BSidesSF 2017

Pre-registration is open! Visit the CTF scoreboard to register, then come back on February 11th to play!

We will be running a CTF this year! Sweet!

The game runs from Saturday, February 11 at 4pm PST, to Monday, February 13 at 4pm PST. You can play on-site in the CTF room during the conference, or you can play online by coming back here.

It’ll be targeted towards beginner and intermediate players, but there will be a couple harder challenges as well!

There will be folks on-site in the CTF room and in our Slack room (#ctf) to answer any questions.

CTF sponsored by Google. Prizes are sponsored by Synack.

After tenure of a year or two at many companies, a senior engineer’s access level is often maxed out. He or she probably has full root permissions across the entire infrastructure. We call these privileges ‘master keys’ and, just like a building’s master key, they are very dangerous if they fall into the wrong hands.

Instead, privileged access should granted only on a temporary basis. Sometimes this means requesting increased access from a manager, or a peer. But sometimes the increased access can be imputed from another input. For example, sudo permissions can be automatically granted and revoked in accordance with an on-call schedule. Or a Jira ticket must be open and approved before a user can log into a sensitive database for scheduled maintenance. 

This talk will cover how to quickly and easily build API-driven access control into your environment and eliminate your “master keys”.

Modern breaches are often undetected for hundreds of days.  Effective intrusion detection doesn't need to be so hard.  This talk will outline how one can build an effective intrusion detection program on the cheap using free and/or inexpensive tools, and some brains.  We'll compare and contrast some of the techniques employed in newsworthy breaches over the recent past and how we can catch them in a timely manner.  We'll cover cloud apps, endpoints, network security monitoring, and how to crowd source incident response.

Embedded devices (including the so-called Internet of Things) pose unique problems for those responsible for managing and assessing their security.  The devices tend to be less transparent and more tightly integrated than typical software and generally lack the host-based security controls (privilege separation, host firewalls, etc.) found on desktop or server applications.  This talk will cover some of the unique constraints for threat modeling and assessing these devices, then walk through an assessment of a VoIP phone and discuss the issues found there, including potential mitigations that can be applied if a device cannot be updated.

Why can’t this be easier? Writing good alerts and keeping them actionable is hard. Ask anyone on any security team, ever. Alerts are notoriously either too noisy or don’t have enough coverage, and finding the sweet spot is nearly impossible. Additionally, some alerts are idly sitting there functionally incorrect and don’t actually work as expected (when was the last time you tested some of yours?). To make matters worse, there is a general lack of industry standard for alert definitions, priorities, and incident response steps. 

At Yelp, we have created tools and processes that enable the security team to keep a handle on our alerts, thus making the alerts actionable and maintainable. We do this by making sure we know which alerts are firing at what frequencies, having a run-book for writing new alerts, and utilizing self-service alerts whenever possible. 

Certainly no alerting solution is perfect. However, by implementing some of these tools, we’ve effectively improved the signal-to-noise ratio for most of our important alerts. This  in turn relieves the security team of tedious tasks and enables us to work on more important (and interesting!) things.

How do you react during a crisis? Working in security, the unfortunate reality is that you’ll likely find out the answer to that question at some point. Dealing with high-pressure situations is part of the job; however, how you communicate through the process can greatly influence the outcomes, and may determine just how stressful the experience ends up being. This session will walk through the basics of crisis management, with a strong emphasis on the communications pieces – both internal with core stakeholders, and external with the community and customers. We will talk through strategies you can apply in your organization to prepare for crisis situations and ensure you are better able to weather the storm.

As organizations scale, collaborating with the rest of the business can become increasingly complicated for InfoSec teams. I spoke with individuals across several industries and job functions about their experiences working with InfoSec, and these interviews (along with data gathered through plenty of personal failures) revealed two ways we can step up our game.

1.       Increase visibility: Make sure the rest of the organization knows where to find us, and ensure we’re operating alongside them… not waiting get looped in once something is on fire.

2.       Communicate effectively: We can make ourselves super visible by sending 15 mass emails every day, but that’s not especially effective. Using the right strategies will ensure our communications are impactful.

We will explore how team visibility and effective communication can improve the security posture of our organizations, and you will leave this session with straightforward strategies that are simple to implement.

Almost every company today uses some variation of the firewall, or “fortress,” model to enforce perimeter security. This model assumes that everything on the outside is dangerous, and everything in the inside is safe. It worked relatively well when most employees worked in facilities owned by the company, and primarily did their work on desktop and laptop computers. 

Now, however, this model is outdated and ineffective. With mobile and cloud technologies transforming how companies work, the way they are secured has to change, too. Companies have to assume that their internal network is as vulnerable to danger as the public Internet, and build enterprise applications based on this assumption.

Google’s BeyondCorp presents a new model for this new paradigm. It dispenses with the privileged corporate network, instead granting access based on device and user credentials, regardless of physical location. The result is employees that can work from any network without needing a traditional VPN connection into the privileged network. 

This presentation and discussion will focus on how BeyondCorp accomplishes this new model, and how it can best be applied by businesses.   

SSH is a great, safe protocol that almost everyone uses for managing their servers and infrastructure. However, failures in SSH user management has lead to multiple news-worthy infrastructure compromises. This talk introduces the audience to Netflix’s Bless and Lyft’s Blessclient, which Lyft is open-sourcing. The combination of these tools has allowed Lyft to improve the security of our SSH accounts, as well as empowering engineers to manage their SSH keys themselves.

Browser based botnets are used for various types of attacks; from application DDoS to credentials stuffing. In this session I'll demo, share my research results, and explain the anatomy of a browser-based botnet comprising browser caching, proxy servers and the web proxy autodiscovery protocol (WPAD). I'll also explain what users and organizations can do to protect themselves from being pwned.

Conventional wisdom: cyber insurance improves incentives and if everybody had it we would get better security. Wrong! Taking a behavioral view (e.g. how decision are made), this talk describes ten ways that cyber insurance is a misfit for the 'job to be done', and suggests better incentive instruments.

Have you ever had to look up an IP address, domain name, or URL to decide if it is a threat, and if it is targeting you?, Do you ever need to analyze what what malicious action it just took on your potentially-compromised users? If yes - this session is for you! 

It's time to move beyond simple Whois & PDNS lookups, and noisy threat feeds. Learn how to combine SSL cert facet data with tracking IDs like Google Analytics, ad-trackers, performance management trackers; host-pair relationships; technology stack fingerprints; detect, verify, and stop your adversaries' next attacks.

The latest Linux kernels have implemented a Berkeley Packet Filter (BPF) virtual machine which can provide safe and efficient syscall hooking. There are many logging systems in Linux that provide security relevant data, and several excellent open source tools that sit on top of these. These existing options provide many features that are useful during response, but at scale we focus on lightweight alerting across the fleet, to be followed up with heavy scrutiny of a subset for a limited time. We landed on the need for three basic monitoring capabilities - process execution, network connections and file integrity. Our goal is to provide meaningful security monitoring at under 1% overhead. 

I will share how I was able to build a security team and program from scratch at Twilio, an SF startup that just recently went IPO.  I will be telling war stories that demonstrate what problems they will face and how I was eventually able to overcome them (hint: it wasn't easy, but I'll be giving up my secrets).  At the end of the presentation, the security practitioners in attendance will have a guide they can use when trying to accomplish the same thing at their own company.  Ultimately, we're all on the same side, and if I can give security practitioners an advantage with my experience, I sure will.

Exploit Kits (EKs) have been very successful in delivering tailor made exploits and spreading malware. EK as a service has lowered the bar of entry for attackers, enabling wide-spread malware infections. Defenders have been using dynamic analysis tools like Cuckoo sandbox and JavaScript de-obfuscators like JSDetox and Revelo to detect and analyze EKs, but these approaches don’t scale very well across billions of websites. In this talk, I'll discuss a new technique to crawl the web at scale and detect EKs using headless browsers equipped with JavaScript and DOM inspectors. I’ll demonstrate a proof of concept and unravel the behavior of some of the latest EKs hiding in plain sight.

Ransomware infections are nasty and potentially devastating events that can cripple large companies and home computers alike. Ransomware comes in many varieties and works in different ways, but the basic scenario is the same: cybercriminals infect your computer with malicious software that blocks access to your system or important files until you pay the ransom. You have a finite amount of days to pay if you ever want to see your files again.

Should you pay? The answer is a little more nuanced than “never pay” or “always pay.” The decision is a complex scenario of incentives and payoffs that can be analyzed with game theory. Game theory is a branch of mathematics that models conflict and cooperation between parties and is used in many real-world scenarios, inside and outside the Information Security field, including machine learning, poker games, allocation of security resources, kidnappings and nuclear war.

This talk will use the familiar topic of ransomware to introduce participants to game theory concepts like rational decision-making, zero-sum games, incentives, utility and Nash Equilibrium – all important tools that can help solve security problems. By analyzing ransomware decision-making with a game theory mindset, participants will learn a new set of skills and a new way of incentive-driven thinking.  Participants may be surprised to find that ransomware response isn’t black or white.

With this presentation, we take a new approach to reverse engineering. Instead of attempting to decompile code, we seek to undo the work of the linker and produce relocatable files, the typical output of a compiler. The main benefit of the later technique over the former being that it does work. Once achieved universal code 'reuse' by relinking those relocatable objects as arbitrary shared libraries, we'll create a form of binary reflection, add scripting capabilities and in memory debugging using a JIT compiler, to attain automated API prototyping and annotation, which, we will argue, constitutes a primary form of binary code self awareness. 

Finally, we'll see how abusing the dynamic linker internals shall elegantly solve a number of complex tasks for us, such as calling a given function within a binary without having to craft a valid input to reach it. The applications in terms of vulnerability exploitation, functional testing, static analysis validation and more generally computer wizardry being tremendous, we'll have fun demoing some new exploits in real life applications, and commit public program profanity, such as turning PEs into ELFs, functional scripting of sshd in memory, stealing crypto routines without even disassembling them, among other things that were never supposed to work. All the above techniques have been implemented into the Wichcraft Compiler Collection, to be released as proper open source software (MIT/BSD-2 licenses).

This presentation extracts few points from CIS Docker 1.12 benchmark which was co-authored by me. 

Ref:  https://benchmarks.cisecurity.org/downloads/show-single/index.cfm?file=docker12.100 

Abstract: The concept of containerization was in Linux from ages in the form of jails, zones, LXC etc. but it is since 2 years it gained tremendous recognition.  The credit goes to "Docker" which made the concept of containerization very useful and handy by adding many benefits to existing container technologies. Tech giants like Redhat, Google, IBM, VMware etc. are not only the biggest contributors to this most active open source project but also major users of it. The effect of containers already impacted the virtual machine market and this impact is going to increase significantly in near future.

Security is always an important issue for any upcoming technology and Docker is no exception to it. This presentation starts with a brief introduction to containers vs. virtualization technology, Docker ecosystem and then goes in-detailed into security of “Docker Images” explaining various security issues that can happen in each stage of Docker image life cycle and how each of them can be fixed. It also provides security benchmark to enterprises/personal users who want to maintain their own in-house registry and need a security compliance set for generating/consuming/maintaining images securely.

Pre-registration is open! Visit the CTF scoreboard to register, then come back on February 11th to play!

We will be running a CTF this year! Sweet!

The game runs from Saturday, February 11 at 4pm PST, to Monday, February 13 at 4pm PST. You can play on-site in the CTF room during the conference, or you can play online by coming back here.

It’ll be targeted towards beginner and intermediate players, but there will be a couple harder challenges as well!

There will be folks on-site in the CTF room and in our Slack room (#ctf) to answer any questions.

CTF sponsored by Google. Prizes sponsored by Synack.

Phishing is one of the largest and most difficult challenges for any enterprise security team. It’s the great equalizer of security -- we all have to deal with it. We built our own email IDS at Uber with control over features and alerts means we can adjust to evolving threats in real-time. But just as important, we demonstrated that security investments can also drive operational benefits in price, extensibility, and performance. This talk will walk through how building our own email IDS in AWS helped guard against phishing and improve operations.

Security’s goal of minimizing enterprise risk sometimes seems to be at odds with development’s mandate for change. In reality, there is a middle path that can allow development to deliver more secure code at DevOps speed, but it requires security to adapt to the principles that have proven successful for DevOps.

Hacking around to find cool bugs is one thing; securing a codebase is another. How do you measure the overall effectiveness of your application security work? Focus inward to take a security snapshot using data that you may not realize you already have.

This talk proposes several approaches for generating metrics that measure and improve your appsec work, from monitoring bug-bounty operational health to incentivizing long-term secure framework bets. Come hear how data is applied to secure the systems and code that power Facebook, WhatsApp, Instagram, and Oculus. There will be science. There will be code. You will learn new ways to use concrete numbers to assess the beautiful craft that is security engineering.

Bandit is an open-source tool designed to discover common security flaws in Python code.  Although Bandit was originally developed to find issues in OpenStack (a large open-source cloud platform) it has since been adopted by many Python developers outside of OpenStack.  It has found dozens of critical security issues including: command injection, SQLi, insecure temporary file usage, and usage of insecure libraries. 

Join Travis McPeak, one of the core developers on the Bandit project to find out: how Bandit works, how to customize it for different workflows, how to create a Security CI pipeline with Bandit, and even how to extend it.

Exploiting Websites Hands-On Participants will do a series of challenges including: Command Injections Buffer overflows InageMagick exploitation SQL injection Defeating client-side validation with Burp Exploiting ECB-Encrypted Tokens PHP Insecurities

You will need a computer with any OS. All you need is a Web browser, Java, and Burp.

The problem with providing unopinionated tools to a wide range of developers with minimal hand holding is you will quickly end up with the configuration equivalent of winding darkened tunnels, staircases that go nowhere, and rooms with no doors. As part of developing an internal "Secret Key Service" we quickly realized that allowing everyone at our organization free form access to the underlying tooling could rapidly result in a irreconcilable mess of operational secrets. We quickly created a new tool to provide a data driven approach for provisioning secrets into Vault, our secret storage tool of choice. 

This tool was created internally and then open sourced as aomi. It provides two key concepts which have been aiding our efforts - data driven management of secrets and the ability to easily extract these secrets in a way which can be consumed by existing UNIXish applications. We have strived to create a tool with as few of it's own opinions as possible, all while aiming to have this tool enforce our own rigorously held opinions.

The talk will begin with an overview of Kubernetes concepts and individual components. Next, I will walk through how authentication and authorization work in Kubernetes. Finally, I will explain how Hashicorp Vault’s PKI backend can be used to issue certificates for Kubernetes transport security and authentication, and assist with authorization (by embedding group membership information within client certificates).

In this talk we present a code injection technique, dubbed AtomBombing, which exploits Windows atom tables and Async Procedure Calls (APC). At the time of its release (October 2016), AtomBombing went undetected by common security solutions that focused on preventing infiltration.

AtomBombing affects all Windows versions. In particular, we tested it against Windows 10 and Windows 7. 

Unfortunately, this issue cannot be patched by Microsoft since it doesn’t rely on broken or flawed code – rather on how these operating system mechanisms are designed.

You need to have the mind of a hacker to know how to defend. With the rise of attacks implementing PowerShell in the recent months, there hasn’t been a solid solution for monitoring or prevention. Currently Microsoft released the AMSI solution for PowerShell v5 however this can also be bypassed. This talk will focus on utilizing various stealthy runtime .NET hijacking techniques implemented for blue teamer defenses for PowerShell attacks. The presentation will start with a light intro into .NET and PowerShell, then a deeper look into various attacker techniques which will be explained in the perspective of the blue teamer. Techniques include assembly modification, class & method injection, compiler profiling, and C based function hooking. 

Have you ever received a piece of malware and wanted to know what it did?  You may have used an automated cloud malware analysis sandbox like VxStream/Reverse.It, Malwr or built your own Cuckoo sandbox.  There are also high-end commercial solutions available such as ReversingLabs, Lastline and those integrated into Email, Web proxies and Next Gen Firewalls.  

What about malware that uses documents such as .DOC and .PDF files versus a regular .EXE binary?  Some sandboxes do multiple file formats, some do not and some claim to mimic user behavior.  In comparing commodity malware, what we get in email and drive-by surfing to the advanced custom malware in targeted attacks I found some interesting things while doing manual and sandbox analysis.  This talk will look at free, commercial and gateway (Email/Web) solutions and what can be learned from comparing the results to your own manual malware analysis.  

Are these sandboxes worth it?  Should you use them?  What are the gaps?  How much should you rely on the output?  Do these solutions provide us what we need for Incident Response?  Or enough data to improve the defense of our networks?  Do they give us enough artifacts to remediate the infection?  

A lot of startups, like the one I work in, use a lot of third-party SaaS services as part of their day-to-day job. Services like Google Apps, AWS, Slack, Salesforce GitHub, Atlassian Suite, etc. are commonplace. The ITOps teams, however, have to live the nightmare of managing access to all of these different tools and services - especially during onboarding and offboarding. Add to this mix internal services such as VPN, SSH Servers, internal tools, etc., it becomes almost impossible to handle access control manually. Faced with this very same problems, we created a tool called Concierge. Concierge aims to be the one-stop-shop for all access control related solutions - sync with the HR directory, automatically sync with AD/LDAP and add people to appropriate groups, as well as grant access to various tools and services based on their roles, and provide the ITOps team a holistic view of who has access to what. Concierge also revokes access upon offboarding, role change, or any other event as necessary.

What does your security operations team look like? A bunch of folks sitting in a blue-lit room starting at telemetry data from systems they didn’t even design let alone operate? That’s what ours looked like too, until we learned that decentralizing most security functions is far more effective than dedicated teams. In order to scale security without the bottleneck of security team headcount, we need to think different. Everyone needs to be a security engineer. In this talk I’ll describe some of the organizational changes that have worked for us, as well as show off few internal security tools we’ve built to put usable security into the hands of developers.

After spending nearly 13 years working for the Department of Defense, I ventured out into the private sector to consult and advice on matters of information security. On many occasions, after explaining some basic security concept to a customer and outlining what they need to do to be secure, I often heard the retort, “yeah, but we don’t need DoD level security.” Well, after twenty years in the private sector, and especially over the past 2-3 years with the proliferation of data breaches against major companies, I find myself wanting to reply, “yeah, you really DO need DoD level security!”

What does this mean? Probably not what you are thinking. This talk will start with an overview of the foundational nature of data security, highlight the major tenets or goals of data security, discuss how and why so many companies so often fail at implementing the basics of data security, and explore some ways that a DoD-centric approach to data security might be implemented in the private sector. Brainstorming, discussion, dissention all welcome. Note: This ain’t about Cyber!

Apple ID is the keystone of all services and apps running on Apple platforms. It is the most important credential to access iCloud, to purchase apps or music, to talk with friends or families by Messages/FaceTime, to remotely manage iPhone and Mac, to synchronize our mail, photo, calendar and documents among devices and cloud. Since its extreme importance, Apple ID has become one of the most favorite goods in the underground market!

In this topic, we will present several real world attacks to or based on Apple IDs, affecting a huge number of users globally. Some of them even led to arresting and judgement. We are going to present our observations and investigations on these questions: 1) how could attacker grab large amounts of Apple IDs? 2) how could them make profit from those stolen Apple accounts (there are many ways!)? 3) what Apple have done and could do in further to mitigate the issue? 4) how can we protect ourselves by existing solutions?

Traditional attacks to air-gapped networks have looked at vectors such as USB memory sticks (thanks Stuxnet), audio signals (thanks BadBIOS) and even cellular frequencies (thanks GSMem). But it's not entirely uncommon for portable devices (laptops, smart phones) to go from network to network, even connecting to potentially sensitive corporate networks. In fact, every day many corporate devices connect to the local coffee shop wifi on the way into the office. And it's here where things get interesting. Advanced mitigations to these vectors include things like host-health check, upon re-connecting to ‘secure’ networks. But what’s the chance that these scans will pick up on JavaScript that may be running in the DOM?

Leveraging a number of existing browser technology, such as WebRTC, Web-Workers and good old fashioned XMLHttpRequest objects we have everything we need to plant a JavaScript hook and monitor the local network interface for changes in connectivity. From here, we can start scanning different local subnets looking for available hosts. Once identified, we can even determine if they have any listening ports.

This presentation will discuss existing methods of subnet discovery & scanning, persistence methods and ways in which dormant JavaScript objects can periodically scan the local browser's network to discover new attack surfaces, even those that may be air-gapped. (Bloody JavaScript...)