HYBRID HACKER SUMMER CAMP 2021 GUIDE — Part Two: BSides Las Vegas
Welcome to the DCG 201 guide to Hybrid Hacker Summer Camp! This is part of a series where we are going to cover all the various hacker conventions and shenanigans at the end of July to the end of August both In Person & Digital! As more blog posts are uploaded, you will be able to jump through the guide via these links:
HYBRID HACKER SUMMER CAMP — Part One: Surviving Physical + Virtual Vegas
HYBRID HACKER SUMMER CAMP — Part Two: BSides Las Vegas
HYBRID HACKER SUMMER CAMP — Part Three: Ring Zer0
HYBRID HACKER SUMMER CAMP — Part Four: Black Hat USA
HYBRID HACKER SUMMER CAMP — Part Five: FuzzCON
HYBRID HACKER SUMMER CAMP — Part Six: DEFCON 29
HYBRID HACKER SUMMER CAMP — Part Seven: USENIX
HYBRID HACKER SUMMER CAMP — Part Eight: SIGS, EVENTS AND PARTIES
BSides Las Vegas — Camp Stay @ Home
Date: Friday, July 30th (10:00 AM EST) — Sunday, August 1st (10:00 PM EST)
Website: https://www.bsideslv.org/
Platform(s): Twitch, Discord
Schedule: https://www.bsideslv.org/schedule
Live Streams:
Twitch Track 1: https://www.bsideslv.org/stream1
Twitch Track 2: https://www.bsideslv.org/stream/stream2
Chat: https://discord.gg/YcCWqMW5
Accessibility: BSides Las Vegas is FREE this year. You can go to the different rooms, participate in contests and events, listen to DJs and watch talks. The Discord primarily uses text messages, the system emoji and reactions, and you can listen to audio and watch video in the channels that support them.
Code Of Conduct: https://www.bsideslv.org/coc
BSides Las Vegas is part of the Security BSides series of security conventions, a series of local conventions often held in locations where Hacker and Information Security conventions are not normally held, to provide low-to-no-cost education, initiate conversations, and foster community and collaboration. There are 300 BSides events in 100 cities in 26 countries on 6 continents, with BSides Las Vegas being one of the biggest and the crown jewel of them all.
Due to its ethos of being entirely volunteer run (Banasidhe, Jack_Daniel and many others) and FREE of charge to attend, BSides Las Vegas has a more community-oriented and local vibe to its presentation and community. It is also known for its unique activities, themed speaker tracks and encouragement of community participation.
For 2021, BSides Las Vegas brings Security Summer Camp to a screen near you! All of the quality content and networking you love us for, all of the mischief and weird Canadian hijinks, and even something not entirely unlike our famous pool party!
PROS VS JOES CTF
Date & Time: July 31st from 10:00 AM to 10:00 PM EST Each Day
Pros vs Joes is a Capture the Flag event where inexperienced users learn from seasoned professionals in a fierce competition of attack and defend.
Blue Teams of Joes work with Pro Captains to compete against other defending Teams, protecting horrifically vulnerable networks from assault by a dangerous and relentless Professional Red Team.
For two days the battle will rage on an ethereal field rife with desktops and servers, Linux and Windows, systems and software both old and new.
On day one, Blues lock down their systems against the onslaught.
On day two, Blue Teams turn Purple and can go offensive, attacking the other competing teams.
After the dust settles each day, Blue and Red discuss events to help further mentoring and learning of defensive and offensive tradecraft. Come witness the teams do battle after weeks of preparation.
Only the strongest will survive, but all will learn and have fun!
Lockpick Video Village
For the first time ever, the BSidesLV Lockpick Village team will be running instructional videos on lockpicking. Check them out in between talks, read our handy instruction manual and come chat with us in the lockpick-village Discord channel.
Hire Ground Camp Counselors
Congratulations on realizing that we all need some help with our career search! We have two groups of camp counselors ready to assist you.
Each camp counselor has set up a scheduling link () for one-on-one sessions. Select a link and see what time is best for you!
https://bsideslv.org/hire_ground
Career Coaching
Career coaches are established community professionals who will give you honest commentary on what to look for next in your career or help you strategize how to overcome certain challenges.
- Vince Romney 12–2pm: Avid proponent of security-as-a-lifestyle and practitioner of IT security for over 20 years across both military and civilian organizations.
- Kat Sweet 12–6pm: Security professional, educator, and leader building a strong security culture rooted in trust, empathy, and empowerment.
- Pablo Breuer 12–2pm: Long time community volunteer who is great at Battleship.
- Bob Grouley 2–4pm: Experienced CTO, author and entrepreneur with extensive past performance in enterprise IT, corporate cybersecurity and data analytics.
- Kevin Mau 2–4pm: A well versed packet hunter.
- Kevin Babcock 2–4pm: Business-oriented cybersecurity leader with more than twenty years’ experience leading software-as-a-service (SaaS) projects.
- Jennifer Havermann 2–6pm: Tribe of Hackers honoree.
Resume Review
Resume reviewers are technical recruiters in our community who are setting aside 30 minutes to review your resume and give you the straight scoop on how to improve your resume.
- Christine Winchester 12–2pm: Long time community technical recruiter who likes marshmallows.
- Jamal Drake 12–2pm: Tech recruiter who can tell really good campfire stories.
- Jesse Gonzales 2–4pm: Tech recruiter who understands the value of a slip knot.
- Josh Madrid 2–4pm: Tech recruiter who enjoys the great outdoors from the comfort of his tent.
- Suzie Grieco 4–6pm: Tech recruiter with a great laugh and awesome smile.
- Jason Hursey 4–6pm: West coast tech recruiter with an amazing boss.
The Camp Stay At Home Challenge
Instead of the usual shenanigans, we’ve carefully assembled a few things for you to figure out. The first one is how you’re going to play: you’ll need some other campers (3–7, ideally), and you’ll need to find the camp. Some of the staff can help you with that, but you’ll need to figure out who. Once you’re there, our puzzle master has left you a map that should lead you to where you need to go. Good luck, campers, and remember: it’s not cheating to read the source code!
BSidesLV not a pool party party
Live from somewhere in the desert, join Keith Meyers and his special guests for the exact opposite of a pool party, in your living room. We guarantee that if you’re not moved to dance, you will at least be moved to party! (22:00 PST, Stream One)
HackerWood Squares (brought to you by our friends from the 10,000 cent Hacker Pyramid)
We’re back, despite closed borders, metric, hangovers, and an ongoing penchant for pretending that french fries, cheese curds and gravy are a meal. This year is a little different. Join the Hacker Pyramid crew and our 9 invited guests for a game where our somewhat-randomly selected contestants have to figure out if they’re really that smart, or bluffing their way through things. (20:00 PST, Stream One)
DCG 201 TALK HIGHLIGHTS FOR BSIDES LAS VEGAS 2021 (PST)
This is the section where we have combed through the entire list of talks on both days and listed the highlights that stand out to us. Note that this does not invalidate any talks we didn’t list; in fact, we highly recommend you take a look at the full convention schedule beforehand and make up your own talk highlight list. These are just the talks that had something stand out for us, either by being informative, unique or bizarre. (Sometimes, all three!) All times are PST.
JULY 31st HIGHLIGHTS
How I hacked a bank using pen & paper
Ground1234!
I Wish Google Could Just Not Be Evil: A Security-based Comparison of Major (& Not-so-major) Email Providers
Proving Ground
It’s no secret to say email is the core of everyone’s digital life — which means there’s only one place someone would have to go to assume or ruin someone’s life online.
Putting aside how every email provider says they “care about our user’s security”, there are a number of which that specifically use security as a selling point — but how secure are they?
This talk will compare a number of notable email providers across a variety of security-focused criteria.
Jeremy Brown, Ms. Cheryl Biswas
Revenge on the Worms! Towards Deception Against Automated Adversaries
Ground Truth
Automation and artificial intelligence (AI) are both hugely beneficial for cyber defenders. This holds true for red teams too — AI-enabled vulnerability discovery, penetration testing, and red teaming are all active applied research topics. But if we can use AI for our red teams, can our adversaries as well? In the same way we use AI for automated red teaming, we can easily imagine even low-sophistication threat actors creating stealthy, efficient, and extremely fast attacks with a simple push of a button. How should we defend against this?
We think deception is the answer: by crafting deceptions that specifically target automated decision-making algorithms, we can slow down the misuse of AI and automation by adversaries. In this talk, we’ll expand on this thesis, discussing both how the AI automated planning subfield can help malicious actors as well as how planners can be deceived. Our talk will outline a series of simulated experiments we ran showing which types of deception actions/topology modifications made our networks more challenging for an automated planner to compromise. Through this talk, we hope to increase awareness and inspire future research into the area of using deception against automated adversaries.
Andy Applebaum, Dr. Ron Alford
Gamification of Tabletop Exercises
Proving Ground
Standard tabletop exercises (TTXs) are a staple of security risk assessment and are, generally, useless. The same people read verbatim from the same IR/DR/BCP plans, half asleep, wondering how fast they can check this stupid box for their SOC 2 audit. Most of the time, neither the participants nor the facilitator want to be there, and no one comes away having learned anything except to call in sick the next time one is scheduled.
Tabletop Role Playing Games (TTRPGs), on the other hand, bring all the hackers to the yard. While the Venn diagram between gamers and hackers isn’t a perfect circle, it’s probably close. TTRPGs combine elements of simulation, teamwork, and lateral thinking, with just enough random chance to keep it interesting.
Participants will learn about the differences and similarities between TTXs and TTRPGs, why someone would want to gamify a professional exercise, and what makes a game sing.
Kelly Ohlert, Dr. Allan Friedman
You Don’t Have to Be Crazy to Work Here: An Honest Talk About Mental Health
Common Ground
Cybersecurity professionals spend most of their day focused on the health and wellbeing of the environments in their care. However, the cost of reducing risk and keeping our networks safe often comes at the price of our professionals’ mental health. Many InfoSec professionals burn out, suffer from anxiety and depression, and turn to unhealthy coping mechanisms, which further exacerbate underlying psychological and physical health issues.
This talk will alleviate the stigma around mental health and stress the importance of open and frank dialogs about this critical issue impacting our community. I will share my journey, reverse engineer the stigma of mental health in business, and look at ways to hack mental health in productive and meaningful ways.
Revisiting the Analog Hole: Using OCR and other techniques to exfiltrate data
Proving Ground
“The Analog Hole” refers to the fact that in order for a user to work with information, it has to be converted into a human-usable form.
This talk looks at Optical Character Recognition (OCR) and other techniques which can be used to covertly extract data by taking advantage of this fact.
Samuel J Greenfeld, Lucas J Morris
Search engine deoptimization with Gootloader
Breaking Ground
The Gootkit malware family has been around more than half a decade — a mature Trojan with functionality centered around banking credential theft. In recent years, almost as much effort has gone into improvement of its delivery method as has gone into the NodeJS-based malware itself.
In the past, Sophos and other security experts have bundled the discussion of the malware itself with analysis of the delivery mechanism, but as this method has been adopted to deliver a wider range of malicious code, we assert that this mechanism deserves scrutiny (and its own name), distinct from its payload, which is why we’ve decided to call it Gootloader.
In addition to the REvil and Gootkit payloads, Gootloader has been used most recently to deliver the Kronos trojan and Cobalt Strike.
In its latest attempts to evade detection by endpoint security tools, Gootloader has moved as much of its infection infrastructure to a “fileless” methodology as possible. While it isn’t completely fileless, these techniques are effective at evading detection over a network — right up to the point where the malicious activity trips over behavioral detection rules.
Andrew Brandt, Gabor Szappanos
Static Detection of Novel Malware Using Transfer Learning with Deep Neural Networks
Breaking Ground
Nation-state adversaries are known to write custom malware to conduct cyberwarfare operations, which may go undetected simply due to the novel nature of the malware. According to the United States Congress, foreign militaries are using malware against military information networks to cause the loss of “combat effectiveness.” Industrial control system malware like Triton also has the potential to impact civilian lives. To counter this threat, we propose a method of malware detection using transfer learning with image classification neural networks to statically classify executable binaries as malicious or benign.
Our model can effectively detect malware not in the training data set, including nation-state malware. Most of our tests against nation-state malware gave us over 90% accuracy, with ordinary malware at over 93% accuracy. Our tests included malware written by APT 1, 10, 19, 21, 28, 29, 30 as well as Dark Hotel, Gorgon Group, and Winnti.
While previous research exists on this topic, most of it lacks enough detail to properly replicate the results and use it operationally. Our work aims to be the opposite, providing enough transparency and code to create operational knowledge and provide the audience with the capability to immediately employ this work in threat hunting operations.
AUGUST 1st HIGHLIGHTS
Repo Jacking: How GitHub exposes over 70,000 projects to remote code injection
Breaking Ground
Does your project depend on a GitHub repository? It might be vulnerable to remote code injection. This talk will discuss ‘repo jacking’, an obscure supply chain vulnerability that allows attackers to hijack GitHub repositories and achieve remote code execution. This vulnerability has become exceedingly widespread in open-source projects and over 70,000 projects are affected, including popular projects from organizations such as Google, Facebook, Microsoft, and many more. Repo jacking can affect any language and has been found to impact small personal games, huge web frameworks, cryptocurrency wallets, and everything in between.
Come learn about this vulnerability, what causes it, and why it has gone unnoticed for so long. See how a mass analysis of all open source projects was performed to scan for repo jacking and the outcome of this analysis, how prevalent it is, and who is impacted. This talk will also discuss how, through targeted disclosure, over 40% of impacted projects were secured and how a version pinning bypass vulnerability (in both NPM and pip) further increased the impact of repo jacking. Finally, this talk will review important mitigation strategies that you can use to protect your own projects from this vulnerability and other supply chain attacks.
Lessons Drawn From Cybersecurity In The Rise of Privacy Tech
Common Ground
There is increasing interest in privacy innovation, but the critical players (innovators, investors, and privacy domain experts) aren’t connected enough to move things forward at the pace the market needs. We need to bridge these tech-capital-expertise gaps to fuel privacy innovation. Privacy is a critical component in designing and building technology to serve people. Privacy design and engineering are prerequisites for product excellence. Privacy innovation offers market opportunities to those who are able to recognize the value of privacy, beyond compliance. For example, Inc. named a privacy tech startup as the fastest growing company in America. The privacy tech landscape is still at its nascency, but its future is brimming with possibilities. We see a world where technology is designed and engineered with privacy in mind, to serve humans and respect their privacy. We see clear value in that.
Lourdes Turrecha, Michelle Dennedy, Melanie Ensign
Securing and Trusting Third-Party Javascripts in Your Web App
Proving Ground
Third-party javascripts are ubiquitous. Product teams want third-party javascripts in their web pages for a wide range of use cases like Analytics, data validation etc.
Compromise of these third-parties means compromise of our webapps. Hence, security engineers need to ensure that these javascripts are thoroughly vetted and that proper defense in depth measures are in place. At the same time, the focus must also be on the risk of trusting these javascripts.
This talk focuses on how we handle third-party javascripts at Adobe, which is a three-fold approach:
Risks of including random third-party javascripts
Vetting these third-party javascripts
Defense in depth measures for third-party javascripts
Talk Outline:
Intro
Use cases for third-party javascripts and risk of third-party javascripts
Vetting third-party javascripts
Defense in Depth Measures for third-party javascripts
How Risk and Trust Matters
Audience Takeaways:
Key things to look at when securing third-party javascripts while focusing on risk and trust.
Krishna Chirumamilla, Gabriel Ryan
Secure your AWS accounts without breaking the bank
Proving Ground
AWS is everywhere, behind most internet infrastructure, and a fixture of any well-rounded tech resume. However, AWS offers a dizzying number of services, making it hard to know how to navigate their services to secure your accounts and users. Within these dozens of offerings, there is a selection of security services that can up your security while increasing your monthly bill only a little — or not at all.
Whether you work at a startup or a well-funded company, matching budget to security needs is always a struggle. In this session, I describe some of the free services AWS provides and some easy automation techniques that can keep your accounts safer without hitting your budget hard. I’ll address solutions to common problems like DoS, securing data at rest and transit, and implementing effective authentication and authorization. This talk will be accessible to software engineers without extensive security or AWS experience.
Nishith Shah, Dr. John Seymour
Stupid Job Posts Don’t Matter!
Hire Ground
I’m mostly kidding, but not really.
I have taught managers for years how to write better descriptions and candidates how to write better resumes, and I will continue to do that. I even spoke at multiple conferences over the last few years for that purpose. But the key is to have a way of getting around and through bad descriptions, because I don’t think we can ever really fix that problem completely. In other words, even though those obstacles exist and likely always will, there are ways to get through it, and that is what I will be presenting.
This presentation isn’t going to offer a solution to making employers do a better job advertising for and determining the best fits for their openings. It will however tell you how to make it through bad descriptions, less than effective interviewers and maybe it will even help them see the light!
Looking for a job is an engineering problem. Gather the requirements, do some QA, launch and keep updating!
All your Ether are belong to us (a.k.a Hacking Ethereum-based DApps)
Breaking Ground
Blockchain technology is extremely fascinating… has captured our imaginations because of its huge potential to revolutionize industries such as logistics, food safety, music, insurance, banking, and even voting systems; however, its adoption is still very scarce. The reason is simple: blockchains are complex to use by end users.
During recent years, decentralized applications (DApps) have been emerging as candidates to change the rules of the game, mainly because of their ease of use and capability to leverage the full power of blockchains. The big question is… are DApps really secure?
This presentation will show how Ethereum-based DApps work, the technology behind them and some of their most common vulnerabilities. The ultimate goal will be to understand how to attack these applications and, especially, what to do to be protected.
Securing the 2020 Presidential Campaign: Threats, Challenges, and a Global Pandemic!
Common Ground
Elections security is important, but it’s not about the machines — it’s about the humans who work a campaign and their adversaries.
In 2016, we saw foreign intelligence operations target US Presidential campaigns and the US election process. Leading up to 2020, organizations involved in the campaign ecosystem had to change how they did business, addressing risks posed to systems and personnel, and changing how they use and protect information systems. Why? Cyber adversaries changed everything (and so did the pandemic).
Thousands of staffers had to adapt to a fully remote campaign from our bedrooms and couches — while also fundamentally reinventing how campaigns operate and keep themselves safe.
You’ve seen countless talks about hacking voting machines — this isn’t one of them. This panel is made up of people who worked on the 2020 Democratic campaigns, and we will tell you about the campaign, what we learned, and how we’re going to apply it in the future.
Mr. Timothy Ball, Alison Goh, Krishnan Aiyer, Matt Hodges, Will Rogers
QuadBlockQuiz — Supply Chain Sandbox Edition
I Am The Cavalry
To teach supply chain risk in a fun way, a game was developed for the Supply Chain Sandbox at RSAC. QuadBlocksQuiz is a reimagined take on Tetris where playful spatial negotiations are infused with real-life trivia challenges from the world of supply chain security.
The talk will begin with why the game was developed and a recap of the 5/18/21 Sandbox event. It will cover the development of the game from the players’ perspective, the developers’ perspective, and the educators’ perspective. The talk will include live demos, pre-recorded demos (some situations just take too long to get to in real time), and 10 minutes of live contest play with as many attendees as are willing to play.
Healthcare Industry Career Search Panel
Hire Ground
There are many career trajectories in infosec but rarely do we get a chance to take a deep dive into careers that combine information security and healthcare. We have invited two amazing healthcare information security professionals who will share their career paths, suggestions on getting into the industry and what to watch out for.