BSidesSF 2019

Do you need to start or revamp your application security program?

I have spent the majority of my 20-year career helping government agencies, public companies and now a startup build out application security programs. In this discussion, I will talk about what has worked for me, what has not worked and things you should absolutely *never* do.

Certificate Transparency (CT) logs are a new and incredibly useful tool for bringing auditability and accountability to the public web certificate ecosystem. CT logs aim to provide a verifiable, append-only history of all publicly trusted certificates on the web. With browsers like Chrome now enforcing that certificates belong to CT logs, CT logging has become a vital part of the web's ecosystem.

But as with any new technology, it's our hacker duty to ask the question "How can this be misused?" We'll be providing a deep-dive into what CT logs are, how they work, and how we can take advantage of them for novel and nefarious purposes. We'll also explore if any bad actors have exploited our use cases in the wild. Most importantly, we'll be showing you why CT logs are the best new place to find pictures of cats on the internet.

Go is a programming language created at Google by Robert Griesemer, Rob Pike, and Ken Thompson. Their vision was a statically typed, productive, and readable language with good networking and multiprocessing support. By default, Go binaries are statically linked, and it is very easy to cross-compile binaries for different operating systems or CPU architectures. This makes it easy to produce an executable that can be copied to any machine and run without runtime errors due to missing libraries, something that should be appealing to malware authors.

While Go has exploded in popularity, the same cannot be said for malware written in it. This presentation will take a look at a few pieces of malware written in Go and how they differ from other malware written in, for example, C and try to answer why we don't see more. Also, this presentation will show how metadata in stripped Go binaries can be used to recover everything from function names to source code tree structure and functions’ number of lines of code, which hopefully can give us an insight to the author behind the malware.

Apache Kafka is a widely adopted pub/sub messaging platform that can scale to handle huge volumes of data. It’s a powerful technology but notoriously difficult to configure, especially when it comes to Transport Layer Security (TLS). In this session, we’ll cover TLS best practices that yield a secure and compliant system, as well as critical techniques to maximize performance.

Security automation can look a lot like magic, and many feel a strong temptation to go buy $HOT_SECURITY_ORCHESTRATION_PRODUCT, but it's really not hard to get started automating SecOps with the tools you already have, free and open source tools, and a little bit of code. In this talk I will give a high level view of how a SecOps or other IT group can use automation to save time and effort. I'll walk through an example, with screenshots and code, of how to automate an ops process. I want to remove the magic from automation and present concrete ways for any ops team to do this. This is not a "no code required!" approach to automation, but it's practical and easy enough to get started.

Mainstream IPS/IDS solutions including WAF, NGWAF, and RASPs produce so many false positives they are almost impossible to manage. The reason for that is that they rely on outdated detection mechanisms like signatures, human-defined rules, regexps, etc. In this talk we want to suggest a better method, based on neural network, provide an overview and comparison for several AI-based injection detection architectures, and release a specific architecture and implementation which has produced the best results. To illustrate the application of this methodology, we will review in detail the implementation of AI-based false-positive detection for a SQL injection. The insight is to represent the injection as time series which then lets us apply the same AI-approach as those used in time-series classification. To find the difference between normal requests and attacks/injections, we normalize query to the sequence of tokens/lexemes and pass them to our recurrent-based neural network model which predicts the probability that is the injection. The best architecture to apply here was proven to be bidirectional recurrent neural network with LSTM cells. As a result, it was possible to achieve 96.07% false positive detection quality at the false_positives dataset of 433 samples from libinjection (https://github.com/client9/libinjection/blob/master/data/false_positives.txt).
The implementation of presented model is already used in production at Wallarm for reducing false positive events.

Attendees will take away understanding of most modern AI injection detecting methods, a methodology for building their own RNN network for detection, understanding of the training and test datasets and methodology for accuracy testing.

A current trend among threat actors is the notion to Live Off the Land (LOL). LOL involves using binaries provided by the operating system to reduce the chances of being detected or to bypass application whitelisting. This presentation will look into the possibility of writing a remote access trojan (RAT) that does not handle any network connection on its own. The RAT instead uses TCP services, such as Whois and Finger, that are provided by the operating system to do the network connections to the command and control server. We will also take a look from a defender's perspective. How can we detect this in our environment?

As a bonus, we will also create bash one-liner reverse shells using these services.

The underlying desire with any technology is to push beyond its limits. In the 80s, we had the PC turbo button. In the 00s, everyone got all saas-y with software as a service. In the 2010s, we have the cloud (or as some of us know it, just someone else's computer). Jokes aside, leveraging the cloud allows teams to deliver content more rapidly compared to a local/on-prem solution. This sounds great until you remember nothing in life is free—cloud security is no exception.

While this talk is technical, we will begin by discussing the benefits motivating a small startup's decision to transition from on-prem to the cloud along with the inherent risk. A wide range of factors were considered: hiring, platform selection, technology stack, user management. We will talk about Amazon Web Services (AWS), the moving parts of our cloud, and what was required to get a minimum viable product off the ground. We will share our own ProTips for going cloud first; by the end, hopefully you’ll walk away with a few cheat codes of your own, whether it’s getting a peek at going cloud first or a verification of your own cloud security best practices.

In 2018 there were quite a few local privilege escalation and remote code execution CVEs related to abusing the functionality exposed by WCF services in .NET programs. These were found in products such as VPN clients, commercial network monitoring tools, and antivirus software. In some cases, these services accidentally exposed stronger capabilities than intended (for example, the ability to run arbitrary code). In other cases, sensitive features have been locked down, but the security mechanisms are faulty and can be bypassed.

The aim of this presentation is to spread awareness of WCF as an attack surface and to demonstrate how to get started finding and exploiting these bugs. This will be accomplished by reviewing the vulnerability identification and exploit development process for a recent 0-day privilege escalation in Check Point's flagship antivirus product ZoneAlarm.

Microsoft NTLM is an authentication protocol used on networks that includes systems running the Windows operating system and stand-alone systems. Despite Microsoft's implementation of Kerberos, NTLM is still in use in order to support older systems. Many exploits in the past targeted Microsoft Office and Windows OS internal functions in order to cause the leaking of Windows users' NTLM hashes, which can then be cracked and disclose the original passwords. Are those the only products vulnerable to NTLM credential theft? Find out how PDF files can be weaponized to automatically achieve NTLM hash leaks with no user interaction.

Hands-on incident response roles such as those found within a SOC or CIRT are difficult to staff. Even when these roles are filled, analysts often find themselves faced with unfamiliar tasks. Certification and higher education programs provide a decent foundation, but they do not produce strong responders. For that matter, analyst skills are often weakened by the onslaught of repetitive tasks, such as fielding phishing ticket after phishing ticket.

Ask yourself: Do all analysts on your team have a firm understanding of your company, the SIEM, network forensics, host-based forensics, malware analysis, threat hunting, and working with intel? In this talk, I’ll provide a framework for an on-boarding/baseline training program. The framework is flexible, allowing for multi-phase deployments or an all-at-once bootcamp style training depending on your needs.

The program utilizes experiential training to teach your analysts the HOWs and WHYs behind their processes and tools. We don’t need analysts who can push a button to get a banana — We needs analysts who truly understand the inner-workings of their tools. Adversaries and red teams rely on weaponization… why not weaponize your blue team with the tools they need too?

Security headers are a history of digital scar tissue. Each one there because we discovered something terrible on the internet but couldn't shut it off without breaking things. They allow you to tap into a wealth of security controls built into modern browsers, but most are simply off by default. We'll start with a quick, high level overview of most of the major security headers and what best practice is for setting them.

We'll finish with a deep dive into the content-security-policy header, both the most complex and most powerful security header. I'll show how at my company we got the best security outcomes by enabling developers—the people who best know the content that should be running in our apps—to tailor the CSP header themselves giving us more fine-grained control than a traditional security or operations driven policy.

Who's got time for any of this "culture" business? The security team has more trash fires than they can handle. No one is listening to their warnings!

As it turns out, security culture plays a pivotal role in the health of your organization's security. In this talk I'll go over why I invest so heavily in creating a culture of security at my organization, 10–20 concrete examples of things I do that are easily replicable, my overarching strategy for changing culture, and what it means to measure success when talking about something as intangible as culture.

Many companies have shared their lessons learned in scaling their security efforts, leading to hundreds of blog posts and conference talks. Sharing knowledge is fantastic, but when you're a busy AppSec engineer or manager struggling to keep up with day-to-day requirements, it can be difficult to stay on top of or even be aware of relevant research.

This talk will summarize and distill the unique tips and tricks, lessons learned, and tools discussed in a vast number of blog posts and conference talks over the past few years and combine it with knowledge gained from in-person discussions with AppSec engineers at a number of companies with mature security teams.

Topics covered will include:
• Principles, mindsets, and methodologies of highly effective AppSec teams
• Best practices in developing security champions and building a positive security culture
• High value engineering projects that can prevent classes of bugs
• How and where to integrate security automation into the CI/CD process in a high signal, low noise way
• Open source tools that help with one or more of the above

Attendees will leave this talk with an understanding of the current state of the art in DevSecOps, links to tools they can use, resources where they can dive into specific topics of interest, and most importantly an actionable path forward for taking their security program to the next level.

Since it was introduced twenty years ago, Active Directory has become a major security concern for the majority of enterprises. In spite of the enormous amounts of money spent on defense security products, it is very hard to efficiently protect large domain environments that span across multiple domains and forests. In this presentation we will offer an alternative view on Active Directory security with a strong focus on actionable steps security teams can take to improve their domain security. After a short overview of the current attack trends, we will explore why most defensive products deployed today are not enough to secure complex multi-domain environments and what additional measures security teams should take to better protect their infrastructure.

In this talk, Brandon will cover Android enterprise security and how to use the features provided by the platform in your organization to protect your users. Unfortunately, Blade Runner was a few years off, and Androids aren't self-aware enough yet to protect themselves.
Though Android itself has huge uptake in the enterprise, its management features are not as widely deployed, despite potentially providing a lot of enterprise security functionality.
In this talk, you'll learn how Android devices are typically used by organizations, threats to Android in the enterprise, the latest Android enterprise management security features, how these compare to user requirements, how to maximize the use of these in your organization, and how Google itself uses these features to protect its users. Most importantly, you'll learn where to start—after all, we're not computers; we're physical.

We will be discussing the logistics and joys of organizing the event. Come hear how it all gets put together and who helps us out!