Saturday October 5th

C3X - The Experience

Ahmed Imran

Experience of C3X 2018 Genesis as a student who participated and won. Experience of C3X 2019 Red Forest volunteer. The journey, how we planned, what we realized, how we adapted, how we moved forward, and what I learned as both a participant and as a volunteer.

Beyond Logs: Why it's an exciting time to be a defender

Anton Ovrutsky

The talk will provide a high-level overview of some newer and perhaps overlooked defensive security tooling that has recently been released. Splunk/Elastic SIEM, Sysmon, KAPE, Moloch and BloodHound will be some of the tooling covered. An overview will be provided into what these tools do and how defenders can quickly extract defensive value from them.

Front-end Web servers: The smuggling corridor

Anuj Mistry

Web app penetration test? Yes. Run tests against server? Yes. Test for client side attacks? Yes. Test for a front-end server? What?

Yes, while performing penetration tests on web applications, all focus is usually on the client and the server. However, most modern deployments have an intermediate HTTP entity such as proxy server, cache server, WAF, load balancer, SSL termination server, etc. See how these can be used to smuggle specifically crafted HTTP requests to the target web server.

Evasive Malware Techniques and What We Can Do About Them

Brandon Mesquita

Working with a sandbox has led to delving into malware samples that are known to be malicious but just don't exhibit certain or all behaviors. We'll cover several of these evasion techniques from the simple to specific, and what defenders can do to avoid or encourage their detection.

Deception - Your Secret Ally

Harish Ramadoss, Bhadresh Patel

This talk aims to provide the necessary background knowledge of deception to improve network defense and then dive deep into understanding the efficient deployment of deception along with strategizing this from an offensive mindset. Attendees will learn how to set different set of decoys and detect attack vectors like LLMNR Poisoning, Bloodhound/Domain Enumeration, password spray, pass the hash, Kerberoast, data exfiltration, network enumeration/port scans and attacks on AWS infrastructure.

Inhumane: Making Security Hard on Criminals, Easy on Everyone Else

J Wolfgang Goerlich

Security happens where man meets machine. Or, fails to happen, as we see all too often. But perhaps, we’ve been placing the blame on the wrong places. What exactly happens where people and technology meet? Could we design a better experience, design a better outcome, design a better path to the future? This session explores these questions and identifies lessons the cyber security field can learn from industrial design.

Application Pentesting in 2019: APIs in the Cloud!

Jamie Baxter

As monotholic PHP scripts and beloved pet servers of old have given way to todays cloud-based single page applications built on mature frameworks, microservice APIs, and ephemeral servers, we’ve seen entire vulnerability classes fade away. Yet complexity remains the antithesis of security and in many ways the attack surface of modern cloud-based applications are as extensive as ever. In this talk we’ll a take tour through a API assessment based on aggregate real world experience, highlighting emerging vulnerability classes and how cloud deployment has put a new spin on old ones.

Security Controls are Beside the Point

Jason Murray

Cyber security programs have for years focused on controls and compliance. But attackers don't care about your PCI compliance, and your staff don't like controls. Controls are necessary but not sufficient. In this talk we'll discuss a few other facets of your cyber security program: threat, risk, variance, capability, maturity.

Adventures in Obfuscated Mobile Adware

Kristina Balaam

As official app stores like the Google Play Store increase security measures to prevent adware from targeting its users, developers are relying on more sophisticated techniques for hiding their malicious functionality and monopolizing on the profitable out-of-app ad revenue stream. We'll look one publicly traded company's attempt to circumvent app store antivirus detections as a case study on the increase of sophisticated Adware in the mobile device ecosystem. We’ll discuss how they managed to bypass stringent security checks and the aftermath of their unveiling.

C Sharp Run

Lee Kagan

The PowerShell bubble has burst. With offensive use going down and detections and defences rising, the need for an alternative means to operate offensively against Windows environments is well underway and a big part of that is due to C# and .NET. In this presentation, [the speaker] will take the audience through rise of weaponized C#. From well known toolkits to ideas and struggles for defenders, inner workings of the technology itself and where it may be heading in the long run.

Sunday October 6th

Lessons Learned from a Digital Badge Maker

David Schwartzberg

Hacker and maker Con badges have evolved beyond the laser printout of a name on a piece of paper in a plastic sheath. Art has evolved into a multi-dimensional visual and intellectual experience. Going from idea to badge can be daunting. Heal will be providing an overview of his lessons learned making the Hak4Kidz Cryptex badge for 2019. In addition to going over how to actually build and prototype your badge, we’ll also touch on the soft skills required to actually make it through the mass production process. Makers curious about creating a badge, this talk is for you.

You Shared What? Seriously?!

Don Mallory, Bronwyn Mallory

This is that conversation which needs to happen between a parent and their teenage child about the challenges of growing up in an increasingly connected world. We will discuss many privacy and security related decisions and experiences, and the differing perspectives on each. The reality is we don’t know all we think we know - and neither do our teens.

From Novice to Apprentice: How to start participating in Capture the Flag events

Christine McGarry

Capture the Flag (CTF) events are competitions where security professionals can hone their skills but they can also be intimidating to people early in their career. If you’ve never played in CTF events because you believe you don’t have the skills to play then this is for you. The talk will start by dispelling myths about CTFs. I will share how you can prepare your toolbox for a CTF and what to expect at the event, including a live demo! The talk concludes with an overview of why playing CTFs will benefit you regardless of your career level.

Inside DataSpii: the catastrophic data leak impacting millions of web users

Sam Jadali

DataSpii leaked sensitive personal, corporate, and government data on a catastrophic scale. We dive into the DataSpii players, the evasion measures used to thwart detection, and provide video of how it occurred. We explain how the extensions collected sensitive data from the internal networks of major cybersecurity companies. Using available toolsets, we analyze the obfuscation methods, data points, and infrastructure to ascertain the flow of data. Finally, we discuss what you can do to protect your data.

The Mechanics of Malware’s Darkside

Yagneshwaran, Laura Harris

This presentation will introduce the basics steps of carrying out static and dynamic analysis on malware using disassemblers, debuggers, and amongst other tools. Diving into the dark waters of dissecting malware will allow the audience to understand how to disassemble malware, identify key strings and process, and track the behavioral triggers once placed in a sandbox. It also highlights the limitation of static analysis and hints at the next phases of analyzing an obfuscated malware. The audience will be able to develop basic SNORT and YARA rules based on the information shared.