the underlying tooling could rapidly result in an irreconcilable mess of operational secrets. We quickly created a new tool to provide a data-driven approach for provisioning secrets into Vault, our secret storage tool of choice.

This tool was created internally and then open sourced as aomi. It provides two key concepts which have been aiding our efforts: data-driven management of secrets, and the ability to easily extract these secrets in a way which can be consumed by existing UNIX-ish applications. We have strived to create a tool with as few of its own opinions as possible, all while aiming to have this tool enforce our own rigorously held opinions.


Speakers
Jonathan Freedman

Autodesk
Like many Nova Scotians, Jonathan went down the road to find work. Along the way he found many gigs including systems administration, security consulting, teaching, and software development. These past few years, after going so far down the road to find work he ended up at the Pacific...


Monday February 13, 2017 2:10pm - 2:40pm PST
DNA Lounge

2:10pm PST

Securing Kubernetes

The talk will begin with an overview of Kubernetes concepts and individual components. Next, I will walk through how authentication and authorization work in Kubernetes. Finally, I will explain how Hashicorp Vault’s PKI backend can be used to issue certificates for Kubernetes transport security and authentication, and assist with authorization (by embedding group membership information within client certificates).


Speakers
Jesse Endahl

CSO & CPO, Fleetsmith
Jesse is co-founder, CPO, and CSO at Fleetsmith. He previously worked at Dropbox, where he spent a year as an IT Engineer and two and a half years as an Infrastructure Security Engineer. Prior to Dropbox, he was the IT Manager at C&T Publishing, a publishing house in the Bay Area...


Monday February 13, 2017 2:10pm - 2:40pm PST
BuzzWorks

2:40pm PST

Break
Monday February 13, 2017 2:40pm - 2:50pm PST
Break

2:50pm PST

AtomBombing: Injecting Code Using Windows’ Atoms

In this talk we present a code injection technique, dubbed AtomBombing, which exploits Windows atom tables and Async Procedure Calls (APC). At the time of its release (October 2016), AtomBombing went undetected by common security solutions that focused on preventing infiltration.

AtomBombing affects all Windows versions. In particular, we tested it against Windows 10 and Windows 7. 

Unfortunately, this issue cannot be patched by Microsoft, since it doesn't rely on broken or flawed code but rather on how these operating system mechanisms are designed.


Speakers
Tal Liberman

Security Research Team Leader, enSilo
Tal has a strong interest in cyber-security, mainly focusing around OS-internals, reverse-engineering and low-level research. As a cyber security research team lead at enSilo, Tal's team is responsible for reverse engineering OS internals, exploits, and malware and integrating their...

Udi Yavo

CTO, enSilo
Udi Yavo has more than 15 years of experience in security with a proven track record in leading cutting edge cyber-security R&D projects. Prior to enSilo, Udi spearheaded the direction of the cyber-security unit at the National Electronic Warfare Research & Simulation Center of Rafael...


Monday February 13, 2017 2:50pm - 3:20pm PST
DNA Lounge

2:50pm PST

Hijacking .NET to Defend PowerShell

You need to have the mind of a hacker to know how to defend. With the rise of attacks using PowerShell in recent months, there hasn't been a solid solution for monitoring or prevention. Microsoft has released AMSI for PowerShell v5; however, this can also be bypassed. This talk will focus on various stealthy runtime .NET hijacking techniques implemented as blue-team defenses against PowerShell attacks. The presentation will start with a light intro to .NET and PowerShell, then take a deeper look into various attacker techniques, explained from the perspective of the blue teamer. Techniques include assembly modification, class and method injection, compiler profiling, and C-based function hooking.


Speakers
Amanda Rousseau

Malware Research Unicorn, Endgame
Amanda absolutely loves malware. She works as a Malware Researcher at Endgame, where she focuses on applying attacker techniques to dynamic behavior detection on both Windows and OSX platforms.


Monday February 13, 2017 2:50pm - 3:20pm PST
BuzzWorks

3:20pm PST

Break
Monday February 13, 2017 3:20pm - 3:30pm PST
Break

3:30pm PST

Bypassing malware analysis sandboxes is easy, let’s discuss how they are doing it and why it works

Have you ever received a piece of malware and wanted to know what it did?  You may have used an automated cloud malware analysis sandbox like VxStream/Reverse.It, Malwr or built your own Cuckoo sandbox.  There are also high-end commercial solutions available such as ReversingLabs, Lastline and those integrated into Email, Web proxies and Next Gen Firewalls.  

What about malware that uses documents such as .DOC and .PDF files versus a regular .EXE binary? Some sandboxes handle multiple file formats, some do not, and some claim to mimic user behavior. In comparing commodity malware (what we get in email and drive-by surfing) to the advanced custom malware in targeted attacks, I found some interesting things while doing manual and sandbox analysis. This talk will look at free, commercial and gateway (Email/Web) solutions and what can be learned from comparing the results to your own manual malware analysis.

Are these sandboxes worth it?  Should you use them?  What are the gaps?  How much should you rely on the output?  Do these solutions provide us what we need for Incident Response?  Or enough data to improve the defense of our networks?  Do they give us enough artifacts to remediate the infection?  


Speakers
Michael Gough

Founder, Malware Archaeology
Michael is a Malware Archaeologist, Blue Team defender, Incident Responder and logoholic. Michael developed several Windows logging cheat sheets to help the security industry understand Windows logging, where to start and what to look for. Michael is co-developer of LOG-MD, a free...


Monday February 13, 2017 3:30pm - 4:00pm PST
DNA Lounge

3:30pm PST

Access Control with Concierge: One Tool to Rule Them All

A lot of startups, like the one I work at, use a lot of third-party SaaS services as part of their day-to-day job. Services like Google Apps, AWS, Slack, Salesforce, GitHub, the Atlassian suite, etc. are commonplace. The ITOps teams, however, have to live the nightmare of managing access to all of these different tools and services - especially during onboarding and offboarding. Add to this mix internal services such as VPN, SSH servers, internal tools, etc., and it becomes almost impossible to handle access control manually. Faced with these very same problems, we created a tool called Concierge. Concierge aims to be the one-stop shop for all access control related solutions: sync with the HR directory, automatically sync with AD/LDAP and add people to the appropriate groups, grant access to various tools and services based on their roles, and provide the ITOps team a holistic view of who has access to what. Concierge also revokes access upon offboarding, role change, or any other event as necessary.


Speakers
Karthik Rangarajan

Karthik Rangarajan is an experienced security engineer with a focus on application and infrastructure security. Karthik has worked in various roles in the past, and has a unique perspective on securing and attacking applications. Currently, Karthik works at Addepar, helping secure...


Monday February 13, 2017 3:30pm - 4:00pm PST
BuzzWorks

4:00pm PST

Break
Monday February 13, 2017 4:00pm - 4:10pm PST
Break

4:10pm PST

Look Ma, No Hands! - Decentralizing security for scale

What does your security operations team look like? A bunch of folks sitting in a blue-lit room staring at telemetry data from systems they didn't even design, let alone operate? That's what ours looked like too, until we learned that decentralizing most security functions is far more effective than dedicated teams. In order to scale security without the bottleneck of security team headcount, we need to think different. Everyone needs to be a security engineer. In this talk I'll describe some of the organizational changes that have worked for us, as well as show off a few internal security tools we've built to put usable security into the hands of developers.


Speakers
Chris Dorros

Chris Dorros spends his days at OpenDNS (Cisco) as a Tech Lead in Security Engineering, where he designs resilient infrastructure supporting over 80 billion DNS requests per day. In a past life Chris worked in security at NASA JPL, CERT/CC, Lockheed Martin, and studied infosec in...


Monday February 13, 2017 4:10pm - 4:40pm PST
DNA Lounge

4:10pm PST

Does DoD Level Security Work in the Real World?

After spending nearly 13 years working for the Department of Defense, I ventured out into the private sector to consult and advise on matters of information security. On many occasions, after explaining some basic security concept to a customer and outlining what they need to do to be secure, I often heard the retort, "yeah, but we don't need DoD level security." Well, after twenty years in the private sector, and especially over the past 2-3 years with the proliferation of data breaches against major companies, I find myself wanting to reply, "yeah, you really DO need DoD level security!"

What does this mean? Probably not what you are thinking. This talk will start with an overview of the foundational nature of data security, highlight the major tenets or goals of data security, discuss how and why so many companies so often fail at implementing the basics of data security, and explore some ways that a DoD-centric approach to data security might be implemented in the private sector. Brainstorming, discussion, dissension all welcome. Note: This ain't about Cyber!


Speakers
Jeff Man

Information Security Curmudgeon, Currently Unaffiliated
Jeff is a respected Information Security expert, advisor, speaker, teacher, advocate, and curmudgeon. He has over 33 years of experience working in all aspects of computer, network, and information security, including risk management, vulnerability analysis, compliance assessment...


Monday February 13, 2017 4:10pm - 4:40pm PST
BuzzWorks

4:40pm PST

Break
Monday February 13, 2017 4:40pm - 4:50pm PST
Break

4:50pm PST

The Underground Economy of Apple ID

Apple ID is the keystone of all services and apps running on Apple platforms. It is the most important credential for accessing iCloud, purchasing apps or music, talking with friends or family via Messages/FaceTime, remotely managing an iPhone or Mac, and synchronizing mail, photos, calendars and documents among devices and the cloud. Because of its extreme importance, Apple ID has become one of the most sought-after goods in the underground market!

In this talk, we will present several real-world attacks on, or based on, Apple IDs, affecting a huge number of users globally. Some of them even led to arrests and court judgements. We are going to present our observations and investigations on these questions: 1) how could attackers grab large amounts of Apple IDs? 2) how could they profit from those stolen Apple accounts (there are many ways!)? 3) what has Apple done, and what could it do further, to mitigate the issue? 4) how can we protect ourselves with existing solutions?


Speakers
Claud Xiao

Sr Distinguished Researcher, Palo Alto Networks


Monday February 13, 2017 4:50pm - 5:20pm PST
DNA Lounge

4:50pm PST

Dormant DOMination

Traditional attacks on air-gapped networks have looked at vectors such as USB memory sticks (thanks Stuxnet), audio signals (thanks BadBIOS) and even cellular frequencies (thanks GSMem). But it's not entirely uncommon for portable devices (laptops, smart phones) to go from network to network, even connecting to potentially sensitive corporate networks. In fact, every day many corporate devices connect to the local coffee shop wifi on the way into the office. And it's here where things get interesting. Advanced mitigations to these vectors include things like host-health checks upon re-connecting to 'secure' networks. But what's the chance that these scans will pick up on JavaScript that may be running in the DOM?


Leveraging a number of existing browser technologies, such as WebRTC, Web Workers and good old fashioned XMLHttpRequest objects, we have everything we need to plant a JavaScript hook and monitor the local network interface for changes in connectivity. From here, we can start scanning different local subnets looking for available hosts. Once identified, we can even determine if they have any listening ports.


This presentation will discuss existing methods of subnet discovery and scanning, persistence methods, and ways in which dormant JavaScript objects can periodically scan the local browser's network to discover new attack surfaces, even those that may be air-gapped. (Bloody JavaScript...)


Speakers
xntrik

Director, Company
Christian is an app sec nerd who currently works at , previously at LinkedIn. Originally from Australia, Christian helped start an awesome, Perth-based security consulting firm, Asterisk Information Security. Christian has a deep love/hate relationship with JavaScript, and his involvement...


Monday February 13, 2017 4:50pm - 5:20pm PST
BuzzWorks

5:20pm PST

Happy Hour
Sponsors

Monday February 13, 2017 5:20pm - 6:30pm PST
DNA Lounge