2015 BASC Presentations

We would like to thank our speakers for donating their time and effort to help make this conference successful.

This presentation explores the connections between threat modeling the Future of Humanity Institute’s (FHI) “Global Catastrophic Risks” and software threat modeling concepts, including the OWASP guide to Threat Risk Modeling. The impact to civilization from a technology perspective hinges on ensuring that proper risk is considered when developing technologies that the FHI has identified as catastrophic risks. While several risks are identified by this institute, the technological areas of focus are artificial intelligence and nanotechnology. An overview of each of these technology areas will be provided, as well as a deep dive into their associated risks. As these technologies continue to gain momentum, a risk assessment of their activities and impacts requires a closer level of review and scrutiny as each implementation is evaluated. The most consistent finding in reviewing the various technologies is that an open framework of technological guidelines and threat models must be reviewed, applied, and revised by many professional security practitioners to help secure the long-term fruition of our society and its inevitable technological reliance.

There is no shortage of products on the market today that promise a "golden ticket" solution to software/mobile security across the enterprise. However, the reality is that while the market is quite saturated, a certain level of finesse is required to effectively scale a proper application security program across large architecture and development organizations, and to empower development teams to integrate the correct AppSec resources into their existing development lifecycle so that flaws are identified and remediated in a timely manner.

Topics to be covered:
 * Scaling Threat Modeling / reducing Threat Modeling Overhead
 * Application Risk Classification
 * Security Training/Developer Empowerment/Satellite Development
 * Effective Static Analysis
 * Scaling Automated Application Assessment
 * Open Source Component Management
 * Penetration Testing
 * Effective use of WAFs and other Production Controls
 * Financial & Productivity Gains of Efficient AppSec Program Implementation

Static analysis, dynamic analysis, and other testing tools are all essential weapons against adversaries. But for the 78% of companies worldwide that use open source software in their application development, these tools are ineffective at identifying and mitigating open source security risks across their application portfolios. This presentation will cover:
 * The value of static and dynamic tools, and where they best fit in the Secure Development Lifecycle
 * Why these tools are not useful in identifying known vulnerabilities in open source components
 * Controls that development and security professionals can deploy to select, detect, manage and monitor open source components for existing and newly disclosed vulnerabilities.

Web applications often sit on the open internet for a long time before flaws are fixed. This presents an opportunity for crawlers to index the site, sometimes including exceptions, and other information that should not be exposed. When conducting an application assessment, it is often worthwhile to dig into what the search engines have already indexed. Looking at the history of the site at various dates can also lead to hidden or forgotten pages that may aid in an attack.

In this talk, I present a few tools and techniques I use to search out this forgotten information and how it can be used to aid in an application assessment.

As a security consultant I do a lot of developer training sessions where I am routinely asked to go in front of a group of developers I have never met before, and teach them how to write more secure code. My approach to training is constantly evolving. After every training I do, self-reflection occurs and materials are updated in preparation for the next session. Throughout the past year as I have performed trainings, I have learned a few techniques and topics that resonate, and a few that do not. In this talk I discuss what makes an effective program and offer my guidance on building it out.

In this talk, we present the results of a long-term study of ransomware attacks that have been observed in the wild. We also provide a holistic view on how ransomware attacks have evolved during this period by analysing thousands of samples that belong to different ransomware families. Our results show that, despite a continuous improvement in the encryption, deletion, and communication techniques in the main ransomware families, the number of families with sophisticated destructive capabilities remains quite small. In fact, our analysis reveals that in a large number of samples, the malware simply locks the victim's computer desktop or attempts to encrypt or delete the victim's files using only superficial techniques. Our analysis also suggests that defending against ransomware attacks is not as complex as has been previously reported. For example, we show that by monitoring abnormal file system activity, it is possible to design a practical defense system that could stop a large number of ransomware attacks, even those using sophisticated encryption capabilities. A close examination of the file system activities of multiple ransomware samples suggests that by looking at I/O requests and protecting the Master File Table (MFT) in the NTFS file system, it is possible to detect and prevent a significant number of zero-day ransomware attacks. Our findings contradict some security community discussions that suggest the impossibility of detecting or stopping these types of attacks due to the use of sophisticated, destructive techniques.
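The file-system-activity monitoring the abstract describes, sketched as an added Python example (this is not the study's own detector): each process gets a sliding window of high-entropy overwrites, and any write that touches the NTFS metadata file or a raw volume handle is flagged outright. The event format, thresholds, path markers and the sample events are assumptions made for the illustration.

```python
import math
from collections import defaultdict, deque

WINDOW_SECONDS = 5.0       # per-process sliding window (assumed value)
ENTROPY_THRESHOLD = 7.5    # bits/byte; encrypted or compressed data approaches 8.0
MIN_DISTINCT_FILES = 3     # high-entropy overwrites of distinct files before alerting
MFT_MARKERS = ("$MFT", "\\\\.\\")  # NTFS metadata file or a raw volume handle

def shannon_entropy(data: bytes) -> float:
    """Bits per byte of the buffer (0.0 for empty input)."""
    if not data:
        return 0.0
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in counts if c)

def detect_ransomware_like(events, window=WINDOW_SECONDS):
    """events: (time_s, pid, op, path, data) with data = bytes written (b'' otherwise).
    Returns {pid: reason} for processes whose I/O pattern looks like bulk encryption."""
    recent = defaultdict(deque)   # pid -> (time, path) of recent high-entropy writes
    flagged = {}
    for t, pid, op, path, data in sorted(events, key=lambda e: e[0]):
        if pid in flagged or op != "write":
            continue
        if any(m in path for m in MFT_MARKERS):
            flagged[pid] = f"write to NTFS metadata or raw volume: {path}"
        elif shannon_entropy(data) >= ENTROPY_THRESHOLD:
            q = recent[pid]
            q.append((t, path))
            while t - q[0][0] > window:      # drop writes that fell out of the window
                q.popleft()
            distinct = {p for _, p in q}
            if len(distinct) >= MIN_DISTINCT_FILES:
                flagged[pid] = f"{len(distinct)} high-entropy overwrites within {window}s"
    return flagged

# Constructed event stream for the demo (not captured from any real system).
HIGH = bytes(range(256))               # entropy 8.0, stands in for ciphertext
LOW = b"quarterly report text " * 12   # ordinary document content
SAMPLE_EVENTS = [
    (0.0, 100, "write", r"C:\Users\a\Documents\report.docx", LOW),
    (1.1, 200, "write", r"C:\Users\a\Pictures\cat.jpg", HIGH),
    (1.5, 200, "write", r"C:\Users\a\Pictures\dog.jpg", HIGH),
    (1.9, 200, "write", r"C:\Users\a\Documents\notes.txt", HIGH),
    (9.0, 300, "write", r"\\.\C:", HIGH),                 # raw volume write
    (10.0, 400, "write", r"C:\Users\a\backup.zip", HIGH), # one archive write: benign
]
```

Process 200 trips the entropy rule, process 300 the MFT/raw-volume rule, while the single high-entropy archive write from process 400 stays below the distinct-file threshold.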

Home Network Attached Storage devices (NAS) are gaining in popularity because of the simplicity they offer to manage ever-growing amounts of personal data. The device’s functionality is extending beyond a data store, adding functionality to become the central content management system, multimedia center, network management point and even automation hub for the home and small business. The devices offer accessibility to local and remote users as well as to untrusted users via data shares. These capabilities expose all stored data and the device itself to outside/remote attackers. This talk will demonstrate an attack named NEON TOOL; by leveraging multiple vulnerabilities, it allows a remote attacker to gain root access on a popular home NAS device. It examines the problems that XSS, in conjunction with other weaknesses, can create, addresses how these vulnerabilities were uncovered, possible mitigations and how to work responsibly with the vendor to ensure a timely resolution.

A discussion of the current trend of account checking attacks and the tools used to execute them. Data breaches have given attackers a large list of usernames and passwords that are often valid on many other unrelated sites. Cybercriminals use botnets in an attempt to gain access to rewards points and financial information in an automated fashion. Attackers span from professionals running custom tools hosted worldwide to advanced penetration testers who can quickly find and access an open back door. In this talk, we will look at the attack signatures and show some keys for detection and mitigation of the attacks.
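One detection signature for account checking, as an added Python example that is not the speaker's material: a pass over login records that flags a source address trying many distinct usernames inside a short window with few successes, and reports which accounts the replayed credentials did unlock so they can be reset. The log format, thresholds and the RFC 5737 test addresses in the sample are assumptions.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed authentication log (addresses from RFC 5737 documentation ranges,
# not real traffic). Fields: timestamp, source IP, username, outcome.
SAMPLE_LOG = """\
2015-10-03T10:00:01 203.0.113.7 alice FAIL
2015-10-03T10:00:02 203.0.113.7 bob OK
2015-10-03T10:00:02 203.0.113.7 carol FAIL
2015-10-03T10:00:03 203.0.113.7 dave FAIL
2015-10-03T10:00:03 203.0.113.7 erin FAIL
2015-10-03T10:00:04 203.0.113.7 frank FAIL
2015-10-03T10:00:10 198.51.100.20 alice FAIL
2015-10-03T10:00:25 198.51.100.20 alice FAIL
2015-10-03T10:00:40 198.51.100.20 alice OK
2015-10-03T10:01:00 192.0.2.9 grace OK
"""

def parse_auth_log(text):
    """Yield (timestamp, ip, user, success) tuples; malformed lines are skipped."""
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 4:
            continue
        ts, ip, user, outcome = parts
        yield datetime.fromisoformat(ts), ip, user, outcome == "OK"

def find_account_checking(records, window=timedelta(minutes=5),
                          min_users=5, max_success_ratio=0.2):
    """Flag source IPs that try many distinct usernames within one window and mostly
    fail: the shape of a breached credential list being replayed. Returns
    {ip: {"users": distinct names tried, "attempts": n, "hits": names that succeeded}}."""
    by_ip = defaultdict(list)
    for ts, ip, user, ok in sorted(records, key=lambda r: r[0]):
        by_ip[ip].append((ts, user, ok))
    alerts = {}
    for ip, tries in by_ip.items():
        start = 0
        for end, (ts, _, _) in enumerate(tries):
            while ts - tries[start][0] > window:   # slide the window forward
                start += 1
            span = tries[start:end + 1]
            users = {u for _, u, _ in span}
            successes = sum(1 for _, _, ok in span if ok)
            hits = sorted({u for _, u, ok in span if ok})
            if len(users) >= min_users and successes / len(span) <= max_success_ratio:
                alerts[ip] = {"users": len(users), "attempts": len(span), "hits": hits}
    return alerts
```

A user mistyping a password from a home address (one username, eventual success) and a shared NAT where most logins succeed both stay under the threshold, which is why the success ratio is checked alongside the username count.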