Friday, May 18
 

8:00am

Breakfast and Registration
Register, pick up your poster, pick up your badge and grab some donuts!

Friday May 18, 2018 8:00am - 9:00am
Preservation Pub 28 Market Square, Knoxville, TN 37902

9:00am

No True Security Person - Balkanization of the Security Community
We talk about "the security community", but there is not one, but many that clash with one another. In security, it seems, there is no true Scotsman.

I'll discuss different security subcommunities, the psychology structures that produce them, as well as some pointers on how to work with each.

Speakers
Kate Pearce

Cisco
Kate Pearce is a New Zealand based Kiwi who moonlights by day as a Senior Security Consultant at Cisco. Kate is best known for her Multipath techniques for IDS evasion. She refuses to specialize and, as a result, spends some time security testing, some time helping the builders, and...


Friday May 18, 2018 9:00am - 9:45am
Scruffy City Hall 32 Market Square, Knoxville, TN 37902

9:00am

Containerization: a new Compartmentalization for Information Security
Despite how very different a container is from a virtual machine (VM), that comparison is the easiest to understand if you’ve never dabbled in the world of containers. You can think of it as a VM that runs one specific application. Essentially, you spin up an image that is trimmed down to run whatever specific application it’s been built for.

“But why would I want a VM that runs just one application?”

Well, that’s where it begins to get interesting. Containers are super lightweight and have a minuscule footprint on systems. They can be tailored to only use the minimum resources needed just for that application as opposed to a traditional VM where you’re supporting an operating system, services, and any other resources that a full-fledged physical machine needs to run. Additionally, containers can be spun up to do a job and deleted right after completing that job with no loss of data, meaning they’re only there when you need them.

So for those of us that work in the realm of information security, we know that one of the best ways to protect systems is by layering security. In fact, if we had our way, we would just pile on the layers until no attacker would see the value in the attempt. However, in the real world that’s just not practical. So as mentioned earlier containers are… well… self-contained. They are utilized for a single application maintaining compartmentalization of data, access, and resources. They can also be used and then deleted after use while the data they utilize is stored elsewhere.

This makes for a very convincing tool in securing systems and networks. We can have a single instance of an application run with access only to the data it needs to operate, accessed only by the person who instantiated the container, and then potentially deleted after use. Not to mention that simultaneous containers can operate independently of each other with no crossover connections, effectively isolating those instances from other systems, networks, and users. Truly, this sounds like a very effective strategy in securing a variety of systems and networks in a variety of environments.

Speakers
Corey McReynolds

Sword and Shield Enterprise Security
Corey graduated Carson-Newman University with Bachelor of Arts in Communications. He then started his career with the United States Army where he worked on numerous operations as a Military Intelligence asset. He was Honorably Discharged as a Military Intelligence Officer from the...


Friday May 18, 2018 9:00am - 9:45am
KEC (Knoxville Entrepreneur Center) 17 Market Square Suite 101, Knoxville, TN 37902

9:00am

Tap, Tap, Is This Thing On? Testing EDR Capabilities
Many organizations and defenders are deploying EDR products. No one seems to be talking about how to test these products. Our aim is to provide teams with what we think works well across multiple vendor stacks. Atomic Red Team was created to assist with this exact task.

Speakers
Michael Haag

Red Canary
Michael has more than a decade of experience across the security spectrum, from architecting security programs to overseeing day-to-day tuning and operations. His expertise includes advanced threat hunting and investigations, technology evaluations and integrations, and hands-on development...


Friday May 18, 2018 9:00am - 9:45am
Preservation Pub 28 Market Square, Knoxville, TN 37902

10:00am

Thinking outside the security box: Assembling non-traditional security teams
In an environment where traditional security professionals are scarce, I have taken a different approach to building out a robust pentesting team. By thinking outside the box and adding a bit of creativity to the process we have been able to transform the way we attract and hire talent.

Speakers
Jay Paz

Senior Manager, Penetration Testing, Rapid7
Jay Paz (GSEC, GWAPT, GISP, GSSP-JAVA) has more than nine years of experience in information security and sixteen plus years of information technology experience including system analysis, design and implementation for enterprise level solutions. He has a strong background in developer...


Friday May 18, 2018 10:00am - 10:45am
KEC (Knoxville Entrepreneur Center) 17 Market Square Suite 101, Knoxville, TN 37902

10:00am

HTTP/2 Magic with Merlin
**FREE STICKERS**

HTTP/2 is a protocol that increases efficiency and overcomes shortfalls of the HTTP/1 protocol and is intended to be used only over TLS connections. Because this protocol is relatively new, there is a lack of tools capable of inspecting the protocol to detect or prevent attacks. The protocol’s use of Perfect Forward Secrecy TLS cipher suites further complicates matters by preventing inspecting technologies from capturing the keying material required to decrypt traffic for inspection. This presentation provides an overview of the HTTP/2 protocol along with implications for defenders and attackers alike. Merlin is a cross-platform post-exploitation HTTP/2 Command & Control server and agent written in golang. A new tool will be released to the public that leverages HTTP/2 Command & Control of a host across many platforms to include Linux, Windows, Android, and MacOS.

Presentation
HTTP/2 Protocol: This presentation will include a brief intro into HTTP/2 and how it is different than HTTP/1.X. Next we will walk through some of the unique aspects in regards to communication channel encryption, such as only allowing ephemeral cipher suites. During this research, it was determined that current tool sets are not capable of decrypting HTTP/2 traffic because of the ephemeral cipher suites, nor of decoding HTTP/2 traffic in an IDS to evaluate the contents.
Blue Team Defenses: The protocol can leave some blind spots for network defenders. We’ll quickly evaluate some options for working with HTTP/2 traffic, such as downgrading the protocol so that an IDS can look at it, or terminating TLS connections and changing cipher suites so it can be decrypted later. TLS fingerprinting is another avenue that circumvents the need to perform any decryption.
Red Team Post-Exploitation Command & Control: The second half of the presentation will focus on a post-exploitation command and control tool written entirely in Golang that operates over HTTP/2. Additionally, the tool can be cross compiled to a plethora of platforms such as Linux, BSD, Windows, Solaris, and MacOS, all with just a single command line switch. We’ll show how using a newer protocol can be used to stay undetected while maintaining access to systems on an internal network. The tool has been dubbed “Merlin”, is currently functional, and is hosted on GitHub. After announcing the tool, we’ll spend some time providing a demonstration of its functionality.

Background
Russel started researching the HTTP/2 protocol as part of his graduate studies and published a paper on the topic.

Speakers
Russel Van Tuyl

Security Analyst, Sword & Shield Enterprise Security
Russel Van Tuyl is a security analyst for Sword & Shield Enterprise Security. His primary role consists of conducting network vulnerability assessments, penetration tests, and web application assessments but also performs firewall configuration audits, wireless assessments, and social...


Friday May 18, 2018 10:00am - 10:45am
Preservation Pub 28 Market Square, Knoxville, TN 37902

10:00am

The differences and niches in the different major criminal undergrounds
Trend Micro's FTR team are known experts on the workings of the underground marketplaces and forums. Walk through all of the findings from each region, and the differences between the underground and criminals in each region. The following undergrounds are covered: Russia, China, Japan, US, Germany, and Deepweb.

Speakers
Stephen Hilt

Trend Micro
Stephen Hilt is a Sr. Threat Researcher at Trend Micro. Stephen focuses on General Security Research, Threat Actors, Malware behind attacks, and Industrial Control System Security. Stephen enjoys breaking things and putting them back together with a few extra parts to spare. Stephen...


Friday May 18, 2018 10:00am - 10:45am
Scruffy City Hall 32 Market Square, Knoxville, TN 37902

11:00am

Death, Dealing, and Digital Forensics
Death. It's inevitable, yet we never plan for it. When it does happen, how do we deal with it? With everyone's lives deeply digitally intertwined, what do we need to do to prepare, and how do we investigate others' digital footprints when they are gone? This talk addresses all of those questions.

Speakers
Kyle Bubp

For over a decade, Kyle has been elevating the state of security for enterprises, hosting providers, the FBI, the Department of Energy, and the Department of Defense. As co-founder of Savage Security, he built a successful research and consulting firm focused on cutting through FUD...


Friday May 18, 2018 11:00am - 11:45am
Scruffy City Hall 32 Market Square, Knoxville, TN 37902

11:00am

The Art and Science of Herding Cats (How to Keep Users from Clicking Stuff)
As a recent "Cat Daddy" of two kittens, I have noticed some interesting parallels in dealing with the challenges of user behavior and security training. While it may seem as impossible as herding cats, there is hope. Laugh as we explore these similarities and learn how to use them to advantage.

Speakers
John Helt

Discovery (Formerly Scripps Networks Interactive)
My introduction to infosec began when I hooked up my first 300 baud modem to a Texas Instruments 99/4a computer, discovered bulletin boards, and the Compuserve username & password someone had noted on the underside of the keyboard at my local Radio Shack. My education includes electronics...


Friday May 18, 2018 11:00am - 11:45am
KEC (Knoxville Entrepreneur Center) 17 Market Square Suite 101, Knoxville, TN 37902

11:00am

Deadly Lag - Behavioral Security, ARMA3, UDP, Bad Packets and Dead People
Do you like cheating at video games? I sure don't, that's utterly reprehensible. That being said, video games are a constant proving ground for security mitigations. A lot can be learned from dissecting them; I'll be breaking down a sim-shooter with its own scripting language (ARMA3) ... for science.

Speakers
Travis Palmer

Security Research Engineer, Cisco Systems
I'm a Security Research Engineer at Cisco. I've been getting paid to play with code and either fix or break things for over seven years. Like everyone I'm still learning, I just have the handicap of not having been around much more than two decades. I'm a fan (and sometimes-contributor...


Friday May 18, 2018 11:00am - 11:45am
Preservation Pub 28 Market Square, Knoxville, TN 37902

12:00pm

Lunch
Friday May 18, 2018 12:00pm - 1:00pm
Uncorked 28 Market Square, Knoxville, TN 37902

1:00pm

KEYNOTE: Security as a Product
Enterprise security teams too often are relegated to performing as firefighting, headless chickens – which is a waste of time, energy, passion, and talent. Rarely do we see the sort of strategic thinking, overarching vision, and fostering of organization-wide consensus that is required to proceed on projects in other parts of the business. At best, security teams will have a project manager to help individual projects stay on track, but this can lead to valuable streams of work on a micro-level that fail to accomplish meaningful change on a macro-level. At worst, security teams face burnout and frequent turnover due to continued disappointment over lack of progress in the security program.

Instead, I believe security should be treated as a product, which includes:
  • Defining an extended strategy to address ongoing needs
  • Understanding what the needs are across various stakeholders
  • Creating and prioritizing requirements, and maintaining a roadmap of features
  • Managing the release of features
  • Serving as the “face” of the product to the rest of the organization to cultivate consensus, answer questions, and solicit feedback
I’ll give specific examples of how this framework can help improve the performance (and even the oft-overlooked morale) of security teams and create the scaffolding necessary to build and scale security programs that engender meaningful progress.

Speakers
Kelly Shortridge

Product Manager, Security Scorecard
Kelly Shortridge is currently a Product Manager at SecurityScorecard. In her spare time, she researches applications of behavioral economics to information security, on which she’s spoken at conferences internationally, including Black Hat, Hacktivity, Troopers, and ZeroNights. Previously...


Friday May 18, 2018 1:00pm - 2:00pm
Scruffy City Hall 32 Market Square, Knoxville, TN 37902

2:00pm

SSnO-nos: Finding and exploiting common OAuth pitfalls
With OAuth, you can use a single identity with multiple web apps and securely delegate access to your data. But, if app developers weren't careful, it might let an attacker access your data too. Learn the basics of OAuth 2.0, how to find and exploit common vulnerabilities, and how to avoid them.

Speakers
Matthew Van Gundy

Technical Leader, Cisco Advanced Security Initiatives Group
Matthew Van Gundy is a Technical Leader in the Cisco Advanced Security Initiatives Group, where he and his team members work to identify and mitigate security weaknesses and vulnerabilities in Cisco products and services. Before coming to Cisco, Matthew graduated from the University...


Friday May 18, 2018 2:00pm - 2:45pm
KEC (Knoxville Entrepreneur Center) 17 Market Square Suite 101, Knoxville, TN 37902

2:00pm

Can you hide from Big Data?
In today’s interconnected world of Facebook, Twitter, and LinkedIn it can be easy to miss out on the fact that everything we share is being stored and sold for a profit. Aspects of our daily lives are being used to fund large companies and most are unaware. In today’s surveillance economy, we trade our privacy for a cheap or free online existence. What most users don’t understand is that the information gathered isn’t limited to their volunteered data, and that social media isn’t the only method that large corporations are using to spy on the population.

This presentation will explore some of the larger topics associated with the practice of information gathering. Follow along as we discuss who the key players are, how they obtain your personal information, and what they plan to do with it. Find out how you can reduce the amount of information being sent, about your daily activities, to the large corporations known as “Big Data”.

Speakers
James Harrell

The IT Company


Friday May 18, 2018 2:00pm - 2:45pm
Scruffy City Hall 32 Market Square, Knoxville, TN 37902
  • Audience: Beginner
  • About: James Harrell is a Systems Engineer with over 10 years of experience and co-organizer of DC865 hailing from Knoxville, TN. James holds a Bachelor’s of Applied Science in Information System Security and a handful of industry certifications. James enjoys long walks on the beach, deep conversation about the meaning of life online, holding hands during pen tests, romance novels about configuration management, pruning his vulnerability garden, and piggy-back rides. Twitter: @Nosteia

3:00pm

Mobile Application Privacy and Analytics
I spend my days reviewing source code and dynamic run times of mobile applications from a security perspective. I'm continuously astonished by how much data our apps are able to gather, without special permissions. This talk will reveal many common analytic frameworks and data gathering practices.

Speakers
Kevin Cody

nVisium
Kevin is a Senior Application Security Consultant with experience working at several Fortune 500 enterprises. Although his particular expertise is geared toward hacking Web and Mobile applications, he is also experienced in the entire gamut from mainframes to embedded systems. Kevin...


Friday May 18, 2018 3:00pm - 3:45pm
KEC (Knoxville Entrepreneur Center) 17 Market Square Suite 101, Knoxville, TN 37902

3:00pm

Hacking RFID Video Games the Crazy Way
A technical and personal recollection of how I hacked the first multi-platform RFID video game, Skylanders: Spyro's Adventure, within one week, the public fallout, and the hacking of the (supposedly more secure) next multi-platform game, Disney Infinity, within the same amount of time.

Speakers
Brandon Wilson

Brandon Wilson is an East Tennessee State University graduate, software developer, application security consultant, and hacker of random things like game consoles and TI graphing calculators. An avid tinkerer of anything USB-related, he has spoken at DerbyCon about BadUSB and appeared...


Friday May 18, 2018 3:00pm - 3:45pm
Scruffy City Hall 32 Market Square, Knoxville, TN 37902

4:00pm

Full Auto OSINT
"Do you need to perform a social engineering attack but have no targets? Are you performing a pentest and you need some credentials to try? Are you a sysadmin wanting to know your company’s true Internet footprint? Then you need free-range, non-GMO, gluten-free OSINT."

Speakers
Adam Compton

Senior Security Consultant, Rapid7
Adam Compton has been a programmer, researcher, instructor, professional pentester, father, husband, and farmer. Adam has close to 2 decades of programming, network security, incident response, security assessment, and penetration testing experience. Throughout Adam's career, he has...


Friday May 18, 2018 4:00pm - 4:45pm
KEC (Knoxville Entrepreneur Center) 17 Market Square Suite 101, Knoxville, TN 37902

4:00pm

A Good Watch for Radio and Reverse Engineers
Late last year, I cloned the Casio 3208 calculator watch module with an open design, the GoodWatch. It includes the usual clock and calendar, but also an RPN calculator, hex editor, disassembler, and a SubGHz radio capable of opening garage doors or tweeting in Morse code.

Speakers
Travis Goodspeed

Scheming to move back to Knoxville, Travis Goodspeed spends his days reverse engineering electronics and editing the International Journal of PoC||GTFO. He drives a 10-cylinder Ford E350 with a fifty-foot microwave tower.


Friday May 18, 2018 4:00pm - 4:45pm
Scruffy City Hall 32 Market Square, Knoxville, TN 37902

5:00pm

Just Let Yourself In
Social Engineering is everywhere. In this talk, I will discuss three different real world Security Awareness/Social Engineering scenarios: a pretexting exercise, a phishing exercise, and a physical security assessment. I will review their definitions and appearance, tips and tricks to succeed at all three, as well as what worked and what failed. Lots of audience participation. There may even be a magic trick!

Speakers
David Boyd

David Boyd (@fir3d0g) has been working as a penetration tester in Knoxville since 2013. He is a Christian, husband, and father that also enjoys geek culture, video games and Mountain Dew. He has worked in several environments including education, military, retail, government, media...


Friday May 18, 2018 5:00pm - 5:45pm
KEC (Knoxville Entrepreneur Center) 17 Market Square Suite 101, Knoxville, TN 37902

5:00pm

Make your code faster by moving it outside the kernel
Everyone knows moving code to the kernel makes it faster. This talk describes the opposite, how the fastest speeds are obtained by moving code out of the kernel, into user space. Controversially, this includes the network stack and the driver. Code examples will be provided.

Slides: https://github.com/robertdavidgraham/papers/raw/master/presos/2018%20-%20BSidesKnox%20-%20Move%20things%20out%20of%20the%20kernel.pdf

Speakers
Robert Graham

self
I wrote BlackICE and created the first IPS in the late 1990s. In 2007, I did "sidejacking" of non-HTTPS connections. More recently, I've done "masscan", scanning the entire Internet at high speeds (in less than 5 minutes given a fast enough pipe -- from a single machine). I get quoted...


Friday May 18, 2018 5:00pm - 5:45pm
Scruffy City Hall 32 Market Square, Knoxville, TN 37902