Welcome to Bsides Seattle 2020


Saturday, October 17
 

9:00am PDT

Keynote
Speakers
Jules Okafor

CEO, RevolutionCyber
Juliet Okafor, J.D., is a cybersecurity professional who has combined her knowledge of the legal system and cybersecurity solution models into success stories across Fortune 500 industries throughout the USA. Her ability to scope, plan and design the creation of an OT Cybersecurity...


Saturday October 17, 2020 9:00am - 9:55am PDT
Track A

10:00am PDT

Exploiting Bluetooth Low Energy 101
Bluetooth, especially Bluetooth Low Energy (BLE), has become the ubiquitous backbone that modern devices use to interact with each other. From mobile, to IoT, to Auto, most smart devices now support Bluetooth connections, meaning that this attack vector is becoming an increasingly necessary aspect of security testing. This talk will cover various phases of Bluetooth “hacking”, in relation to the communication between a BLE device and companion mobile application, with an emphasis on sniffing connections, spoofing targets, and exploiting services. Some BLE security research tools will be discussed, along with some recommendations for secure use of BLE in connected products.

Speakers

Saturday October 17, 2020 10:00am - 10:15am PDT
Track D

10:00am PDT

Airplane Mode: Cybersecurity @ 30,000+ Feet
Imagine being in charge of a system where you own the product. You do not own the software and the hardware is proprietary. You need to coordinate with multiple vendors for any updates or modifications and you’re under strict government regulation. By the way, the product has a lifespan of 20 - 30 years. Welcome to the world of aviation cybersecurity, where safety and security live together. At a high level, this presentation will cover what aviation cybersecurity is, the unique challenges it presents, and why the industry is captivating.

Speakers
Olivia Stella

Cybersecurity Engineer, Los Alamos National Lab
Olivia Stella is a cybersecurity engineer for Los Alamos National Lab. She has over ten years of experience in software development and information security. She previously worked on aviation cybersecurity & vulnerability management at American Airlines. Olivia also worked at Panasonic...


Saturday October 17, 2020 10:00am - 10:55am PDT
Track A

10:00am PDT

Trust: from Zero to Hero
Wouldn’t it be great if everyone behaved securely? Devs writing secure code, no one falling for phishing, people following security best practices with pleasure. A dream.

Today, our industry is not on the path to achieve that dream. We need to change our technology-first approach to a people-centric one based on trust to get back on track.

In this talk, we’ll talk about Security Culture, what trust is, and how to extend and inspire trust. We’ll follow almost exactly the same method that FBI hostage negotiators use day to day.

It doesn’t get more battle tested than that.


Saturday October 17, 2020 10:00am - 10:55am PDT
Track B

10:00am PDT

LockPick Village Live Session
Speakers

Saturday October 17, 2020 10:00am - 10:55am PDT
Track C

10:20am PDT

Brainjacking: Is it really you?
Neural devices are getting more and more popular. They are used to treat various illnesses or to counter disabilities. However... what would happen if they get compromised? This talk will provide a brief overview of neurotechnology, focused on possible impacts caused by lack of security.

Speakers

Saturday October 17, 2020 10:20am - 10:35am PDT
Track D

10:40am PDT

Building hacking tools: from developer to Red teamer
As a Red teamer trying to evade detection, using existing tools means the risk of being caught by the Blue team. At some point, one should start writing their own scripts and exploits. Sure, there are hundreds of hacking tools out in the wild, but would you risk being caught? In this talk, we outline the thought process of writing a couple of security tools to be used in Red team operations, such as a simple Windows keylogger and a cred scanner from git history, for any developers and students wanting to make their first jump into the not-so-dark side of offensive security.

Speakers
Khoa Nguyen

Security Software Engineer 2, Microsoft
Khoa Nguyen is a Security Software Engineer 2 on the SERPENT Red Team at Microsoft in EDG Security (Edge + Platform, Devices, and Gaming). As a Red teamer, she performs Red/Purple team assessments against software products and services in scope, as well as helps driving a few security...



Saturday October 17, 2020 10:40am - 10:55am PDT
Track D

11:00am PDT

See No Revil, Hear No Revil, Speak No Revil: Forecasting the Evil Known as Ransomware
Ransomware is an increasing threat that's difficult to defend against, especially when dealing with hundreds of different variants and threat actors who continuously deploy new techniques to get victims to pay up. But what if you could better predict what type of ransomware you're most likely to see? This talk will show you it's possible to weaponize the underground world against cybercriminals and become more proactive in blocking this growing threat. You'll learn what variants are popular, how to predict which variants will soon be dominating the media, and all about the criminal ecosystems that help ransomware flourish.

Speakers
Kelsey Helms

Lead Cyber Threat Intelligence Analyst, Target
Kelsey Helms is a cyber threat intelligence analyst and researcher for Target's cyber security team. Her work has concentrated on solution-focused research and behavioral trend analysis to help companies predict, preempt, and prepare for potential attacks. Helms received her BS in...


Saturday October 17, 2020 11:00am - 11:25am PDT
Track C

11:00am PDT

Micro-Agency, Mega-Adversary, Macro-Response
Federal "micro agencies" are small in size but big in many citizens' businesses and lives, including those that manage museums and libraries, oversee ecosystem restoration, and promote equal opportunity for those with disabilities. They often pool resources with larger agencies, have small IT environments, increasingly rely on cloud services, and their cybersecurity isn't always cutting edge. They may be smaller, but this is not to say that micro-agencies are not targeted by mega-attackers. We talk about one CISA incident response engagement at a small agency hit by a skilled adversary, and offer a look, a few warnings, and lessons learned.

Speakers
Ann Galchutt

HIRT Senior Engagement Lead, CISA
Ann Galchutt is a 16-year veteran of the federal government, having served at the Department of State, Foreign Service, and now at the Department of Homeland Security’s Cybersecurity and Infrastructure Security Agency (CISA). She is currently a senior Engagement Lead for the Hunt...


Saturday October 17, 2020 11:00am - 11:25am PDT
Track D

11:00am PDT

Red Team Handcuffs
Microsoft Red Teams try and emulate attackers as much as possible with how we do our activities, aiming to provide our respective Blue Teams with an adversary that emulates a real attacker well enough to earn a name on our periodic table.

For the most part this is achievable, however there are some tactics and techniques that attackers can do (and do use) that CDG SERPENT has challenges emulating. We will share what these attacks and challenges are, how we work around them, and what we are considering doing for the future. This will cover items like:
- Supply chain attacks that include a third-party compromise
- Compromises where the blast radius cannot be controlled
- Product compromises that would reach public consumers
- Attacks that would cause an extended service outage
- Etc.

This talk will offer specific examples of each type of attack that we wanted to do from the public space and how we replicated (or attempted to replicate) that attack internally. We will explain our thought process, how we made decisions, and what trade-offs we had to accept in the end to achieve our goals.

Speakers
Caleb McGary

Senior Software Security Engineer, Microsoft
I'm a member of the SERPENT Red Team at Microsoft servicing EDG (Edge, Devices, and Gaming). I enjoy coding, astronomy, and building new things.


Saturday October 17, 2020 11:00am - 11:55am PDT
Track A

11:00am PDT

MQTT: Tiny Protocol, Big Vulnerabilities
Have you ever wondered about how your IoT device talks to your phone? Or how industrial factories collect data from sensors? Odds are pretty good they use a tiny protocol called Message Queuing Telemetry Transport (MQTT). Join me as we learn more about this tiny protocol and discuss common implementations and vulnerabilities. Learn how to find open MQTT brokers using Shodan and then learn how to build your own internet scanner using Masscan and Nmap.

Speakers
Tracie Martin

Principal Security Engineer/Founder, DefendCon
Tracie Martin is a Principal Security Engineer at a really big book store. Previously she's worked in a variety of roles in various tech companies such as Google, Microsoft and Twitter. She is passionate about making security accessible and approachable to everyone and changing the...


Saturday October 17, 2020 11:00am - 11:55am PDT
Track B

11:30am PDT

Introduction to PCB Analysis & Hardware Reverse Engineering
In today’s technological landscape, there exists a concept called the chain of trust. The user trusts that the software is secure while the software is designed with an assumption that the underlying hardware platform is stable, secure, and immutable, and locked away somewhere that’s far from prying eyes.

When we’re pen-testing most applications, we’re also oftentimes abstracted away from any of the complexities of the underlying hardware. However, sometimes we have to “peel back” the layers of simplification and abstraction that have been created in order to challenge some of these underlying assumptions.

But what is this green fiberglass board with black rectangles covering portions of it? How do I even begin to understand its functionality? In this talk, a senior Deja vu Security consultant will guide you through the journey of reverse-engineering a Printed Circuit Board (PCB) to understand its functionality. We will also be going through common mistakes made when designing a PCB and the associated security impact.

Speakers
Atanas Kirilov

Security Specialist, Deja vu Security @ Accenture
I've been a penetration tester for almost 5 years, and a security developer for 2 years before that. I consider myself a generalist, but my main focus is in native, hardware, and crypto. I also do more web than I'd like to admit. Outside of work, I'm a co-founder of a DEFCON party...


Saturday October 17, 2020 11:30am - 11:55am PDT
Track C

11:30am PDT

FreeIPA: Attacking the Active Directory of Linux
FreeIPA is the open source answer to Active Directory, bringing the functionality of Kerberos and centralized management to the unix world. This talk will dive into the background of FreeIPA, how to attack it, and its parallels to traditional Active Directory. We will cover the FreeIPA equivalents of credential abuse, discovery, and lateral movement, highlighting the similarities and differences from traditional Active Directory tradecraft. This will culminate in multiple real-world demos showing how chains of abuse, previously accessible only in Windows environments, are now possible in the unix realm, providing a new medium for offensive research into Kerberos and LDAP environments.

Speakers

Saturday October 17, 2020 11:30am - 11:55am PDT
Track D

12:00pm PDT

Cheap Shot: Hunting Low-Cost Attacker Infrastructure
At the end of the day our attackers are human and love a cheap domain, familiar tool, or free service. This talk will quickly look at the prevalence of low-cost attacker infrastructure in the threat landscape and how to implement controls around top-level domain filtering to help cut down on classes of threats from a higher level than individual IOCs. Additionally, this will call attention to the lack of industry tooling and publicly available research into domain registrar reputation tracking and TLD filtering.

Speakers

Saturday October 17, 2020 12:00pm - 12:25pm PDT
Track D

12:00pm PDT

Lunch and Connecting
Saturday October 17, 2020 12:00pm - 1:00pm PDT
Track A

12:00pm PDT

Lunch and Connecting
Saturday October 17, 2020 12:00pm - 1:00pm PDT
Track B

12:00pm PDT

Lunch and Connecting
Saturday October 17, 2020 12:00pm - 1:00pm PDT
Track C

12:30pm PDT

How to Render Ransomware Detection and EDR Products Blind?
Remember WannaCry - the ransomware attack that two years ago infected Windows devices across 150 countries and resulted in an estimated damage of $4B? What is often forgotten is that WannaCry was completely preventable. Microsoft had issued a patch two months prior to the attack. If you think WannaCry was bad, how about a technique that organizations do not have any protection from?

This talk will cover a Windows evasion technique called “RIPlace” that, when used to maliciously alter files, bypasses most existing ransomware protection technologies. In fact, even Endpoint Detection and Response (EDR) products are blind to this technique, which means these operations will not be visible for future incident response and investigation purposes.

The technique leverages an issue at the boundary between a Windows design flaw and improper error handling of an edge-case scenario by filter drivers of security products. While not a vulnerability per se, the technique is extremely easy for malicious actors to take advantage of with barely two lines of code. RIPlace abuses the way file rename operations are (mis)handled using a legacy Windows function.

I will review existing ransomware detection methods, the workflow of a typical ransomware and provide a live demo of RIPlace bypassing a number of anti-ransomware technologies. Finally, I will share a ransomware testing tool we are releasing for the community to play with.

Speakers
Rene Kolga

Head of Product, Nyotron


Saturday October 17, 2020 12:30pm - 12:55pm PDT
Track D

1:00pm PDT

ZeroTrusting Serverless Applications: Protecting Microservices using Secure Design Patterns
Serverless applications are the latest trend that is disrupting the world of microservices. Microservices enable developers to move faster with continuous delivery and deployment of large, enterprise applications. They offer loose coupling through modularity, scalability and fault isolation and resiliency from a security perspective. However, the resulting distributed systems are often complex with a large attack surface, making traditional security assessments difficult. Tasks such as security design review, threat modeling, security code reviews and especially security testing become challenging due to the overall scope of feature deployment spanned across multiple services and domains and the speed at which these are deployed. Therefore, if security is not baked into the design and architecture, the applications are susceptible to a variety of security attacks.

The main purpose of this presentation is to discuss the common security pitfalls associated with serverless application variants such as “Backend-as-a-Service” (BaaS) or “Functions-as-a-service” (FaaS). The talk will also discuss microservices architecture and design in order to analyze how certain aspects of security are achievable at scale through these patterns.

The target audience for this talk is security engineers, security architects, software development engineers and managers, and anyone who is involved in designing and deploying the end to end applications based on microservices oriented architecture. The attendees will walk away with a general understanding of security issues related to serverless applications and a framework to mitigate residual risk challenges through secure design patterns.

Speakers
Trupti Shiralkar

Principal Application Security Engineer, Illumio
Trupti Shiralkar is a Principal Application Security Engineer at the world’s most customer-centric security company Illumio. She has a strong passion for security and privacy and believes in influencing security by creating a mutual win for all involved parties. She enjoys diving...


Saturday October 17, 2020 1:00pm - 1:55pm PDT
Track A

1:00pm PDT

Anti-Checklist Culture: Building a Useful Security Compliance Program
Speakers
Luka Trbojevic

GRC, HashiCorp
Started playing with computers as early as I can remember. Been doing security and compliance (regulatory and non-regulatory) for the past 5 years. Before then, I did everything from run experiments in the lab to hosting websites/gameservers and playing around with bug bounties...


Saturday October 17, 2020 1:00pm - 1:55pm PDT
Track B

1:00pm PDT

Peek Inside the Pelicans - What Gear Do Covert Entry Teams Take on the Road?
Deviant, by dint of living locally, brings out some of the Pelican cases that he and the rest of his covert entry team from The CORE Group bring with them on physical assessment jobs and we can all walk through the contents of cases with names like "Field Gear", "Social Engineering", and - of course - "Penetration".

Speakers
Deviant Ollam

Red Team Alliance
While paying the bills as a physical penetration specialist with The CORE Group and the Director of Education for Red Team Alliance, Deviant Ollam is also a member of the Board of Directors of the US division of TOOOL, The Open Organisation Of Lockpickers. His books Practical Lock...


Saturday October 17, 2020 1:00pm - 1:55pm PDT
Track C

2:00pm PDT

Y'all Tryna Understand Azure AD and RBAC or Nah?
Azure roles and relationships are complex. Managing Azure AD permissions can be complicated and is often misunderstood by administrators. In addition, management of Role-Based Access Controls can complicate things further and misconfigurations usually lead to unintended consequences. This talk will discuss Azure AD, Azure RBAC, and how to interpret the relationships between them. There will also be a demonstration of Stormspotter, a tool written by the Azure Red Team that helps visualize these relationships from an attack and defense perspective.

Speakers
Leron Gray

Security Software Engineer, Microsoft
Leron (aka daddycocoaman) is a ten year Navy veteran and former NSA operator with several years of offensive security experience. He currently works on the Azure Red Team at Microsoft, loves winning all the CTFs, and enjoys writing things in Python and Python-like languages. He's...


Saturday October 17, 2020 2:00pm - 2:55pm PDT
Track A

2:00pm PDT

Hiding In The Clouds: How Attackers Can Use Applications Consent for Sustained Persistence and How To Find It
Applications are modernizing. With that, the way permissions for these applications are granted is also changing. These new changes can allow an attacker to have sustained persistence in plain sight if we don’t understand how these work and where to look. What’s the difference if an application has permissions or an application has delegated permissions? Why did that admin account consent to that application, should I be worried? Is that application overprivileged? I have thousands of apps, how do I account for this? In this session we will look to demystify and bring clarity to these questions. You’ll understand these new application models and how they can be abused for sustained persistence, how these permissions work and what overprivileged looks like and finally, how to find them in your environment.

Speakers
Mark Morowczynski

Principal Program Manager, Microsoft
Mark Morowczynski (@markmorow) is a Principal Program Manager on the customer success team in the Microsoft Identity division. He spends most of his time working with customers on their deployments of Azure Active Directory. Previously he was Premier Field Engineer supporting Active...


Saturday October 17, 2020 2:00pm - 2:55pm PDT
Track B

2:00pm PDT

LockPick Village Live Session
Speakers
Matt Burrough

Sr. Penetration Tester, Microsoft
Matt Burrough is a senior penetration tester on a corporate red team, where he assesses the security of cloud computing services and internal systems. He is also the author of the book Pentesting Azure Applications (No Starch Press). Matt holds a bachelor’s degree in networking...


Saturday October 17, 2020 2:00pm - 3:55pm PDT
Track C

3:00pm PDT

We went to Iowa, and all we have to show for it is this felony arrest record
It’s 3:00 pm and we’ve been sitting in jail for about 14 hours. I finally get a hold of my director only to be told our customer has disavowed us and has “lawyered up”.

From the scoping call of the engagement to charges finally being dropped we will take you through, step by step, our point of view of what happened in the Dallas County, Iowa incident, lessons learned, mistakes that were made (not by us) and things we hope are changed due to the “incident”.


Saturday October 17, 2020 3:00pm - 3:55pm PDT
Track A

3:00pm PDT

Kubernetes Practical Attack and Defense
Learn to attack and defend the container orchestration system, Kubernetes, in this demo-heavy, Avengers-themed talk. As one of the hottest open source projects in history, Kubernetes is no longer the primary realm of west coast technology firms. A tremendous number of companies' engineering teams have begun running clusters. Information security professionals and DevOps engineers both need to understand the attacks and defenses against Kubernetes clusters, microservice-based applications and cloud environments. In this talk, we'll demonstrate Kubernetes attacks against the open source Bust-a-Kube cluster. We'll break the attacks with a host of defensive technologies, including configuration hardening, open source admission controllers and multiple competing container security tools. Every tool we use for attack or defense is freely available. We'll perform our attacks manually, but also demonstrate a free tool, Peirates, that automates a portion of these attacks. Come learn to attack and defend Kubernetes!

Speakers
Jay Beale

CTO, InGuardians
Jay Beale works on Kubernetes and cloud native security, both as a professional threat actor and as a member of the Kubernetes project, where he previously co-led the Security Audit working group. He's the architect of the Peirates attack tool for Kubernetes, as well as of the @Bustakube...


Saturday October 17, 2020 3:00pm - 3:55pm PDT
Track B

4:00pm PDT

Closing Ceremonies
Speakers
Josh Michaels

Bsides Seattle, Founder
Josh Michaels founded Bsides Seattle to provide a space for the Seattle Security community. He's driven to creating and nurturing spaces where humans can come together to share ideas, get excited by new concepts, and hear from new voices. The only way we change is by continuing...


Saturday October 17, 2020 4:00pm - 4:45pm PDT
Track A