2015 BASC Presentations

We would like to thank our speakers for donating their time and effort to help make this conference successful.

After spending over 10 years as a builder of software systems, and the next five years on the breaking side of things, I then spent over a decade teaching information security concepts to over 25,000 people around the world at leading global organizations. Over the course of this work, I’ve noticed some interesting patterns across my body of students and clients. Most organizations I have seen have at least one critical area of the business where basic information security best practices were not implemented where they should be. In many cases, this is because people are either not factoring in an accurate representation of infosec risks into their planning & project life cycles, or they willfully ignore them. The reason for this often boils down to one thing: the overall level of security awareness in most places is pretty low, even amongst developers, and even in organizations where you would think it should be a lot higher. Amongst business and management groups, it can be practically non-existent because security is still often assumed to be the purview of the security group, the infrastructure team, or the developers. In such an environment, business requirements often take precedence over security requirements, even when the security requirements are truly protecting the best interests of the business. I have seen that many people within a typical organization:
 * have little to no understanding of the actual risks they face.
 * have no idea how to balance rational security options against business requirements to mitigate those risks.
 * think that security is somebody else’s job, and ignore it accordingly.
 * believe that internal systems are somehow safe from attack.
 * think that the data breach will never happen to them.

I have come to believe strongly that this is as much our failure to communicate and influence information security initiatives as it is the business' failure to understand. Given the shortage of infosec professionals in the marketplace, I believe the only way we can scale ourselves is to communicate what we know more effectively. In short, we need to learn how to communicate what we know much, much better than we are doing today.

Security is arguably much more of a people problem than a technology problem, and the ability to communicate rational security wisdom to people outside of the “InfoSec echo chamber” is a highly underrated skill. There are many areas of security where we have solid best practices, but they aren’t followed because the people who need to hear the message the most simply never receive it. Please join me in this frank & interactive discussion of what it means to communicate information security outside of our echo chamber, and discuss some specific strategies for doing so.

A discussion of the current trend of account checking attacks and the tools used to execute them. Data breaches have given attackers a large list of usernames and passwords that are often valid on many other unrelated sites. Cybercriminals use botnets in an attempt to gain access to rewards points and financial information in an automated fashion. Attackers span from professionals running custom tools hosted worldwide to advanced penetration testers who can quickly find and access an open back door. In this talk, we will look at the attack signatures and show some keys for detection and mitigation of the attacks.

Assessing the security of web applications is similar to penetration testing but also has certain key differences. In this presentation we will discuss what some of those similarities and differences are based on both academic research and real-world experience. Based on these similarities and differences, we will present the penetration testing practices we have found can be leveraged, the practices that need to be modified, and the practices that should be discarded when conducting web application security assessments.

Buffer Overflow attacks are one of the most insidious and difficult to thwart exploits that exist in today’s modern IT security infrastructure. Most enterprise IT professionals have little understanding of how they work and why existing options generally fail in stopping them. While user input-based attacks are well understood and solutions exist and are emerging for them, buffer overflow attacks remain the bane of application security professionals everywhere.

This presentation will focus on dissecting how buffer overflow attacks work, why they succeed through existing types of security products and an entirely new way of thinking regarding how to stop them. Using examples from Virsec hacking labs, we will discuss this critical area of security and new advancements, as well as demonstrate a buffer overflow attack that is thwarted using this new approach.

Cryptography is often seen as a security panacea, but the devil is in the details. While the standard algorithms are thought to be secure, how they are used or implemented can greatly affect their security. In this talk, I will start with the basic vocabulary of cryptography and then move on to some of the most common mistakes made in cryptography in recent years.

In this talk, we present the results of a long-term study of ransomware attacks that have been observed in the wild. We also provide a holistic view on how ransomware attacks have evolved during this period by analysing thousands of samples that belong to different ransomware families. Our results show that, despite a continuous improvement in the encryption, deletion, and communication techniques in the main ransomware families, the number of families with sophisticated destructive capabilities remains quite small. In fact, our analysis reveals that in a large number of samples, the malware simply locks the victim's computer desktop or attempts to encrypt or delete the victim's files using only superficial techniques. Our analysis also suggests that defending against ransomware attacks is not as complex as it has been previously reported. For example, we show that by monitoring abnormal file system activity, it is possible to design a practical defense system that could stop a large number of ransomware attacks, even those using sophisticated encryption capabilities. A close examination of the file system activities of multiple ransomware samples suggests that by looking at I/O requests and protecting the Master File Table (MFT) in the NTFS file system, it is possible to detect and prevent a significant number of zero-day ransomware attacks. Our findings contradict some security community discussions that suggest the impossibility of detecting or stopping these types of attacks due to the use of sophisticated, destructive techniques.

Threat modeling is a way of thinking about what could go wrong and how to prevent it. Instinctively, we all think this way in regards to our own personal security and safety. When it comes to building software, some software shops either skip the important step of threat modeling in secure software design, or they have tried threat modeling before but haven't quite figured out how to connect the threat models to real world software development and its priorities. In this session, you will learn practical strategies in using threat modeling in secure software design and how to apply risk management in dealing with the threats.

Static analysis, dynamic analysis, and other testing tools are all essential weapons against adversaries. But for the 78% of companies worldwide that use open source software in their application development, these tools are ineffective in identifying and mitigating open source security risks across their application portfolios. This presentation will cover:
 * The value of static and dynamic tools, and where they best fit in the Secure Development Lifecycle
 * Why these tools are not useful in identifying known vulnerabilities in open source components
 * Controls development and security professionals can deploy to select, detect, manage and monitor open source for existing and newly disclosed vulnerabilities.

Home Network Attached Storage devices (NAS) are gaining in popularity because of the simplicity they offer to manage ever-growing amounts of personal data. The device’s functionality is extending beyond a data store, adding functionality to become the central content management system, multimedia center, network management point and even automation hub for the home and small business. The devices offer accessibility to local and remote users as well as to untrusted users via data shares. These capabilities expose all stored data and the device itself to outside/remote attackers. This talk will demonstrate an attack named NEON TOOL; by leveraging multiple vulnerabilities, it allows a remote attacker to gain root access on a popular home NAS device. It examines the problems that XSS, in conjunction with other weaknesses, can create, addresses how these vulnerabilities were uncovered, possible mitigations and how to work responsibly with the vendor to ensure a timely resolution.

There is no shortage of products on the market today that promise a "golden ticket" solution to software/mobile security across the enterprise. However, the reality is that while the market is quite saturated, a certain level of finesse is required to effectively scale a proper application security program across large architecture & development organizations, and empower development teams to integrate the correct app sec resources into their existing development lifecycle to assure the timely identification and remediation of flaws.

Topics to be covered:
 * Scaling Threat Modeling / reducing Threat Modeling Overhead
 * Application Risk Classification
 * Security Training/Developer Empowerment/Satellite Development
 * Effective Static Analysis
 * Scaling Automated Application Assessment
 * Open Source Component Management
 * Penetration Testing
 * Effective use of WAFs and other Production Controls
 * Financial & Productivity Gains of Efficient AppSec Program Implementation

With more enterprises embracing the Hadoop ecosystem to store, manage and process large volumes of data, securing it is vital. In this talk we will go over the fundamentals of the Hadoop ecosystem and how it can be secured as it stands today.

This presentation explores the connections between threat modeling the Future of Humanity Institute’s (FHI) “Global Catastrophic Risks” and software threat modeling concepts, including the OWASP guide to Threat Risk Modeling. The impact to civilization from a technology perspective hinges on ensuring that proper risk is considered when developing technologies that the FHI has identified as catastrophic risks. While several risks are identified by this institute, technological areas of focus are artificial intelligence and nanotechnology. An overview of each of these technology areas will be provided, as well as a deep dive into their associated risk. As these technologies continue to gain momentum, a risk assessment of their activities and impacts requires a closer level of review and scrutiny as each implementation is evaluated. The most consistent finding in reviewing the various technologies is that an open framework of technological guidelines and threat models must be reviewed, applied, and revised by many professional security practitioners to assist in securing the long term fruition of our society and its inevitable technological reliance.

As a security consultant I do a lot of developer training sessions where I am routinely asked to go in front of a group of developers I have never met before, and teach them how to write more secure code. My approach to training is constantly evolving. After every training I do, self-reflection occurs and materials are updated in preparation for the next session. Throughout the past year as I have performed trainings, I have learned a few techniques and topics that resonate, and a few that do not. In this talk I discuss what makes an effective program and offer my guidance on building it out.

Web applications often sit on the open internet for a long time before flaws are fixed. This presents an opportunity for crawlers to index the site, sometimes including exceptions, and other information that should not be exposed. When conducting an application assessment, it is often worthwhile to dig into what the search engines have already indexed. Looking at the history of the site at various dates can also lead to hidden or forgotten pages that may aid in an attack.

In this talk, I present a few tools and techniques I use to search out this forgotten information and how it can be used to aid in an application assessment.