Welcome to the DEFCON 201 guide to Ultimate Hacker Summer Camp! This is part of a series where we are going to cover all the vairous hacker conventions and shenanigans in August. As more blog posts are uploaded, you will be able to jump through the guide via these links:
Diana Inititive Virtual Confrence 2020
Date: Friday, August 21st (11:00 AM EST) — Saturday, August 22nd (7:00 PM EST)
Accesability: Only registered attendees will be able to participate in the speaker talks, workshops and activities. These will only be available to registered attendees who register. Regestration is $5 per person.
Code Of Conduct: https://www.dianainitiative.org/about/policies/
A conference focused on Women, Diversity, and Inclusion in Information Security that embraces all genders, sexualities, and skill levels. The Diana Initiative features multiple speaker tracks, fully expanded villages with hands-on workshops, and a women-led Capture the Flag event.
Due to increased awareness of COVID-19 and the risk it poses to our participants, family, and friends, they’ve made the difficult decision to cancel the physical aspects of The Diana Initiative 2020. However, instead of cancelling the conference entirely, they’ve decided to go virtual.
This year, their slogan “Breaking Boundaries Byte by Byte” allows them to focus on the different ways that representation in cybersecurity — whether gender, sexuality, skill level, or red/blue/purple team alignment — can help protect data today and into the future.
From the designer of this year’s logo, [@1dark0ne]:
“This logo is a celebration of diverse cultures and breaking boundaries. It’s a juxtaposition of rigid geometry and organic movement. Bytes break free of the grid. It honors the underlying structure and beauty of mathematics in the work we do, whilst challenging the boundaries of a world we once knew, in order to create a better one.”
Originally known as TiaraCon, this matured and hardend version of the original concept has evolved so much over time that it has emerged from DEF CON’s shadow and has grown into it’s own thing. As a group that is made up and led by various minorities on the fringes of society (even for New Jersey standards), we completely understand the need and creation of a space to discuss issues in a demographic of technology-minded people. If you identify as a woman, an ally or want to learn amazing technology skills while getting a broader social impact picture, this convention is for you.
General inquiries -> firstname.lastname@example.org
Tickets -> email@example.com
Speakers -> firstname.lastname@example.org
Volunteering -> email@example.com
Sponsorship -> firstname.lastname@example.org
Donations -> email@example.com
Website issues -> firstname.lastname@example.org
Come build a DIY Blinky Badge with us! This year we will be building them from off-the-shelf parts instead of custom printed circuit boards. Check the parts list and see if you’ve got what you need in your supplies. Don’t worry, there’s a few different versions to try.
Since we’re going virtual this year it doesn’t mean that we’ve stopped making our own blinky badges. It just means that this year we will be building them from off the shelf parts instead of custom printed circuit boards. While the event isn’t until late August, I wanted to get a supply list out early so that parts can be ordered from chinese suppliers for the cost savings or if you want to quarantine your supplies before handling them.
This year, there will be 3 options for our DIY badge:
 The soldered project. Aside from the supplies outlined below, you will need some basic tools: soldering iron, solder, wire stripper, snips and maybe some solder braid for those oops moments.
 A breadboard option. Not as permanent as the soldered project, but there is no soldering required and you still can do all things that you would do with the soldered project.
 A virtual product. We’ll be using the electronics simulator feature of tinkercad.com so that you can play with a simulation of the planned build.
No matter which you choose, you will need to download and install the Arduino IDE from [https://www.arduino.cc/en/Main/Software] and/or create an account with tinkercad.com
Let’s start with the things that both the breadboard (hence referred to as BB) and the soldered project (SP) will need:
7 (seven) 10mm LEDS, yep we’re going to go big and bright
220 Ω resistors, we need to limit the current for the LEDs
An Arduino nano clone. Arduinos are open source so a clone is fine. A note about the nano is that they take a Mini USB, like a digital camera, so do be sure you get one with a cable or order a mini usb cable.
A button. This is optional; I’ll be demonstrating how to do multiple patterns but if you want to stick with just one pattern, that’s okay.
If you’re going with a button, it requires a resistor as well: a 10k one to be exact
Lastly we’ll need a bit of wire. The best option I’ve come up with for this is some male to male jumpers even if you’re not going to BB your set; if you’re doing the soldering project, stripping back the ends of some of the jumpers is worth it to be able to color code things, rather than just buying a spool of wire.
So now we come to the final bit: if you are choosing the soldering project you will need these solderable breadboards from [Amazon]. I used the blue ones for the prototype, but feel free to order your favorite color.
*A note about tools*
When I buy tools I follow the Harbor Freight/Wally World rule: if need it, buy a cheap one first. If you only use it just for that project then you are not out a lot for a dust collector, like in my circular saw (a power tool for cutting wood) — I’ve used twice and it was actually cheaper than a daily rental. If you use it for more than the initial project, or enough that it breaks, that’s when you lay down some serious money on a tool. For example when I got into electronics, my first soldering iron was a $10 Radio Shack special. Today I use a much nicer one that I paid a whole lot more for. My first multimeter was a free one from Harbor Freight.
If you have any questions, feel free to email me [email@example.com]
Capture The Flag
A favorite event of attendees is our beginner-friendly Capture the Flat (CTF). There’s an options Intro Course to help you get started, and we’ll have mentors available to help if you get stuck.
Our Capture the Flag (CTF) event is going virtual this year! This Jeopardy-style CTF features challenges ranging from forensics to OSINT to hack-the-box to malware analysis to hacker trivia and more — truly something for everyone! Our challenges are designed to appeal to a wide audience, from experienced hackers to those new to the field.
We will have challenge authors available to answer questions throughout the event and will start with a CTF4Noobz workshop for those who are new to cyber competitions. No experience necessary, just come with your enthusiasm!
**NOTE REGARDING WORKSHOP:
The workshop is separate from the rest of the CTF event. Workshop: 9–11am Pacific (UTC-7) on 21 August.
Workshop attendance is not required in order to compete in the CTF.
Our CTF can be played either as a team or individually. We will be running the competition throughout the course of TDI, with live support available during the main conference hours (9a-4p Pacific, UTC-7).
Questions regarding the CTF or the CTF4N00bz workshop can be directed to [firstname.lastname@example.org]
Date: Saturday, August 22nd, 2020
Place: Details of our online learning space will be sent you to after registration and before the event begins.
Time: Sessions available for 9am and 12pm Pacific (UTC-7).
This purchase includes access to the remote workshop as well as your selection of either the Classroom Set or Premium Lockpick Training Kit.
For this session, we require the purchase of either the Classroom Set or Premium Lockpick Training Kit.
A webcam and microphone are required for participation. We understand that some may be shy to show their face or surroundings.
To provide you with the best experience and feedback to grow your lockpicking skills, it is best if we can see what you are doing. If you would prefer, we suggest setting up your camera in a way that only shows your hands so we can still provide you with picking guidance.
After you purchase this item, you will be contacted via the email used at checkout about details on how to join the workshop event.
Shipping is limited to U.S. Domestic address. (Sorry, we are unable to ship to AFO/FPO addresses).
As in years past, we want to help you at every stage of your InfoSec Career — that’s why we’ve got an array of volunteers ready to help with resume reviews, LinkedIn profiles, and interviewing skills. The virtual format is also allowing us to feature career-related talks.
With our 2020 move to a virtual format, we’re able to expand Career Village beyond resume reviews and mock interviews! We’ll have presenters sharing their experiences to help you across the arc of your career, whether you’re new to/transitioning into Cybersecurity, an individual contributor looking for peer mentoring, or a new manager wanting to do the best for your team.
Don’t worry — we will still help folks with their resumes, LinkedIn profiles, and interviewing skills! Our virtual conference platform will automatically match attendees with volunteers who can help them for 20 minutes.
Open Hours: 9am — 4pm Pacific (UTC-7) both Friday and Saturday
Check out these Hot Jobs from some of our Sponsors!
[Application Engineer] — Locations: Irving TX / San Jose CA / Basking Ridge NJ / Bellevue WA / Irvine CA / Boston MA / Colorado Springs CO / Temple Terrace FL / Chandler AZ / Hilliard OH / Ashburn VA / Schaumburg IL / Alpharetta GA / Silver Spring MD / Cary NC
[Application Security Architect] — Locations: Irving TX / San Jose CA / Basking Ridge NJ / Bellevue WA / Irvine CA / Boston MA / Colorado Springs CO / Temple Terrace FL / Austin TX / Chandler AZ / Hilliard OH / Ashburn VA / Schaumburg IL / Alpharetta GA / Silver Spring MD
[Cloud Security DevOps Engineer] — Locations: Irving TX / Irvine CA/ Boston MA / Temple Terrace FL / Ashburn VA / Bedminster NJ
[Big Data Software Engineer] — Locations: Irving TX / Temple Terrace FL / Ashburn VA / Alpharetta GA
[Language Enabled Analyst] — Location: Ashburn VA
[Dark Web Researcher] — Locations: Ashburn VA / Irving TX
[Senior PCI Consultant] — Location: Irving TX
[PCI QSA Consultant] — Location: Irving TX
[Threat Intelligence Analysts] — Location: Irving TX
[Paranoids Cyber Threat Investigator] — Locations: Dulles VA / Washington DC / Seattle WA / Baltimore MD / Sunnyvale CA / New York NY / Los Angeles CA
[Paranoids Principal Cloud Security Engineer] — Locations: Sunnyvale CA / Dulles VA
[Paranoids Senior Product Security Engineer — Media Platform] — Location: Los Angeles CA
[Senior Security Engineer] — Location: Portland OR
Red Team Village
[Red Team Village] is a community driven combat readiness platform for Adversarial attack simulation and Red teaming tactics. This community is managed by a group of cyber security and red team tactics enthusiasts.
An adversary needs to be skilled in every aspect of offensive security. We can consider this as a platform to share tactics, techniques, and tools related to various domains of adversarial attack simulation.
We have been organizing workshops, talks, demonstrations, open discussions, Capture the flag challenges and other exercises at Cyber Security conferences for a couple of years, and now we’re coming to The Diana Initiative!
We design real life corporate CTF scenarios with the same network architecture and defensive mechanisms. The CTF players needs to act as an adversary against this infrastructure which protected and monitored by Blue teams.
Both adversaries and defenders can be participated in this Village. Blue teams get to know the attack tactics used by the adversaries, and Red teams get to learn the security monitoring/detection techniques used by the defenders.
Learn more about and connect with Red Team Village through these channels:
DEFCON 201 TALK HILIGHTS FOR DIANA INITIATIVE 2020 (EST)
This is the section where we have comb through the entire list of talks on both days and list our hilights for the talks that stand out to us. Note that this does not invalidate any talks we didn’t list, in fact, we highly recommend you take a look at the full convention scheduel beforehand and make up your own talk hilight lists. These are just the talks that for us had something stand out, either by being informative, unique or bizzare. (Sometimes, all three!)
Empathy as a Service to Create a Culture of Security
11:00 AM EST
So-called “soft skills” are greatly undervalued in the Information Security industry. The very core of security involves humans. Rather than tackle human problems with zeros and ones, try to approach security with a more people-minded focus. A former librarian turned Information Security professional will go through examples of how addressing humans can ultimately help security. Using a 7-step framework from the library science discipline, the speaker will help you improve interactions with both colleagues and end users. You will come away with new ideas and a different outlook on how to improve the security posture of your organization.
Tracy Z. Maleeff, aka @InfoSecSherpa, is an Information Security Analyst for The New York Times Company. Prior to joining the Info Sec field, Tracy worked as a librarian in academic, corporate, and law firm libraries. She holds a Master of Library and Information Science degree from the University of Pittsburgh in addition to undergraduate degrees from both Temple University (magna cum laude) and the Pennsylvania State University. While a member of the Special Libraries Association, Tracy received the Dow Jones Innovate Award, the Wolters Kluwer Law & Business Innovations in Law Librarianship award, and was named a Fellow. Tracy has been featured in the Tribe of Hackers: Cybersecurity Advice and Tribe of Hackers: Leadership books. She also received the Women in Security Leadership Award from the Information Systems Security Association. Tracy publishes a daily Information Security & Privacy newsletter, and maintains an OSINT blog. A native of the Philadelphia area, she lives and dies with its sports teams.”
Application Security: OAuth 2.0 and OpenID Connect
12:00 NOON EST
OAuth and OpenID Connect are the two widely used protocols for authentication and authorization of delegated access to third party applications. Not only they provide a common framework that can be implemented across different platforms, but also allow a user to grant limited access to their resources without having to expose their credentials, thus making them inherently more secure. But OAuth can be exploited to steal the access tokens, which can then be used in lieu of user credentials. This presentation will discuss the key concepts related to OAuth and OpenID and the relevant security issues with them. The presentation will also give an insight into how we can mitigate the risks to OAuth and detect the abuse of access tokens.
Nitya Garg works with LinkedIn Technology as Information Security Engineer — Threat Mitigation and Incident Response. She has about 7 years of experience in Information Security, most of which has been on Threat Detection, Intrusion Analysis, and Incident Response.
She is passionate about promoting diversity in Information Security. She is part of ISSA W-CS: Women in Cybersecurity and Women’s Society of Cyberjutsu, dedicated to raise awareness of cybersecurity among women and close the gender gap in security roles.
Akanksha Chaturvedi works with LinkedIn Technology as a Senior Identity & Access Management Engineer. She has been working in this domain since past 7 years. She has an expertise in SSO, Active Directory, Authentication, Azure AD fields. Prior to joining LinkedIn, she has worked for Microsoft and Tata Consultancy Services Ltd. She is passionate about the domain that she works on and likes to explore more in depth on the same.
Breaking Down Barriers to InfoSec for Neurodivergent Individuals
2:00 PM EST
InfoSec is a daunting field for many. For people who are neurodivergent, this field can be even more challenging to get into. The goal of this lightning talk is to highlight some of the challenges and pain points that neurodivergent people may experience when contributing to open source InfoSec projects, when getting started in InfoSec as a new career, or when changing careers to InfoSec, and to provide implementable solutions to these challenges, that are designed to make a positive impact.
Rin Oliver is the Content Marketing Manager at Esper. They enjoy discussing all things open source, with a particular focus on diversity in tech, improving hiring pipelines in OSS for those that are neurodivergent, and removing accessibility barriers to learning programming. Rin is also a Member of Kubernetes, a contributor to Spinnaker, involved in the Kubernetes Contributor Experience SIG, and is a Storyteller on the Kubernetes Upstream Marketing Team. When not immersed in all things OSS and cloud-native, they can be found hanging out with their wife and pets, making candles, cooking, or gaming.
CTI Mindset as a Technique for Blue Teamers
2:30 PM EST
What if I told you that it is possible for blue teamers to practice CTI everyday?! With minimal guidance and insight, blue teamers can learn how to see things through the eyes of a cyber threat intel analyst. We’ll step through multiple examples of how a CTI analyst would view data, intel, analysis, and situations so you can gain helpful perspectives when performing analysis for your organization. Learn about the cognitive biases and logical fallacies that are killing your analysis and what to do about it. Take away CTI strategies that you can use in your org.
Xena Olsen works for a Financial Services Fortune 500 Company. She is a graduate of the SANS 2017 Women’s Academy, has an MBA in IT Management, and currently holds the GSEC, GCIH, GCFE, GMON, GDAT, GPEN and GCTI certifications. She is a member of the Financial Services Information Sharing and Analysis Center (FS-ISAC), Yara Exchange, and FuzzySnugglyDuck. Xena is a doctoral student at Marymount University and has served on multiple CFP review boards.
3:00 PM EST
Friends and family ask for assistance installing WiFi or configuring smart devices in the house. They are now asking members of the InfoSec community for help ‘fixing my situation’ to digitally detach domestic disputes.
The attendees will leave with the fundamentals to assist their community with the same fundamentals which are applied with Operation Safe Escape clients, NATO special forces training, and corporate Digital Forensic/Insider Threat centers.
The very same Internet of Things which are installed for convenience can form agilded, velvet lined cage with an Alexa or Siri voice.
I will discuss how our community can apply InfoSec principles and forensic principles to assist domestic abuse victims cutting the electronic cord to their abuser.
The counterintelligence mindset should be applied to the domestic situation what can be gathered, what sources and methods can be used against a person in their own house and how to detect the threat.
The talk will discuss the use of social media to detect physical surveillance, technical countermeasures for surveillance devices, lessons learned with forensics…and the ways to protect oneself against leaving data behind.
Prior to joining Revolutionary Security as a Senior Cybersecurity Consultant, Will has a solid foundation of applying innovative cyber solutions to the public and private sector. During his time in public service, he identified new cyber methods and capabilities to mitigate risk to U.S. personnel and facilities during the Global War on Terror. In the private sector, Will has performed e-discovery, data recovery, mobile forensic analysis and fatal automobile incident reconstruction. Will is often interviewed by radio and television news sources as a mobile forensic subject matter expert,with an upcoming appearance on HBO’s documentary focused on voting machine vulnerability and exploitation.
Will has appeared as a speaker at DefCon 2019, BSidesLV, BSides Detroit, BSides Tampa, and has upcoming lectures at the Techno Forensic Security conference. He serves as a OpSec/OSINT/Digital Forensic advisor to Operation Safe Escape, providing assistance to domestic abuse victims seeking to cut the ties digitally to their abusers
What if we had TLS for Phone Numbers? An introduction to SHAKEN/STIR
3:00 PM EST
If you’ve noticed a surge in unwanted robocalls from your own area code in the last few years, you’re not alone. The way telephony systems are set up today, anyone can spoof a call or a text from any number. With an estimated 85 billion spam calls globally, it’s time to address the problem.
This talk will discuss the latest advancements with STIR (Secure Telephone Identity Revisited) and SHAKEN (Signature-based Handling of Asserted information using toKENs), new tech standards that use well accepted public key cryptography methods to validate caller identification. We’ll discuss the path and challenges to getting this implemented industry wide, where this tech will fall short, and what we can do to limit exposure to call spam and fraud in the meantime.
Kelley works on the Account Security team at Twilio. Previously she worked in a variety of API platform and data engineering roles at startups. Her research focuses on authentication user experience and design trade-offs for different risk profiles and 2FA channels. Kelley lives in Brooklyn, is an avid home cook, and spends too much time on Twitter.
Cyber Harassment: Things I wish I knew when sh1t went sideways
4:00 PM EST
Cyber harassment is a grey area in both legal and forensic capability. Protecting one’s self can feel impossible, however it is not!
Are words on the internet/emails/private messages considered harassment, seen as threatening, or just freedom of speech?
I will share the first-hand extensive knowledge on options. Life tossed me a curveball, which resulted in a life experience which lets me share how to help individuals through a series of options to be protected and for additional help.
Do not feel helpless, evidence can be gathered. Protective orders can be obtained. Individuals who have been harassed causing mental trauma have the right to file for FMLA (NOT just for babies folks!). This allows them to take the necessary time off work without having a fear of losing employment.
The options provided will include tips on how to document and obtain evidence, tips for interviewing lawyers to find an attorney that meets specialized standards for cyber, and how to reach out to get help that can protect an individual in their career.
I truly wish I knew during my experiences these options and by sharing my experiences, as long as one person is helped, then it makes my adventure worth it.
Laura Johnson is a Senior Security Engineer, who started her career by joining the military unaware of how much she would fall in love with “security and things”. Earlier in her career, Laura held roles such as Maintenance/Integrator, Network Engineer, Consultant, and Managing Security Engineer. Laura has first-hand experience in regards to cyber harassment and would like to share her knowledge to assist individuals in options.
I’m a hunter! Cyber Intelligence the new(ish) frontier.
4:00 PM EST
Threat hunting and cyber intelligence is not new but interest in it is growing, and with good reason. Cyber intelligence helps fill in gapsand hunting helps find hidden threats. It’s an important area that doesn’t get enough attention. Companies and organizations should understand why knowing their threat space could help them prevent attacks, infections, breaches and other issues. I also hope to show another field in infosec, that might be of interest to those looking for a new area to learn.
Army SIGINT vet who grew up in the intelligence world with a passion for cyber threat intelligence and malware.
“A target is a target and a network is a network — human or digital.
In the shadows, it’s one in the same.” — Yaz
How to sink the ducky and other tricks
5:00 PM EST
Unified logs contain a wealth of information that can be used to detect malicious USB devices like rubber ducky and bash bunny. Unified logs can also help find lateral movement and other malicious activity . . . once you know where to look. This presentation will cover some tips for detection using unified logs, and some gotchas for searching unified logs.
Megan Carney has been an analyst/bad news giver in several different environments over the past ten years or so. She spends most of her time searching for all the places badness might hide. Can often be found staring into the abyss. It’s true the abyss stares back.
Conference Submissions for the Faint of Heart
Submitting a talk to a conference is quite overwhelming, even for seasoned speakers and presenters. The CFP process, while often documented, still results in submissions that may make a good idea tough to evaluate by the review team, and eventually they may be rejected. How could a first time submitter to a seasoned pro go about ensuring they share their ideas to the right audience and past muster with the review committee. In this talk we plan to present a general primer on how to make the submission the best it can be, reduce your stress, and ensure that you will have the tools required to confidently present your ideas to the target audience.
Amélie Erin Koran is a Senior Technology Advocate at Splunk, focused on helping organizations transform, grow and secure themselves in the ever evolving world of technologies and their accompanying challenges. She arrives at Splunk after nearly 25 years as a technologist, from systems administration and engineering to executive technology leadership in various industries, academia, NGOs, and the government. In the last decade, she’s supported various Federal agencies, leading various projects and initiatives, including modernization activities, cybersecurity policy, and security architecture and operations. Often seen “soapboxing” about technology workforce development, training and recruiting policies, practices and techniques, she’s mostly observed providing measured guidance to InfoSec Twitter at @webjedi and her executive take on DevSecOps at AllTheOps.org.
Nicole Schwartz (@CircuitSwan) is a Product Manager for the GitLab Secure team. In her career, she has been in Product, System Administration, and Agile coaching. Before her career ever started she was a Hacker. When she isn’t working, she volunteers at and attends conventions (you may have known her as @AmazonV) such as the Diana Initiative and groups like HackerSwan, HackerFoodies and HackeerConTicketExchange.
Secrets of the Second Factor
6:00 PM EST
Bored by talks convincing you to setup 2FA, as if you haven’t already had it on your MMORPG account for a decade?
There’s more to MFA than protecting an account from a bad, reused, or dumped password. Let’s go discover all the dirty little secrets in $company using the MFA logs!
Break the barrier of complacency that comes with a multi factor system! Explore all the obvious security violations of risky login habits. I’ll step through why you should be logging every authentication attempt and read the logs to discover all the hidden secrets that could have been unnoticed for years. Things slip by other data sources and behavior analysis tools but become clear when you know how to spot the secrets in the second factor.
BACE16 was bored as a firewall engineer so she started a Def Con Group in RTP, NC, DC919, to re-discover the joys of hacking with a community. Building on this, she also volunteers for BSides RDU and is a founding member of Cackalacky Con. She eventually found her calling as an incident response security analyst, finding bizarre things in logs and investigating user access behavior. While there’s so much work that can’t be spoken about, she hopes people will learn and push detection methods further together.
Reclaiming Your Space in Cyber Security: Speak Out, Speak Up, Speak Often
7:00 PM EST
There is a great global discussion happening about the ways in which systemic racism and gender bias reveal themselves across various aspects of our society. From #BlackLivesMatter to #Me too to #Timesup, there is a massive movement on the part of large swaths of American citizens that incremental progress is no longer enough. Americans seems ready for a sweeping change in the very definition of what America is, what we truly value and who the beneficiaries should be of a long-broken system.
This public discourse is visceral, its uncomfortable and its disruptive. But it is necessary. It was unavoidable. Women, minorities, and other marginalized groups now have growing public support to transform discourse into action, draft new policies, and advance new ways for our society continues tovalue difference — across the board. More of them today are choosing to “Speak Out, Speak Up and Speak Often” in advocacy for more control over their lives.
The Cybersecurity industry acts as a microcosm of the broader society in which it sits. Therefore, it is not exempt from the same demand for a revolution — a change in the way women are treated, minorities are kept out, and the responsibility for diversity and inclusion is placed on the victims of the treatment over and over again. The first black or female employee in any security team is the one who “breaks the boundaries”, therefore innately a change agent. But we all as an industry have to make space for those who are different. We must allow them to use their unique voice and value them as equals. It now the time for action.
The purpose of this talk will be to discuss the responsibility of the cyber security industry to move over, open doors and make space for more women and minorities to “Speak Up, Speak Out and Speak Often”.
Juliet Okafor, J.D., is a cybersecurity professional who has combined her knowledge of the legal system and cybersecurity solution models into success stories across fortune 500 industries throughout the USA. Her ability to scope, plan and design the creation of an OT Cybersecurity Management System framework for one of the largest cruise lines in the world is testament of her commitment and leadership regardless of the challenge. She is a passionate security solutions visionary and strategist who builds the Fortune 500 enterprise’s overarching security strategy that governs all other smaller strategies within. She is the person who determines how to solve the company’s problem, be it vulnerability management, incident response or reducing the risk associated with technology or vendors, and then puts a plan into action or roadmap to remediate the risks in place — using a combination of people, transforming operations and an array of emerging security technology.
Okafor has also helped build startup security organizations from the ground up, negotiating contracts, forging partnerships, selecting tools, leading strategic initiatives, and partnering with key customers and security stakeholders to create, identify, measure and report the maturity of their enterprise security programs to senior leadership to justify additional financial investment or demonstrate continuous improvement.
Juliet graduated from UMass-Amherst with a B.A. in Communication, Fordham University with an M.A. in Public Communication and Media Studies and received her Juris Doctorate from Temple University — Beasley School of Law.
She is currently the Chief Engagement Officer (CEO) for RevolutionCyber.
What Does it Mean to Be a Barrier Breaker?
11:00 AM EST
We often assume ‘Barrier Breaker’ means that someone was ‘the first’ or ‘the only’ to do something and what happens after that is almost a foregone conclusion . That’s not how barriers get broken. It’s kind of like saying, “a single drop of water breaks the dam”, when we know that it takes a critical mass of water, a flood, before the dam will break. In security, especially, we reward the ‘lone hacker’ who discovers a zero-day and tend to dismiss those that come behind who identify similar classes of vulnerabilities or the same vulnerability presented in different ways — as if those discoveries aren’t equally remarkable. Barrier breaking isn’t a one-person phenomenon, it is a movement of people committed to change. Using a handful of examples, I will highlight some barrier breakers in our industry and provide actionable methods that each of us, day by day, and byte by byte, can use to become better barrier breakers.
Yolonda Smith is the Head of Cybersecurity for sweetgreen, a fast-casual salad restaurant chain with over 100 locations across North America whose mission is inspire healthier communities by connecting people to real food. In this role, she is responsible for the development and operationalization of security policy; building high-performing teams which instantiate security practices throughout core business functions and; ensuring that sweetgreen’s two million guests are able to access real food using a trustworthy platform.
A security professional herself, she spent 8 years in the United States Air Force as a Cyberspace Operations Officer with duties and responsibilities varying from Mission Commander, (Advanced Network Operations) where her team planned and executed the first DoD Cyber Threat Hunting Missions to Flight Commander, (Cyber Defense Capabilities Development) where her team developed and fielded the first and only malware neutralization tool for the Predator Drone Weapon System. Additionally, she successfully completed multiple deployments in support of Operations Iraqi Freedom and Enduring Freedom where her teams delivered secure, reliable communications capabilities to forward-deployed units on-demand.
Yolonda holds a litany of degrees and certifications including a Bachelor of Science, Computer Science (University of Notre Dame, 2005), Master of Science, Information Technology, with a concentration in Information Assurance (University of Maryland, 2010) as well as GSEC (2008), GCIH (2011), and CISSP (2008) certifications.
It’s a Human Thing: Strategies for Navigating Diversity & Inclusion in your Organization
12:00 NOON EST
Over the last several years, the infosec community has preached the importance of Diversity & Inclusion in the space. But what does that look like? How can infosec leaders put realistic measures and policies in place to achieve a diverse and inclusive work force? In this session, I will cover both good and bad strategies used by companies over the last two years; highlight the do and do not for organizations of all sizes; and discuss with the audience how to navigate Diversity & Inclusion during socially charged times. The audience will leave with real implementation measures; guidance on what to steer clear of; and a community to continue the discussion after the talk.
As the CEO of ShyftED, Inc., a Security Awareness company for all humans, Keenan Skelly provides engaging awareness software and strategic business insights for cybersecurity. Skelly, a former Army Explosive Ordnance Disposal Technician, and Chief, Comprehensive Reviews for DHS, has extensive experience which informs her role as an executive woman in cybersecurity. Skelly has 20 years experience providing security and management solutions including personnel, physical, cybersecurity, crisis management and intelligence. In 2019 Skelly was recognized as one of the Top 25 Women in Cybersecurity by Cyber Defense Magazine, the Software Report as Top 25 Women Leaders in Cybersecurity, and Top Female Executives, Women World Awards. Skelly mentors and coaches for Cyber Patriot, Girls Who Code, and was awarded Women’s Society of Cyberjutsu Mentor of the Year.
IoT Honeypots and Rogue Appliances
12:00 NOON EST
Honeypots AND IoT security, all in one place? Yes, why YES I tell you, and this is it! Oh sure, honeypots are not new, but how they are used is what makes this talk just a little bit different. Presented for your viewing pleasure will be IoT specific honeypot configurations, some deployed with k8s (some not) and how they are used to not only trap attacks against your IoT devices but also detect attacks FROM a compromised IoT device.
Introduction — who I am and where this idea came from (2 mins)
Introduction to IoT devices and why they continue to be a serious issue with consumer and corporate security. I will discuss the 5 verticals of IoT devices while focusing on some of the typical attacks that have been used in the past few years. It is important to understand why vendors produce insecure devices and that they will continue to do so. (3 mins)
Introduction to Honeypots and key issues with planning, architecture and deployment. One of the biggest issues with honeypots is not setting them up, but using them the right way. Now referred to as “deception tech”, honeypots can provide a level of detection and defense against rogue IoT devices. Several examples will be presented with recorded sessions (or live demos if the demo gods are in a good mood) showing how to plan and deploy the right honeypots to the right environments. (5 mins)
Now for the fun! In this next section I will show IoT honeypots used for protection in the wild. The wild will consist of your home network, corp network, and even deployed in DMZs and other locations. Several examples of how honeypots were used to detect “angry appliances” doing things they should not have been doing will be shown. A more recent example in my own private home network will show how an intelligent thermostat was found to be scanning the network. This sections gets fun with various devices from light bulbs, IoT hubs and more. (10 mins)
Summary and Key Takeaways — Here I bring it all to a conclusion by providing key takeaways for the How and the Whys of planning and deployment and what to expect from private and hostile environments. The key point here is that attendees will walk away with real tools and ideas to use right away and not just some theory. This is actually a detailed section reviewing key points of the takeaways, not just a summary slide (10 mins)
Q&A — (5 mins)
5 minutes to spare from a 40 minute session!! Woo Hoo!
Demos will make this fun, with one live and a couple of recorded demos to cap it all off.
Key takeaways: 1. Different levels of IoT devices 2. Threat modeling techniques for IoT devices 3. Honeypots and deception tech — not your mother’s honeypot 4. Planning stages — this is CRITICAL for successful deployment 5. Setting up collectors/SIEM for analysis 6. CCAD
Based in Pittsburgh and a natural creature of winter, you can typically find me (Kat) sipping Grand Mayan Extra Anejo whilst simultaneously defending my systems using OSS, magic spells and Dancing Flamingos. Honeypots & Refrigerators are a few of my favorite things! Fun Fact: I rescue Feral Pop Tarts and have the only Pop Tart Sanctuary in the Pittsburgh area.
Levelling up the Estrogen in the Cyber World
12:00 NOON EST
The lockdown has forced almost everyone into digitalization. But as the scale of the number of people doing remote work has increased so has the complexity and vastness of cyberattacks.
Now, from the point of a female engineering student, it’s hard to find a lot of female colleagues in the tech field.‘The International Journal of Gender, Science and Technology’ and many others have published studies regarding the gender gap of women in technology, cybersecurity being one of the fields. And we believe it is our duty to do something for the cause.
If you have ever been intrigued by cybersecurity and wanted to learn, the next question is HOW. Well, we may have the best answer to that, CTF’s. CTFs’ are coding competitions to Cyberworld teaching you how to work up to escalate privileges from lowkey “bugs”.
Yes, we all know that there are tons of resources on the Internet. But that’s exactly the reason why we lose track. In this talk, we shall introduce you some Crypto and a little bit of Reverse Engineering and shall give you an idea of how to get started and how to navigate your way into the cyber realm. We shall also talk about existing opportunities for women and how to make the most of it.
I’m a B-tech Undergrad student who has been playing CTF’s for the past two years out of pure interest and also for the adrenaline rush right after I get a flag. I am also a member of teambi0s the #1 CTF team in India (I’ve been lucky ) also TeamShakti, an amazing group of girls from teambi0s who teamed up to break the stereotypes and set out to be an example for the young girls out there trying to learn the opportunities and struggling to make their way into Cyber-Security by organizing beginner friendly CTF’s. Our goal is to reach out and help as many students to know about CTF’s.
TeamShakti — https://team-shakti.github.io/
teambi0s — https://wiki.bi0s.in/
Events are displayed below in the America/New York timezone.
Hacking into Android Ecosystem
1:00 PM EST
There are more than 2.5 billion devices on Android today. That implies any vulnerability can potentially lead to a massive privacy breach or security attack. So, how does the security landscape looks like for Android, are there known privacy limitations or security threats? How do you look into the internals of an Android app? How do you look into the internals of Android itself? This talk will answer these questions for the audience. As a part of the talk, we will cover the following:
1. Overview of Android Security Landscape: Present day’s security and privacy posture of Android, the attacks and challenges in defence.
2. Android Apps Internals: How to reverse engineer Android App and see what it does?
3. FRIDA: Using FRIDA to explore Android Apps Ecosystem
4. Design of malwares and spywares
5. Current situation, exploitation, risks and future.
Aditi Bhatnagar is a security enthusiast who is presently working as Software Engineer in end point security team, developing defender solutions for Android platform at Microsoft. She is actively involved in researching the evolving Android threat landscape and likes hacking around tools/technologies that interest her.
She is an advocate of digital privacy, security and digital wellbeing and often publishes her research on several aspects of evolving relationship between humans and technology in her blogs. She has started an initiative named Digitised (www.digitised.in) and conducted several talks and workshops to spread awareness regarding the same.
Exploiting Sexual Exploitation
2:00 PM EST
Online sexual harassment is one of the most overlooked crimes on both the interwebs and irl. Victims need help, and way fewer resources exist to support them. From cyberstalking cases, to revenge porn posts to deepnude takedowns, Labac helps victims of abuse defend and prevent targeted attacks.
This talk details our crew’s efforts to flip the table against online abusers. We will outline various tactics used against historical targets, such as technical attacks and policy exploits. We’ll also discuss how you can help.
Threat Hunter. Founder, Labac. https://labac.dev
Bot Detective. Founder, Labac.
LaBac is a hacker collective combatting tech-enabled abuse. LaBac serves on the NYC Cyber Sexual Assault Taskforce, a city-wide initiative dedicated to fighting online sexual exploitation. The LaBac collective curates the Museum of Modern Malware at DEFCON.
BlueZ Cluez: Getting to Know the Linux Bluetooth Protocol Stack
3:00 PM EST
There are many opportunities to learn about various protocols through the Internet of Things. One such protocol, Bluetooth, is a wireless protocol used for communicating data between devices from 2.400 to 2.485 GHz over short distances. This presentation introduces Bluez, a Bluetooth stack available in Linux, as a tool that researchers can utilize to study the protocol and identify potential vulnerabilities between devices exchanging data. In this case, we will leverage BlueZ and its features to control a light bulb. The presentation intends to cover the set-up and installation of pertinent tools in order to scan, identify devices, connect with the targeted device, and change the light bulb’s LED color. Audience members will walk away with a solid foundation of BlueZ and how to interact its tools to scan, connect, and tinker with devices.
Ria Baldevia is a student at King’s College London pursuing her PhD in digital humanities.
So, I Made A Microdot
3:00 PM EST
Microdots have a long and storied history in the transfer of information over obscured channels. In the same family of invisible inks and stenganography, microdots were the OG side channel attack and were used to great effect throughout the cold war.
But the advent of more modern methods of data storage and transfer have rendered film microdots obsolete. In this talk, I discuss the technical concepts behind how I made the microdot, and a modern twist on microdot methodology to bridge the gap between analog and digital microdot creation and use.
- Here’s a rough outline:
- Introduction — 2 min
- What is a microdot? — 2 min
- History of the microdot — 2 min
- methodology overview — 2 min
- 1-step method — 7 min
- 2-step method — 7 min
- analog/digital hybrid — 5 min
- Operational security considerations — 3 min
- Challenges — 3 min
- wrap-up & questions — 7 min
Emily Crose has been working in the field of information security for over 10 years. Previously she has worked at the CIA, NSA, and US Army INSCOM. In her free time, she runs the Hacking History project and co-authors The Teletypist.
Unmasking the Avengers: Shifting Roles of Facial Recognition
4:00 PM EST
Your voice may be your password, but what happens when it’s your face and there’s a data breach or the data is wrong? What happens to your privacy and security when all of the data is right?
No longer solely for use by protestors or comic book characters, facial recognition algorithms are racing to adjust for the increased use of facial masks in public. Caught up between protests and COVID19 are cellular data and biometric data sets, shared with and utilized by law enforcement in often unintended ways. A growing number of public/private partnerships are providing law enforcement access to large data pools. Information that in some cases is incorrect. We’ll take a deeper dive into how privately collected location sharing and facial recognition data is being increasingly leveraged by government and law enforcement.
Elizabeth (Liz) Wharton is a technology-focused business and public policy attorney who has advised researchers, startups, and policymakers at the federal, state, and local level. She is the Chief of Staff at SCYTHE as well as a member of the Technology & Innovation Council with Business Executives for National Security and a member of the DEFCON CFP Review Board. In addition to serving as the former technology attorney for the World’s Busiest Airport, she also hosted the “Buzz Off with Lawyer Liz” podcast.
Suchi Pahi is a data privacy and cybersecurity lawyer who has spent the last six years assisting clients in setting up their cybersecurity programs, incident response plans, and data privacy approaches both in regulated and mostly unregulated spaces. She loves to talk about data protection, data brokers, longitudinal health data gathering, facial recognition and more.
She is currently Director of Privacy and Business Affairs at Rally Health, Inc., an active Fellow of the Internet Law & Policy Foundry, and assists with the BSides NoVA CFP board.
How To See Your Own Perception Bias
5:00 PM EST
Five years ago my career was skyrocketting upwards, but that changed when I brought my gender expression inline with my gender identity. As a result of transitioning, I experienced a shift in bias that no one could have prepared me for — but it’s not what you’re thinking.
In the two years that followed, I received over 30 rejections for roles and levels that I had previously held. I anticipated that I would run into stereotypes and negative bias, but the most surprising change in bias was internal.
Years of practicing meditation gave me a direct awareness that our perceptions are coloured by our past experiences, but as this body’s hormones changed, so too did my own perception of the world!
The interplay between memory and sensation, which occurs continually in each of us, is known as “perception bias”, and I have some news for you: we’re all biased — and that’s OK.
What matters is what we do with it.
Aeva is a veteran open source developer and community leader with 20 years’ experience in the tech sector. They launched OpenStack’s Bare Metal program in 2012, enabling performance-sensitive cloud native workloads to run securely without a hypervisor. After served on the OpenStack Technical Committee, they ran the engineering arm of a cloud hosting company for two years before taking a sabbatical.
Today, they work at Microsoft as a Sr Technical Open Source Program Manager within the Azure Confidential Computing team. They also sit on the Kubernetes Code of Conduct Committee and the Confidential Computing Consortium’s Outreach Committee, and hold a board seat on a Seattle-area non-profit which advocates and educates for a culture based on consent.
Election Security 101
5:30 PM EST
Election security in the United States is one of the most complex and difficult cybersecurity challenges facing our country today. Outdated and vulnerable equipment, chronic underfunding, untrained personnel, and a bewildering diversity of jurisdictions and laws are only the beginning of the problems the country faces going into the 2020 election cycle, and experts agree that little to nothing has been done to solve them. All of this in addition to the struggles the country faces with the onslaught of COVID-19.
In 2017, the DEF CON Voting Machine Hacking Village was convened by myself and my fellow organizers, Matt Blaze, Harri Hursti, and Jake Braun. Together, we opened up the previously restricted voting machinery for public, good-faith hacking efforts to explore and educate the security challenges inherent in these machines. In my talk, I will be giving an overview of the overall state of the industry for election security in the U.S. going back to the 2000 Florida recount. Among the topics, I’ll be addressing are how the industry got to its current state, what we can do to improve it, and the individual findings of the three DEF CON Voting Machine Hacking Village reports released since 2017. Our findings have also been featured in a newly released HBO documentary, “Kill Chain”.
Maggie MacAlpine is an election security specialist and one of the co-founders of the DEF CON Voting Machine Hacking Village. Over the course of ten years spent in the election security field, MacAlpine has been a contributing researcher on the “Security Analysis of the Estonian Internet Voting System” in partnership with the University of Michigan and a co-author of the DEF CON Voting Village Machine Hacking Village annual report for the past three years. MacAlpine has served as an advisor for the office of the Secretary of State of California for the Risk Limiting Audit Pilot Program 2011–2012, and is widely regarded as an expert on the use of high-speed scanners for conducting post-election audits. As a pro-bono consultant and most recently with her firm, Nordic Innovation Labs, she has advised on election security and auditing practices in numerous US states including Connecticut, New Hampshire, Florida, California, Colorado, and Kentucky. She has been a speaker on election security at conferences including DEF CON, ShmooCon Hacker Conference, PacSec Tokyo and in presentations to Capitol Hill.
Gatekeeping, Gaslighting & Grieving: Excelling Despite The Ugly Phases of Your Security Development Life Cycle
7:00 PM EST
This talk will apply a common SDLC model to career development: Planning, Threat Modeling, Testing, Deployment, and Maintenance. Our peers can typically use this 5-step model throughout their careers with no roadblocks. However, women are often suffering in silence through 3 extra unspoken phases in our security development life cycle: gatekeeping, gaslighting, and grieving.
Also overlooked: Black women and sisters of color face unique barriers to career success. Diversity efforts are often not intersectional, network access controls are designed to keep us out, and our threat models are different from industry peers.
This keynote will use the SDLC model to bring these vulnerabilities to the forefront. The audience will leave empowered with strategies to help them excel despite the ugly phases of the career life cycle. The speaker will also talk openly about money, a conversation that is long overdue.
Keirsten Brager is a Sr. Security Consultant/NERC-CIP SME in critical infrastructure and was recently named one of Dark Reading’s top women in security quietly changing the game. She is also the author Secure The InfoSec Bag: Six Figure Career Guide for Women in Security. She produced this resource to help women strategically plan their careers, diversify their incomes, and fire bad bosses. Keirsten holds a M.S. in Cybersecurity and several industry certifications, including GICSP & CISSP. As an active member of the Houston security community, Mrs. Brager has participated in a number of panels and public speaking engagements promoting strategies for success. In her free time, she loves sharing career advice, studying Black history, and convincing women not to quit the industry.