Talks from CackalackyCon 1 - 2019 are available on YouTube
-
Friday
-
17:00 | Registration Opens
-
18:15 | Opening Remarks
-
18:30 | Fn00bs - Fn00bs Guide to the (security) Galaxy
When I first became interested in Security, I was daunted by the questions, “where do I start?” and “what do I need to learn?”.
This talk will be the quintessential guide for people that are just getting started in the security field, and for professionals seeking to improve. I will talk about different career paths for those looking to jump in for the first time but aren’t sure where to start, discuss the resources available for training, and give an overview of the tools that can help launch a career in security, or polish existing skills.
A website will also be available to pick up any hitchhikers trying to navigate through the (security) galaxy.
-
19:00 | Foemat - Fantastic Bluesnarfs and Where to Find Them!
You wanna Bluesnarf? Little bit of Bluejacking? Sniff some packets? Me too!
Join me, a Bluetooth n00b, as I begin my journey. I will share my realizations, failures, moments of nerd rage, and what's this? Is that a bit of success? ¯\_(ツ)_/¯
My goal is to share my experience as I learned about Bluetooth vulnerabilities and how to use both hardware and software tools to exploit them. I will be going over things that I assumed were true/false about Bluetooth "hacking" and providing the real answers that I found along the way (almost myth buster "ish"). Beginners will benefit from this because I started this journey as a beginner, so all of the doubts, curiosity and frustrations are bundled into a neat little package that I hope will help others have an easier go at it. Anyone beyond beginner will benefit from this because I want to engage others in the Q&A session, including but not limited to suggestions on how I could have done things differently, tool recommendations and future project suggestions. Regardless of skill level, I plan for this to be very informative and entertaining for everyone.
-
20:00 | Gina Yacone and Bace16 - The Art of Streaking: A Cyber Story
Streaking: is it an art form? Is it an uncontrollable urge? Is it defiant? Is it perverse? Healthy? Naughty? More importantly, how do streakers get into some of the world’s most secure sporting events?
The powerhouse duo of Gina Yacone & Bace16 plan on taking you through the history of streaking – the good, the bad, the ugly, and the funny! Through storytelling and humor, they will draw parallels between the streaking assaults made at famous sporting events and the assaults and breaches attempted on the networks and physical security controls of companies.
-
21:00 | Ryan Linn - Practical Payload Hiding in Office Docs
Office documents have been an attack vector for a long time, but unfortunately they are still a requirement for most businesses. During this talk, we're going to look at some practical ways to hide data, demonstrating data hiding in Word and Excel documents that could be used for payload smuggling or even data exfiltration. We'll look at how to generate malicious documents, tricks for making them harder to analyze, and how to customize them so that they will be less likely to be detected. We'll also look at some of the ways to detect these techniques, and talk about other areas that might be fun to explore in the future.
-
22:00 | Grant Harris & Tyler Colgan - Windows Kernel Fuzzing for Mere Mortals
Blue-screens inbound. In this one we'll hold your hand as we walk through the process of attacking drivers in Windows kernel-land. This talk is meant to be an entry-level introduction to Windows driver fuzzing. No prior experience is required, but a knowledge of reverse-engineering, Windows internals, or the fuzzing process will be helpful. Attendees will walk away with basic knowledge and a step-by-step process of how to set up, fuzz, and triage crashes caused by drivers behaving badly.
-
22:30 | Party
-
Saturday
-
09:00 | Registration Re-Opens
-
09:50 | Opening Remarks
-
10:00 | Wes Lambert - Augmenting the Onion: Facilitating Enhanced Detection and Response with Open Source Tools
As network defenders, we face evolving threats every day, and are required to truly understand our computer networks; to gain perspective around normal (and abnormal) behavior, and the scope of an event. To help us better understand and protect our systems, we can use completely free and open source tools, augmenting a platform like Security Onion, to assist us in threat hunting, responding to alerts, tracking events, automating analysis of files extracted from network data streams, and even performing remote host-based forensics. This talk delves into tools that are freely available, and how they can be integrated to empower even the smallest of information security departments to effectively monitor, track, and investigate events to help lower risk and increase security posture within their organizations. Audience members should walk away from the talk with a better understanding of the open source tools at their disposal, and how they can begin to immediately realize the benefits of said tool usage within their environments.
-
11:00 | Takko_The_Boss - Gotta Keep Em Separated! Wait, but do we though? Well maybe not so much.
Industrial Control Systems (ICS) are the infrastructure in facilities that provides us with power, treats our drinking water and manages our city & town traffic system(s). Due to the need for 100% uptime of this critical infrastructure, monitoring of data in the ICS network has to be constant. IT/OT convergence covers the ways we can integrate Information Technology and Operations Technology in order to meet the demands of modern-day standards of system, network and security monitoring & diagnostics to cloud systems. At the moment, the way that remote off-network communications are being handled is through a process referred to as “air gapping”, in which the Supervisory Control And Data Acquisition (SCADA) network, on its own segmented network, allows access to the internet for small periods of time. These communications, updates etc. happen in an asynchronous manner.
For true IT/OT convergence to happen, the air gap needs to be bridged, and the way that data comes in and out of the SCADA network needs to be well protected and handled with scrutiny at all perimeter layers. However, what is happening right now is that these networks and devices are being exposed and placed RIGHT onto the open internet, where anyone can observe and sometimes interact with these systems and the devices that constitute them. This presentation will cover ways that these systems are compromised, and some “take home” ways to secure the air gap between IT and OT.
-
12:00 | Drew Kirkpatrick - ENNEoS (Evolutionary Neural Network Encoder of Shenanigans)
Penetration testers and red teamers often need to bypass endpoint and network protections such as anti-virus and IPS to further access into a client’s network and better emulate the behavior of malicious actors. For this purpose, attackers use a number of methods to bypass antivirus solutions and avoid detection, including obfuscating payloads.
This talk will discuss a novel technique of hiding payloads inside of neural networks. An open source proof-of-concept encoder and loader called “ENNEoS” (Evolutionary Neural Network Encoder of Shenanigans) will be demonstrated. The encoder uses genetic algorithms to evolve complex neural networks that output the payload shellcode on demand. A high-level overview of the technique will be covered, with a more detailed explanation given of how to use the technique.
-
13:00 | Lunch (Not Provided go get your own food lol)
-
14:00 | Xavier Ashe - IOC's: Indicators of Crap
“You should be looking at Indicators of Compromise!” exclaims your CISO, regulator, vendor, and mom. No problem, right? You have the most expensive security intelligence vendor and all you have to do is correlate in your expensive SIEM!
Well, if you have tried this, then you are laughing with me. Come hear my exploration into implementing IOCs at a major US insurance company and a major US bank. I’ll address the differences in Indicators of Compromise vs Indicators of Attack. I will show you how not to use the MITRE ATT&CK framework, plus some tips on how to use it well. My goal is to save you from falling into the same pitfalls when dealing with Indicators of Crap.
-
15:00 | Pandatrax - Investigate-alackin’ Linux Malware
If you’ve taken training about malware analysis, you’ve likely learned how to deal with suspect .exe files, macro-enabled word documents, or obfuscated scripts—all intended for a Windows victim. But what about malicious files targeting a Linux environment? This talk will walk through the basics of what Linux malware looks like and how to analyze it. We’ll walk through setting up an appropriate lab environment for testing, porting best-practices from Windows analysis into a Linux environment, and finally how to use radare2 to both debug and statically analyze a suspicious file.
-
16:00 | Aleks Kircanski - Depressing the Crypto Economy with DoS Bugs
A piece of software that implements a Satoshi-like blockchain client is a rather complicated one: it ingests and processes unauthenticated content, performs cryptographic validations and keeps large amounts of data both in memory and on disk. In general, a question relevant both for blockchain developers and security researchers is: what is the set of "baseline" bugs that apply in that context? Of interest are bugs inherent to the blockchain; general appsec bugs such as memory corruption are less interesting, as they do not really pertain to the nature of blockchain systems. In this talk we'll briefly look at a possible list of such baseline bug classes and focus on application security level DoS vectors. This includes issues related to serialization/deserialization, orphan transaction handling, quadratic complexity processing on user-supplied input, memory stores of unlimited size, etc. The goal of this talk is to equip the audience with the means to search for relevant application-level DoS bugs in popular coins themselves.
-
17:00 | Lisa Lorenzin - Rise of the Weird Machines
One of the key assumptions in programming is that computers execute code that performs the function intended by the programmer. However, as programs become more complex, so do their inputs - giving rise to situations where specially-crafted data can trigger unexpected computations in targets ranging from executables to OS elements to embedded hardware. These "weird machines" give rise to exploits in targets ranging from ELF metadata to x86 page handling to embedded font handlers. We'll discuss how weird machines are born, take a tour of Sergey Bratus' weird machine zoo, and talk about some of the frameworks and tools being developed to counter the rise of the weird machines.
-
18:00 | Dinner (Not Provided go get your own food lol)
-
19:30 | Jarrod Overson - Analysis of an exploited npm package
A popular Node.js package changed ownership in late 2018 and found itself as the delivery mechanism for malicious code in a dependency manufactured specifically to inject a payload into a mobile application. How did an attacker go from an npm package to a mobile application? How was this exploit found? What purpose did each of the three payloads have?
This is just one example of an elaborately simple attack that can take over a developer environment and inject itself into production applications. In this session we will dive into the three payloads of the attack, how they worked, how they were obfuscated, and what their goal ultimately was.
There's no reason to assume this is an isolated event and understanding how this occurred and what it did is an important part of staying secure going forward.
-
20:00 | Deral Heiland - Uboot to Root
During this presentation I will be discussing and demoing various methods to gain root console access to embedded devices via UART. As part of this presentation I will detail methods for analyzing circuit boards using a logic analyzer to help identify UART pinouts. The discussions and demos will also cover attack methods for gaining access to the U-Boot console, and further attacks via boot arguments, environment variable changes, and password alterations, which can lead to root-level access.
-
21:00 | Deviant Ollam - Forged in Fire - Casting Copied Keys in the Field
You've seen lockpickers open doors by manipulating pins. Such a tactic relies on ownership of pick tools and the knowledge of how to use them. You may have witnessed hackers demonstrate the art of impressioning. Such a technique requires a working blank key that can be hand-filed into the correct shape in order to facilitate entry.
But have you ever seen a key fabricated before your eyes from nothing at all? With a raw ingot of metal ore, heat from a flame, and some subversive skill it's possible to re-create almost any key -- no matter how obscure -- via molding and casting. That is what this presentation will entail: keys will be created using raw metal and fire. But not in a forge or foundry... this is a tactic that can be employed in the field by covert entry types who want a way to gain repeated access without having to carry around key blanks and specific tools specialized for every brand of lock. When you're casting a key from nothing, virtually any kind of mechanical lock becomes a valid target.
-
22:00 | Party
-
Sunday
-
09:00 | Registration Re-Opens
-
09:50 | Opening Remarks
-
10:00 | Blaine Schmidt - When Can I Go? Can I Even Turn Here? Interpreting the Legal Signs Posted at the Three-Way Intersection of Business, Law, and Information Security.
Like three busy roads coming together, the intersection of business, law, and information security is complex and can have conflicting signs posted, making it difficult for the drivers of Information Security to know which direction to turn. This high-level presentation reviews the domestic and foreign legal “roads” controlling the vehicles of the InfoSec professional, the practical issues that result from those roads, as well as the ethical implications of controlling the traffic on the private corporate streets and the Information Superhighway.
-
11:00 | Ben Demick - Enter the Dragon (and Other Draconic Clichés)
The Kingdom in the West has borne forth a new dragon - its mantle: to vanquish vulnerabilities and immolate CTF binaries. Ghidra is poised to change the game of disassembler thrones, offering an open-source, extendable, and completely free software reverse engineering framework. What does Ghidra bring to the table and how does it compare to the tools you've been using? We'll cover all of that and more in this review of the fire-breathing-and-no-longer-mythical beast.
-
12:00 | Dan Helton - A Gentle Introduction to Hacking Mainframes
Contrary to popular belief, the IBM mainframe is alive and well. Also known as the IBM Z family, it is *not* a legacy system; it's still actively maintained and updated, it's still the workhorse of industries from finance to airlines, and it still makes IBM billions of dollars every year. Unfortunately, a combination of proprietary software, high entry costs, and a less-than-cuddly user community has been effective at scaring away new mainframers for decades. It's also been effective at scaring CIOs and CISOs from ever letting infosec staff anywhere near them. This talk will break down mainframes and how they work in terms that a Windows or Linux power user can understand, show you some of the attacks they can be vulnerable to, and hopefully inspire you to go back to your organizations and clients and start testing mainframes!
-
13:00 | Lunch (Not Provided go get your own food lol)
-
14:00 | wavelength - Header Steganography: Abusing the IPv6 Header and Prefix-Delegation for Data Exfiltration
The most widely used network-based data exfiltration techniques typically rely on the higher layers of the OSI model in IPv4 networks. The risk with using these higher protocol layers is that IDS/IPS signatures and SIEM rules can be written to spot protocol anomalies and thwart exfiltration. Enter IPv6. Designed to address the growing number of network-connected devices, IPv6 expands the IP space from 32 bits to 128 bits. Now, with more addresses than stars in the universe (~1x10e24), providers are issuing trillions of routable addresses to their customers. By utilizing the unused space that will inevitably exist in most IPv6 networks, paired with the expanded protocol header fields, low data rate exfiltration becomes possible using only Layer 3 protocol headers with the added bonus of a low risk of detection.
-
15:00 | Patrick McNeil - The Right Way To Do Wrong: Physical security secrets of criminals and professionals alike
In 1905 Harry Houdini wrote his first book entitled “The Right Way to Do Wrong” wherein he divulged the lockpicking and other trade secrets of criminals. People make assumptions about how schemes work and believe them to be complicated, yet in many cases the insider knows how simple they are. Most people assume that besides tailgating and social engineering, real break-ins (or physical security testing) are all about picking locks. However, the secret is that on physical pentests it’s typically unnecessary to do that! Some physical controls have known bypasses, and some building contractors (or even locksmiths) don't implement things correctly. Just like Houdini, I’ll be divulging the simple tricks of the trade employed by both criminals and professional physical pentesters to bypass physical controls without using lockpicks. You may be shocked and amazed by what you see, and once you leave you'll be an insider too - seeing insecurity everywhere!
-
16:00 | (blame) Gabe Marshall - Making Alexa Do Your Dirty Work - Improving Your Toolkit with Serverless Computing
During Red Team engagements it is important to be able to quickly deploy resources (c2 infrastructure, payloads, phishing pretexts, etc) that are independent of each other in order to reduce the chances of getting detected simply by the attribution of related infrastructure. This typically also requires the procurement of established (categorized) domains which can be difficult to obtain.
On the other side of the fence, an Incident Response Team’s activity can be fingerprinted by attackers due to the observable patterns and reuse of scripted analysis tools.
This talk will demonstrate how the addition of serverless cloud computing can solve the aforementioned problems, and add an immediate benefit to an Infosec Practitioner's toolkit (both Red and Blue). Detailed examples will be provided (including source code) showing how serverless functions can be used to perform tasks like using nmap to scan a target, exploiting a SQLi vulnerability with sqlmap, automating malware analysis, and much more - all while avoiding the need to reuse (and maintain) long-term infrastructure.
-
17:00 | Closing Remarks and Awards