Welcome to part two of our guide to Hacker Summer Camp! Today we are going to cover BSides Las Vegas 2018. If you missed part one or want to skip ahead to other sections use our Table of Contents below:
WHAT IS BSIDES LAS VEGAS?
Dates: August 7th — August 8th
Code of Conduct: https://www.bsideslv.org/code-of-conduct-photo-policy/
BSides Las Vegas is part of the Security BSides series of security conventions, a series of local conventions often held in locations where hacker and information security conventions are not normally held, in order to provide low-to-no-cost education, initiate conversations, and foster community and collaboration. There are 300 BSides events in 100 cities across 26 countries on 6 continents, with BSides Las Vegas being one of the biggest and the crown jewel of them all.
Due to its ethos of being entirely volunteer run (Banasidhe, Jack_Daniel and many others) and FREE of charge to attend, BSides Las Vegas has a more community-oriented and local vibe to its presentations and its community. It is also known for its unique activities, themed speaker tracks and encouragement of community participation.
Whether this is your first time at Hacker Summer Camp or you have attended tons of Black Hat USA and DEFCON events and want something new, this is a hidden gem of a convention that no attendee of Hacker Summer Camp should miss. (Plus, it’s FREE! Who passes up on FREE SHIT!?!)
SHUTTLE BUS INFORMATION & SCHEDULE
You can catch the shuttle from LAS starting at noon on Monday, and you can use it to also attend Black Hat USA 2018 and DEFCON 26. BSides Las Vegas’ friendly, complimentary shuttle will be available at LAS airport terminals 1 & 3, Tuscany, Flamingo, and Mandalay Bay through DEFCON 26.
Monday: Start at McCarran International Airport (LAS) at 12:00 and run a continual loop to Tuscany Hotel until 23:59.
Tuesday: Start at LAS at 06:00, drop-off at Tuscany Hotel, continue to Mandalay Bay for pick-up, continue to LAS for pick-up, return to Tuscany. Repeat loop until 01:00 Wednesday morning.
Wednesday: Start at LAS at 06:00, drop-off at Tuscany Hotel, continue to Mandalay Bay for pick-up, continue to LAS for pick-up, return to Tuscany. Repeat loop until 14:00, then cut LAS from the route, and change the run to Mandalay Bay/The Flamingo/Tuscany from 14:00 to 04:00.
Thursday–Sunday: Run a continual, 24-hr loop between The Flamingo and Tuscany, starting at Tuscany at 06:00 on Thursday, ending at Tuscany at 18:00 on Sunday.
The shuttle stop is at the Tuscany Hotel entrance (NOT the Casino). Wait on the far side of the valet area, under the carport.
HAM LICENCE EXAMS
Always wanted to get a new flannel shirt and pair of suspenders, and join the ranks of certified hams?
Write a short test and get access to experiment on spectrum from 135.7kHz to the moon, up to 1.5kW on parts! Run wifi with extra power on empty frequencies. Annoy your neighbours with an antenna they can’t make you take down!
Offering technician, general, and extra, free of charge.
Most licenses are issued within one day.
BSIDES LAS VEGAS SILENT AUCTION
BSides Las Vegas will be hosting a Silent Auction to help support some of the organizations that are doing great works in the industry and the community.
Located in the Chill Out Room, items up for auction in the past have been everything from hacker wares and No Starch Press books to DEFCON badges. Stop by to see the surprise items for auction this year!
PROS VS JOES CTF
Date & Time: August 7th & August 8th from 9:00 AM to 4:00 PM Each Day
Location: Chill Out Room
The Pros V Joes CTF is an event where the average Joe can have a chance to defend alongside professionals in the field, learning from them while having fun. The game consists of live combat, with each team of Joes defending a network from a Red Cell of professional hackers. Each team of Joes will be led by a Pro Captain (PvJ Staff) and a Pro co-Captain. These fine folks will help train and prepare their Joes, supporting them throughout the two days of carnage and mayhem.
This will be PvJ’s 6th year at BSidesLV. They are yet again overhauling the Gaming Grid, making some changes to game play to fix some problems, while also creating some new and fun surprises for you to discover once you get hands on.
As in the past, this game is designed to give regular Joes their first taste of live-fire security, where they have to defend networks against Professionals who know how to break in.
For the Pros, this is a chance to flex your muscles, showing how good you are against live threats. Or, if you are accepted onto the Red Team to play alongside the PvJ Staffers, it’s a chance to show your skills in pwning all the things. For both colors of Pro, Red and Blue, it is a chance to lend your experience to help others improve their game.
The environment to host this CTF is laced with various surprises to keep the game interesting. The networks that the Blue Teams must defend will be a mix of Windows and Linux, with the typical Internet services (web, DNS, mail, etc) and a mix of obscure systems and services.
THE NEW HACKER PYRAMID
Date & Time: August 7th — 9:30 PM
Location: Chill Out Room
A fun, hacker-themed game show with contestants drawn from the audience, based on the United States game show The $10,000 Pyramid!
You can qualify to enter the game show by showing up at 9:30 PM; if you wish to be a contestant, please arrive on time. Details of the qualification round will be revealed as the game begins.
The game is played in rounds of two teams taking the stage at a time. There will be a total of 12 teams in 2018.
The “civilian” (BSidesLV attendee who passes the qualification) player is offered the choice of giving or receiving clues to/from the “celebrity” player. The player giving the clues will have the answers of the category displayed in front of them. The answers are revealed one at a time to the clue giver. The team has 30 seconds to correctly guess as many of the answers in the category as possible. The clue giver may describe the answer verbally without saying the answer itself. The clue giver may not spell out the answer. If the answer is an acronym, the clue giver may not use any word represented within the acronym.
For instance, if the category is parts of the body, the clue giver can say “head,” “feet” or “hands,” but may not say “body.” If the guesser is stumped, they may say “pass” to move on to the next answer. The player guessing the answers may “pass” on any answer they do not believe they are getting. If there is time remaining at the end of the round, then answers that the guessing player passed on will be recycled back for them to take another shot at.
For every answer that the team names, they receive one point. Points are totalled at the end of each round and the top teams advance.
The final round will be 3 rounds of game play, winner being the team who has the most points.
Prizes will be awarded at the conclusion of all games!
DEFCON 201 TALK HIGHLIGHTS FOR BSIDES LAS VEGAS 2018
This is the section where we have combed through the entire list of talks on both days and list our highlights for the talks that stand out to us. Note that this does not invalidate any talks we didn’t list; in fact, we highly recommend you take a look at the full convention schedule beforehand and make up your own talk highlight list. These are just the talks that for us had something stand out, either by being informative, unique or bizarre. (Sometimes, all three!)
*NOTE: Certain sessions of Ground Floor are held in the Proving Ground room. Please check your schedule!
AUGUST 7TH HIGHLIGHTS
The Best of Security BSides Now and Then: Ten Years of Mixes
Time: 11:00–11:25 AM
Location: Chill Out Room
How to (accidentally?) Change The @%!$ World in just ten years and a couple of two-day follow-ups.
Speaker: Jack Daniel
The Chrome Crusader
Time: 11:30–12:25 AM
Speaker: Lily Chalupowski
SiliVaccine: North Korea’s Weapon of Mass Detection
Time: 2:00–2:55 PM
Location: Breaking Ground
Meet SiliVaccine — North Korea’s national Anti-Virus solution. SiliVaccine is deployed widely and exclusively in the DPRK, and has been continuously in development by the government. When we heard of this strange software, we were immediately driven to investigate it: it’s not every day that you catch a glimpse of the malware landscape inside the closed garden of the DPRK’s intranet. In this talk, we will describe how we were able to obtain a rare copy of SiliVaccine; how we reverse-engineered it; and what surprising discoveries we made about its program architecture — all the way down to the file scanning engine, drivers, and other puzzling implementation details. As it turns out, there is plenty going on behind the scenes of this product. How was SiliVaccine created? Who created it? What was the game plan? We will try to shed light on these questions, and on the sheer effort that must have gone into developing it. If there is anything we learned, it’s that DPRK state-sponsored software is a secretive industry underlain by incredibly shady practices, and that if Kim Jong-Un sends you a free trial of his latest security solution, the correct answer is “thank you but no thank you”.
Speakers: Mark Lechtik, Michael Kajiloti
Engaging the Media: Know Your Target
Time: 2:00–3:55 PM
Location: I Am The Cavalry
Cybersecurity needs more and better ambassadors, particularly on topics that relate to cybersafety, where creating positive social change is more time-sensitive to avoid public harm. A significant part of this is learning how to work with the many media outlets and publications that regularly cover cybersecurity stories. Unfortunately, security coverage can often be sensationalist and counter-productive. It falls to us to provide reporters with the right information to cover complex and sensitive cybersafety topics appropriately. To help attendees learn how best to work with reporters, the I Am The Cavalry Track will have two complementary back-to-back sessions on “Engaging the Media.” Come for one or stay for both.
In “Know Your Target,” four highly respected reporters that regularly cover cybersecurity will share their war stories of working with the security community. They will give you insight into the potential pitfalls of both intentional and unintentional media engagement, and will help you understand how best to build productive relationships with cybersecurity writers. They will also highlight tips and tricks for successful media briefings. This session is an informal panel discussion.
“Telling your story” is a short interactive workshop, during which, three of our expert reporters will walk attendees through tips and tricks for building compelling and credible cybersecurity stories. The session leads will take you through what makes a story “newsworthy”, how to create “hooks” to grab a reporter’s attention, and how best to get your message across. They will also explain how you can pitch your story to other reporters like them, and you may get a chance to get them interested in your story right then and there. This session will include opportunities for brave audience members to engage in live practice with the reporters, but participation is not mandatory.
Speakers: Steve Ragan, Joe Cox, Sean Gallagher, Jen Ellis, Paul Wagenseil
A peek into the cyber security of the Aviation Industry
Time: 3:00–3:55 PM
The aviation sector is not immune to the cyber security risks that have been critical issues for all the other industries. Aircraft like the Boeing 777 are very complex systems that rely on many transponders to communicate their position to air traffic control. It’s quite difficult to hack all systems at once, including the on-board radios and the Aircraft Communications Addressing and Reporting System (ACARS), which is used to send messages or information about the airplane rather than voice transmissions. Consequently, an attacker with a deep knowledge of the plane’s systems could intentionally cause serious problems with its normal operation. In this talk, we are going to take a look at the data communications of an aircraft, previous cases of vulnerabilities that were exposed, and the different threats and their corresponding attack vectors. Additionally, the talk describes how the current recommendation standards address the security needs in the industry and the way forward for a secure future.
Speaker: Nitha Rachel Suresh
Redefining the Hacker
Time: 5:30–6:00 PM
Location: Hire Ground
Many women and underrepresented groups have faced adversity and a lack of inclusion in their careers in security. We have been able to rise above and “hack” through the obstacles. This talk argues that overcoming the adversity we face (as Black, Asian, Latina, Indian, women, self-made students, economically disadvantaged and culturally repressed groups) is a form of hacking in itself. We have been able to rise above the obstacles and elevate our privileges to be active members of the cyber security community.
Speaker: Manju Mude
AUGUST 8TH HIGHLIGHTS
Evil Mainframe Hacking Mini
Time: 8:00–11:55 AM
Location: Training Ground 3
Come live your cyberpunk dreams! Mainframes are the workhorse behind almost every Fortune 500 company. It’s probably time you learned how to hack one. This workshop provides a one-of-a-kind experience, allowing you to get hands-on mainframe hacking experience with multiple labs. This workshop lays the groundwork for mainframe penetration testing, walking you through techniques for gaining system access, performing end-to-end penetration tests, and teaching you to “own” the mainframe. After a brief overview of how z/OS works and how to translate from Windows/Linux to z/OS, the instructors will lead students through multiple real-world scenarios and labs against a real live target mainframe brought on site for the workshop. The areas explored include VTAM, CICS, TSO, and Unix. Students will be given access to a mainframe environment for the duration of the course, where they will learn to navigate the operating system, learn some easy wins, and learn privilege escalation techniques. They will be introduced to the open source tools and libraries available for all the steps of a penetration test, including Nmap, Python, Kali, and Metasploit, as well as being able to write their own tools on the mainframe using REXX and JCL.
Speaker: Soldier of FORTRAN
Using Lockpicking to Teach Authentication Concepts
Time: 10:00–10:55 AM
When we teach security, we often face challenges in conveying our knowledge to a non-security audience. Ideas such as authentication bypass, password uniqueness and complexity, and defense-in-depth are abstract and can be difficult to grasp for those who aren’t already well-versed in the language of security. We need novel approaches to teaching security that go beyond language. Driven by the educational theory of embodied cognition — using hands-on, concrete metaphors to build a better understanding of abstract concepts — I explore teaching lockpicking alongside teaching authentication and security concepts. As security professionals, we deal largely in abstractions, but experiencing physical representations of those abstractions helps solidify understanding of them, both for us and for end users.
Speaker: Kat Sweet
Your taxes are being leaked
Time: 10:00–10:55 AM
Location: Breaking Ground
80% of U.S. small business accounting data is entered and stored on one company’s software. Major professional CPA firms around the world use this company’s tax preparation software and trust that the security controls are doing their job. During a penetration test, I discovered, and disclosed to the manufacturer, a critical unauthenticated information leak/man-in-the-middle vulnerability in the way the tax preparation software transfers customer data between client and server. This vulnerability exposes all customers’ names, addresses, phone numbers, email addresses, social security numbers, jobs, spouse information, and more.
Speaker: Michael Wylie
Time: 12:00–12:25 PM
Location: Ground Floor (Copa room, Tuscany Casino Floor)
For defenders, PowerShell is a major challenge, while for attackers it is an opportunity (if it is enabled). This talk will open with quick explanations and examples of PowerShell abuse by malware in the wild and why it is so common. Then, the main dish will be served: InvokeNoShell, a new framework for generating infected documents containing embedded PowerShell that executes even if powershell.exe is disabled, without admin privileges, bypassing app whitelisting and AV solutions. The tool is fully automatic and capable of generating multiple variants of bypassing output to optimize the testing of solutions claiming to block PowerShell. It will be shown that using the InvokeNoShell framework enables easy automation of the payload generation process from scratch. This makes it possible to create multiple similar payloads automatically, allowing an individual to poke advanced ML unicorn next-NG AV engines efficiently, generating dozens of payloads with a single command.
Speaker: Gal Bitensky
Cruising the MJ Freeway: Examining a large breach in legal Cannabis
Time: 2:00–2:25 PM
Location: Proving Ground
Recently a major Cannabis POS provider — with over 11 million in funding, 23 million pounds tracked to date, and operating in 30+ states & 4 countries — found itself on the business end of a “sophisticated digital attack” not once, not twice, but thrice. Or maybe four times; gross mismanagement of the situation and a lack of transparency made it hard to tell. Their story went from “our 3rd party security auditors verified that only an unsuccessful attempt was made”, to “no wait, make that a successful attempt, but with no loss of PII”, to “ok, all our source code and much of your patient data is on ThePirateBay and our systems will be down for the next month”. Through a combination of OSINT, (ethical) social engineering, and close examination of source code, I hope to shed light on what actually happened, and on how a large portion of all dispensaries in the country can be forced to manually write down sales, and government contracts can be lost, without more outrage from the industry. All eyes are on the industry right now and, given its precarious federal legal status, the next moves made will be crucial.
LibreSSL — Moving the Ecosystem Forward
Time: 3:00–3:55 PM
Location: Common Ground
In response to the Heartbleed vulnerability disclosure of April 2014, the OpenBSD team created LibreSSL, a fork of OpenSSL focused on removing obsolete code and dangerous features, improving security, and simplifying the interfaces, while maintaining backward compatibility as much as possible. Since that time, OpenSSL has also had significant investments in both developers and money. But the principal forks of OpenSSL, BoringSSL and LibreSSL, continue to grow and find unique places in the TLS stack ecosystem. Four years later, has the ecosystem improved? Are there too many forks? Why not merge everything back into OpenSSL? This talk will discuss the impact of OpenSSL, BoringSSL, and LibreSSL on applications and operating systems, why forks still exist, and, with TLS 1.3 right around the corner, where the projects are heading.
Speaker: Brent Cook
Bypassing Antivirus Engines using Open Sourced Malleable C2 Software, MSFVenom, Powershell and a bit of Guile
Time: 5:00–5:25 PM
Location: Proving Ground
There are a multitude of open sourced C2 tools that are readily available for a quick git clone and deployment during a red team engagement. These tools, though new and sometimes kind of buggy, can offer a unique way to bypass antivirus engines, allowing for undetected entry into a network and lateral movement that lets you move around undetected by many modern defenses. The usage of PowerShell scripting in Windows and MSFVenom payload generation in Kali makes it all the easier to apply these methods for quick and easy wins. Using these methods and a bit of guile about delivering the payload will allow a Red Teamer to enter the network easily, bypass the perimeter defenses in play, and lead to exfiltration of data and ultimately the end goal of your assessment: get as much win as you can. Full example located at: https://informersecurity.com/antivirus_bypass/
Speaker: Michael Aguilar
Ask The EFF
Time: 5:00–6:55 PM
“Ask the EFF” will be a panel presentation and unrecorded question-and-answer session with several staff members of the Electronic Frontier Foundation, the nation’s premiere nonprofit digital civil liberties group. Each staffer will discuss a particular issue that has been in the news or on EFF’s docket this year.
Speakers: Nate Cardozo, Kurt Opsahl, Nash Sheard, Eva Galperin
Ransombile, yet another reason to ditch SMS
Time: 6:00–6:55 PM
The general belief is that a mobile device that is locked, encrypted and protected with a PIN or biometrics is a secure device. Personal assistants on mobile devices, like Siri and OK Google, are very popular. They can perform multiple tasks including making calls, sending emails and reading SMS. How secure are they? Can we trust our personal assistants to keep our data safe? With the proliferation of cheap SDR hardware, DIY IMSI catchers, open source tools and still-supported broken GSM protocols, targeting mobile communications is easier than ever. But what are the real consequences? It is well known that SMS is not a secure channel, but the industry is still hesitant to move away from it. This presentation is yet another nail in the SMS coffin and aims to help push the industry away from supporting it. Ransombile is a tool that can be used in different scenarios to compromise someone’s digital life in less than 2 minutes. Email accounts, financial data, social networks… all gone. Have you ever left your phone on the desk unattended? Do you believe losing your phone only impacts your wallet? This presentation is for you.
Speaker: Martin Vigo