BSidesSF 2019: Full Schedule

9:00am PST

Monitoring Minimum Viable Security via osquery on Mac, Windows, Linux, and Containers

Limited Capacity full

TO REGISTER FOR THIS WORKSHOP, GO HERE. NOTE THAT SPACE IS VERY LIMITED.

In this workshop, we will learn how to use osquery in a variety of environments and then use it to solve problems security teams everywhere have.

Required: One or more PC or VM running Mac, Windows, or Linux with Chrome installed as well as osquery installed. If osquery is not installed, do not worry; we will start the workshop with instructions on how to do that, and for Linux, we will provide a virtual appliance you can import. Be aware that we will centralize some of the osquery logs we generate, so we ask that you do not use a personal computer with your real data on it, unless you agree with other students being able to see the output of your queries.

In this workshop, we will understand how osquery is deployed, look at the way many companies get successfully attacked, monitor our systems for these issues, implement a fix, and check that it was implemented properly with osquery. We will also look at how osquery extensions can allow us to manage our systems in a more proactive way, by writing to them instead of just querying them.

If you have to manage endpoints in an environment that includes Mac, Linux, Windows, and even Docker containers, this workshop is a great way to learn about ways to manage security homogeneously, on an heterogenous environment.

Speakers

Guillaume Ross

Guillaume has worked as a manager of blue teams, as a security consultant, and way before that as an enterprise IT person focused on endpoints. Having worked for startups to fortune50, he knows how to build a security program, but having had to do the work, he also dislikes doing... Read More →

Saturday March 2, 2019 9:00am - 11:45am PST
Splunk HQ

Workshop

9:00am PST

Practical Threat Modeling

Limited Capacity full

TO REGISTER FOR THIS WORKSHOP, GO HERE. NOTE THAT SPACE IS VERY LIMITED.

As software engineers and security practitioners working within software companies, threat modeling is one of the most important parts of the work that we do, no matter the size or sophistication of our organizations. Whether we’re having an informal chat with a colleague over coffee or we’re part of a team writing a report that formally analyzes a large and complex system, one of our most important functions is helping company leadership understand what the security threats facing our systems are and prioritize addressing them.

Many threat modeling methodologies have been developed over the years. The one I will present here was originally developed at Akamai, specifically for security teams in cloud software companies, who need to build safe systems which run big chunks of the modern Internet and provide fast, correct answers during outages affecting people around the globe. Such threat models need to be fast to create, correct to reason about, and easy to communicate, even to engineers and management who have deep knowledge of their systems and people but not necessarily specific expertise in security or a particular threat modeling framework.

To do this, we describe the system with a system diagram, and then answer four questions about it:
• Principals: Who cares about it?
• Goals: What is it supposed to do?
• Adversities: What bad things can happen to it? (Both by accident and by design.)
• Invariants: What must be true about the system so that the system can still accomplish its goals, despite those adversities?

(I creatively refer to this rubric as the “Principals–Goals–Adversities–Invariants rubric.”)

More here: https://increment.com/security/approachable-threat-modeling/

In this workshop, I will teach you how to understand your systems in this framework and apply it in a variety of contexts inside a software organization to communicate, collaborate, and prioritize in a variety of hands-on exercises.

Requirements:
• Pre-reading: https://increment.com/security/approachable-threat-modeling/
• Create & bring a system diagram like the ones in the article for a system you know well. (You don’t need to threat model it, you’ll do that together in class, just bring the diagram. Obviously don’t include any confidential information!)

Speakers

Kevin Riggle

Kevin Riggle works in security at Lyft and lives in San Francisco. When he’s not trying to keep people safe on the internet, he enjoys hiking and gluten-free baking.

Saturday March 2, 2019 9:00am - 11:45am PST
Splunk HQ

Workshop

9:00am PST

Reverse Engineering Mobile Apps

Limited Capacity full

TO REGISTER FOR THIS WORKSHOP, GO HERE. NOTE THAT SPACE IS VERY LIMITED.

Learn how to extract, unpack, analyze, and modify Android apps (and some iOS apps) in a fun, CTF-style hands-on workshop. Topics include password exposure in network traffic, logs, and local storage; certificate verification flaws; keylogging; MDM systems; and cryptography errors.

We will use real commercial apps as targets, including apps from Schwab, Citi, Harvard, IBM, TD Ameritrade, and Stitcher. All vulnerabilities were responsibly disclosed years ago (and mostly ignored).

No coding experience is required.

Speakers

Sam Bowne

Professor, City College San Francisco

Sam Bowne has been teaching computer networking and security classes at City College San Francisco since 2000. He has given talks and hands-on training at DEF CON, DEF CON China, Black Hat USA, HOPE, BSidesSF, BSidesLV, RSA, and many other conferences and colleges.

Saturday March 2, 2019 9:00am - 11:45am PST
Splunk HQ

Workshop

9:00am PST

Using the Secrets of Behavioral Science to Influence Security

Limited Capacity full

TO REGISTER FOR THIS WORKSHOP, GO HERE. NOTE THAT SPACE IS VERY LIMITED.

Today’s tools that are available to security teams to engage and enable their employees to reduce this risk are simply inadequate and not up to the task. Quarterly or annual one size fits all training with repeated reminders and warnings leave employees feeling uncomfortably numb.

By leveraging the latest advances in behavioral science, we can better understand why employees make the decisions they do and how to influence these actions to make employees and organizations more secure.

This course will allow participants to define what security culture means for their organization and understand what key behaviors to focus on for maximum impact. We will then look at why humans are terrible at making risky decisions and what security teams can do about it. Finally, we will share the dark arts of behavioral science techniques to help security practitioners influence security behaviors across their organizations.

This course is for any security practitioners who care about making humans a key part of defending their organizations.

Speakers

Megan Caldwell

Megan Caldwell is the current Director of Customer Success for Elevate Security. She has spent the last five years working directly with customers to implement, scale and measure behavior change in the health and security fields. Previous to her work in behavior change startups she... Read More →

Robert Fly

Robert Fly is co-founder and CEO of Elevate Security. Prior to Elevate Security, Robert was an executive advisor for several security startups and built and led security and engineering teams at Salesforce and Microsoft for 17 years. He holds more than a dozen patents in security... Read More →

Masha Sedova

Co-Founder, Elevate Security

Masha Sedova is an industry-recognized people-security expert, speaker, and trainer focused on engaging people to be key elements of secure organizations. She is the co-founder of Elevate Security delivering the first people-centric security platform that leverages behavioral-science... Read More →

Bsides Workshop pptx

Saturday March 2, 2019 9:00am - 11:45am PST
Splunk HQ

Workshop

12:30pm PST

Building Secure APIs and Web Applications

Limited Capacity full

TO REGISTER FOR THIS WORKSHOP, GO HERE. NOTE THAT SPACE IS VERY LIMITED.

The major cause of API and web application insecurity is insecure software development practices. This highly intensive and interactive course provides essential application security training for web application and API developers and architects.

The class is a combination of lecture, security testing demonstration, and code review. Students will learn the most common threats against applications. More importantly, students will learn how to code secure web solutions via defense-based code samples.

As part of this course, we will explore the use of third-party security libraries and frameworks to speed and standardize secure development. We will highlight production quality and scalable controls from various languages and frameworks. This course will include secure coding information for Java, PHP, Python, Javascript, and .NET programmers, but any software developer building web applications and webservices will benefit.

Student Requirements: Familiarity with the technical details of building web applications and web services from a software engineering point of view.

Speakers

Jim Manico

Founder, Manicode Security

Jim Manico is the founder of Manicode Security, where he trains software developers on secure coding and security engineering. He is also an investor/advisor for 10Security, Aiya, MergeBase, Nucleus Security, KSOC, and Inspectiv. Jim is a frequent speaker on secure software practices... Read More →

Jimmy Mesta

CTO, Manicode Security

Jimmy Mesta is an application security leader that has been involved in Information Security for nearly 10 years. He is the chapter leader of OWASP Santa Barbara and co-organizer of the AppSec California security conference. Jimmy has spent time on both the offense and defense side... Read More →

Saturday March 2, 2019 12:30pm - 6:00pm PST
Splunk HQ

Workshop

12:30pm PST

RFID Hacking

Limited Capacity full

TO REGISTER FOR THIS WORKSHOP, GO HERE. NOTE THAT SPACE IS VERY LIMITED.

This training will cover the basics of RFID, provide hands on labs using
Proxmark3 devices, and provide a fun environment for attendees to learn about
different RFID communication protocol attacks. Upon completion of the training,
students will:
• understand the technologies involved in RFID
• be able to perform clones of prox RFID
• be able to reverse engineer unknown prox formats
• be able to clone vulnerable ISO/IEC 14443 RFID
• be familiar with the use of the proxmark tool/hardware

Speakers

Valentin Leon

Technical Director, NCC Group

Valentin Leon is a Technical Director and has been with NCC Group for 5 years, performing penetration testing for a broad range of clients and technologies. Valentin leads engagements testing web applications of varying backends including .Net, Java, C/C++, and Python; internal and... Read More →

Saturday March 2, 2019 12:30pm - 6:00pm PST
Splunk HQ

Workshop

12:30pm PST

Spy Hunter: Reversing Your First Android Surveillanceware

Limited Capacity full

TO REGISTER FOR THIS WORKSHOP, GO HERE. NOTE THAT SPACE IS VERY LIMITED.

This long-format workshop will provide a solid foundation in Android malware analysis. Attendees will be given an overview of important Android application components, introduced to open-source tools that are most useful for analyzing potentially malicious applications, and learn the best areas of an application to search for clues as to its malicious nature.

Throughout the workshop, we'll work on analyzing an interesting surveillanceware app through static and dynamic analysis with tools like APKTool, Dex2Jar, JD-GUI and Wireshark. We'll talk about ways to differentiate trojanized applications from benign, how to find mobile malware samples in the wild, and some additional resources for continued learning.

No prior reversing knowledge is required. Attendees should be relatively familiar with the command line and looking at code — even if it's not Java. A laptop capable of running a virtual machine is necessary.

Speakers

Kristina Balaam

Security Intelligence Engineer, Lookout

Kristina is a Security Intelligence Engineer at Lookout where she researches and reverse engineers malicious Android and iOS applications. Prior to Lookout, she was responsible for Android application security at Shopify. Kristina graduated with a Bachelor of Computer Science from... Read More →

Saturday March 2, 2019 12:30pm - 6:00pm PST
Splunk HQ

Workshop

12:30pm PST

Using Open Source Log Aggregation Tools to Improve Enterprise Security

Limited Capacity full

TO REGISTER FOR THIS WORKSHOP, GO HERE. NOTE THAT SPACE IS VERY LIMITED.

Securing the enterprise is a demanding task that requires a complete understanding of the infrastructure and its running services. To uncover signs of compromise, it is first necessary to know what normal activity looks like. Almost all services make use of some type of logging function with the vast majority of logs adhering to RFC 5424 or the Syslog protocol. Centralizing log analysis functions opens new opportunities for cross-referencing and analyzing data.

Log aggregation tools are available from a variety of vendors and are critical in presenting data in a timely and usable manner. With proper planning, log aggregation tools can be configured to track critical infrastructure activity and provide alerting when anomalies indicative of compromise are detected. Log analysis can be used to detect malicious login attempts, device compromise, data exfiltration, unexpected network traffic, unauthorized file changes, rogue application installations, and more.

This course will provide students with hands-on development of practical, real-world log aggregation, analysis, and alerting skills that they can take back to their jobs, massage, and implement in their environments. We will use real world scenarios and provide virtual machines, instruction, and workable demos that students can take with them.

Students should have basic Linux & Windows familiarity and be able to do basic virtual machine manipulation. We will provide all materials via AWS. Students will need laptops.

Speakers

Lennart Koopmann

Founder, Graylog, Inc.

Lennart founded the Graylog project in 2009 and has since then worked with many organizations on log management and security-related projects. He has extensive background in software development and architecture. His skills include Java, Ruby, Ruby On Rails, PHP, MySQL, MongoDB, and... Read More →

Jim Nitterauer

Director Information Security, Graylog, Inc.

Currently a Senior Security Specialist at AppRiver, LLC., his team is responsible for global network deployments and manages the SecureSurf DNS infrastructure and the SecureTide spam & virus filtering platform, internal applications and security operations. He holds a CISSP certification... Read More →

Saturday March 2, 2019 12:30pm - 6:00pm PST
Splunk HQ

Workshop

9:00am PST

Breakfast

Sponsors

Bugcrowd

Segment

Sunday March 3, 2019 9:00am - 10:00am PST
General

Food & Drink

9:00am PST

Coffee

Sunday March 3, 2019 9:00am - 4:00pm PST
Sponsors Area

Food & Drink

9:00am PST

Capture The Flag

Our CTF (Capture The Flag) competition will be running from 9am Sunday till 5pm Monday. It'll have a range of challenges at all difficulty levels, and we'll have folks on-site in the CTF room for hints and guidance. Everyone is welcome! Individuals, teams, or whatever! Bring your laptop!

The server will be available for the full duration of the conference, including overnight, and anyone is allowed to play and help. Note that at least one player must be on-site to claim your prize, though!

Sponsors

Facebook

Sunday March 3, 2019 9:00am - 5:00pm PST
General

CTF

9:00am PST

Sponsor Lounge

Sunday March 3, 2019 9:00am - 5:00pm PST
Sponsors Area

Sponsor Lounge

9:00am PST

Crypto & Privacy Village

New this year! Learn how to secure your own systems while also picking up tips and tricks on how to break classical and modern encryption at the Crypto & Privacy Village. The village features workshops and talks on a wide range of crypto and privacy topics as well crypto-related games and puzzles and a key-signing party.

Villagers

Crypto & Privacy Village

Sponsors

F-Secure

Veracode

Sunday March 3, 2019 9:00am - 5:00pm PST
Villages

Village

9:00am PST

IoT Village

Organized by security consulting and research firm Independent Security Evaluators (ISE), the IoT Village delivers advocacy for and expertise on security advancements in Internet of Things (IoT) devices. The IoT Village features talks given by expert security researchers who dissect real-world exploits and vulnerabilities as well as hacking contests with off-the-shelf IoT devices.
Note: Limited lab stations will be provided so bring your own laptop if you can.

Villagers

Independent Security Evaluators (ISE)

Sponsors

F-Secure

Veracode

Sunday March 3, 2019 9:00am - 5:00pm PST
Villages

Village

9:00am PST

Living Security Escape Room

SIGN UP TO PARTICIPATE AT https://www.eventbrite.com/e/bsidessf-security-escape-room-presented-by-living-security-tickets-56370646120

This isn’t your ordinary escape room. The only way to escape the Living Security Escape Room is by using your security knowledge and skills to solve different challenges and puzzles. Expect to learn, meet new people in a game setting, and have fun! Note: The Escape Room runs with a maximum of eight participants and minimum of four. See https://www.livingsecurity.com/escape-room/ for more information.

Villagers

Living Security

Sponsors

F-Secure

Veracode

Sunday March 3, 2019 9:00am - 5:00pm PST
Villages

Village

9:00am PST

Lockpick Village

Lockpick Extreme and TOOOL SF are back once again hosting Lockpick Village. Learn to lockpick from the TOOOL SF volunteers or practice what you already know with their assortment of locks and picks. When you’re done you can shop the Lockpick Extreme pop-up shop and take your new hobby home with you.

Villagers

Lockpick Extreme

TOOOL SF

Sponsors

F-Secure

Veracode

Sunday March 3, 2019 9:00am - 5:00pm PST
Villages

Village

9:00am PST

Spymaster Challenge

Join Cisco’s CSIRT for the Spymaster Challenge and see how your lockpicking skills stack up against the other participants. Through the challenge you’ll role play your escape as a captured spy and navigate a timed course consisting of a series of locks of varying levels of difficulty.

Villagers

Cisco CSIRT

Sponsors

F-Secure

Veracode

Sunday March 3, 2019 9:00am - 5:00pm PST
Villages

Village

9:00am PST

Registration

Sunday March 3, 2019 9:00am - 5:30pm PST
General

General

9:00am PST

Bar

Sponsors

Paranoids at Verizon Media

Sunday March 3, 2019 9:00am - 6:30pm PST
Bar

Food & Drink

9:00am PST

Info Desk

Sunday March 3, 2019 9:00am - 6:30pm PST
General

General

9:00am PST

Coat Check

Sunday March 3, 2019 9:00am - 10:00pm PST
Coat Check

Coat Check

10:00am PST

Opening Remarks

Speakers

Reed Loden

Sunday March 3, 2019 10:00am - 10:15am PST
IMAX

Keynote

10:15am PST

The Path to Infosec Is Not Always Linear

For some, the path to infosec starts in a lecture hall-- for Rachel it started in a glass booth hacking live in front of 400 people. Join Rachel as she walks through her nonlinear path to infosec from her background in neuroscience to the rat lab, through teaching to UX research, through live hacking to starting her own company in the field. You’ll hear tales from the glass booth, lessons she learned along the way, and insights from other non-traditional journeys to information security.

Speakers

Rachel Tobac

Rachel is the CEO of SocialProof Security where she helps people and companies keep their data safe by training and pentesting them on social engineering risks. Rachel was also a winner of DEF CON's wild spectator sport, the Social Engineering Capture the Flag contest, 3 years in... Read More →

Sunday March 3, 2019 10:15am - 10:50am PST
IMAX

Keynote

11:00am PST

How to Build an Application Security Program

Do you need to start or revamp your application security program?

I have spent the majority of my 20-year career helping government agencies, public companies and now a startup build out application security programs. In this discussion, I will talk about what has worked for me, what has not worked and things you should absolutely *never* do.

Speakers

Jerry Gamblin

¯\_(ツ)_/¯, Kenna Security

HowToBuildAnApplicationProgram pdf

Sunday March 3, 2019 11:00am - 11:30am PST
City View

Track: City View, Talk

11:00am PST

Lyft Cartography: Automating Security Visibility and Democratization

Lyft Security Intelligence team mission is to "Empower the company to make informed and automated security decisions." To achieve our mission, we invested in our cartography capabilities that aim at keeping track of our assets but most importantly, the relationship and interaction between them.

The talk provides insight on an intelligence service solution implemented by Lyft Security Intelligence team to tackle knowledge consolidation and improve decision making. Attendees of this session will be introduced to the platform we implemented along with a broad set of scenarios that allow us to burndown security debt, detect assumptions drift, and enable teams to explore their service and environment. Furthermore, Lyft will release the platform to the open source community as part of the conference and provide details on how it can be extended to adapt to each need.

Speakers

Sacha Faust

Manager, Product Security, Lyft

Sacha Faust is the engineering manager for Lyft's Security Intelligence team and previously led the Microsoft Cloud + Enterprise (C+E) Red Team. His mission is to empower organizations to make informed and automated security decisions through democratizing and automating security... Read More →

Sunday March 3, 2019 11:00am - 11:30am PST
IMAX

Track: IMAX, Talk

11:00am PST

Self Care for Security Professionals

A career in security is part of a larger phenomenon called life. The work we do can be so all-encompassing that it can be easy to forget to take care of one's body and one's spirit.

In my career I've traveled the world to speak at security conferences, published a popular textbook, and written the security policies that enabled a company to go public. On the outside it usually looks pretty sunny, but on the inside it's been a mixed bag.

Life happens, and so does anxiety, depression, burn-out, alcoholism, marriage, divorce, medication, therapy, pregnancy, birth, death, etc.

In this session, I'll talk about the strategies I've tried and the various successes (and failures) I've had with managing my mental health. I hope that by sharing my story I can offer empathy and advice to others who may be struggling beneath the surface.

Speakers

Caroline Wong

Caroline’s close and practical information security knowledge stems from broad experience as a Cigital consultant, a Symantec product manager, and day-to-day leadership roles at eBay and Zynga. She is a well known thought leader on the topic of security metrics and has been featured... Read More →

Sunday March 3, 2019 11:00am - 11:30am PST
Theater 14 (overflow in #10)

Track: Theater 14, Talk

11:00am PST

Conquer the Enterprise from Inside with Penetration Testing Dropboxes

Penetration Testing Dropboxes are dismissed by many clients and infosec pros because they require internal access to corporate network. The reality is that dropboxes are a very valuable tool because they can lower costs and gain efficiency testing. Penetration Testing Dropboxes fit perfectly with the Assume Breach approach; as pentesters can launch internal attacks to simulate an attacker with access to the network to uncover gaps in the corporate security posture from the start of the engagement, both red teams and blue teams win.
This talk focuses on the different types of dropboxes, hardware additions, how to set up, and what attacks can be executed. Demos included.

Speakers

Simon Roses Femerling

CEO, VULNEX

Currently Simon Roses Femerling is the CEO at VULNEX, driving security innovation. Formerly he was at Microsoft, PriceWaterhouseCoopers, and @Stake. Simon has authored and cooperated in several security Open Source projects like OWASP Pantera and LibExploit. He has also published... Read More →

Sunday March 3, 2019 11:00am - 11:30am PST
Theater 15 (overflow in #11)

Track: Theater 15, Talk

11:45am PST

Cats? In My Certificate Transparency Logs? It's More Likely Than You Think

Certificate Transparency (CT) logs are a new and incredibly useful tool for bringing auditability and accountability to the public web certificate ecosystem. CT logs aim to provide a verifiable, append-only history of all publicly trusted certificates on the web. With browsers like Chrome now enforcing that certificates belong to CT logs, CT logging has become a vital part of the web's ecosystem.

But as with any new technology, it's our hacker duty to ask the question "How can this be misused?" We'll be providing a deep-dive into what CT logs are, how they work, and how we can take advantage of them for novel and nefarious purposes. We'll also explore if any bad actors have exploited our use cases in the wild. Most importantly, we'll be showing you why CT logs are the best new place to find pictures of cats on the internet.

Speakers

Scott Behrens

Senior Application Security Engineer, Netflix

Scott Behrens is a senior application security engineer for Netflix. Before Netflix, Scott worked as a senior security consultant at Neohapsis (Cisco) and as an adjunct professor at DePaul University where he taught a graduate course on software security assessment. Scott's expertise... Read More →

Ian Haken

Staff Security Software Engineer, Netflix

Ian Haken is a staff security software engineer at Netflix where has been working since 2016. His work includes development of tools and services that defend the Netflix platform such as the implementation of authentication and authorization solutions, access control management platforms... Read More →

Catlog BSidesSF 2019 pdf

Sunday March 3, 2019 11:45am - 12:15pm PST
City View

Track: City View, Talk

11:45am PST

How to Orchestrate a Cyber Security Incident Tabletop Exercise

"Assume breach" helps incident responders prepare for the next major cyber security incident. Ask yourself—What would you do if an attacker were inside your systems? In this interactive presentation, the speaker will present a hypothetical security incident and guide you through a simulated timeline of events. She will engage with the audience and ask questions like, "What would you do next?"

Speakers

Melanie Masterson

Threat Intelligence and Response - CSIRT, Airbnb

Mel Masterson has worked in the IT and Information Security space for 17 years. She is a Sr. Threat Response Engineer and focuses on threat detection, incident response, and vulnerability management. She has worked on multiple high-profile security incidents. She is passionate about... Read More →

Sunday March 3, 2019 11:45am - 12:15pm PST
IMAX

Track: IMAX, Talk

11:45am PST

Contact Center Authenticaion

You've built login for your application—maybe you even have 2FA—but what happens when a customer calls the support number listed on your website or product?
Security teams and app developers have thought a lot about online authentication, but we haven't applied the same rigor to designing systems for authenticating over the phone. At Twilio, product and engineering teams have spent the last year thinking about this problem and how to make the experience better for both the customer and the call center agent. In that time, I've called dozens of contact centers to learn about how everyone from startups to Fortune 50 companies attempt to identify and authenticate the end user. This talk will take a look at that research and outline best practices you can use in your own call centers. You'll leave the session understanding what information should be made available to the agent and what kind of product features you can build into your web or mobile application that can facilitate phone authentication.

Speakers

Kelley Robinson

Kelley works on the Account Security team at Twilio, helping developers manage and secure customer identity in their software applications. Previously she worked in a variety of API platform and data engineering roles at startups in San Francisco. She believes in making technical... Read More →

Sunday March 3, 2019 11:45am - 12:15pm PST
Theater 14 (overflow in #10)

Track: Theater 14, Talk

11:45am PST

Operation PZCHAO

Nowadays cyber-attacks are growing in complexity as threat actors divide payloads in multiple modules with highly specialized uses to achieve a target's compromise. The past few years have seen high-profile cyber-attacks that shifted from damaging the targets' digital infrastructures to stealing highly sensitive data, silently monitoring the victim, and constantly laying the ground for a new wave of attacks. This is also the case of a custom-built piece of malware that we have been monitoring for several months as it wreaked havoc in Asia by targeting a number of high-profile institutions. Our threat intelligence systems picked up the first indicators of compromise in July last year and we have dissected it to better understand its capabilities, its communication techniques, and ultimately its impact on the victim's data.

Speakers

Ivona-Alexandra Chili

Ivona Alexandra Chili is a Forensics Engineer in the Bitdefender Cyber Threat Intelligence Lab. She has recently graduated Computer Sciences at the Alexandru Ioan Cuza University in Iasi and is currently pursuing a bachelor's degree. With almost three years of experience in malware... Read More →

Sunday March 3, 2019 11:45am - 12:15pm PST
Theater 15 (overflow in #11)

Track: Theater 15, Talk

12:00pm PST

Lunch

Sponsors

ASAPP

Sunday March 3, 2019 12:00pm - 1:30pm PST
General

Food & Drink

12:00pm PST

BSides Career Chit-Chat

New this year! BSides Career Chit-Chat is an opportunity for all participants to share information, hear new perspectives, and broaden their networks. Each chit-chat is a 2-5 minute conversation between security professionals and participants. The conversations are participant-driven and allow participants the opportunity to ask questions of industry veterans on the topics of the industry, careers, and personal experiences within the field.

Sunday March 3, 2019 12:00pm - 4:00pm PST
AMC Lounge

General

12:15pm PST

T-Shirt Sales

Sunday March 3, 2019 12:15pm - 10:00pm PST
Coat Check

Coat Check

1:30pm PST

A Deep Dive into Go Malware: Using Metadata to Empower the Analyst

Go is a programming language created at Google by Robert Griesemer, Rob Pike, and Ken Thompson. Their vision was a statically typed, productive, and readable language with good networking and multiprocessing support. By default, Go binaries are statically linked, and it is very easy to cross-compile binaries for different operating systems or CPU architectures. This makes it easy to produce an executable that can be copied to any machine and run without runtime errors due to missing libraries, something that should be appealing to malware authors.

While Go has exploded in popularity, the same cannot be said for malware written in it. This presentation will take a look at a few pieces of malware written in Go and how they differ from other malware written in, for example, C and try to answer why we don't see more. Also, this presentation will show how metadata in stripped Go binaries can be used to recover everything from function names to source code tree structure and functions’ number of lines of code, which hopefully can give us an insight to the author behind the malware.

Speakers

Joakim Kennedy

Joakim Kennedy is the Senior Principal Security Researcher for Anomali Labs. His job involves playing with malware, tracking threat actors, and everything else around threat intelligence.

Sunday March 3, 2019 1:30pm - 2:00pm PST
City View

Track: City View, Talk

1:30pm PST

How to Lose a Container in 10 Minutes

Moving to the cloud and deploying containers? In this talk I will discuss both the mindset shift and tech challenges, with some common mistakes made in real-life deployments with some real life (albeit redacted) examples. We'll also look at what happens to a container that's been left open to the Internet for the duration of the talk.

Speakers

Sarah Young

Azure Security Architect, Microsoft

Sarah is an Azure Security Architect working for Microsoft. Allegedly she lives in Melbourne but is more likely to be found in airport lounges across Asia. Sarah loves cloud, Kubernetes and container security and spends most of her time telling people how to do it better and generally... Read More →

How to lose a container in 10 mins Sarah Young pdf

Sunday March 3, 2019 1:30pm - 2:00pm PST
IMAX

Track: IMAX, Talk

1:30pm PST

Arcades and Audits: What Gaming Can Do for Your Security Posture

There are a number of audits related to business operations in the event of a catastrophic disaster, and they can be dull to prepare. How can an organization make preparation of these artifacts more tolerable and increase the participation of operations, engineering, and security teams? Gamify it!
This talk will combine research demonstrating the long-lasting positive effects of arcade games (perception, attention, memory, and decision-making) and experience organizing these events at a company with a mature security program. Moreover, the psychology and benefits of gamifying these events can be used for red and blue teams alike. We'll touch on helpful NIST standards, as well as how to make the exercise immersive with simple controls (just like an arcade game). This talk will provide participants with best practices to create their own effective roadmaps for operational resiliency audits, while participants create mental maps for an actual catastrophic event and have fun.

Speakers

Miranda Fullerton

Software Engineer, Cloud Security, Duo Security

Miranda is a SE on the Production Engineering (CloudSecOps) team at Duo Security. She exists online at https://twitter.com/0hh1miranda

arcades and audits pdf

Sunday March 3, 2019 1:30pm - 2:00pm PST
Theater 14 (overflow in #10)

Track: Theater 14, Talk

1:30pm PST

Twist & Shout: Ferris Bueller's Guide to Abuse Domain Permutations

Internet scammers move pretty fast. If you don't stop and look around once in a while, you could miss it. Just as Ferris Bueller always had another trick up his sleeve to dupe Principal Rooney, attackers are employing homoglyphs, subdomain attacks, typo-squats, bit-squats, and similar attacks to trick internet denizens with fraudulent websites. Adversaries may register domains permutations in order to commit fraud, distribute malware, redirect traffic, steal credentials, or for corporate espionage. We know these threats have been around for a while, but not many defenders adopt proactive technical controls in their social engineering incident response plans.

The question isn't what are we going to do about it. The question is what aren't we going to do. With the capability to continuously monitor domain permutations for new HTTP, HTTPS, or SMTP services in real-time, the blue team doesn’t have to trust domain permutations any further than they can throw them.

In this talk, we will demonstrate red team and blue team techniques. For Buellers, demonstrations include ways to leverage domain permutations in adversary simulations. For Rooneys, we will detail how to better prepare, identify, contain, and eradicate threats that utilize domain permutations. If you’re not leveraging our recommended technical controls to defeat attackers, you risk fishing for your wallet in a yard full of rage-fueled Rottweilers.

Speakers

Kelly Albrink

Kelly Albrink is a Security Analyst at Bishop Fox where she specializes in network penetration testing, social engineering, and hardware/embedded security. Kelly has presented at a number of Bay Area events including DeadDrop, Day of Shecurity, and OktaRex. She is a recipient of the... Read More →

Rob Ragan

Partner, Bishop Fox

Rob Ragan is a Principal Researcher with 15+ years experience in penetration testing, red teaming, and offensive security. These days he's mostly interested in innovative techniques to to map out the domains, subdomains, exposed services, and vulnerabilities of large and complex... Read More →

Sunday March 3, 2019 1:30pm - 2:00pm PST
Theater 15 (overflow in #11)

Track: Theater 15, Talk

2:10pm PST

The Secure Metamorphosis: Streaming Logs with Kafka and TLS

Apache Kafka is a widely adopted pub/sub messaging platform that can scale to handle huge volumes of data. It’s a powerful technology but notoriously difficult to configure, especially when it comes to Transport Layer Security (TLS). In this session, we’ll cover TLS best practices that yield a secure and compliant system, as well as critical techniques to maximize performance.

Speakers

Tyler Paxton

Tyler Paxton is VP of Product at Distil Networks, a bot mitigation company. He joined Distil in 2017 through the acquisition of Are You A Human — a company that offers expertise in analyzing and understanding how real humans interact with the internet — where he served as co-founder... Read More →

Sunday March 3, 2019 2:10pm - 2:40pm PST
City View

Track: City View, Talk

2:10pm PST

Hacking with a Heads Up Display

Introducing security testing tools to a QA or developer's workflow can be difficult when the tools aren't easy or intuitive to use. Even for security professionals, the friction of cumbersome security tooling can prevent them from getting the most from a tool or being effective with their time.

The OWASP ZAP team is working to help enable developers, QA, and hackers alike with the ZAP Heads Up Display, a more user friendly way to engage with the security testing tool. The Heads Up Display integrates ZAP directly in the browser providing all of the functionality of the tool via a heads up display. The goal is to make ZAP more accessible and enable users, especially developers, to integrate security in their daily workflows. This talk will discuss the importance of usable tools, design tradeoffs made to improve usability, the various browser technologies powering the HUD, and how you can start hacking with a heads up display.

Speakers

David Scrobonia

Security Engineer, Segment

David Scrobonia is part of the Security Engineering team at Segment working to secure modern web apps and AWS infrastructure. He contributes to open source in his spare time and is a core team member of the OWASP ZAP project.

Hacking with a Heads Up Display (BSides SF) pdf

Sunday March 3, 2019 2:10pm - 2:40pm PST
IMAX

Track: IMAX, Talk

2:10pm PST

Slack App Security: Securing Your Workspaces from a Bot Uprising

Slack's developer platform has some powerful functionality that allows you to customize your org's workflow. But with great power comes great responsibility. While Slack has a robust security posture, do you suffer from insomnia pondering the security aspects of third-party apps? Are coworkers pleading with you to install Slack apps with scopes that frighten you? Join Kelly on a walk through the history of the Slack app directory, the unique security problems surrounding it, and what Slack's doing to make it easier for you and all our users to sleep at night.

Speakers

Kelly Ann

Security Engineer, Slack

Kelly Ann is a security engineer on the Product Security team at Slack, where she works on vulnerability assessments of Slack features, as well as educational materials for security best practices for developers. Before joining Slack, Kelly was a penetration tester at NCC Group... Read More →

Sunday March 3, 2019 2:10pm - 2:40pm PST
Theater 14 (overflow in #10)

Track: Theater 14, Talk

2:10pm PST

Attacking Deep Learning-Based NLP Systems with Malicious Word Embeddings

Recent Deep Learning-based Natural Language Processing (NLP) systems rely heavily on Word Embeddings, a.k.a. Word Vectors, a method of converting words into meaningful vectors of numbers. However, the process of gathering data, training word embeddings, and incorporating them into an NLP system has received little scrutiny from a security perspective. In this talk we demonstrate that we can influence such systems by manipulating training data and how we can inject them into real-world systems.

Speakers

Toshiro Nishimura

Toshiro is an independent software engineer and entrepreneur with a passion for security and privacy. Previously he has worked in email security and bioinformatics. His regular expression and Vim skills are second to none.

Attacking Deep Learning Based NLP Systems with Malicious Word Embeddings Toshiro Nishimura pdf

Sunday March 3, 2019 2:10pm - 2:40pm PST
Theater 15 (overflow in #11)

Track: Theater 15, Talk

2:50pm PST

Security Automation Simplified

Security automation can look a lot like magic, and many feel a strong temptation to go buy $HOT_SECURITY_ORCHESTRATION_PRODUCT, but it's really not hard to get started automating SecOps with the tools you already have, free and open source tools, and a little bit of code. In this talk I will give a high level view of how a SecOps or other IT group can use automation to save time and effort. I'll walk through an example, with screenshots and code, of how to automate an ops process. I want to remove the magic from automation and present concrete ways for any ops team to do this. This is not a "no code required!" approach to automation, but it's practical and easy enough to get started.

Speakers

Moses Schwartz

Staff Security Engineer, Box

Moses is a staff security engineer working for the Box security incident response team. He's part software developer and part security researcher, with over 10 years experience in industry and government. Nothing hurts him more than watching someone do a tedious, manual task that... Read More →

Security automation simplified Moses Schwartz pdf

Sunday March 3, 2019 2:50pm - 3:20pm PST
City View

Track: City View, Talk

2:50pm PST

Offensive Javascript Techniques for Red Teamers (Or Anyone Really)

AppSec is often very heavily focused on pre-exploitation. Frameworks like BeEF break this norm a little and can be used as tools to move laterally from the browser, to implant malware on adjacent machines. Unfortunately, performing network reconnaissance with JavaScript becomes tricky if the victim doesn't keep the tab open for long.

This presentation will discuss relatively new techniques and features of JavaScript that have made it easier for sophisticated threat actors to craft JavaScript payloads that target internal network vulnerabilities, as fast as a person can think to close a tab. We'll also show new reconnaissance techniques traditionally used by red teams, post-malware implant, that can be used to get a foothold onto a network from a browser, pre-malware implant. We'll also show some real examples of this, crafting external payloads that target internal assets at large companies, and we'll show how responsible disclosure for intranet facing bugs typically gets resolved.

Speakers

Dylan Ayrey

I'm a Senior Security. I've been heavily involved in the open source community for a few years, and I've been doing my best to bring security practices into the cloud/devsecops world

Christian Frichot

Christian 'xntrik' Frichot is an application security person who spends his free time trying to avoid computers. Currently working to secure self-driving cars in SF, Christian used to contribute a lot to BeEF and has helped put together words for The Browser Hacker's Handbook. He's... Read More →

Sunday March 3, 2019 2:50pm - 3:20pm PST
IMAX

Track: IMAX, Talk

2:50pm PST

Friend or Replicant: How Attackers Automate and Disguise Themselves in a Shroud of Authenticity to Gain Followers, Control Influence, and Malign Credit

Is this "real"? This is the story of how attackers today leverage a variety of tools and tricks to impact the influence landscape at scale. Many have heard of "fake news" and know that those "friends," "matches," or "followers" might not all be real; the information we consume is inflated with likes and ratings generated by coordinated attackers utilizing anything from users' browsers to IoT devices.
How are these fake accounts and likes and clicks created? To what extent are they "real"? This session will explore the fake account ecosystem, with specific focus on the lifecycle of a fake account and how specific tools and attacks are used to create likes and clicks; sometimes through automation and emulators, sometimes using real people through phone farms, mechanical turks, and sweatshops. We'll dissect the different main attack vectors and how they are being exploited:
Content: repurposed to fit a different context,
Access & Authentication: gained through Account Takeovers and credential cracking,
Fake Accounts: created strategically to build trust,
Usage: to emulate "real" users and not get caught
Together, we’ll workshop practical steps to building an army of influencers (on a budget) using off-the-shelf tools and show some more advanced techniques seen in attacks today.

Speakers

Anna Westelius

Anna Westelius is a Scandinavian expat and Security Researcher, Analyst & hacking enthusiast turned technology strategist; currently solving fraud and abuse problems as Sr Director of Engineering for Arkose Labs. Originally of a network security background, she moved into the web... Read More →

Sunday March 3, 2019 2:50pm - 3:20pm PST
Theater 14 (overflow in #10)

Track: Theater 14, Talk

2:50pm PST

Owning the Smart Home with Logitech Harmony Hub

This talk will walk through reverse engineering Logitech's Harmony smart home hub from a blackbox perspective. The process of vulnerability hunting in the device will be outlined along with discussion of vulnerabilities found and post exploitation implications.

Speakers

Joseph Bingham

Senior Research Engineer, Zero Day Research, Tenable

Before joining Tenable in 2014, Joseph worked at Symantec doing malware reverse engineering. Since joining Tenable as a reverse engineer, Joseph has produced several publications on malware, exploitation and reverse engineering.

Owning the Smart Home pptx

Sunday March 3, 2019 2:50pm - 3:20pm PST
Theater 15 (overflow in #11)

Track: Theater 15, Talk

3:30pm PST

Bye-Bye False Positives: Using AI to Improve Detection

Mainstream IPS/IDS solutions including WAF, NGWAF, and RASPs produce so many false positives they are almost impossible to manage. The reason for that is that they rely on outdated detection mechanisms like signatures, human-defined rules, regexps, etc. In this talk we want to suggest a better method, based on neural network, provide an overview and comparison for several AI-based injection detection architectures, and release a specific architecture and implementation which has produced the best results. To illustrate the application of this methodology, we will review in detail the implementation of AI-based false-positive detection for a SQL injection. The insight is to represent the injection as time series which then lets us apply the same AI-approach as those used in time-series classification. To find the difference between normal requests and attacks/injections, we normalize query to the sequence of tokens/lexemes and pass them to our recurrent-based neural network model which predicts the probability that is the injection. The best architecture to apply here was proven to be bidirectional recurrent neural network with LSTM cells. As a result, it was possible to achieve 96.07% false positive detection quality at the false_positives dataset of 433 samples from libinjection (https://github.com/client9/libinjection/blob/master/data/false_positives.txt).
The implementation of presented model is already used in production at Wallarm for reducing false positive events.

Attendees will take away understanding of most modern AI injection detecting methods, a methodology for building their own RNN network for detection, understanding of the training and test datasets and methodology for accuracy testing.

Speakers

Ivan Novikov

Ivan Novikov is a white hat security professional with over 12 years of experience in security services and products. He is an inventor of memcached injection and SSRF exploit class as well as a recipient of bounty awards from Google, Facebook, and others. Ivan has recently been a... Read More →

Sunday March 3, 2019 3:30pm - 4:00pm PST
City View

Track: City View, Talk

3:30pm PST

Building Identity for an Open Perimeter

Netflix is a 100% cloud first company. The traditional corporate network security perimeter no longer meets our needs. In this talk, I will be covering the core building blocks comprising of identity, single sign-on using standards like SAML, OIDC and OAuth, multi-factor authentication, adaptive authentication, device health, and authorization we have invested in, to make identity as the new security perimeter.

Speakers

Tejas Dharamshi

Netflix, Inc.

Tejas Dharamshi is a Senior Security Software Engineer at Netflix. Tejas specializes in security and is focused on corporate Identity and Access, multi-factor authentication, adaptive authentication, and user-focused security at scale.

Sunday March 3, 2019 3:30pm - 4:00pm PST
IMAX

Track: IMAX, Talk

3:30pm PST

Ethical Hacking: DIY Mobile Security Workstation (For Cheap)

Every red and blue teamer needs a dedicated workstation when engaging a network via a pen test or even if you want to test your security skills. While some companies charge up to $749 for this exact system, Dale will show you what he reverse engineered (Are you surprised he hacked it?) using $250 in parts from Amazon and open source software to build the BatPi, a complete mobile security workstation. The BatPi is powerful enough to run Kali Linux or the Parrot Project, both of which contain more than 300 tools, from scanning wireless networks to running Wireshark, to documenting your engagement… Oh and did I mention it has a touchscreen?!

Speakers

Dale Meredith

Author/Trainer/Consultant, My Mentored Learning, Inc.

Like the Dark Knight, Dale Meredith swoops in and saves the day when no one else can. Dale's expertise is in explaining difficult concepts and ensuring his students have an actionable knowledge on the course material. Straddling the line of fun and function, Dale's instruction is... Read More →

Sunday March 3, 2019 3:30pm - 4:00pm PST
Theater 14 (overflow in #10)

Track: Theater 14, Talk

3:30pm PST

High Performance VM Introspection Using Virtualization Exceptions

Hypervisor memory introspection is a security solution isolated from the protected virtual machine's operating system by leveraging hardware virtualization technologies. It relies on the second-level address translation (SLAT) mechanism, in order to enforce restrictions on certain memory areas of the protected VM. In some scenarios this can have a high performance impact, especially due to accesses inside the guest paging structures done by the CPU page walker or the OS memory manager. Most of these accesses are not relevant to the HVI logic. This presentation addresses these issues, promoting an innovative approach on filtering the page-table accesses directly from the guest VM. The filtering is done by a small in-guest agent that uses the virtualization exception (#VE) mechanism: relevant accesses are reported to the main HVI module via a hypercall, while the other accesses are discarded with minimal performance impact. We also discuss a method of protecting the in-guest agent from possible malicious guests by isolating it inside a different physical address space.

Speakers

Cristinel-Ionel Anichitei

Sr. Team Lead, Bitdefender SRL

Cristinel-Ionel Anichitei is a team leader for the Windows HVI team at BitDefender who joined the team 4 years ago. Since then they played a key role in ensuring the success of the project. Their efforts are mainly focused towards Windows reverse engineering, security, and performance... Read More →

Raul Tosa

Senior Manager, Bitdefender

Raul has been working with Bitdefender since 2005, building a strong technical background in fields like malware research, kernel driver development and virtualization. In the past years he's been researching how hardware virtualization technologies can be leveraged to strengthen... Read More →

High Performance VM Introspection Using Virtualization Exceptions pdf

Sunday March 3, 2019 3:30pm - 4:00pm PST
Theater 15 (overflow in #11)

Track: Theater 15, Talk

4:10pm PST

WHOIS Calling the 80s to Get Their Finger Back: LOL with Old TCP Services

A current trend among threat actors is the notion to Live Off the Land (LOL). LOL involves using binaries provided by the operating system to reduce the chances of being detected or to bypass application whitelisting. This presentation will look into the possibility of writing a remote access trojan (RAT) that does not handle any network connection on its own. The RAT instead uses TCP services, such as Whois and Finger, that are provided by the operating system to do the network connections to the command and control server. We will also take a look from a defender's perspective. How can we detect this in our environment?

As a bonus, we will also create bash one-liner reverse shells using these services.

Speakers

Joakim Kennedy

Joakim Kennedy is the Senior Principal Security Researcher for Anomali Labs. His job involves playing with malware, tracking threat actors, and everything else around threat intelligence.

Sunday March 3, 2019 4:10pm - 4:40pm PST
City View

Track: City View, Talk

4:10pm PST

Automating Web Application Bug Hunting

If you are a bug bounty hunter or an application security analyst the ability to automate your web hunting tools is the best way to get paid. In this talk, I will discuss how I do this and share some of my favorite scripts.

Speakers

Jonathan Cran

Researcgh, Kenna Security

Jonathan Cran is an information security expert based in Austin Texas. He’s a principal at the strategic consulting firm Pentestify, and founder of the the open security intelligence platform, Intrigue. His passion is security assessment, architecting systems to measure and ultimately... Read More →

Jerry Gamblin

¯\_(ツ)_/¯, Kenna Security

Automating Application Security Bug Hunting pdf

Sunday March 3, 2019 4:10pm - 4:40pm PST
IMAX

Track: IMAX, Talk

4:10pm PST

Journey to Command Injection: Hacking the Lenovo ix4-300d

Fully comprising an embedded device isn't always as easy as sending a GET request with admin=true. Sometimes, owning an embedded device takes multiple different vulnerabilities, creativity, and a little finesse. In this live demo, we show how we were able to chain multiple vulnerabilities in the Lenovo ix4-300d network attached storage (NAS) device into a remote exploit that can be executed with little user interaction. As a result, an adversary can provide the victim with a link to a malicious page that grants the attacker the ability to extract all information stored on the victim's NAS, and the ability to execute arbitrary operating system (OS) commands on the compromised NAS. In the talk we cover how we first identified command injection, then used cross-site scripting (XSS) and cross-site request forgery (CSRF) to build an exploit that would hijack values stored in the victim's browser storage, issue a malicious request on the user's behalf, and issue an OS command to open a remotely accessible operating system shell.

Speakers

Rick Ramgattie

Rick Ramgattie is a Security Analyst at Independent Security Evaluators (ISE), where he conducts high-end, custom security assessments of computer hardware, software products, and manages a team of security researchers. Rick recognizes that it isn't all that easy to get into the information... Read More →

Sunday March 3, 2019 4:10pm - 4:40pm PST
Theater 15 (overflow in #11)

Track: Theater 15, Talk

4:50pm PST

Strangeways, Here We Come: A Journey from On-Prem to Cloud First with AWS

The underlying desire with any technology is to push beyond its limits. In the 80s, we had the PC turbo button. In the 00s, everyone got all saas-y with software as a service. In the 2010s, we have the cloud (or as some of us know it, just someone else's computer). Jokes aside, leveraging the cloud allows teams to deliver content more rapidly compared to a local/on-prem solution. This sounds great until you remember nothing in life is free—cloud security is no exception.

While this talk is technical, we will begin by discussing the benefits motivating a small startup's decision to transition from on-prem to the cloud along with the inherent risk. A wide range of factors were considered: hiring, platform selection, technology stack, user management. We will talk about Amazon Web Services (AWS), the moving parts of our cloud, and what was required to get a minimum viable product off the ground. We will share our own ProTips for going cloud first; by the end, hopefully you’ll walk away with a few cheat codes of your own, whether it’s getting a peek at going cloud first or a verification of your own cloud security best practices.

Speakers

Victor Clark

Cloud Security Engineer, Insight Engines

Victor Clark is the Cloud Security Engineer at Insight Engines, a natural language processing (NLP) startup located in San Francisco, CA, USA. His breadth of experience ranges from several other startups to Fortune 500 and S&P 500 companies. As digital privacy and digital rights advocate... Read More →

Sunday March 3, 2019 4:50pm - 5:20pm PST
City View

Track: City View, Talk

4:50pm PST

Ask the EFF

Get the latest information about how the law is racing to catch up with technological change from staffers at the Electronic Frontier Foundation, the nation's premiere digital civil liberties group fighting for freedom and privacy in the computer age. This session will include updates on current EFF issues such as surveillance online, encryption (and backdoors), and fighting efforts to use intellectual property claims to shut down free speech and halt innovation. The panel will also include a discussion on some exciting new technology projects, updates on cases and legislation affecting security research, and much more. Half the session will be given over to question-and-answer, so it's your chance to ask EFF questions about the law and technology issues that are important to you.

Speakers

Andrew Crocker

Alexis Hancock

Director of Engineering, Public Encryption Projects, EFF

Alexis works to encrypt the web by managing the Certbot project on the Public Interest Technology team at EFF. She researches an intersection of issues on digital rights, encryption, and consumer technology. Deeply passionate about tech equity for all, she has been aiding activists... Read More →

Sydney Li

Electronic Frontier Foundation

India McKinney

Legislative Analyst, Electronic Frontier Foundation (EFF)

Alex Moss

Kurt Opsahl

Deputy Executive Director and General Counsel, Electronic Frontier Foundation

Kurt Opsahl is the Deputy Executive Director and General Counsel of the Electronic Frontier Foundation. In addition to representing clients on civil liberties, free speech and privacy law, Opsahl counsels on EFF projects and initiatives. Opsahl is the lead attorney on the Coders... Read More →

Cooper Quintin

Sr. Staff Technologist, Electronic Frontier Foundation

Cooper is a Senior Security Researcher at the EFF Threat Lab. He has worked on projects such as Privacy Badger, Canary Watch, and analysis of state sponsored malware, IMSI catchers, and other digital attacks on activists, journalists, and human rights defenders. He has also performed... Read More →

Sunday March 3, 2019 4:50pm - 5:20pm PST
IMAX

Track: IMAX, Talk

4:50pm PST

Navigating Passwordless Authentication with FIDO2 & WebAuthn

For decades, passwords have been the common backbone (headache) of authentication and are well known to lack in security while being frustrating and difficult to use. As we continue to see daily data breaches, the reality of moving away from weak static credentials and killing the password is upon us.
Join this session to learn how FIDO2 and WebAuthn open authentication standards, in conjunction with YubiKeys, are solving the elimination of passwords at scale. Hear how organizations like Microsoft have implemented these standards for a true passwordless experience and find out how your organization can follow suit. You'll gain a greater understanding of how to achieve a modern and flexible security architecture through the use of FIDO open standards and hardware authenticators.

Speakers

Jerrod Chong

Chief Solutions Officer, Yubico

Jerrod Chong is Chief Solutions Officer at Yubico focusing on accelerating solutions development with YubiKeys to solve customer's account life cycle challenges and evolve the state of authentication in the industry. Jerrod has delivered numerous presentations on modern authentication... Read More →

BsidesSF 19 FIDO2 WebAuthn pdf

Sunday March 3, 2019 4:50pm - 5:20pm PST
Theater 15 (overflow in #11)

Track: Theater 15, Talk

5:30pm PST

Happy Hour

Sponsors

Cybrary

Sunday March 3, 2019 5:30pm - 6:30pm PST
Bar

Food & Drink

6:30pm PST

Party

Sponsors

Valimail

Sunday March 3, 2019 6:30pm - 9:30pm PST
City View

Food & Drink

9:00am PST

Breakfast

Sponsors

Pluralsight

Monday March 4, 2019 9:00am - 10:00am PST
General

Food & Drink

9:00am PST

Coffee

Monday March 4, 2019 9:00am - 4:00pm PST
Sponsors Area

Food & Drink

9:00am PST

Capture The Flag

Sponsors

Facebook

Monday March 4, 2019 9:00am - 5:00pm PST
General

CTF

9:00am PST

Bar

Sponsors

Paranoids at Verizon Media

Monday March 4, 2019 9:00am - 5:00pm PST
Bar

Food & Drink

9:00am PST

Registration

Monday March 4, 2019 9:00am - 5:00pm PST
General

General

9:00am PST

Sponsor Lounge

Monday March 4, 2019 9:00am - 5:00pm PST
Sponsors Area

Sponsor Lounge

9:00am PST

Crypto & Privacy Village

Villagers

Crypto & Privacy Village

Sponsors

F-Secure

Veracode

Monday March 4, 2019 9:00am - 5:00pm PST
Villages

Village

9:00am PST

IoT Village

Villagers

Independent Security Evaluators (ISE)

Sponsors

F-Secure

Veracode

Monday March 4, 2019 9:00am - 5:00pm PST
Villages

Village

9:00am PST

Living Security Escape Room

Villagers

Living Security

Sponsors

F-Secure

Veracode

Monday March 4, 2019 9:00am - 5:00pm PST
Villages

Village

9:00am PST

Lockpick Village

Villagers

Lockpick Extreme

TOOOL SF

Sponsors

F-Secure

Veracode

Monday March 4, 2019 9:00am - 5:00pm PST
Villages

Village

9:00am PST

Spymaster Challenge

Villagers

Cisco CSIRT

Sponsors

F-Secure

Veracode

Monday March 4, 2019 9:00am - 5:00pm PST
Villages

Village

9:00am PST

T-Shirt Sales

Monday March 4, 2019 9:00am - 5:30pm PST
Coat Check

Coat Check

9:00am PST

Info Desk

Monday March 4, 2019 9:00am - 6:30pm PST
General

General

9:00am PST

Coat Check

Monday March 4, 2019 9:00am - 7:00pm PST
Coat Check

Coat Check

10:00am PST

Opening Remarks

Speakers

Reed Loden

Monday March 4, 2019 10:00am - 10:15am PST
IMAX

Keynote

10:15am PST

Securing Online Identities with Simple, Secure, Open Standards

As Volvo realized when developing the three-point seatbelt, security needs to be simple and work in a simple gesture, or users won’t adopt it. Volvo also knew that in order to scale to every car and user, their invention needed to be an open standard. Eventually, all countries made the seatbelt a legal requirement, and it has since then saved millions of lives.

The future of strong online identities is following the same path and must be simple to use across all computers and mobile devices. Several years ago, the Swedish/American authentication innovator Yubico co-developed the open authentication standard U2F (Universal 2nd Factor), which was further developed by the open standards organization FIDO Alliance. Since deployed by Google staff and end users, U2F devices have significantly reduced fraud, support calls, and time to login compared to mobile software authentication.

We are today moving beyond U2F with the evolution of FIDO2 - a new open standard which delivers upon removing the need for a username and long complicated passwords. Microsoft has already incorporated this standard to allow for passwordless login into Microsoft Accounts and we expect to see much more passwordless support for hardware security keys as we continue into 2019.

Stina will explain the advantages presented by FIDO U2F and FIDO2 in comparison to one-time passwords (apps, SMS, tokens) and smart cards, how and why these technologies will continue to coexist in the coming future, and where they fit in the larger identity ecosystem.

Speakers

Stina Ehrensvard

Stina Ehrensvard is the CEO and founder of Yubico and coinventor of the YubiKey — a small device that makes strong hardware-based authentication easy and affordable for everyone. She is a visionary IT entrepreneur with a proven track record of creating and bringing new technology... Read More →

Monday March 4, 2019 10:15am - 10:50am PST
IMAX

Keynote

11:00am PST

Abusing WCF Endpoint for RCE and Privilege Escalation

In 2018 there were quite a few local privilege escalation and remote code execution CVEs related to abusing the functionality exposed by WCF services in .NET programs. These were found in products such as VPN clients, commercial network monitoring tools, and antivirus software. In some cases, these services accidentally exposed stronger capabilities than intended (for example, the ability to run arbitrary code). In other cases, sensitive features have been locked down, but the security mechanisms are faulty and can be bypassed.

The aim of this presentation is to spread awareness of WCF as an attack surface and to demonstrate how to get started finding and exploiting these bugs. This will be accomplished by reviewing the vulnerability identification and exploit development process for a recent 0-day privilege escalation in Check Point's flagship antivirus product ZoneAlarm.

Speakers

Christopher Anastasio

Security Analyst, Illumant

Chris Anastasio is a penetration tester at Illumant, bug bounty hunter, amateur exploit dev, and bad coder. He’s been working in Infosec professionally for 5 years and as a hobbyist for many more. He cofounded the Dark Corner (darkcorner.org), a monthly hacker meet up in Palo Alto... Read More →

Abusing WCF Endpoints for RCE and Privilege Escalation BSidesSf 2019 pptx

Monday March 4, 2019 11:00am - 11:30am PST
City View

Track: City View, Talk

11:00am PST

How to Fix the Diversity Gap in Cybersecurity

Women make up just 11 percent and minorities are slightly less than 12 percent of the cybersecurity workforce. Coming from a nonprofit background, which is an industry with a high diversity, to one where it is so unbalanced—it's disheartening and disappointing. I've connected with persons who are underrepresented in the field, and many after spending years in cybersecurity are leaving the field. From their shared experiences as well as my own, it is clear that the cybersecurity space needs to get real about the lack of diversity in the space, and the necessity to make changes as we approach the estimated shortage of 1.5 million cybersecurity professionals in 2019.
In this talk, we will discuss our brains and how we label and prejudge, hear experiences of underrepresented people in the space, what can be done to fill the gap, and how to increase and retain the number of qualified candidates in cybersecurity.

Speakers

Chloé Messdaghi

CEO and Founder, Global Secure Partners

For over ten years, Chloé Messdaghi has advised and developed impactful solutions that have driven growth and innovation while transforming security teams to become resilient. Her work has helped businesses unlock opportunities to enhance trust, mitigate risk, and become purpose-driven... Read More →

Monday March 4, 2019 11:00am - 11:30am PST
IMAX

Track: IMAX, Talk

11:00am PST

Anti-Privacy Anti-Patterns

In this talk, we will examine key research findings and technological innovations in the past 20 years that have led to the accepted practice of collecting all of the data. We show a difference between tangible (e.g. PII) and non-tangible data and show how seemingly harmless data can still be used to derive behavior (with examples!). We also examine how privacy perspective can change depending on your role or background and propose a perspective shift if we are to try to maintain digital privacy today.

Speakers

Sarah Harvey

Software Engineer - Privacy Engineering, Square Inc

Sarah is an engineer on a privacy engineering team at Square. Her background includes almost 4 years of industry experience in security/privacy infrastructure design and engineering, and 4 years of academic privacy research. She has a variety of speaking experience; highlights including... Read More →

antiprivacy speaker notes pdf

antiprivacy slides pdf

Monday March 4, 2019 11:00am - 11:30am PST
Theater 14 (overflow in #10)

Track: Theater 14, Talk

11:00am PST

Making Sense of Unstructured Threat Data

Over the last decade the cybersecurity community has made significant progress on collecting and aggregating intelligence that describes threat actors and campaigns, their tactics and techniques, and technical IOCs leveraged by them. However, tracking this intelligence as part of cybersecurity operations or applying it to analytical systems is difficult because it is generally unstructured. Knowledge bases like MITRE's ATT&CK are an excellent example of how useful intelligence can be once it's organized—getting to that end state is a huge challenge. In this presentation we will show how recent advances in Natural Language Processing (NLP) can help us organize this intelligence and add structure to make it actionable. We will demonstrate how to use Word2Vec: a shallow neural network which understands meanings and relationships between words and can therefore be used to organize the information these documents provide. This exercise trains a Word2Vec model on open source intelligence reports coming from EU-CERT and US-CERT and clusters them into ‘tactical categories’, that can be mapped to the MITRE ATT&CK framework.

Speakers

Zainab Danish

Data Scientist, Trustar Technology

Zainab has been working as a Data Scientist at TruSTAR since July 2018. She laid down groundwork for a new data infrastructure at TruSTAR and is helping design more optimized workflows. She also builds Machine Learning models to augment core services in the security platform and loves... Read More →

Nicolas Kseib

Nicolas is the Lead Data Scientist at TruSTAR Technology, a threat intelligence platform built to accelerate enterprise security investigations. He leads the company's data science initiatives and roadmap. He is always thinking of ways to leverage analytics and machine learning to... Read More →

Making Sense of Unstructured Data pdf

Monday March 4, 2019 11:00am - 11:30am PST
Theater 15 (overflow in #11)

Track: Theater 15, Talk

11:45am PST

BADPDF: Stealing Windows Credentials via PDF Files

Microsoft NTLM is an authentication protocol used on networks that includes systems running the Windows operating system and stand-alone systems. Despite Microsoft's implementation of Kerberos, NTLM is still in use in order to support older systems. Many exploits in the past targeted Microsoft Office and Windows OS internal functions in order to cause the leaking of Windows users' NTLM hashes, which can then be cracked and disclose the original passwords. Are those the only products vulnerable to NTLM credential theft? Find out how PDF files can be weaponized to automatically achieve NTLM hash leaks with no user interaction.

Speakers

Adi Ikan

Cyber Security Research Team Leader, Check Point Software Technologies

Adi Ikan is a Cyber Security Research Team Leader at Check Point Software Technologies. Adi has served as an Officer in the IDF Intelligence Corps 8200 Unit in various research and development roles.Adi Holds a M.Sc. in Financial Mathematics and a B.Sc. in Applied Mathematics at Bar-Ilan... Read More →

Ido Solomon

Security Researcher, Check Point Software Technologies

Ido Solomon is a Security Researcher at Check Point Software Technologies’ IPS Research and Urgent Protections team. Ido holds a B.Sc. in Information Systems Engineering at Ben-Gurion University.

Monday March 4, 2019 11:45am - 12:15pm PST
City View

Track: City View, Talk

11:45am PST

Don't Boil the Ocean: Using MITRE ATT&CK to Guide Hunting Activity

As threat hunting becomes a focus for more and more organizations, the abilities of the staff who are being asked to hunt vary greatly. One of the greatest challenges of threat hunting is biting off more than you can chew.
Oftentimes, analysts want to "boil the ocean" and hunt without a specific purpose or plan. This talk is focused on using the MITRE ATT&CK framework as the catalyst to assist in building the hypothesis and plan to determine what we should hunt for and how we should build our hypothesis. To make this point, I will use an adversary emulation that we developed at Splunk and show how hunt teams can take the techniques defined in the MITRE ATT&CK framework and apply them to hunts that identify artifacts and indicators and how these initial findings can be fed into a process with ATT&CK to drive additional hunts, enabling hunters to gain more and more insight to better operationalize their findings.

Speakers

John Stoner

Principal Security Strategist, Splunk

John Stoner is a Principal Security Strategist at Splunk. In his current role, he leverages his experience to educate and improve users’ capabilities in Security Operations, Threat Hunting, Incident Response and Threat Intelligence. He has authored multiple hands-on workshops that... Read More →

Don't Boil the Ocean Using MITRE ATT&CK to Guide Threat Hunting Activities Stoner pdf

Monday March 4, 2019 11:45am - 12:15pm PST
IMAX

Track: IMAX, Talk

11:45am PST

Surfing the Motivation Wave to Create Security Behavior Change

For decades security awareness programs have been based on the assumption that employees don't know the correct course of action and with the right training, they will start performing more securely. However, this approach has not proven to be effective. A second dimension needs to be considered in security behavior change: motivation. This talk will explore how and when to motivate employees to security action. It will also discuss how to "surf" motivation generated by both predictable and unpredictable security events to drive security behavior change in a workforce. Finally, this talk will explain how to measure changes in employees' security behaviors and how practitioners can create meaningful metrics.

Speakers

Masha Sedova

Co-Founder, Elevate Security

Monday March 4, 2019 11:45am - 12:15pm PST
Theater 14 (overflow in #10)

Track: Theater 14, Talk

11:45am PST

Guarding Against Protocol Subversion at Coinbase

As the number of blockchain assets and projects continues to increase, so too do the opportunities for attackers to exploit or trigger unstable asset behaviors, defined or otherwise. Given Coinbase's intention to support a large number of blockchain assets, Coinbase needs to take steps to ensure that all funds are properly safeguarded, regardless of any of malicious or disruptive activity on an asset network.
Our initial efforts in this area have focused on Proof of Work blockchains and on Ethereum smart contracts. The talk will provide a high level overview of how Coinbase detects threats to these assets.

Speakers

Mark Nesbitt

Security Engineer, Coinbase

Mark Nesbitt is a security engineer with Coinbase. Mark's responsibilities focus on security support for Coinbase's crypto engineering teams, which write services that integrate with cryptocurrency networks. Mark is also responsible for threat modeling and threat mitigations for the... Read More →

Monday March 4, 2019 11:45am - 12:15pm PST
Theater 15 (overflow in #11)

Track: Theater 15, Talk

12:00pm PST

Lunch

Sponsors

Intezer

Monday March 4, 2019 12:00pm - 1:30pm PST
General

Food & Drink

12:00pm PST

BSides Career Chit-Chat

New this year! BSides Career Chit-Chat is an opportunity for all participants to share information, hear new perspectives, and broaden their networks. Each chit chat is a 2-5 minute conversation between security professionals and participants. The conversations are participant-driven and allow participants the opportunity to ask questions of industry veterans on the topics of the industry, careers, and personal experiences within the field.

Monday March 4, 2019 12:00pm - 4:00pm PST
AMC Lounge

General

1:30pm PST

Implementing a Kick-Butt Training Program: BLUE TEAM GO!

Hands-on incident response roles such as those found within a SOC or CIRT are difficult to staff. Even when these roles are filled, analysts often find themselves faced with unfamiliar tasks. Certification and higher education programs provide a decent foundation, but they do not produce strong responders. For that matter, analyst skills are often weakened by the onslaught of repetitive tasks, such as fielding phishing ticket after phishing ticket.

Ask yourself: Do all analysts on your team have a firm understanding of your company, the SIEM, network forensics, host-based forensics, malware analysis, threat hunting, and working with intel? In this talk, I’ll provide a framework for an on-boarding/baseline training program. The framework is flexible, allowing for multi-phase deployments or an all-at-once bootcamp style training depending on your needs.

The program utilizes experiential training to teach your analysts the HOWs and WHYs behind their processes and tools. We don’t need analysts who can push a button to get a banana — We needs analysts who truly understand the inner-workings of their tools. Adversaries and red teams rely on weaponization… why not weaponize your blue team with the tools they need too?

Speakers

Ryan Chapman

Monday March 4, 2019 1:30pm - 2:00pm PST
City View

Track: City View, Talk

1:30pm PST

Career Mutation: A Panel on the Evolution to Management in Security

Have you been considering management for your next career move in security? Our group of panelists took that leap and are ready to tell you everything. Come hear these ex-engineers discuss their transformations into managers, along with their struggles and overcome challenges. You'll learn things they wish they knew from the beginning, as well as their tips on how to prepare for such a jump in your own career and even how to better understand your current manager.

Moderators

Zach Powers

Speakers

Rachel Black

Senior Manager Application Security, One Medical

Rachel Black is a Senior Manager of Application Security at One Medical focusing on product security, vendor security, and a little of everything else. In her free time she snuggles with her Corgi, plays Stardew Valley on the Switch, and religiously uses Yelp to decide where to e... Read More →

Chris Dorros

Engineering Manager, Stripe

Chris works on Security Infrastructure at Stripe. He’s currently focused on securing your credit card numbers. Previously focused on securing DNS (OpenDNS), Mars Rovers (NASA), Fighter Jets (Lockheed Martin). When not starting at computer screens, you can find him out exploring... Read More →

Daed Latrope

Director of Security, Cisco Meraki

Daed is currently leading security for Cisco Meraki. They're passionate about all things related to defensive and cloud security. In their spare time they like to do art and brunch hard.

Kyle Tobener

VP, Head of Security, Copado

Kyle Tobener is a VP and Head of Security for the DevOps startup Copado. He began his professional career as a zoologist but fled the jungle to return to San Francisco and focus on tech. He loves application security, third party risk management, and building security programs from... Read More →

Xiaoran Wang

TLM, Security Assessments, Google

Xiaoran Wang is a Tech Lead Manager (TLM) for the Security Assessments team at Google. His day to day work includes securing Google infrastructure, its vendor usages and its acquisitions. He also runs offensive security exercises and managing a team of talented security engineers... Read More →

Monday March 4, 2019 1:30pm - 2:00pm PST
IMAX

Track: IMAX, Talk

1:30pm PST

Goldilocks and the Three ATM Attacks

Automated Teller Machine (ATM) attacks are more sophisticated than ever before. Criminals have upped their game, compromising and manipulating ATM networks, software, and other connected infrastructure. Between having a third-party manage these machines and ATMs deployed on low-bandwidth links, it's an inevitable wild-west environment. In this talk I will review three case studies of ATM attacks, showing how they have become more dangerous than ever before.

In this session, I will discuss unknown ATM flaws our pentesting team has uncovered while performing testing, the various ways criminals are attacking ATMs, the many security problems that we have identified with ATM systems, and what can be done to prevent these attacks.

I will review three case studies of ATMs. One where the ATM security was extremely poor; One where the security was very good but the ATM still fell victim to an attack because we discovered a zero-day in the management software; And one where the security was just right- but its specific deployment had some major flaws that ultimately led to an ATM compromise. In this last case, the attackers side-loaded an application, and were able to run a criminal ring that led to $7M USD in losses.

Speakers

David M. N. Bryan

David M. N. Bryan is an Executive Consultant, and Technology leader with X-Force Red, IBM’s elite security testing team. Responsibilities include establishing standardized tools and procecess for our consultants and working with clients on penetration testing projects. David has... Read More →

Monday March 4, 2019 1:30pm - 2:00pm PST
Theater 14 (overflow in #10)

Track: Theater 14, Talk

1:30pm PST

Fuzzing Malware for Fun & Profit: Applying Coverage-Guided Fuzzing to Find and Exploit Bugs in Modern Malware

Practice shows that even the most secure software written by the best engineers contains bugs. Malware is not an exception. In most cases their authors do not follow the best secure software development practices thereby introducing an interesting attack scenario which can be used to stop or slow-down malware spreading, defend against DDoS attacks, and take control over C&Cs and botnets. Several previous researches done by the security community have demonstrated that such bugs exist and can be easily exploited. To find those bugs it would be reasonable to use coverage-guided fuzzing. Numerous studies have shown that this is the most effective technique to automatically find bugs in closed source software.

This talk aims to answer the following two questions:

Can we defend against malware by exploiting bugs in them ?

How can we use fuzzing to find those bugs automatically ?

The speaker will show how we can apply coverage-guided fuzzing to automatically find bugs in sophisticated malicious samples such as botnet Mirai which was used to conduct one of the most destructive DDoS in history and various banking trojans. A new cross-platform tool implemented on top of WinAFL (called netAFL) will be released and a set of 0day vulnerabilities will be presented along with several exploitation demos.

Do you want to see how a small addition to HTTP-response can stop a large-scale DDoS attack or how a smart bitflipping can cause RCE in a sophisticated banking trojan? If the answer is yes, this is definitely your talk.

Speakers

Maksim Shudrak

Security Researcher

Maksim Shudrak is an Offensive Security Researcher, PhD focusing on vulnerabilities hunting in open source and proprietary software. Prior to this, Maksim worked on malware analysis and developing advanced solutions for highly-evasive malware detection. Maksim had a chance to present... Read More →

BSides malware fuzzing pdf

Monday March 4, 2019 1:30pm - 2:00pm PST
Theater 15 (overflow in #11)

Track: Theater 15, Talk

2:10pm PST

HTTP Security Headers: A Technology History Through Scar Tissue

Security headers are a history of digital scar tissue. Each one there because we discovered something terrible on the internet but couldn't shut it off without breaking things. They allow you to tap into a wealth of security controls built into modern browsers, but most are simply off by default. We'll start with a quick, high level overview of most of the major security headers and what best practice is for setting them.

We'll finish with a deep dive into the content-security-policy header, both the most complex and most powerful security header. I'll show how at my company we got the best security outcomes by enabling developers—the people who best know the content that should be running in our apps—to tailor the CSP header themselves giving us more fine-grained control than a traditional security or operations driven policy.

Speakers

Benjamin Hering

Manager, Security Engineering, ASAPP

Benjamin Hering leads Security Engineering at ASAPP. His career focuses on leveraging technology to improve organizations and people in both the for-profit and non-profit spheres; making technology meet people where they are rather than the other way around. He graduated from Grinnell... Read More →

HTTP Security Headers Benjamin Hering pdf

Monday March 4, 2019 2:10pm - 2:40pm PST
City View

Track: City View, Talk

2:10pm PST

Deploying Two-Factor Authentication to Millions of Users

Two-factor authentication (2FA) represents a second line of defense against account takeover, and all online services accepting passwords should provide 2FA as an option to their users, especially if they deal with sensitive data or money. When implementing 2FA, however, we are faced with several choices that directly impact the user experience, including which methods to support, how and when to introduce them, and more generally how to describe 2FA to users, perhaps with limited technical knowledge.

This talk is structured as a tutorial on how to add 2FA to an existing website, with flows and code samples. It's based on first hand experience implementing 2FA at Pinterest and releasing it globally to millions of users. We cover designing an effective user journey, architecture, and implementation choices including TOTP, push notifications, and FIDO security keys. For completeness, we also cover additional authentication flows such as social login via OAuth or password reset.

Speakers

Emanuele Cesena

Security Engineer, Pinterest

Emanuele Cesena is a Security Engineer at Pinterest focused on product security. Previously, he was co-founder and CTO at Theneeds (acquired by Shopkick) and a researcher in the security group at the Politecnico di Torino, Italy. Emanuele holds a PhD in Mathematics with a thesis in... Read More →

Deploying Two Factor Authentication to Millions of Users Emanuele Cesena pdf

Monday March 4, 2019 2:10pm - 2:40pm PST
IMAX

Track: IMAX, Talk

2:10pm PST

Do You Even Tech Anymore: Management & Leadership in Security?

When many people join the professional workforce and are asked, "What do you want to do?" or the dreaded "What's your 5-year plan?" they answer, "I want to be a manager," without any real clue on why or what a (good) manager does. This is long before they reached the nervous stage of being a manager, see their tech skills disappear, and fear they'll be forever irrelevant. :)
Security conferences have always had talks on "red team," and more recently "blue team" talks have become more frequent. However, there has really been a lack of talks addressing moving to management or leadership and what that really means (personally and professionally).
At Riot Games, the Security team has developed a security program based on feedback and self-service, across a truly hybrid infrastructure. This has not only involved collaboration and education external to Security, but also within the Security team itself as we have mentored younger and new colleagues so they also realise being that Security team in the corner is from a previous generation while also being able to do “cool” stuff, learn and improve.
In this talk, Mark will dive into where he has:
failed and succeeded as a leader
challenges and self-doubts of moving from an engineer to a manager and further
Trying to stay in-tune with your reports while not becoming a “1-1” machine
And probably more things :)
An attendee should:
- see some pretty cool video game art (not created by Mark, obviously)
- understand the challenges and benefits of moving from being an engineer to a manager
- learn about a self-service and feedback-driven approach to leadership
Disclaimer: There will be no cool exploits, 0days or buffer overloads in this talk.

Speakers

Mark Hillick

Mark is Product Lead of Security at Riot Games

Monday March 4, 2019 2:10pm - 2:40pm PST
Theater 14 (overflow in #10)

Track: Theater 14, Talk

2:10pm PST

Profiling "VIP Accounts" Access Patterns in User-Centric Data Streams

Detecting compromise of privileged "VIP accounts" using real time analysis using Kafka streaming solution that scales on a per account basis and lets us build an evolving picture of individual risk in real time via a distributed streaming approach.

Speakers

Xiodan Li

Xiodan Li is a Data Scientist at JASK.

Rod soto

Principal Security Researcher, Splunk

Rod Soto is the Director of Security Research at JASK.

Joseph Zadeh

Joseph Zadeh is the Director of Data Science at JASK.

Monday March 4, 2019 2:10pm - 2:40pm PST
Theater 15 (overflow in #11)

Track: Theater 15, Talk

2:50pm PST

Concrete Steps to Create a Security Culture

Who's got time for any of this "culture" business? The security team has more trash fires than they can handle. No one is listening to their warnings!

As it turns out, security culture plays a pivotal role in the health of your organization's security. In this talk I'll go over why I invest so heavily in creating a culture of security at my organization, 10–20 concrete examples of things I do that are easily replicable, my overarching strategy for changing culture, and what it means to measure success when talking about something as intangible as culture.

Speakers

Arkadiy Tetelman

Staff Application Security Engineer, Lob

Arkadiy is a security engineer, currently running the security program at Lob and previously working on application security at Airbnb, Twitter, and CardSpring. Arkadiy is passionate about all things appsec, including running bug bounty programs, static analysis, building secure-by-default... Read More →

Monday March 4, 2019 2:50pm - 3:20pm PST
City View

Track: City View, Talk

2:50pm PST

Containers: Your Ally in Improving Security

Developers are now building, configuring, and deploying their own services on Kubernetes and Docker. Yikes! All three offer lots of built-in security tactics. Let's explore how to automate and determine configurations like:
- Read-only filesystem
- Linux capabilities and seccomp profiles
- Limiting cross-container communications

Using Kubernetes metadata and syscall data, we can systematically configure our services as opposed to simply turning these features on and hoping that we haven't broken our deployments.

Speakers

Connor Gilbert

Senior Product Manager, StackRox

Connor Gilbert is a senior product manager at StackRox, a Kubernetes security company. He has presented at BSides SF, Google Next, and Cloud Native Rejekts; hosted Cloud Native Computing Foundation (CNCF) webinars; and published CNCF blogs on cloud-native security topics. Connor was... Read More →

Connor Gorman

Principal Engineer, StackRox

Connor Gorman is a Staff Software Engineer at StackRox, where he designs and builds the StackRox Kubernetes Security Platform. Lately, he has focused on helping users understand the complete risk context for their Kubernetes workloads and enabling them to implement effective security... Read More →

Monday March 4, 2019 2:50pm - 3:20pm PST
IMAX

Track: IMAX, Talk

2:50pm PST

Vendor Security: Where Our Data Goes We Follow

Every company big and small partners with external vendors for services. Examples can range from architects, caterers, painters, and law firms to content distribution, hosting, marketing insights, email, machine learning, and contingent labor. The exodus of information to these vendors and the need for their integration with internal resources can pose unique security challenges. In the age of daily breaches, how can you verify and improve the security of your vendors?

This panel will seek to explore diverse experiences and opinions on vendor security from companies both large and small. Topics of discussion will include varied methods for performing vendor security, approaches to influencing vendors, the value of investment in vendor security versus other security functions and priorities, scaling a vendor security program, and the ultimate question: can you really predict the security maturity and likelihood of a breach in another company?

Moderators

Justin Calmus

Chief Security Officer, OneLogin

Justin is the chief security officer of OneLogin responsible forarchitecting and leading risk management, security, and complianceefforts. Justin is an information security leader, researcher, andhacker-turned chief security officer who previously served as the chiefinformation... Read More →

Speakers

Rachel Black

Senior Manager Application Security, One Medical

Vivienne Pustell

Niru Ragupathy

Security Engineer, Google / BSidesSF CTF

Niru is a tech lead manager on Google's Offensive Security team, where she oversees the program and works on red team exercises. She has run web application security workshops at BSidesSF, WiCys and Blackhoodie. In her free time she doodles corgis and writes CTF challenges.

Kyle Tobener

VP, Head of Security, Copado

Wendy Zenone

Monday March 4, 2019 2:50pm - 3:20pm PST
Theater 14 (overflow in #10)

Track: Theater 14, Talk

2:50pm PST

Two-Faces of WASM Security

JavaScript is the most popular language of the web. It is one of the fastest dynamic languages around; even though it is fast it still cannot compete with raw C/C++. WebAssembly or WASM, an evolution of asm.js, is a low level, portable binary format that aims to speed up apps on the order of 20x compared to JavaScript. Developers can compile their C/C++/Rust code to wasm modules which can be directly used in JavaScript code. Currently, WA is supported across all major browsers.
The security model of WASM is based on two concepts: protect users from malicious modules and provide developers primitives to build secure modules. For users, wasm modules in a browser are designed to be executed in a safe and sandboxed environment. And for developers primitives like type safety, control flow integrity, execution traps, and protected stacks ensure that the modules are safe against direction code injection attacks.
We have seen an increased interest in using WebAssembly for malicious purposes. Initially the use of wasm was seen in keyloggers, and tech support scams. Recently, we have seen increased use of web assembly by coin-mining scripts. These mining scripts have become extremely sophisticated and hard to detect. The sophistication of web assembly has caused havoc to web authors as well, the number of vulnerable modules has been constantly increasing.
In this talk, we present two sides of wasm 1) Increased sophisitication of wasm modules for malicious intent 2) Exploitation of vulnerable modules presenting an increased attack surface for web-authors

Speakers

Kaizhe Huang

Security Researcher, Sysdig

Kaizhe Huang is a security researcher in Sysdig where he researches about defending Kubernetes and containers from attacks ranging from web to kernel. Kaizhe is one of the maintainers of Falco, an incubation level CNCF project and the original author of multiple open source projects... Read More →

Pranjal Jumde

Pranjal is a Senior Security Engineer at Brave Inc. His primary research interest is Browser Security and Exploitation. Over the past 5 years in the security industry, he has worked on different aspects of security Reverse Engineering malware, Security Automation, Developing security... Read More →

Monday March 4, 2019 2:50pm - 3:20pm PST
Theater 15 (overflow in #11)

Track: Theater 15, Talk

3:30pm PST

DevSecOps State of the Union

Many companies have shared their lessons learned in scaling their security efforts, leading to hundreds of blog posts and conference talks. Sharing knowledge is fantastic, but when you're a busy AppSec engineer or manager struggling to keep up with day-to-day requirements, it can be difficult to stay on top of or even be aware of relevant research.

This talk will summarize and distill the unique tips and tricks, lessons learned, and tools discussed in a vast number of blog posts and conference talks over the past few years and combine it with knowledge gained from in-person discussions with AppSec engineers at a number of companies with mature security teams.

Topics covered will include:
• Principles, mindsets, and methodologies of highly effective AppSec teams
• Best practices in developing security champions and building a positive security culture
• High value engineering projects that can prevent classes of bugs
• How and where to integrate security automation into the CI/CD process in a high signal, low noise way
• Open source tools that help with one or more of the above

Attendees will leave this talk with an understanding of the current state of the art in DevSecOps, links to tools they can use, resources where they can dive into specific topics of interest, and most importantly an actionable path forward for taking their security program to the next level.

Speakers

Clint Gibler

Senior Security Consultant, NCC Group

Clint Gibler is a research director at NCC Group, a global information assurance specialist providing organizations with security consulting services. He’s helped companies implement security automation and DevSecOps best practices as well as performed penetration tests for companies... Read More →

Monday March 4, 2019 3:30pm - 4:00pm PST
City View

Track: City View, Talk

3:30pm PST

You Might Still Need Patches for Your Denim, but You No Longer Need Them for Prod

In this talk, Maya and Dan will cover what changes in your patch management story if you use containers instead of virtual machines in production. Containers are meant to be immutable and short-lived—so they're frequently redeployed. Rather than pushing individual code changes, you rebuild and redeploy the whole container image. Processes that take place passively, like patching, can be going on constantly, with the latest images kept in your image registry. As a result, the new container image is fully patched and can be rolled out or rolled back as one unit, so that the patch rollout process becomes the same as your (obviously very frequent) code rollout process, with monitoring, canarying, testing, and lots of SREs in tight black ripped jeans. No more Sunday 2am patching windows!
You’ll learn what containers are, why patching is different for containers, best practices for maintaining your container images and patches as part of an image registry, how Google has used a containerized infrastructure to its advantage to patch critical vulnerabilities like Spectre with no downtime, and that despite trying we can’t make jean jackets cool again.

Speakers

Maya Kaczorowski

Product Manager, Software Supply Chain Security, Tailscale

Maya is a Product Manager at Tailscale, providing secure networking for the long tail. She was mostly recently at GitHub in software supply chain security, and previously at Google working on container security, encryption at rest and encryption key management. Prior to Google, she... Read More →

Dan Lorenc

CEO, Chainguard

Dan has been working on and worrying about containers since 2015 as an engineer and manager.He started projects like Minikube, Skaffold, and Kaniko to make containers easy and fun, then got so worried about the state of OSS supply-chains he partnered up with Kim and others to f... Read More →

BSidesSF 20190304 You might still need patches for your denim, but you no longer need them for prod pdf

Monday March 4, 2019 3:30pm - 4:00pm PST
IMAX

Track: IMAX, Talk

3:30pm PST

Collect All the Data; Protect All the Things

Blue teaming has not, up until this point, received the same applause and attention that red teaming has, but the tide is changing. The realization that the charge to "protect all the things, all the time" requires the collection and analysis of all the data is creating the conditions to "bring the sexy" to the blue team.
This talk covers the application of different methods to collect, analyze, and correlate multiple types of data as well as the use of machine learning to generate behavioral anomalies that are incorporated into overall continuous monitoring capabilities. This is not a vendor talk, and with very few exceptions all methods and tools discussed are open source and free; the focus is on the application of concepts.

Speakers

Aaron Rosenmund

I am a full-time author with Pluralsight focusing on security operations and incident response. With that position, I conduct “In the field” incdent response focused research and produce mostly advanced level video courses and demonstration content for Pluralsight. I am also... Read More →

Monday March 4, 2019 3:30pm - 4:00pm PST
Theater 14 (overflow in #10)

Track: Theater 14, Talk

3:30pm PST

Shall We Play a Game?

Muscle memory, incident responders will tell you, is crucial to acting quickly in a crisis. Cyber Threat Intelligence informs what we do, but practice ensures we do it well—executing effectively to eliminate the threat and protect the organization. This session provides an approach to developing security exercises and running practice drills. MITRE's Adversarial Tactics, Techniques, and Common Knowledge (ATT&CK) forms the basis of this approach. We will cover the fundamentals of an exercise: selecting the story, identifying the tactics, threat modeling, table top discussions, adversarial emulation, and scoring. The session concludes with advice on creating an overall exercise program, focusing on repetition, momentum, and building muscle. Turn intelligence into practiced action with security games.

Speakers

J. Wolfgang Goerlich

Advisory CISO, Duo Security

J Wolfgang Goerlich supports information security initiatives for clients in the healthcare, education, financial services, and energy verticals. In his current role with CBI, a cyber security consultancy firm, Wolfgang is the senior vice president for strategic security programs... Read More →

Monday March 4, 2019 3:30pm - 4:00pm PST
Theater 15 (overflow in #11)

Track: Theater 15, Talk

4:10pm PST

Treat the Problems, Not the Symptoms: Baby Steps to a More Secure Active Directory Environment

Since it was introduced twenty years ago, Active Directory has become a major security concern for the majority of enterprises. In spite of the enormous amounts of money spent on defense security products, it is very hard to efficiently protect large domain environments that span across multiple domains and forests. In this presentation we will offer an alternative view on Active Directory security with a strong focus on actionable steps security teams can take to improve their domain security. After a short overview of the current attack trends, we will explore why most defensive products deployed today are not enough to secure complex multi-domain environments and what additional measures security teams should take to better protect their infrastructure.

Speakers

Igal Gofman

Igal Gofman is a head of security Research at XM Cyber. Igal has a proven track record in network security, research-oriented development, and threat intelligence. His research interests include network security, intrusion detection, operating systems, and active directory. Prior... Read More →

Yaron Shani

Yaron Shani has been working in the security field for the last 8 years. He is currently senior researcher at XM Cyber, researching how to attack and mitigate popular threat actors trends in large enterprise network. His past work was ranging from reversing embedded systems, developing... Read More →

Monday March 4, 2019 4:10pm - 4:40pm PST
City View

Track: City View, Talk

4:10pm PST

All Your Containers Are Belong to Us

The rising adoption of container orchestration tools, such as Kubernetes, has enabled developers to scale cloud applications quickly and efficiently. However with this adoption comes with a new set of security challenges, such as securing the APIs used to manage these ecosystems. We recently conducted a research study that uncovered more than 20,000 publicly accessible management nodes open to the Internet. In this talk we will discuss the implications of the findings and provide recommendations for running orchestration systems securely in the public cloud.

The following platforms are exposed and part of the research: Kubernetes, Mesos Marathon, RedHat OpenShift, Docker Swarm, and Portainer (Docker Management). Not only are these management UIs available on the web but we also discovered that their APIs are also available. Some are wide open. We will uncover how we did this research, who is the most popular cloud provider hosting the containers, which regions are most popular, and show demonstrations of exploitation and discover.

Speakers

James Condon

Director of Research, Lacework

James Condon is Director of Research at Lacework. James is a security veteran with over 10 years of experience in incident response, intelligence analysis, and automated threat detection. James was previously Director of Threat Research at ProtectWise (acquired by Verizon), an Incident... Read More →

All Your Containers Are Belong To US James Condon pdf

Monday March 4, 2019 4:10pm - 4:40pm PST
IMAX

Track: IMAX, Talk

4:10pm PST

Beyond AV: Detection-Oriented File Analysis

This talk advocates adding detection-oriented file analysis systems to the modern threat detection technology stack by taking an in-depth look at Strelka, Target's recently released static file analysis system. Strelka's project lead will cover an overview of these systems, review Strelka's features and design, and show how data produced by these systems can be used to find malicious files in the enterprise.

Speakers

Josh Liburdi

Lead Engineer, Target

Josh Liburdi is a lead engineer at Target who focuses on developing, maturing, and maintaining custom threat detection systems and related solutions for Target's Cyber Fusion Center. Josh's specialities are in detection systems engineering, large-scale threat hunting, and adversary... Read More →

beyond av detection oriented file analysis pdf

Monday March 4, 2019 4:10pm - 4:40pm PST
Theater 15 (overflow in #11)

Track: Theater 15, Talk

4:50pm PST

Do Androids Dream of Electric Fences?: Defending Android in the Enterprise

In this talk, Brandon will cover Android enterprise security and how to use the features provided by the platform in your organization to protect your users. Unfortunately, Blade Runner was a few years off, and Androids aren't self-aware enough yet to protect themselves.
Though Android itself has huge uptake in the enterprise, its management features are not as widely deployed, despite potentially providing a lot of enterprise security functionality.
In this talk, you'll learn how Android devices are typically used by organizations, threats to Android in the enterprise, the latest Android enterprise management security features, how these compare to user requirements, how to maximize the use of these in your organization, and how Google itself uses these features to protect its users. Most importantly, you'll learn where to start—after all, we're not computers; we're physical.

Speakers

Brandon Weeks

Security Engineer, Google

Brandon Weeks is a Security Engineer at Google. His focus is on client device security, public key infrastructure and remote attestation.

Do Androids dream of electric fences pdf

Monday March 4, 2019 4:50pm - 5:20pm PST
City View

Track: City View, Talk

4:50pm PST

Back to the SOCless Future: Implementing Monitoring & Response Through Automation

How do you implement effective, scalable, 24/7 monitoring and response without 24/7 staff? The challenge posed by this question is one that the Twilio Security Operations team has been tackling since its inception 3+ years ago. In tackling this challenge, the team has gained insights into the problem and developed a methodology and a serverless automation framework to address it.

In this presentation, Ubani will talk through the motivations, challenges, and solutions the Twilio Security Operations team has developed on their journey towards a SOCless future.

Speakers

Ubani Balogun

Senior Security Engineer, Twilio

Ubani Balogun is an incident response engineer with a background in software engineering. He's spent the last 3 years at Twilio using his software engineering chops to tackle the challenge of 24/7 monitoring and response without a SOC.

bsides2019 Atlas key

Monday March 4, 2019 4:50pm - 5:20pm PST
IMAX

Track: IMAX, Talk

4:50pm PST

RadRAT: An all-in-one toolkit for complex espionage ops

This talk presents a piece of malware that had previously gone unnoticed and that seems to have been operational since at least 2015. Among the remarkable traits of RadRAT are its remote access capabilities, which include unfettered control of the compromised computer, lateral movement across the organization, and rootkit-like detection-evasion mechanisms. Powered by a vast array of features, this RAT can be used in targeted attacks aimed at exfiltrating information or monitoring victims in large networked organizations.

Speakers

Ivona-Alexandra Chili

Monday March 4, 2019 4:50pm - 5:20pm PST
Theater 15 (overflow in #11)

Track: Theater 15, Talk

5:30pm PST

Closing Ceremony

We will be discussing the logistics and joys of organizing the event. Come hear how it all gets put together and who helps us out!

Speakers

Reed Loden

Monday March 4, 2019 5:30pm - 6:30pm PST
City View

Closing Ceremony, Closing Ceremony