Keynote: Jessica Payne (@jepayneMSFT) on Building Security People
Jessica Payne is a Security Person at Microsoft. She’s held roles as a consultant doing Incident Response and proactive security engagements and as a Security Assurance Program Manager for the Windows and Devices Group. Currently she works on the Threat Intelligence team of Windows Defender Research. She has a Twitter account @jepayneMSFT and a blog at https://aka.ms/jessica
Hardware Implant Panel
Based on the interesting news in the past few weeks, we rounded up the top technical experts with experience designing, detecting, and building hardware imlpants to discuss both what’s technically possible as well as what’s realistically probable with implants.
In addition, we’re honored to have veteran infosec and national security journalist and author Kim Zetter(@KimZetter) moderate this panel.
Kim Zetter, Joe Grand, Joe FitzPatrick, @__MG__, @r00tkillah, Mickey Shkatov and Jason Meltzer
BSidesPDX 101 Panel - CTF, Contests, and Events, Badges, & more with
@TTimzen, @securelyfitz, @r00tkillah & @office_deskjet
BSidesPDX continues to grow in size and quality year over year. This panel serves to tell you some of the “what” of the event and will discuss the thing around your neck, CTF challenge development, Contents and Events, organizational changes, new processes to make BSidesPDX better, 501(c)3 status, and more! Don’t miss out on the opportunity to hear from the organizers how things got done!
Learning Security by ATT&CK’ing Yourself
Travis Smith (@MrTrav)
Back in 2016, I presented on how I taught high school students about security by building, hacking, and then securing an internet controlled robot. This year I changed my tactics and leveraged the MITRE ATT&CK framework as a teaching tool instead. In this talk I will go over what the ATT&CK framework is and how I used it to teach students about security. The program was so successful that we are now using it to teach security to anyone from junior to senior level practitioners. Even seasoned veterans have something to learn from the collective knowledge found inside this framework.
Travis is a security researcher based here in Portland at Tripwire. He focuses on how defenders can gain an unfair advantage over attackers.
CyberPDX: A Camp for Broadening Participation in Cybersecurity
Wu-chang Feng
With society’s increasing dependence on technology infrastructure, the importance of securing the computers, networks, data, and algorithms that run our digital and physical lives is becoming critical. To equip the next generation of citizens for the challenges ahead, an effort is underway to introduce security content early in a student’s academic career. It is important that these efforts broaden participation and increase diversity in the field. While many camps and curricula focus on introducing technical content and skills related to cybersecurity, such approaches can prematurely limit how students view career opportunities in the field, potentially limiting those who ultimately pursue it. In addition, it is likely that many problems in cybersecurity can only be addressed in an interdisciplinary manner by those trained in the arts and humanities as well as in technical fields.
In this talk, we describe CyberPDX, a residential summer camp that introduces cybersecurity to high school students. Key to CyberPDX is its focus on the range of societal issues that will be impacted by cybersecurity as well as its coverage of the breadth of roles that students can play to help address them. Through four learning threads taught by faculty in Computer Science, Sociology, and Film Studies, the CyberPDX curriculum spans topics from constitutional law, cyberpolicy, ethics, and filmmaking to programming, cryptography, security, and privacy in order to show students how broad cybersecurity issues are and the many ways they can participate in helping to solve them.
Wu-chang Feng is a Professor in the Department of Computer Science at Portland State University where he offers courses on Internet and Cloud Systems, Web Security, Malware Reverse Engineering, and Blockchain Applications. He currently serves as the program chair for USENIX’s Advances in Security Education and is (a bit shamelessly) seeking submissions for next year’s workshop.
SAST and the Bad Human Code Project
John L. Whiteman
Static application security testing (SAST) is the automated analysis of source code both in its text and compiled forms. Lint is considered to be one of the first tools to analyze source code and this year marks its 40th anniversary. Even though it wasn’t explicitly searching for security vulnerabilities back then, it did flag suspicious constructs. Today there are a myriad of tools to choose from both open source and commercial. We’ll talk about things to consider when evaluating web application scanners then turn our attention to finding additional ways to aggregate and correlate data from other sources such as git logs, code complexity analyzers and even rosters of students who completed secure coding training in an attempt to build a predictive vulnerability model for any new application that comes along. We’re also looking for people to contribute to a new open source initiative called “The Bad Human Code Project.” The goal is to create a one-stop corpus of intentionally vulnerable code snippets in as many languages as possible.
John L. Whiteman is a web application security engineer at Oregon Health and Science University. He builds security tools and teaches a hands-on secure coding class to developers, researchers and anyone else interested in protecting data at the institution. He previously worked as a security researcher for Intel’s Open Source Technology Center. John recently completed a Master of Computer Science at Georgia Institute of Technology specializing in Interactive Intelligence. He loves talking with like-minded people who are interested in building the next generation of security controls using technologies such as machine learning and AI.
Rastrea2r: Collecting & Hunting for IOCs with Gusto and Style
Sudheendra S Bhat (@eaglesparadise)
Rastrea2r (pronounced ““rastreador”” - hunter- in Spanish) is a multi-platform open source tool that allows incident responders and SOC analysts to triage suspect systems and hunt for Indicators of Compromise (IOCs) across thousands of endpoints in minutes. To collect forensic artifacts of interest from remote systems (including memory dumps), rastrea2r can execute sysinternal, system commands and other 3rd party tools (including custom batch scripts) across multiples endpoints, saving the output to a centralized share for automated or manual analysis. By using a client/server RESTful API, rastrea2r can also hunt for IOCs on disk and memory across multiple systems using YARA rules. As a command line tool, rastrea2r can easily integrate with AV consoles and SOAR tools, allowing incident responders and SOC analysts to collect forensic evidence and hunt for IOCs without the need for an additional agent, with ‘gusto’ and style!
Sudheendra (Sudhi) Bhat is an Information Security Professional, currently holds a role of Product Security Architect in Security Operations Group at McAfee. Sudhi has been developing software for last 12+ years and has worked for a variety of Software Corporations ranging from small startups to fortune 100’s. It was while working at Intel 6 years back, Sudhi got exposed to the analyzing Security vulnerabilities which influenced him to pursue Security as a Career Interest. Sudhi Bhat has a Bachelor Degree in Computer Science from MSRIT, Bangalore (India) and Masters Degree in Computer Science from George Mason University, Virginia and holds various Software and Security Certifications, the most recent one being GIAC GWEB (Analyst # 641). Sudhi Bhat is passionate about OpenSource projects and currently maintains and contributes to the projects under rastrea2r organization in GitHub. Sudhi’s current research areas include Forensic Data Collection, Web Services Security and Automotive Security. Apart from Software and Security, Sudhi loves traveling and outdoor photography.
State of Cyber Education
Tobin Shields (@TobinShields)
There is a massive skills gap in the information security field. While many organisations forecast unbelievably high numbers, even the most conservative estimates show that there will be and overwhelming number of positions that go unfilled in the coming years. This “State of Cyber Education” talk will highlight education and workforce development programs that are trying to train the incoming workforce and close that gap. In addition, the talk will end with a call-to-action that will encourage local information security professionals to mentor, engage with, and help train a new generation of students.
I am a information security instructor at Mt. Hood Community College. I have been teaching security topics for the past four years in the Portland/Gresham area and have worked with both high school and college-level students.
Threat Modeling Authentication
Kelley Robinson (@kelleyrobinson)
Passwords get pwned. SMS 2FA gets compromised. We spend time clicking stop signs to convince computers we’re human. Is there a better way? Idealistic and technically challenging solutions for authentication (password reset protocol!, identity on the blockchain!) are tempting but unproven.
This talk will introduce practical ideas for designing your authentication systems and the UX considerations that will influence your architecture. We’ll walk through how to evaluate the risk associated with your business and how to protect your customers appropriately. Putting identity on the blockchain is probably not the answer right now, but together we can find a way to make your users more secure.
Kelley works on the Account Security team at Twilio, helping developers manage and secure customer identity in their software applications. Previously she worked in a variety of API platform and data engineering roles at startups in San Francisco. She believes in making technical concepts, especially security, accessible and approachable for new audiences.
How open source security solutions can solve your problem!
Jeff Bryner (@0x7eff)
You have a set budget for people and blinky boxen and an unlimited set of infosec problems. How can open source help you? Mozilla is working on a new initiative to help curate a set of open source security solutions to common problems. Come here a preview of that work and how you can help!
Jeff is the Director of the Enterprise Information Security team at Mozilla, responsible for risk management, incident response, threat management, intrusion detection, red team exercises and the web bug bounty program. Speaker at 3 DEF CONs, a bunch of B-sides and an RSA (but he didn’t mean it), he enjoys focusing on bringing diversity to infosec and finding new, collaborative ways of solving our now ancient infosec problems.
Survival of the fittest: password edition! Implementing the new NIST guidance into your password policy
Kevin Neely (@ktneely)
Historically, corporate and service password policies are all the same: some combination of characters, length, and 90 days before it expires. What if your security team took a different approach? By testing the passwords with cracking tools and using the results to create a strength metric, you can allow employees to keep their strong password if they landed upon a strong, difficult-to-crack password, only forcing the weak to expire.
This talk will describe the password policy we use, which involves the security team actively attempting to crack employee passwords, forcing a change when discovered, and allowing them to keep the password if it isn’t cracked. More than two years into this program, I will review our mature implementation and present an analysis of the collected password data demonstrating how this approach has markedly raised security awareness of our employees and improved the strength of their passwords. Day-to-day blue team security is hard and draining; this approach gives the defense team members a chance to play the role of attacker with a fun task quite different from their day-to-day.
I will also talk about how to explain this approach to a skeptical customer base and SOX auditor that request and are accustomed to the policy style every company has had for the past 20 years.
Lastly, I will link to a detailed step-by-step approach along with scripts to analyze the discovered passwords available in a public github repository for your immediate use.
By Most Days: Leads the security team at Pure Storage
By Other Days: BSidesSF volunteer, perennial DEFCON attendee, legal scholar, cyclist.
By Night: Wannabe chef and alcoholic beverage enthusiast
Security As Nurturance
Esteban Gutierrez (@apebit)
The infosec industry is plagued with language borrowed from the military culture. We see this in many products and tools sold by security vendors, the processes we use to do security work, and the ideas and theories used to advanced and grow the discipline. I describe this as working under a metaphor: “Information Security is Warfare.” Unfortunately, we see infosec programs fail people and organizations time and time again. Systems are either not built or configured safely or don’t get patched, code develops vulnerabilities, people get phished, credentials get compromised, and people lose time, money, and sanity from having to deal with the fallout. I see this as the result of working under the influence of the warfare metaphor which causes people to see things in way that are adversarial, zero-sum, and controlling.
This talk describes how a new metaphor, “Security is Nurturance”, when used as a goal for a security team flips the traditional paradigms of the security industry and influences new outcomes. When we use this metaphor to inform our approach to how we do security, security goals become less focused on locking access down, building DMZs & firewalls, or rotating passwords (and other adversarial methods) and more focused on processes to help grow the businesses and empower employees with knowledge and accountability. I will talk about a few solutions developed by security teams that exemplify the metaphor, how this metaphor aligns with values focused on enabling people to do what is valuable to them and a call for change in the information security industry.
Esteban has been warily working in Information Security since before the .com bust of 2000. It shows.
Securing Bare Metal Hardware at Scale
Matt King (@syncsrc) and Paul McMillan (@paulm)
Less than three years after it was discovered the Equation Group was backdooring hard drive firmware, courses on how to create such a backdoored firmware are available to the public. New exploits in BIOS/UEFI that enable bypassing OS and Hypervisor protections have become commonplace. Once compromised, remediation is virtually impossible; malicious firmware is perfectly positioned to block the very updates that would remove it.
Truly defending against these threats requires a different approach - traditional vendor firmware signatures and secure boot implementations aren’t good enough. Without mechanisms to detect and recover the firmware, a backdoor could be forever persistent and undetectable. Fortunately, nearly every device available has an existing mechanism to force it into a state which can be used to restore the writable firmware components. We’ll describe how we’ve made use of such capabilities at scale, the challenges in doing so, and what the future holds for securing firmware.
Matt is a security geek responsible for ensuring platform and firmware trust at a cloud service provider. He has pen tested a broad range of systems, helped implement hardware implants, and has a history of rendering all manner of computing devices inoperable.
Paul McMillan enjoys drinking cocktails, breaking the internet, and doing the impossible. He also works on security at Netflix.
Attacking Azure Environments with PowerShell
Karl Fosaaen (@kfosaaen)
For a multitude of reasons, many organizations are moving their operations to the cloud. Along with this, many organizations are introducing old vulnerabilities in new ways. As one of the top cloud providers, Microsoft Azure has had significant adoption and continues to grow in market share. As part of this increase in adoption, there has also been an increase in demand for security testing of Azure environments. Given the blended nature of hosted services, PAAS, and virtual infrastructure, it can be difficult to get a handle on how to properly secure these environments. Reviewing Azure environments can also be time consuming given the lack of automated tools for dumping configuration information.
MicroBurst is a set of PowerShell tools that helps automate the processes of dumping and reviewing Microsoft Azure configurations. This talk will go over the ways that pen testers and defenders can use MicroBurst to dump out the configuration information for an Azure environment, and identify common configuration issues. Security testers will benefit from the speed of dumping environment credentials for pivoting, listing out publicly available services and files, and enumerating additional targets for phishing and password guessing attacks. As an added bonus, defenders can also use these tools to audit their environment for weak spots.
Karl is a Practice Director at NetSPI who specializes in network and web application penetration testing. With over ten years of consulting experience in the computer security industry, he has worked in a variety of industries and has made his way through many Active Directory domains. Karl also holds a BS in Computer Science from the University of Minnesota. This year, he has spent a fair amount of time digging into automating and assessing the Azure stack. Over the years at NetSPI, Karl has also helped build out and maintain their GPU cracking boxes. Karl holds a couple of certifications, that is neat. Karl has previously spoken at THOTCON, DerbyCon, and BSidesPDX. In his spare time, you may see him trying to sell you a t-shirt as a swag goon at DEF CON.
Unsafe Harbor: Practical Attacks on Docker Infrastructure
Josh Farwell (@JoshFarwell)
Docker has become a very popular tool for deploying server applications. It aims to solve many problems with dependency management and drift between development and production environments, and make it easy for developers to deploy their software quickly.
This talk is about how to use all of this wonderful convenience for evil. It will cover Docker containers and how they work (and how to infect them with malware), some services commonly used in Docker infrastructure and how to find and exploit them, and some Docker-specific post-exploitation strategies. It will also cover best practices for mitigating and detecting attacks on your Docker infrastructure and how to create a healthy security culture among your Docker engineers.
Josh is a Linux security practitioner and developer based in Portland, Oregon. He works as a security engineer at New Relic, where he builds security visibility tools, breaks SaaS software, and helps developers build secure infrastructure.
It’s the little things
Ben Sadeghipour (@nahamsec)
Reconnaissance plays a huge role while hacking. While there are 100s of different tools available to make this process easier, you may not be maximizing your recon process without a working methodology. In this session attendees will learn how the best hackers use recon to size up their targets. This methodology helps create an automated process that will actively look for vulnerabilities using OSINT and other well known recon tools.
Ben is a the Hacker Operations Lead at HackerOne, the #1 most popular bug bounty platform by day, and a hacker by night. Prior to joining HackerOne, he has helped identify and exploit over 500 security vulnerabilities across 100s of web and mobile applications for companies such as Yahoo, Airbnb, Snapchat, The US Department of Defense, Yelp, Github, and more. He also invested time in the security community, by creating a community of 200+ active hackers who share ideas and their experience. He has also held a few free workshops and trainings to teach others about security and web application hacking.
Tiny Invaders: New Threats from Cables We Take for Granted
Ken Hollis (@GandalfDDI)
“Miniaturization and system-on-a-chip (SoC) have enabled the explosive growth and opportunities for the Internet of Things. It has also brought around new unseen risk in spots that we never imagined. SoC processors bring a range of functionality now in a form factor small enough to inconspicuously incorporate into everyday items like a USB or network cable. Are we ready for this new variation of a supply chain attack?
We will explore this new threat, some of the mischief that could be done, and look for ways to prepare and combat this as defenders. This will challenge our views of possible threats we should monitor and open up the discussion on how to better assume breach.”
Ken Hollis has had a diverse career. He started professionally programming the first adventure game for girls, “Jenny of the Prairie”. Graduated with a BS in Math/Computer Science. From there he moved to Kennedy Space Center with the Ground Launch Sequencer team and the Main Propulsion System / Space Shuttle Main Engines hardware / software team performing test, checkout launch and landing of the Space Shuttle (https://1drv.ms/f/s!AsoLDJx_szsuc_zSFFU0B1gKkFc ). Next, he worked at ARINC on the ACARS (Aircraft Communication And Reporting System) network, design test build and management of the Tulsa Schools network, Network manager at SouthWestern Power Administration and finally to Microsoft on the protocol documentation for the DoJ / EU, then troubleshooting / fixing production networking outages (“The Cloud”) and lastly working on Security Incidents.
CTF@Work, School, or Anywhere
Steve Willoughby (@TeXnik_PDX)
I will recap my adventures as I challenged my co-workers to raise their security awareness and skills through puzzles and tutorials, which gradually grew until I had created an always-on, persistent CTF game site. I will discuss the benefits to an organization to have games like this to teach coding and security skills, as well as the technical design employed to make the system playable outside a single event (flags are dynamic so “just type ZEBRA as the flag name” doesn’t become common knowledge between players), and allow other users to donate puzzles as isolated CTF modules without needing to trust the overall security of the site to the contributed code. (We assume one person doesn’t have time to write all the challenges full-time, and we encourage players to add to the game.)
“Steve Willoughby is a Senior Information Security Specialist for a Fortune 50 company. He discovered Version 7 Unix while in high school and, apart from brief forays into VMS in college and failed attempts to hide from other operating systems, he’s been spending most waking hours tinkering on UNIX in one form or another, either writing software or administering systems. He lives in the Portland, Oregon area and keeps a vintage Altair 8800 and COSMAC Elf as pets. In his spare time, he runs a MUD game and creates microcontroller gizmos to make his Christmas lights flash in the most over-engineered way possible.”
The Making of the Banglet
Nisha Kumar (@nishakmr)
This year’s DefCon DC503 badge was not a badge at all but a bangle with Bluetooth LE controlled lights. It was a risky gambit that paid off (or not, depending on your perspective).
Nisha is the badge designer for the DC503 badge for DefCon26: https://github.com/pdxbadgers/2018-banglet. She also maintains an open source project: https://github.com/vmware/tern
Grandmothers, Gangsters, Guerrillas and Governments
Ted Corbeill (@TedCorbeillJr)
This presentation will explore threat actors including insiders, cybercriminals, hacktivists and nation-states. We will dissect how these actors operate and analyze their techniques to better understand what makes each group successful. This presentation will translate the “who, how and why” of cyberattacks. We will identify multiple “old school” and modern-day threat vectors and organize attacks by motives like financial and political. Each threat actor type will be explored in detail with real-life use cases and similarities to my personal experience supporting counter-insurgency operations in Afghanistan.
Ted Corbeill is the Senior Manager, Sales Enablement Programs at Verodin. He is a retired Marine Corps Intelligence Officer who is adapting military best practices to improve cybersecurity effectiveness. Additionally, he is leveraging his military experience to build and lead innovative sales enablement programs to drive revenue growth through data-driven insights, business innovation, and collaboration. Prior to joining Verodin, Ted built sales enablement programs for DXC Technology and Hewlett Packard Enterprise.
Oh! 365: Avoid an “Oh ****” moment in Office 365
Dan Whalen (@vac4n7)
“You mean I don’t have to host Exchange? Where do I sign up!” These days, it only takes a few clicks to spin up a fully provisioned Office 365 subscription that gives your users access to all of their favorite office productivity apps they ?love? without all of the operational overhead and licensing headaches IT hates.
As usual, though, security is often an afterthought. It’s easy to overlook how these services impact your risk profile and it can be confusing to figure out exactly what you should be worried about or how to respond if something does go wrong.
In this talk, we’ll walk through real examples of how attackers have used O365 to compromise organizations. We’ll also share techniques we’ve used to investigate and detect O365 compromises. Finally, we’ll share how you can mitigate some of the key risks in O365. You’ll leave with a clearer picture of risk exposure and a bag full of tips and tricks that you can go implement!
Dan is a Detection and Response Lead at Expel, a transparent managed security provider. With many years of experience in security operations at scale, he’s been exposed to a ton of different environments, unusual attacks, and challenging security problems. Dan holds a BS in Information and Security and Forensics from the Rochester Institute of Technology and is an avid learner / conference goer. Lately, he’s been focused on helping organizations detect and respond to security threats in their cloud infrastructure.
The Bottom of the Barrel - Scraping Pastebin for Obfuscated Malware
Patrick Colford (@kaoticrequiem)
Started in 2002, pastebin.com has become the largest service of its kind in the world, serving 18 million visitors monthly and hosting 95 million pastes. Though used for lots of legitimate content, malicious actors have been using the site to distribute obfuscated malware and other malicious content for years. In this presentation, I’ll demonstrate FIERCECROISSANT, an open source tool for scraping Pastebin and decoding obfuscated malware. I’ll also talk about how to tailor FC to your needs, whether that’s to find data dumps, malicious pastes, or other potentially harmful content.
Patrick Colford is a Security Analyst with Cisco Umbrella (formerly OpenDNS). Formerly a Customer Service Representative with nearly 10 years of experience, he joined the analyst team in 2016 to help support Umbrella’s London office. He is passionate about security education and hopes to inspire people all over the world to learn more about whatever interests them.
Intern-alyzing Your Defense
shadejinx (@shadejinx)
Controls testing is just another thing to do on a never-ending list of things to-do. It’s not fun or sexy, but needs to be done more than once. We sought out a way to ‘automate’ the process. By building it into an internship, we found a reason to formalize and document the process. Then we were able to offload some tedious repetitive work to someone who would get educational value out of it (and probably escape before the tedium set in) I’ll outline the program that we set up, share our experience, and show how it’s possible to make the process more interactive, educational, and fun.
Just some guy, you know?
Incomplete Views: Network Incident Response in a Data-Poor Environment
Malcolm Heath
Quite often, when doing network incident response, we find that we either don’t have, or can’t get, adequate information to determine what the actual situation is. While it would be great if we lived in a world where we had all the information all the time, the fact of the matter is that we often need to take action based on an incomplete picture. This talk will focus on what sorts of network data and data collection systems you might want to have, how to analyze the data you do have, and how to use some innovative techniques to mine data you already collect for interesting, and actionable, items.
I’m a security engineer with a company that makes networking and security products. I do incident response, PSIRT, and some research.
Pseudorandom Meta Threat Intelligence. TL;DR - Lessons Learned from the Verizon Data Breach Investigation Report
Walter Abeson (@thesaltr)
You’ve heard about it, you’ve seen it cited, you may have even printed it, but have you actually read the Verizon Data Breach Investigation Report (VDBIR) in its entirety? If not, no worries! While the experience of curling up with a nice libation and the scintillating 70 pages of the VDBIR is quite enticing, come, hear a distilled version. Learn about the latest attack vectors, who the current cast of malicious actors are, and discover how to bolster your security posture against today’s threat landscape. From human to technical exploits, internal to external agents, acquire the knowledge that’s necessary to defend yourself against the threats that matter most.
Walter Abeson is currently a Systems Engineer with RSA NetWitness, focusing on digital forensics, incident response, and threat hunting. Walter thrives at detecting anomalous behavior in endpoint and network environments. Prior to joining RSA, Walter was the Technology Manager for Black Hat, responsible for the NOC and overall security posture. Walter continues to serve as staff for the Black Hat NOC and is also a goon at DEF CON. When not behind a computer, Walter enjoys photography, reading, and spending time outdoors. Follow Walter on Twitter @thesaltr.
Reverse engineering CISSP practice exams (no cheating!)
Alexei Kojenov (@kojenov)
If you read this catchy title and thought “Finally, somebody is going to teach me how to easily pass the dreaded CISSP exam!”, you’d be disappointed. This talk is not about cheating a professional exam (who would ever do that?) As a matter of fact, this talk is not much about CISSP at all. Instead, we’ll be talking about reverse engineering a Java program and reusing its code to extract the valuable data, or in other words, using a few hacking techniques against an imperfect application to improve user experience, get the most out of the application, and ultimately, save one’s precious time. I will demonstrate in real time how to crack open an executable, decompile the underlying Java code, understand its behavior, and reuse the existing classes to make them do exactly what you want. While this is not rocket science, you should come to this talk having some basic Java programming knowledge, or at least being able to read and understand Java code. And in case you were wondering, I did pass the exam and got my CISSP certification, and I’m pretty sure this exercise contributed to my success.
Alexei Kojenov is a Senior Product Security Engineer with years of prior software development experience. During his programming days at a large technology company, he gradually moved from writing code to breaking code, which he enjoyed a lot! Alexei then decided to go work for an application security consulting company, helping big and small businesses identify and fix security vulnerabilities and design secure applications. Currently, he is part of Salesforce’s product security team. Throughout his career, Alexei performed architecture reviews, threat modeling, code reviews, application and network penetration testing, and more. He volunteers for OWASP Portland, where he occasionally speaks on various security topics. Earlier this month, he also spoke at AppSec USA 2018, a major application security conference.
Hey Everyone, Break Our Stuff
Daniel McMahon (@mcmahoniel)
More and more companies are considering bug bounty programs, but intentionally opening up your organization to attackers isn’t always an easy proposition. Join me as I talk about the perils, pitfalls, and lessons learned from over two years of running a paid bug bounty program at a major SaaS company. Hear real-world stories of the types of bugs participating researchers have found and how their findings have influenced our company from security engineers, to our Product team, and beyond.
Daniel is an Application Security Engineer on New Relic’s Product Security team, helping to manage their public Coordinated Disclosure program and specializing in black hoodies, Advanced Persistent APT Threats, and The Cyber.
Containers with windows, elevators and backdoors
Alex Ivkin (@alerxes)
When it comes to container security there are two prevailing schools of thought - either containers are secure by default, so you should not care much, or containers can not be secure in principle, so you should avoid them at all costs. In this talk I offer hard earned insights into the security of both Windows and Linux containers, having dockerized many open source and proprietary apps and shoot myself in the foot plenty of times. I will demonstrate vulnerabilities unique to different architectures of containers and techniques to break out of them.
Alex Ivkin (@alerxes) is a Director of Solutions Engineering at Eclypsium, a local Portland company, specializing in firmware, hardware and supply chain security. Alex has deep implementation experience in a long list of security domains, from hardware to application security to IAM. He co-authored the ISACA CSX Professional certification and spent a lot of time climbing mountains.
Eliminating an entire class of exploits
Ravi Sahita (@rsahita)
Return-oriented programming aka ROP techniques have been used for many 0-day attacks. In this talk, we will describe an approach to eliminate this class of exploit using CPU instructions including what else is critically needed in software to take advantage of this defensive mechanism. we will also discuss what other exploit classes must be addressed broadly.
Principal Security Researcher @ Intel Labs
The Secret to Secret Management
Mark Cooper (@thepkiguy)
The modern IT landscape is filled with secrets: certificates, cryptocurrency wallets, SQL connection strings, storage account keys, passwords, and encryption keys. Getting a handle on secrets management is a top challenge. A centralized approach to secrets management is vital to protect their data and assets, whereby poorly-managed security could lead to breach, non-compliance, or outage.
Mark B. Cooper, president and founder of PKI Solutions, has been known as “The PKI Guy” since his early days at Microsoft. Mark has deep knowledge and experience in all things Public Key Infrastructure (PKI), including Microsoft Active Directory Certificate Services (ADCS), PKI design and implementation, Internet of Things (IoT), mobile security, and encryption. PKI Solutions provides consulting, training, professional services, and assessments to help ensure the security of organizations now and in the future. Prior to founding PKI Solutions, Cooper was a senior engineer at Microsoft, where he was a PKI and identity management subject matter expert who designed, implemented, and supported Active Directory Certificate Services (ADCS) environments for Microsoft’s largest customers.
Security Education 101
nash (@nash12) and Chris Bushick (@PDXPrivacy)
The need for robust personal digital security is growing every day. Individuals, grassroots groups, and civil society organizations are voicing a need for accessible security education. Whether you’re new to computer security concepts or you’re new to teaching, there’s an important role you can play in addressing this need. Using EFF’s Security Education Companion, this workshop will explore how you can support the development of new skills and assembling superhero teams within your community.
As EFF’s Grassroots Advocacy Organizer, nash works directly with community members and organizations to take advantage of the full range of tools provided by access to tech, while engaging in empowering action toward the maintenance of digital privacy and information security.
Chris Bushick is an organizer for Portland’s Techno-Activism 3rd Mondays (TA3M), which brings together technologists and activists to share information related to privacy, security, anti-censorship, anti-surveillance, and open source software and hardware. Chris is also the founder of PDX Privacy, a group working towards transparency in the acquisition and use of surveillance systems in the Portland Metro area.
Lightning Talks Hosted by @TTimzen
BSidesPDX will be hosting lightning talks this year! Come find TTimzen at the conference, during the BSidesPDX 101 panel or in the CTF room to sign up! We will be doing 5 minute talks for everyone who signs up!