Keynote – Brian Kelly

Security BSides defines community. BSides Connecticut is designed for and by local information security community members; attendees have opportunities to both present and participate in an intimate atmosphere that encourages collaboration.

I will focus a short talk on the importance of community and the principles behind the BSides idea:

  • Expand the conversation.
  • Enable people to join the discussion. 
  • Get people involved.

We often hear that all politics is local (oh no, not politics); in my opinion all Information Security/Cybersecurity starts local. Conversations about Information Security/Cybersecurity start with our friends, family, classmates, and coworkers (locally), then move to state and regional conversations at events like this, where we meet new people and the conversation grows. These connections and conversations won’t end today; they’ll continue online, and we’ll look forward to next year.

Brian Kelly is the Director of the Cyber Security Program at EDUCAUSE.

Mental Health Hackers

Our mission is to educate tech professionals about the unique mental health risks faced by those in our field – and often by the people with whom we share our lives – and to provide guidance on reducing their effects and better managing the triggering causes.

We also aim to provide support services to those who may be susceptible to related mental health issues such as anxiety, depression, social isolation, eating disorders, etc.

Please understand that we do not provide counseling or therapy services. While there are no medical professionals on our board, we regularly consult with them on content and recommendations for training, phrasing, and information sources.

Check out our Mental Health Village at BSides CT 2019 and sign up for a free massage.

https://www.mentalhealthhackers.org

Track 1

Event Injections: Sending Evil to the Cloud – Tal Melamed

Serverless applications have seen a significant rise in adoption in the past year. Along with its advantages, serverless architecture presents new security challenges. Some of these security threats are equal to those we know from traditional application development and some take a new form.

One particular example is injection attacks. Yes, SQL/NoSQL, OS and code injection attacks all still exist. But when dealing with a monolithic application we only have one way in. What happens when we move to a serverless architecture and lose the perimeter? Code is no longer executed directly; it is executed through cloud events, whether that event is a file upload, an email sent, a notification received or a simple log entry.

In this talk, I will examine the Serverless #1 risk, Event Injection, and will demonstrate injection attacks from multiple event types.

In the past year, Tal has been experimenting in offensive and defensive security for serverless technology as part of his role as Head of Security Research at Protego Labs. Specializing in AppSec, he has more than 15 years of experience in security research and vulnerability assessment, previously working for leading security organizations such as Synack, AppSec Labs, CheckPoint, and RSA. Tal is also the leader and creator of the OWASP Serverless Top 10 and DVSA projects.

Election hacking defined, and how to fight back – Andy Dennis

What does election hacking mean?

Coming up with a definition is fraught with difficulties. Where are the boundaries beyond which an incident is no longer considered hacking, but some other crime? The term is often thrown around in the media but can be ill-defined and nebulous.

Each jurisdiction implements different rules for who can donate and participate in elections. Is illegally funding an election campaign hacking, or electoral fraud? Do these types of actions, which predate the Internet and computing in general, constitute hacking?

Typical ways of throwing elections from fraudulent ballots to ballot stuffing have been observed in multiple countries. Should these be considered hacking too?

In this presentation, drawing upon research conducted from 2017 through 2019, we will seek to narrow the term down into something more concrete. With this goal in mind, we will then look at six proposed attack vectors (called the hexad) that comprise the attack surface elections and referendums can face from hackers.

Following this, we will walk through some real-world examples of actions that meet these criteria, and how some campaigns have successfully fought back. The talk will wrap up with some thoughts on how future electoral campaigns can defend against nefarious actors.

Andy has 16 years’ experience in the tech industry and works as a Full Stack Architect with a focus on Cybersecurity for Modus Create, a D.C. area based consultancy. His day-to-day job runs the gamut from designing secure systems in AWS to rolling out endpoint security. He holds an MSc in Information Security from Royal Holloway, University of London. It was during graduate studies that he became interested in the subject of election hacking, which became the focus of his Master’s thesis. He’s here today to present some of his models and thoughts around election security.

Reversing and Bypassing DRM/HSM Dongles – Jeremy Mill

The talk is about a USB dongle DRM system which also has HSM functionality built into it. One of the main features of this dongle is an ‘enveloper’ which takes an existing application and wraps it in another executable and attempts to prevent execution of the existing application. In this talk I first reverse engineer the driver for the dongle with Ghidra and edit it to remove anti-debug functionality. After removing the anti-debug features I examine the ‘wrapped’ executable. I first perform a simple bypass of the dongle requirement, but then also extract the encryption key from the wrapper application and dump the ‘existing’ application which was being protected. Additionally I will outline some of the cryptographic flaws in the HSM functionality of the dongle.

Jeremy is a cyber security engineer specializing in appsec. Previously he worked as a software developer specializing in implementing multi-factor authentication systems, PKI infrastructure, and cyber security remediation for legacy systems. He is also a former Marine who worked in signals intelligence.

Vigilante: Bringing a nail bat to a gun fight – nobletrout

Middleboxes are everywhere. You’ve installed some, your work operates bigger ones, the NSA and FSB probably have the coolest ones. Sometimes they are deployed for good, sometimes for bad, and sometimes out of necessity. You might call them visibility appliances, next generation firewalls, or just “my soho NAT, router, internet access thinamajiggah.”

In this talk I’ll speak to how middleboxes work, from SSL interception to FTP tricks, why they break TLS 1.3, and why they are everywhere.

Nobletrout has officially moved to New Hampshire. He hacks things, breaks things, occasionally fixes things. He likes to think of himself as a badass hacker, but really has just faked his way until now. He enjoys not paying taxes, working on aging land rovers, and skiing any chance he gets.

Wrangle Your Defense Using Offensive Tactics – Matt Dunn

The key to a good defense is understanding the offense. Grab your lasso and hop in the saddle, because this talk will cover attack techniques that are regularly used to compromise networks and how they can be leveraged by the blue team to build a stronger defense. Forget vulnerability scanners: in this talk we cover issues they rarely catch, including discovering unknown weaknesses externally and internally, weak passwords, in-memory credential theft and privilege abuse.

Learn how to discover, exploit and defend against those weaknesses using a number of free and/or open-source tools, as well as defense tips and the IOCs needed to tune your SIEM. Lastly, the MITRE ATT&CK framework will be introduced, so that you can utilize the same tactics on the entire gamut of known attack vectors.

Matt is the lead security analyst in charge of offensive security at Schneider Downs. Over his career, Matt has worked in computer and mobile device forensics, information security consulting, penetration testing, e-discovery, Windows system administration and Linux system administration. In addition to focusing on the technical areas of security, Matt enjoys working directly with clients to help them improve their security programs and policies. The ever-changing nature of IT and information security is what drew Matt to his career, and he strives to be a continuous learner. He is driven to help clients, and the world at large, be more secure.

The Unmanaged Device Tsunami: Surf or Suffer? – Ziv Dines

There’s a tidal wave of unmanaged, un-agentable devices sweeping across businesses in every industry: from devices like smart TVs, MRIs, patient infusion pumps, industrial device controllers, and manufacturing robotic arms, to printers, smartwatches, smart HVACs, and badge readers. Traditional security products can’t see these devices, making them ideal targets for bad actors who can use them to conduct attacks easily and undetected. Join us to learn about the explosive growth of unmanaged and un-agentable devices, real-world attacks we have seen, and the agentless device security strategy that fills the gaps in traditional security products — one that companies like Sysco Foods, Mondelēz, and Mattress Firm are now using.

Ziv Dines is the Senior Director of Solutions Architecture for Armis.

Zoom 0-Day: How not to handle a vulnerability report – Jonathan Leitschuh

On July 8th, 2019, a bombshell 0-Day vulnerability was dropped on Zoom Inc that disclosed how anyone could maliciously join a victim’s Mac to a call with their video camera active simply by visiting a malicious website. Additionally, Zoom left behind a hidden daemon that would re-install the Zoom client after it had been uninstalled. It was later discovered that this “feature” could be abused to allow remote code execution.

In this talk, I’ll discuss my communications with Zoom’s security team and the reasoning behind what led to my decision to resort to 0-Day disclosure. Additionally, we’ll walk through the post-disclosure timeline around how this vulnerability went from bad to worse, requiring the Apple security team to step in and use MRT to resolve this vulnerability.

Jonathan Leitschuh is a Software Engineer and Security Researcher. He is currently a member of the Gradle Security Team. His company’s software is used to build almost all JVM based Android applications in the world. His research focuses on build infrastructure and software supply chain security.

Track 2

Blue-teaming & Incident Response for the “Win”! – Roy Wattanasin

Does your company use Windows, or is most of your environment Windows? Come to this session to learn the ins and outs of the most critical things needed to establish a respectable blue team program at your organization. Do you know what Windows security event log 4688 means? What about others? Which event logs should you know by heart or have a cheat-sheet for? What tools should you be using, and how can you automate them to help detect lateral movement? We will be leveraging open-source tools; no additional $ is required. Trying harder, building your technical skills and doing proactive threat hunting will help you and your team. “Don’t worry, all of this information will be useful for all no matter what level.” Time permitting, we might also briefly talk about incident response. Also, bring your technical questions for our Q&A session…

Roy Wattanasin is currently a healthcare information security professional. Additionally, Roy is an avid speaker who has spoken at many conferences and webinars. Roy also enjoys data forensics & incident response and building security in. He is heavily involved with many computer security groups including OWASP Boston, ISSA and the local communities. Roy is also a member of multiple advisory groups. He was an adjunct instructor at Brandeis University as part of the Health and Medical Informatics program and is also the co-founder of that program. He is credited with bringing back the Security BSides Boston conference (setting the standards) and enjoys seeing it grow each year and succeed with its new team members.

Rethinking Privileged Access Management for Agile Clouds & Data Center Environments – Brian Gladstein

Managing privileged access inside cloud environments is completely different from the corporate environment. We love Linux because it’s so fast to build and deploy web apps, but the minute you want to put any kind of centralized security or control over that environment, you risk running DevOps into the ground.

The fact is, DevOps needs elevated access like root and sudo to deploy code and fix issues as quickly as possible. However, we also need a centralized way to manage that access so security policies are enforced on sprawling cloud hosts/containers. In this session, we’ll talk about moving from heavy-handed access control to lightweight, agile access guardrails that are built specifically for DevOps. Learn about:

  • Real-time user session monitoring for visibility and audit/compliance
  • Just-in-time access approvals and pre-execution blocks using 2FA or Slack/Teams
  • Threat detection and alerting for Linux based attack vectors
  • Identity-based policy for shared accounts and root-access users

Brian brings over 15 years in the cybersecurity industry to Cmd, where he’s helping to bring the company’s unique Linux security & access control technology to anyone who is operating a Linux cloud or data center. Previously at companies that include Carbon Black and RSA Security, Brian specializes in emerging security technology, launching category-redefining products that disrupt the status quo and help protect millions of people around the globe.  

Extensible DevSecOps pipelines with Jenkins, Docker, Terraform, and a kitchen sink full of scanners – Richard Bullington-McGuire

Have you ever needed to wrestle a legacy application onto a modern, scalable cloud platform while increasing security test coverage? Sometimes real applications are not easily stuffed into a Docker container and deployed in a container orchestration system. In this talk, Modus Create Principal Architect Richard Bullington-McGuire will show how to compose Jenkins, Docker, Terraform, Packer, Ansible, Vagrant, Gauntlt, OpenSCAP, the CIS Benchmark for Linux, AWS CodeDeploy, Auto Scaling Groups, Application Load Balancers, and other AWS services to create a performant and scalable solution for deploying applications. A local development environment using Vagrant mirrors the cloud deployment environment to minimize surprises upon deployment.

Richard Bullington-McGuire is Principal Architect at Modus Create. He is a serial entrepreneur and versatile technologist with experience in security, agile processes, software development, system architecture, devops, mobile computing, for-profit and non-profit start-up companies, and design. Since 1995, he has continuously operated and defended Internet-connected production systems, the longest running being The Obscure Organization. He is a member of both IEEE and ACM.

Trust and Security: The Odd Couple Driving Your Business – Loren Dealy Mahler

The relationship between trust and security is often misunderstood, yet neither one can be successful without the other. Trust drives the very business that security is tasked to protect, but too often they are siloed between different parts of the organization. Breaking down these walls leads to improved business outcomes and a more secure organization. 

This session will take a deep dive into what trust really means to your business, and its complex relationship with security. We’ll also look at specific ways to more fully integrate the building and preservation of trust into the security side of the house. By better understanding how this odd couple drives your overall business, you can not only perform your specific role more effectively, but also contribute to improved business outcomes across the organization.

Loren is the President of Dealy Mahler Strategies, LLC, a strategic communications firm specializing in reputation management and crisis communications. With an emphasis on cybersecurity, the firm helps clients effectively manage risk through smarter communications strategies and incident response planning and management.  Loren is a seasoned strategic leader with high-level experience from the White House to corporate America. She has held roles at the National Security Council, Department of Defense, on Capitol Hill, and served corporate and non-profit clients as VP of communications for a PR firm in New York.  In 2016, she launched Dealy Mahler Strategies, and hasn’t looked back.  Loren currently serves on the Board of Advisors for the Cybersecurity program at Rutgers University and is a Visiting Fellow at the National Security Institute at George Mason University. She authors the “Communications War Room” blog at csoonline.com, and frequently speaks at events around the country.

Most Vulnerable Product: Easy to implement security solutions and strategies for the modern web application stack – Jason Portnoy

This talk intends to show security professionals and developers there is a middle ground between speed and security by demonstrating web application development with a focus on secure techniques. What makes this talk different is that we’ll be looking at this from the perspective of a developer. Using common web application security tactics, we’ve developed a hardened development process that can be implemented easily in most languages.

This talk will appeal to developers as well as anyone involved in web application penetration testing or development operations. Nothing presented will be considered a breakthrough; what will be presented is a practical, easy to replicate process illustrating secure web application development from idea to invention.

Jason Portnoy is a software developer with 7+ years of professional experience in developing full stack MVP applications to production ready applications.

Building Castles in the Cloud: AWS Security and Self-Assessment – Rami McCarthy

As comfort and familiarity with cloud computing are now more mainstream, companies are leaning more and more on cloud resources to host and run even their most sensitive technical assets. With these new technologies and innovations come new (and old!) security concerns. As a consultant, I’ve had experience breaking into AWS environments with varying sophistication of security posture, and then helping those clients patch holes and harden their environments. This talk will lean on those experiences to provide you with a guide to securing your AWS environment, and then validating that security.

We’ll start by walking through AWS’s Shared Responsibility Model. Then we’ll identify the features of AWS that are most important for security, and give tips on best practices and easy wins. After establishing these security standards, we’ll take a quick look at a few (free) tools for auditing AWS configurations, including NCC Group’s own open-source ScoutSuite. You’ll leave this talk with concrete next steps for improving your own cloud security posture.

Rami McCarthy is a Security Consultant with NCC Group, joining with the acquisition of VSR in 2016. He’s spent the past three years performing security assessments of all kinds, from SaaS products to cloud IoT platforms. In addition to client work, Rami has authored blog posts on misspelled security headers and enterprise Chromebook security. Rami got his start in security as an intern at a deep web threat analysis startup, and has a BS in CS from Northeastern University, with a concentration in cyber operations. He’s currently pursuing an MS from Brandeis University.

Securing Active Directory & PAM for ADDS – Rohit D’Souza

Active Directory is the fundamental application that provides authentication & authorization to all of the underlying systems within a Windows environment. While it is easy to deploy, it is just as easy to exploit if the correct protocols and security features are not set in place. We’ll cover the basic common practices to best secure Active Directory and take a deeper dive into less commonly known features such as time-based group memberships & bastion forests. We’ll also cover what PAM is, how to implement it and what its overall goal is.

Rohit D’Souza has been an IT professional for over 10 years, working in a myriad of different industries including retail, automotive and healthcare services. He’s an MCSE & CCNA certified solutions engineer currently working at Wayfair on the Corporate Engineering team. When not sitting (or standing) in front of a screen, he loves to go scuba diving or skiing and is an avid sports fan.