Category Archives: Speakers

BSides Detroit 12 Interviews 17

This week Josh Little is back as a host. Wolfgang and Josh talk to Prutha Parikh of Qualys, who is giving a technical talk. Last year Prutha found CVE-2011-4317, the Apache reverse proxy rewrite vulnerability.

Abstract. This talk will discuss the Apache Reverse Proxy vulnerability (CVE-2011-4317) that I discovered while developing vulnerability signatures for Apache. Depending on the reverse proxy configuration, the vulnerability allows access to internal systems from the Internet. The presentation will start with a discussion of reverse and forward proxies and look at some older reverse proxy vulnerabilities and patches. It will go into the thought process behind bypassing the latest patch to discover a new vulnerability to remotely gain access to the internal network. It will also describe the tools, techniques and ideas that went behind discovering the new variant of the vulnerability and constructing a proof of concept to exploit the issue. Along with exploring the root cause of the issue, it also talks about the issue from an attacker’s perspective and finally recommends protection mechanisms against the attack. The talk will also give the audience a peek into the process of vulnerability signature creation and discovering new vulnerabilities. I exercised responsible disclosure of the vulnerability to Apache and after the patch was released, I went public with my findings in a blog post. I will also share a standalone tool that will help system administrators identify the vulnerability in their environment.

This episode is cross-posted at Rats and Rogues.

BSides Detroit 12 Interviews 16

Week 16; hard to believe BSides Detroit is four weeks out. Don’t forget to check out the BSides Detroit page for the location. Get your tickets now!

This week Wolfgang and Chris talk to a guy from a Galaxy Far, Far Away, from a Long Time Ago: Kellman Meghu. Kellman’s talk is “How NOT to do security: Lessons learned from the Galactic Empire.”

It is geeky, but there is security gold in there. Lots of fun. He also likes to have conversations about it after the talk.

Abstract: An analysis of the strengths and weaknesses of the Galactic Empire security policy. This presentation seeks to conduct a post-mortem on the data security policy implemented during the events that led to the destruction of critical technology needed by the Empire for continued operational efficiencies. A history of the company, as well as a detailed look at the events that followed, provides a great working analysis that can be applied to your policy in hopes of avoiding the same fate. Learning from past mistakes, let’s ensure we are not doomed to repeat them, and potentially, suffer a similar fate.

This episode is cross-posted at Rats and Rogues.

BSides Detroit 12 Interviews 15

This week Chris and Wolfgang talk to Leonard Isham. Leonard is a security practitioner and social engineer who travels 100% of the time. Leonard’s talk is about negotiating during the hiring process. While an employer may not budge on the amount they’re willing to pay you, they may give you other perks. From Leonard’s point of view, we leave too much on the table because we don’t ask for it.

Abstract: Career 101: How to Unlock Achievements and Level Up. This isn’t magic or some scientific formula that you can purchase. It isn’t even an infomercial. It’s social engineering and there are steps that can be taken to increase your odds; build a proven track record moving forward in your career goals and the critical negotiation process.

This episode is cross-posted at Rats and Rogues.

BSides Detroit 12 Interviews 13

This week Wolfgang and Chris talk with Mike Westra of Ford. Mike is talking about the Ford SYNC system and clearing up some of the misconceptions about hacking your car. He also touches on how he heard of BSides Detroit.

This episode is cross-posted at Rats and Rogues.

BSides Detroit 12 Interviews 11

This week Wolfgang and I are joined by a rogue. @Rogueclown, that is. You might remember Nicolle Neulist from the Rats and Rogues Panel episode back in January. This time Nicolle is talking about HSTS, or HTTP Strict Transport Security. Since the interview, she has gone on to do more research, which means her talk will be all the better.

Abstract: Although not widely implemented on websites yet, HTTP Strict Transport Security is a standards-track web security mechanism designed to allow a website to force a browser to only accept the site if it is delivered over SSL/TLS. HSTS has been implemented on two of the three most widely used browsers: Firefox and Chrome. It is designed as a transparent way to protect users from sniffing attacks and spoofed pages, by forcing SSL/TLS on pages that should have it. This presentation explores the design of HSTS as well as its implementation.

Basically, all HSTS contains is one header telling the browser to only accept the site over a secure and trusted connection for a certain time. Except for a few dozen sites, for which HSTS protection has been hard-coded into Chrome at the request of the website owners, HSTS data for both Firefox and Chrome is saved in a user’s profile. If a user tries to load a site in the browser’s HSTS database, and the site is delivered either over plaintext or with a bad certificate, the browser returns an error that the site is not available. HSTS is designed to be transparent to the user — which is good for keeping users off some malicious sites, but can also be dangerous in the sense that it is so easy to take away a protection that a user doesn’t even know is there.

One common way in which HSTS is mis-implemented by webmasters is by putting HSTS headers on a subdomain (www.site.com) without putting one on the website at the main domain (site.com) — even if site.com only serves as a redirect to https://www.site.com. Even with HSTS in place, and the database knowing that www.site.com should be accessed securely, a user who only types site.com could access a malicious site. I will show a demonstration of this in a VM lab with a rogue DNS server provided by a DHCP server as the attack vector; DNSChanger malware, however, would work just as well. This can be straightforwardly addressed by webmasters, by placing an HSTS header at site.com with subdomain permissions enabled, or adding HSTS headers to all pages at all domains and subdomains.

Another implementation flaw involves the threat of an attacker adulterating or deleting a browser’s HSTS database. Since HSTS is transparent, a user is unlikely to notice if the database has been tampered with. I will demonstrate and share code (written as a Metasploit module for the sake of community usability) that will remove the HSTS databases for both Firefox and Chrome, as well as continue to do so in the future — leaving the user vulnerable to accessing malicious sites posting with “legitimate” domain names when using a rogue DNS server. Although with root privileges this can be done for all users, even with user-level privileges this can be set to persistently break any given user’s HSTS protection.

Hard-coding, as Chrome does, may work for small amounts of sites, but may not be scalable as more sites adopt HSTS.
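The abstract names the pieces that matter: one header, a per-profile database keyed by host, a lifetime, and the gap that opens when only www.site.com sends the header. The Python below is an added example, not code from the talk or from either browser. It models a browser's HSTS store using the header and matching rules of RFC 6797 as simplified assumptions; the hostnames, max-age values and timestamps are constructed for the demonstration.

```python
"""Toy model of a browser HSTS store (added example; not the talk's code or any browser's)."""
import re
from typing import Dict, Optional, Tuple

# host -> (absolute expiry in seconds, includeSubDomains flag)
HstsEntry = Tuple[float, bool]


def parse_hsts_header(value: str) -> Optional[Tuple[int, bool]]:
    """Parse a Strict-Transport-Security value into (max_age, include_subdomains).

    Returns None when there is no usable max-age, which a browser treats as
    "ignore the header". Directive names are case-insensitive; unknown ones are skipped.
    """
    max_age: Optional[int] = None
    include_subdomains = False
    for directive in value.split(";"):
        name, _, arg = directive.strip().partition("=")
        name = name.strip().lower()
        arg = arg.strip().strip('"')
        if name == "max-age":
            if not re.fullmatch(r"[0-9]+", arg):
                return None
            max_age = int(arg)
        elif name == "includesubdomains":
            include_subdomains = True
    if max_age is None:
        return None
    return max_age, include_subdomains


class HstsStore:
    """The per-profile database the abstract describes: entries live until they expire or are wiped."""

    def __init__(self) -> None:
        self.entries: Dict[str, HstsEntry] = {}

    def observe(self, host: str, header_value: str, over_https: bool, now: float) -> None:
        """Record a response header. Browsers only honour HSTS on responses that arrived
        over HTTPS with a valid certificate; max-age=0 deletes the entry (RFC 6797 rules,
        assumed here rather than taken from the talk)."""
        if not over_https:
            return
        parsed = parse_hsts_header(header_value)
        if parsed is None:
            return
        max_age, include_subdomains = parsed
        host = host.lower()
        if max_age == 0:
            self.entries.pop(host, None)
        else:
            self.entries[host] = (now + max_age, include_subdomains)

    def should_upgrade(self, host: str, now: float) -> bool:
        """True when the browser must insist on HTTPS with a valid certificate for host:
        an unexpired entry for the exact host, or for a parent domain that set includeSubDomains."""
        labels = host.lower().split(".")
        for i in range(len(labels)):
            entry = self.entries.get(".".join(labels[i:]))
            if entry is None:
                continue
            expiry, include_subdomains = entry
            if expiry > now and (i == 0 or include_subdomains):
                return True
        return False

    def wipe(self) -> None:
        """What deleting the profile's HSTS database amounts to: every entry is gone."""
        self.entries.clear()


def www_only_deployment(now: float = 0.0) -> Tuple[bool, bool]:
    """The misconfiguration from the abstract (constructed scenario): only www.site.com
    sends the header. Returns (www.site.com protected?, site.com protected?)."""
    store = HstsStore()
    store.observe("www.site.com", "max-age=31536000", over_https=True, now=now)
    return (store.should_upgrade("www.site.com", now),
            store.should_upgrade("site.com", now))


def apex_with_subdomains(now: float = 0.0) -> Tuple[bool, bool, bool]:
    """The fix: the header at site.com with includeSubDomains covers the apex and every subdomain."""
    store = HstsStore()
    store.observe("site.com", "max-age=31536000; includeSubDomains", over_https=True, now=now)
    return (store.should_upgrade("site.com", now),
            store.should_upgrade("www.site.com", now),
            store.should_upgrade("mail.site.com", now))


def protection_lifetime(now: float = 0.0) -> Tuple[bool, bool, bool, bool]:
    """Protection is silent and time-bound: present until max-age runs out, gone the moment
    the store is wiped, and a header seen over plain HTTP cannot bring it back."""
    store = HstsStore()
    store.observe("site.com", "max-age=3600; includeSubDomains", over_https=True, now=now)
    before_expiry = store.should_upgrade("mail.site.com", now + 3599)
    after_expiry = store.should_upgrade("mail.site.com", now + 3600)
    store.observe("site.com", "max-age=3600; includeSubDomains", over_https=True, now=now)
    store.wipe()
    after_wipe = store.should_upgrade("site.com", now + 1)
    store.observe("site.com", "max-age=3600", over_https=False, now=now + 1)
    after_plaintext_header = store.should_upgrade("site.com", now + 2)
    return before_expiry, after_expiry, after_wipe, after_plaintext_header
```

Calling the three scenario functions shows the www-only deployment leaving a user who types site.com unprotected, the includeSubDomains fix covering the apex and every subdomain, and the protection disappearing without any visible sign once the entry expires or the store is wiped. Real browsers keep these entries in a file inside the profile, which is exactly what a wipe targets; the model leaves out the hard-coded list the abstract mentions for Chrome.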

This episode is cross-posted at Rats and Rogues.

BSides Detroit 12 Interviews 10

It is week 10; Wolfgang said we’re halfway through. This week Justin and I were not available, so Wolf and Ray talked to Rob Former (Slugs on Toast).

Rob is talking about “Smart” Power Meters. Ray actually asks some good questions. Listen in to find out just how secure and safe the new tech really is.

Abstract: In the information security business, it seems you can’t open a journal or blog site without being inundated with articles about SmartMeters and AMI. There is a lot of speculation and FUD on this topic. There are claims of wormable code and full carnal pwnage. What are the facts? What can you really do to hack a meter, and what does that gain you? This talk will examine the vulnerability points of a typical meter and the systems that support it. Will you be able to hack a meter by the end of this talk? Maybe, maybe not. It depends on how smart you are I guess. What you WILL get out of this talk is a sense of the security realities that adding two-way communication and shutoff switches to the meter on the side of your house brings, along with the ability to tell if the talking head on is full of sh*t or not. Oh yes, I’ll also be poking fun at the Tin Foil Hat crowd. If you don’t know who that is, come to the talk.

This episode is cross-posted at Rats and Rogues.

BSides Detroit 12 Interviews 09

This week Wolfgang and Chris talk to John Moore. His talk is about the computer in your pocket, and the data it leaks on a regular basis. Listen for the AD security leak.

He talks about using Shark for Root (Wireshark for Android) to do packet capture around you, and about having your phone broadcast as a WiFi access point and seeing what happens. He also talks a little about war walking, war dining, stroll trolling and WiFi phaking.

Abstract: The pervasiveness of mobile devices like smart phones is often overlooked as a valid and effective attack vector in regards to the confidentiality of sensitive data in the general public and IT/Security Enterprise communities. This talk aims to educate both the layman and professional on how exploitation and social engineering can occur in regards to smart phone attacks against public Wi-Fi networks and what behaviors and technologies can be utilized to minimize the impact of sensitive data loss for both individuals and businesses. This discussion will include an application based presentation and live demonstration on how to sniff data from public wireless hotspots using a smart phone or tablet, referred to as “War Walking” or “War Dining”. It will also introduce the social engineering concepts called “Wi-Fi Phaking” and “Stroll Trolling”, which result from the act of tricking a local device such as a phone or a laptop into joining a smart phone enabled Wi-Fi hotspot with the sole intent of collecting and identifying sensitive information from that connected device. More alarmingly, this can be accomplished by utilizing freely available applications found on the Internet and the Android Market, which makes this threat incredibly pervasive and cost effective. The presentation will conclude with discussing security practices and procedures users and businesses can take to help mitigate the risk of these vulnerabilities being exploited both personally and professionally.

This episode is cross-posted at Rats and Rogues.

BSides Detroit 12 Interviews 08

This week we are joined by the Marketing Master of GrrCON, Jaime Payne. One of the things I noticed during her talk, her method for marketing GrrCON sounds a lot like some of the things Social Engineers do to get to the right people in a company. The title of the talk sounds awesome, and it sounds like the talk will span beyond just Cons, and could help any new group starting in the area.

Abstract: So you decided to start up a hacker conference in your town? Awesome! Now how the hell are you going to get money? I’ll tell you how! A little bit of BS (well perhaps a touch more than that) a pinch of social engineering, and a whole lot of patience and spamming! Apply my concepts not only to conferences, but your Hacker Space, local ISSA chapter, or maybe even your school’s cyber defense team. Who knows? Just get that cash! I’ll walk you through how to actually get through to sponsors, milk them for the most ca$h possible, social engineer your way to interviews and most importantly – butts in your seats!

This episode is cross-posted at Rats and Rogues.

BSides Detroit 12 Interviews 06

Hey everyone, sorry it’s late. Our guest this week is so awesome that he caused a buffer overload on the website. Ok no not really.

We do refer to this week’s guest as the most interesting man in #misec. He joins us this week to talk about Tough Mudder, training, and the #misec Capture The Flag (CTF) team that he heads up. Oh yeah, and about his talk at this year’s BSides Detroit. He’ll be teaching us about vulnerability scanning.

He IS Derrek Thomas.

Abstract: The vulnerability scan has become a staple in the modern security program.  A single scan can provide a point-in-time snapshot of known vulnerabilities and configuration issues associated with the infrastructure.  I find many organizations perform vulnerability scans but the problem is that the scans are performed merely to satisfy compliance.  An annual scan may check the box in a report but there will also be 11.5 months of little to no visibility into the state of the infrastructure. Have those patches really been applied?  Is change control being followed?  Vulnerability management needs to move beyond the periodic vulnerability scan towards continuous vulnerability discovery.  This process is much more than just technical scanning and requires the security professional to constantly test and improve detection and alerting.  Poor incident response, inadequate security monitoring, and unknown assets can leave a network just as vulnerable as an unpatched server.  Are IDS alerts generated when they should be or has an antivirus alert received adequate response?  I will be discussing my experience with a vulnerability management program from the painful beginning.  In addition to the use of vulnerability scanning tools I will address how to solve these problems through red team testing, security information and event monitoring, and configuration baselines.  A vulnerability management program should be designed around making incremental improvements in current security processes.

This episode is cross-posted at Rats and Rogues.

BSides Detroit 12 Interviews 05

This week we talk with Georgia Weidman. Georgia lets us in on a little bit of Android security permissions.

Abstract: When giving a security talk on the Android platform, one of the most common questions is can the permissions model be bypassed? Can an Android app, short of exploiting the phone and gaining root privileges gain additional permissions? In this talk we will look at ways attackers can bypass the permission model including: taking advantage of insecure storage practices in other installed apps, and piggybacking on other apps with insecurely implemented interfaces. Demos, code snippets and examples of apps from the Android Market with these problems will be shown. We will then discuss resources Android has in place to combat these problems and what developers and users can do to mitigate these risks.
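The “insecurely implemented interfaces” path in the abstract comes down to components another app can call without holding any permission. As an added example, not code from the talk and not taken from any app in the Android Market, the Python below walks an AndroidManifest.xml and lists such components. The manifest is constructed for a fictitious notes app, and the export rules the check encodes are the standard Android defaults of the time, stated in the docstring as assumptions.

```python
"""Manifest check for components reachable by any other app (added example; not the talk's code)."""
import xml.etree.ElementTree as ET
from typing import List, Optional, Tuple

ANDROID_NS = "http://schemas.android.com/apk/res/android"
COMPONENT_TAGS = ("activity", "service", "receiver", "provider")


def _attr(elem: ET.Element, name: str) -> Optional[str]:
    """Read an attribute from the android: namespace."""
    return elem.get("{%s}%s" % (ANDROID_NS, name))


def find_exposed_components(manifest_xml: str) -> List[Tuple[str, str, str]]:
    """Return (tag, name, reason) for every component another app can invoke without
    holding a permission. Rules assumed (standard Android behaviour at the time of the talk):
      - android:exported="true" exports the component explicitly;
      - a component with an <intent-filter> and no android:exported attribute is
        exported by default;
      - a <provider> with no android:exported attribute is exported by default when the
        app targets API < 17, so it is flagged here (tighten this if you know the target);
      - android:permission on the component gates callers; an exported component without
        it accepts intents from any app, which is the piggybacking the abstract describes.
    """
    root = ET.fromstring(manifest_xml)
    app = root.find("application")
    findings: List[Tuple[str, str, str]] = []
    if app is None:
        return findings
    for comp in app:
        if comp.tag not in COMPONENT_TAGS:
            continue
        exported = _attr(comp, "exported")
        has_filter = comp.find("intent-filter") is not None
        if exported == "true":
            reason = 'android:exported="true"'
        elif exported is None and has_filter:
            reason = "intent-filter present, exported attribute absent (exported by default)"
        elif exported is None and comp.tag == "provider":
            reason = "provider without exported attribute (exported by default below API 17)"
        else:
            continue
        if _attr(comp, "permission"):
            continue  # callers must hold a permission, so an arbitrary app cannot reach it
        findings.append((comp.tag, _attr(comp, "name") or "?", reason))
    return findings


# Constructed manifest for a fictitious notes app; not a real app from the Android Market.
SAMPLE_MANIFEST = """\
<manifest xmlns:android="http://schemas.android.com/apk/res/android" package="com.example.notes">
  <application>
    <activity android:name=".ShareActivity">
      <intent-filter>
        <action android:name="android.intent.action.SEND"/>
        <category android:name="android.intent.category.DEFAULT"/>
        <data android:mimeType="text/plain"/>
      </intent-filter>
    </activity>
    <service android:name=".SyncService" android:exported="true"/>
    <provider android:name=".NotesProvider" android:authorities="com.example.notes"
              android:exported="true" android:permission="com.example.notes.READ_NOTES"/>
    <provider android:name=".CacheProvider" android:authorities="com.example.notes.cache"/>
    <receiver android:name=".WipeReceiver" android:exported="false">
      <intent-filter><action android:name="com.example.notes.WIPE"/></intent-filter>
    </receiver>
  </application>
</manifest>
"""

if __name__ == "__main__":
    for tag, name, reason in find_exposed_components(SAMPLE_MANIFEST):
        print("%-8s %-18s %s" % (tag, name, reason))
```

On the sample manifest the check reports ShareActivity (exported through its intent-filter), SyncService (exported explicitly) and CacheProvider (a provider with no exported attribute), while NotesProvider is skipped because callers must hold a permission and WipeReceiver is skipped because it is explicitly not exported. Whether each reported component is actually dangerous depends on what it does with the intent or the data it serves, which is what the demos in the talk look at; the manifest only tells you who can knock on the door.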

This episode is cross-posted at Rats and Rogues.