BSidesSF 2019 has ended
Track: Theater 14
Sunday, March 3
 

11:00am PST

Self Care for Security Professionals
A career in security is part of a larger phenomenon called life. The work we do can be so all-encompassing that it can be easy to forget to take care of one's body and one's spirit.

In my career I've traveled the world to speak at security conferences, published a popular textbook, and written the security policies that enabled a company to go public. On the outside it usually looks pretty sunny, but on the inside it's been a mixed bag.

Life happens, and so does anxiety, depression, burn-out, alcoholism, marriage, divorce, medication, therapy, pregnancy, birth, death, etc.

In this session, I'll talk about the strategies I've tried and the various successes (and failures) I've had with managing my mental health. I hope that by sharing my story I can offer empathy and advice to others who may be struggling beneath the surface.

Speakers

Caroline Wong

Caroline’s close and practical information security knowledge stems from broad experience as a Cigital consultant, a Symantec product manager, and day-to-day leadership roles at eBay and Zynga. She is a well-known thought leader on the topic of security metrics and has been featured...


Sunday March 3, 2019 11:00am - 11:30am PST
Theater 14 (overflow in #10)

11:45am PST

Contact Center Authentication
You've built login for your application—maybe you even have 2FA—but what happens when a customer calls the support number listed on your website or product?
Security teams and app developers have thought a lot about online authentication, but we haven't applied the same rigor to designing systems for authenticating over the phone. At Twilio, product and engineering teams have spent the last year thinking about this problem and how to make the experience better for both the customer and the call center agent. In that time, I've called dozens of contact centers to learn about how everyone from startups to Fortune 50 companies attempt to identify and authenticate the end user. This talk will take a look at that research and outline best practices you can use in your own call centers. You'll leave the session understanding what information should be made available to the agent and what kind of product features you can build into your web or mobile application that can facilitate phone authentication.

Speakers

Kelley Robinson

Kelley works on the Account Security team at Twilio, helping developers manage and secure customer identity in their software applications. Previously she worked in a variety of API platform and data engineering roles at startups in San Francisco. She believes in making technical...


Sunday March 3, 2019 11:45am - 12:15pm PST
Theater 14 (overflow in #10)

1:30pm PST

Arcades and Audits: What Gaming Can Do for Your Security Posture
There are a number of audits related to business operations in the event of a catastrophic disaster, and they can be dull to prepare. How can an organization make preparation of these artifacts more tolerable and increase the participation of operations, engineering, and security teams? Gamify it!
This talk will combine research demonstrating the long-lasting positive effects of arcade games (perception, attention, memory, and decision-making) and experience organizing these events at a company with a mature security program. Moreover, the psychology and benefits of gamifying these events can be used for red and blue teams alike. We'll touch on helpful NIST standards, as well as how to make the exercise immersive with simple controls (just like an arcade game). This talk will provide participants with best practices to create their own effective roadmaps for operational resiliency audits, while participants create mental maps for an actual catastrophic event and have fun.

Speakers

Miranda Fullerton

Software Engineer, Cloud Security, Duo Security
Miranda is a SE on the Production Engineering (CloudSecOps) team at Duo Security. She exists online at https://twitter.com/0hh1miranda



Sunday March 3, 2019 1:30pm - 2:00pm PST
Theater 14 (overflow in #10)

2:10pm PST

Slack App Security: Securing Your Workspaces from a Bot Uprising
Slack's developer platform has some powerful functionality that allows you to customize your org's workflow. But with great power comes great responsibility. While Slack has a robust security posture, do you suffer from insomnia pondering the security aspects of third-party apps? Are coworkers pleading with you to install Slack apps with scopes that frighten you? Join Kelly on a walk through the history of the Slack app directory, the unique security problems surrounding it, and what Slack's doing to make it easier for you and all our users to sleep at night.

Speakers

Kelly Ann

Security Engineer, Slack
Kelly Ann is a security engineer on the Product Security team at Slack, where she works on vulnerability assessments of Slack features, as well as educational materials for security best practices for developers. Before joining Slack, Kelly was a penetration tester at NCC Group...


Sunday March 3, 2019 2:10pm - 2:40pm PST
Theater 14 (overflow in #10)

2:50pm PST

Friend or Replicant: How Attackers Automate and Disguise Themselves in a Shroud of Authenticity to Gain Followers, Control Influence, and Malign Credit
Is this "real"? This is the story of how attackers today leverage a variety of tools and tricks to impact the influence landscape at scale. Many have heard of "fake news" and know that those "friends," "matches," or "followers" might not all be real; the information we consume is inflated with likes and ratings generated by coordinated attackers utilizing anything from users' browsers to IoT devices.
How are these fake accounts and likes and clicks created? To what extent are they "real"? This session will explore the fake account ecosystem, with specific focus on the lifecycle of a fake account and how specific tools and attacks are used to create likes and clicks; sometimes through automation and emulators, sometimes using real people through phone farms, mechanical turks, and sweatshops. We'll dissect the different main attack vectors and how they are being exploited:
- Content: repurposed to fit a different context
- Access & Authentication: gained through account takeovers and credential cracking
- Fake Accounts: created strategically to build trust
- Usage: to emulate "real" users and not get caught
Together, we’ll workshop practical steps to building an army of influencers (on a budget) using off-the-shelf tools and show some more advanced techniques seen in attacks today.

Speakers

Anna Westelius

Anna Westelius is a Scandinavian expat and Security Researcher, Analyst & hacking enthusiast turned technology strategist; currently solving fraud and abuse problems as Sr Director of Engineering for Arkose Labs. Originally of a network security background, she moved into the web...


Sunday March 3, 2019 2:50pm - 3:20pm PST
Theater 14 (overflow in #10)

3:30pm PST

Ethical Hacking: DIY Mobile Security Workstation (For Cheap)
Every red and blue teamer needs a dedicated workstation when engaging a network via a pen test or even if you want to test your security skills. While some companies charge up to $749 for this exact system, Dale will show you what he reverse engineered (Are you surprised he hacked it?) using $250 in parts from Amazon and open source software to build the BatPi, a complete mobile security workstation. The BatPi is powerful enough to run Kali Linux or the Parrot Project, both of which contain more than 300 tools, from scanning wireless networks to running Wireshark, to documenting your engagement… Oh and did I mention it has a touchscreen?!

Speakers

Dale Meredith

Author/Trainer/Consultant, My Mentored Learning, Inc.
Like the Dark Knight, Dale Meredith swoops in and saves the day when no one else can. Dale's expertise is in explaining difficult concepts and ensuring his students have an actionable knowledge on the course material. Straddling the line of fun and function, Dale's instruction is...


Sunday March 3, 2019 3:30pm - 4:00pm PST
Theater 14 (overflow in #10)
 
Monday, March 4
 

11:00am PST

Anti-Privacy Anti-Patterns
In this talk, we will examine key research findings and technological innovations in the past 20 years that have led to the accepted practice of collecting all of the data. We show a difference between tangible (e.g. PII) and non-tangible data and show how seemingly harmless data can still be used to derive behavior (with examples!). We also examine how privacy perspective can change depending on your role or background and propose a perspective shift if we are to try to maintain digital privacy today.

Speakers

Sarah Harvey

Software Engineer - Privacy Engineering, Square Inc
Sarah is an engineer on a privacy engineering team at Square. Her background includes almost 4 years of industry experience in security/privacy infrastructure design and engineering, and 4 years of academic privacy research. She has a variety of speaking experience; highlights including...



Monday March 4, 2019 11:00am - 11:30am PST
Theater 14 (overflow in #10)

11:45am PST

Surfing the Motivation Wave to Create Security Behavior Change
For decades security awareness programs have been based on the assumption that employees don't know the correct course of action and with the right training, they will start performing more securely. However, this approach has not proven to be effective. A second dimension needs to be considered in security behavior change: motivation. This talk will explore how and when to motivate employees to security action. It will also discuss how to "surf" motivation generated by both predictable and unpredictable security events to drive security behavior change in a workforce. Finally, this talk will explain how to measure changes in employees' security behaviors and how practitioners can create meaningful metrics.

Speakers

Masha Sedova

Co-Founder, Elevate Security
Masha Sedova is an industry-recognized people-security expert, speaker, and trainer focused on engaging people to be key elements of secure organizations. She is the co-founder of Elevate Security, delivering the first people-centric security platform that leverages behavioral-science...


Monday March 4, 2019 11:45am - 12:15pm PST
Theater 14 (overflow in #10)

1:30pm PST

Goldilocks and the Three ATM Attacks
Automated Teller Machine (ATM) attacks are more sophisticated than ever before. Criminals have upped their game, compromising and manipulating ATM networks, software, and other connected infrastructure. Between having a third-party manage these machines and ATMs deployed on low-bandwidth links, it's an inevitable wild-west environment. In this talk I will review three case studies of ATM attacks, showing how they have become more dangerous than ever before.

In this session, I will discuss unknown ATM flaws our pentesting team has uncovered while performing testing, the various ways criminals are attacking ATMs, the many security problems that we have identified with ATM systems, and what can be done to prevent these attacks.

I will review three case studies of ATMs: one where the ATM security was extremely poor; one where the security was very good but the ATM still fell victim to an attack because we discovered a zero-day in the management software; and one where the security was just right, but its specific deployment had some major flaws that ultimately led to an ATM compromise. In this last case, the attackers side-loaded an application and were able to run a criminal ring that led to $7M USD in losses.

Speakers

David M. N. Bryan

David M. N. Bryan is an Executive Consultant and Technology Leader with X-Force Red, IBM’s elite security testing team. Responsibilities include establishing standardized tools and processes for our consultants and working with clients on penetration testing projects. David has...


Monday March 4, 2019 1:30pm - 2:00pm PST
Theater 14 (overflow in #10)

2:10pm PST

Do You Even Tech Anymore: Management & Leadership in Security?
When many people join the professional workforce and are asked, "What do you want to do?" or the dreaded "What's your 5-year plan?" they answer, "I want to be a manager," without any real clue about why or what a (good) manager does. This is long before they reach the nervous stage of being a manager, see their tech skills disappear, and fear they'll be forever irrelevant. :)
Security conferences have always had talks on "red team," and more recently "blue team" talks have become more frequent. However, there has really been a lack of talks addressing moving to management or leadership and what that really means (personally and professionally).
At Riot Games, the Security team has developed a security program based on feedback and self-service, across a truly hybrid infrastructure. This has not only involved collaboration and education external to Security, but also within the Security team itself as we have mentored younger and new colleagues so they also realise being that Security team in the corner is from a previous generation while also being able to do “cool” stuff, learn and improve.
In this talk, Mark will dive into where he has:
- failed and succeeded as a leader
- faced the challenges and self-doubts of moving from an engineer to a manager and further
- tried to stay in tune with his reports while not becoming a “1-1” machine
- and probably more things :)
An attendee should:
- see some pretty cool video game art (not created by Mark, obviously)
- understand the challenges and benefits of moving from being an engineer to a manager
- learn about a self-service and feedback-driven approach to leadership
Disclaimer: There will be no cool exploits, 0days or buffer overloads in this talk.

Speakers

Mark Hillick

Mark is Product Lead of Security at Riot Games


Monday March 4, 2019 2:10pm - 2:40pm PST
Theater 14 (overflow in #10)

2:50pm PST

Vendor Security: Where Our Data Goes We Follow
Every company big and small partners with external vendors for services. Examples can range from architects, caterers, painters, and law firms to content distribution, hosting, marketing insights, email, machine learning, and contingent labor. The exodus of information to these vendors and the need for their integration with internal resources can pose unique security challenges. In the age of daily breaches, how can you verify and improve the security of your vendors?

This panel will seek to explore diverse experiences and opinions on vendor security from companies both large and small. Topics of discussion will include varied methods for performing vendor security, approaches to influencing vendors, the value of investment in vendor security versus other security functions and priorities, scaling a vendor security program, and the ultimate question: can you really predict the security maturity and likelihood of a breach in another company?

Moderators

Justin Calmus

Chief Security Officer, OneLogin
Justin is the chief security officer of OneLogin, responsible for architecting and leading risk management, security, and compliance efforts. Justin is an information security leader, researcher, and hacker-turned chief security officer who previously served as the chief information...

Speakers

Rachel Black

Senior Manager Application Security, One Medical
Rachel Black is a Senior Manager of Application Security at One Medical focusing on product security, vendor security, and a little of everything else. In her free time she snuggles with her Corgi, plays Stardew Valley on the Switch, and religiously uses Yelp to decide where to e...

Niru Ragupathy

Security Engineer, Google / BSidesSF CTF
Niru is a tech lead manager on Google's Offensive Security team, where she oversees the program and works on red team exercises. She has run web application security workshops at BSidesSF, WiCys and Blackhoodie. In her free time she doodles corgis and writes CTF challenges.

Kyle Tobener

VP, Head of Security, Copado
Kyle Tobener is a VP and Head of Security for the DevOps startup Copado. He began his professional career as a zoologist but fled the jungle to return to San Francisco and focus on tech. He loves application security, third party risk management, and building security programs from...


Monday March 4, 2019 2:50pm - 3:20pm PST
Theater 14 (overflow in #10)

3:30pm PST

Collect All the Data; Protect All the Things
Blue teaming has not, up until this point, received the same applause and attention that red teaming has, but the tide is changing. The realization that the charge to "protect all the things, all the time" requires the collection and analysis of all the data is creating the conditions to "bring the sexy" to the blue team.
This talk covers the application of different methods to collect, analyze, and correlate multiple types of data as well as the use of machine learning to generate behavioral anomalies that are incorporated into overall continuous monitoring capabilities. This is not a vendor talk, and with very few exceptions all methods and tools discussed are open source and free; the focus is on the application of concepts.

Speakers

Aaron Rosenmund

I am a full-time author with Pluralsight focusing on security operations and incident response. With that position, I conduct “in the field” incident response focused research and produce mostly advanced level video courses and demonstration content for Pluralsight. I am also...


Monday March 4, 2019 3:30pm - 4:00pm PST
Theater 14 (overflow in #10)
 