BSIDES PITTSBURGH 2016
June 10th, 2016
There are a lot of people in Pittsburgh doing awesome things in the field; let's get them all together! BSidesPittsburgh is a volunteer-run computer security conference held in Pittsburgh annually. Security BSides is part of a global series of community-driven conferences presenting a wide range of information security topics from technical topics, such as dissecting network protocols, to policy issues such as managing information leakage via social networks.
Pittsburgh has a flourishing information security community; this is a great chance to meet each other, share ideas and work together. Many of those professionals in Pittsburgh as well as nationally recognized experts are doing awesome things in the field; let's get together to learn, collaborate, and protect.
Speakers and Talks
9:00 - Dan Klinedinst (@dklinedinst) - I Heart My Robot Overlords - Infosec Challenges in Emerging Technologies
This talk describes some of the most important emerging technologies of the next 5 - 10 years and what information security challenges they will pose. This work is based on the CERT Coordination Center’s 2016 Emerging Technology Domains Risk Survey report (http://resources.sei.cmu.edu/library/asset-view.cfm?assetid=453809), of which Dan is a co-author. This report identifies technologies that are both likely to become mainstream within the next decade (based on the Gartner Hype Cycle) and likely to have security ramifications above and beyond those of traditional IT technologies. Some of the technologies we’ll discuss include Intelligent Transportation Systems, Autonomous Vehicles, Artificial Intelligence / Big Data, Virtual and Augmented Reality, Smart Robots, Smart Medical Devices and Human Augmentation, the Internet of Things, and more.
Dan Klinedinst is a vulnerability researcher at Carnegie Mellon University's CERT Coordination Center. His work includes performing vulnerability analysis of government and critical infrastructure assets. He is currently focused on researching security vulnerabilities in autonomous vehicles, edge computing platforms and embedded devices. Prior to this role, he was the technical lead for developing a national scale penetration testing program for a major U.S. Government sponsor. Klinedinst is also the author of the Gibson3D visualization tool, a co-founder of the BSides Pittsburgh security conference, a frequent speaker at security events, and a former security engineer at Lawrence Berkeley National Laboratory.
10:10 - Kyle O'Meara (@cool_breeze26) and Deana Shick (@deanashick) - A Unique Approach to Threat Analysis Mapping
Malware family analysis is a constant process of identifying exemplars of malicious software, recognizing changes in the code, and producing groups of “families” used by incident responders, network operators, and cyber threat analysts. With adversaries constantly changing network infrastructure, it is easy to lose sight of the tools consistently being used and updated by these various actors. Beginning with malware family analysis, this methodology seeks to map vulnerabilities, exploits, additional malware, network infrastructure, and adversaries using Open Source Intelligence (OSINT) and public data feeds for the network defense and intelligence communities. The results provide an expanded picture of an adversary’s profile rather than an incomplete story. The goal of this work is to shift the mindset of many researchers to begin with the tools used by adversaries rather than with network or incident data alone: an “outside-in” approach to threat analysis instead of an “inside-out” method. We chose three malware families to use as case studies—Smallcase, Derusbi, and Sakula. The results of each case study—any additional network indicators, malware, exploits, vulnerabilities, and overall understanding of an intrusion—tied to the malware families should be utilized by network defenders and intelligence circles to aid in decision making and analysis.
Kyle O'Meara is a Senior Member of the Technical Staff at the Software Engineering Institute's CERT Coordination Center (CERT/CC). Kyle works on the Applied Threat Analysis team at the CERT/CC, where he researches and analyzes current and emerging threats to national security with a focus on exploits and malware. Most recently Kyle was with FireEye, where he was the lead senior threat analyst for the active cyber defense program called SHARKSEER. Prior to FireEye, he was with the National Security Agency (NSA) for roughly five (5) years. At NSA he held several positions: cyber-cryptanalyst, a six (6) month deployment to Iraq as a media exploitation analyst, and communications signal analyst. Kyle received his MS from Carnegie Mellon University in Information Security Policy and Management. Kyle has also presented at major information security conferences, including DEF CON and the FIRST Technical Colloquium.
Deana Shick is a Member of the Technical Staff at the Software Engineering Institute's CERT Coordination Center (CERT/CC). Deana works on the Applied Threat Analysis team at the CERT/CC, where she researches and analyzes current and emerging threats to national security. Prior to working at CERT/CC, Deana was an International Trade Specialist focusing on EAR and ITAR regulatory processes. She received her B.A. from Duquesne University in International Relations with a Security Studies concentration. In 2014, she completed her M.S. in Information Security Policy and Management at Carnegie Mellon University. Deana has presented at major information security conferences, including FloCon and the FIRST Technical Colloquium.
10:55 - Charles A. Wood - Big Data: How Data Analytics Can Be Incorporated into Intrusion Detection
Big data, data analytics, and business intelligence have all reached buzzword status over the last few years. Many products claim to incorporate such new developments into their own financial, customer, and security products. But are these claims real, and what do they mean? In this presentation, Chuck will describe what all the talk about data analytics is really about, what it can do, how much it will cost (equipment, infrastructure, and skill set) to implement, and finally what data analytics promises for security (and where it often falls quite short).
A Quick Glance at Web Infrastructure has been Chuck's most ambitious work to date. In addition to being the author for this book, Chuck is also the author of OLE DB and ODBC Developer's Guide from John Wiley & Sons (ISBN 0-7645-3308-8), Visual J++ Secrets from IDG Books WorldWide (ISBN 0-7646-3138-7), Visual J++ from Prima Publishing (ISBN 0-7615-0814-7), Special Edition Using PowerBuilder from QUE publishing (ISBN 0-7897-0754-3), and Special Edition Using Watcom SQL from QUE publishing (ISBN 0-7897-0103-0). He contributed to PowerBuilder 4 from Comdex Computer publishing (in India), Client/Server Unleashed from Sams Publishing (ISBN 0-672-30726-X) and Special Edition Using Turbo C++ for Windows from QUE publishing (ISBN 1-56529-837-3), and many other books.
12:25 - Justin M. Leapline (@jmleapline) - Tales From The Audits
Most of my career I've been involved with some type of assessments, either giving or receiving them. One of the gems you get is the stories. Stories about crazy auditors, dumb auditees, and everything else from solar flares, doll collections, and hoarding. During this time, I’m going to be sharing some of the best stories I've collected - pure entertainment and a little surprise that this is reality.
1:15 - Evan Wright - A Friendly Introduction to Adversarial Machine Learning
The popularity of machine learning applications to cybersecurity has inspired optimism for the future of cybersecurity. The idea is to better identify malicious behavior by using pattern detection techniques that have seen success in fields like computer vision, online recommendation, and gene sequencing. More and more commercial products and solutions are incorporating some form of machine learning. But since good guys can build learning algorithms, why can’t bad guys?
Adversarial machine learning is an emerging topic that investigates the effectiveness of machine learning methods when adversaries are able to “game the system” of how the machine learning detection works. This deception can occur when adversaries have access to the specifics of the pattern-identification system, an oracle, or the data channel on which the algorithm bases its ground truth. Next, the adversaries may game the system by selectively generating results to outsmart the machine learning algorithm that would otherwise identify them as malicious. I'll conclude by discussing recent software frameworks and process improvements that can help mitigate this next phase of our collective cybersecurity arms race.
Evan Wright is a principal data scientist at Anomali where he focuses on applications of machine learning to threat intelligence. Before Anomali, he was a network security analyst at the CERT Coordination Center and a network administrator in North Carolina.
Evan has supported customers in areas such as IPv6 security, ultra-large-scale network monitoring, malicious network traffic detection, intelligence fusion, and other cybersecurity applications of machine learning. He has advised seventeen security operations centers in government and private industry. Evan holds an MS from Carnegie Mellon University, a BS from East Carolina University, a CCNP and six other IT certifications.
2:25 - John Downey (@jtdowney) - Cryptography Pitfalls
As developers, sysadmins, and even security professionals, we tend to do a poor job of implementing cryptography and other security measures in our systems. Often the primitives used are out of date, and we overlook very subtle flaws. These mistakes lead to systems that are hopelessly insecure despite our perception that we’ve built an impenetrable fortress. Fortunately there are a few tools and techniques at our disposal that can ease some of the pain. In this talk we’ll explore some of the most common pitfalls developers encounter with cryptography and restore some of our sanity.
John Downey is the Security Lead at Braintree. Braintree helps businesses accept payments online with great development tools and first class support. There he has worked on their highly available infrastructure and integrations into the banking system. In his free time he contributes to open source projects and mentors high school students in the FIRST Robotics Competition.
3:30 - Greg Anderson (@pghsec) - Operationally Focused Pen-Testing
Penetration testing is complex, costly, resource intensive and often perceived as just another compliance burden that produces relatively little business value. Despite what we believe as penetration testers, the fact is that we sometimes fail to deliver the full potential of our penetration tests by missing the forest for the trees. We often focus so heavily on the technical findings that we neglect the over-arching root causes, the different audiences of our reports, and the organization’s goals for the project. This results in an engagement that is only valuable as a technical reference for the organization’s IT staff rather than as a measure of the organization’s cybersecurity risk and a road map for more comprehensive mitigation. The goal of this presentation is to inspire the pen-testers in the audience to begin thinking operationally about the results of their pen-tests while simultaneously encouraging the procurers of pen-tests to begin demanding more from their pen-testers.
Greg has worked within the IT and Cybersecurity fields for over 14 years in various capacities across numerous industries. Currently, Greg is employed as a Penetration Tester at the CERT Division of the Software Engineering Institute. Here, Greg works with the Department of Homeland Security’s Risk and Vulnerability Assessment program, which provides penetration testing services to federal, state and local government entities as well as critical infrastructure sectors. Additionally, Greg possesses two technical Associate degrees from Pittsburgh Technical Institute, a Bachelor of Science degree in Information Assurance and Security from Capella University, and holds numerous industry-recognized certifications.
4:15 - Phil Burdette (@burdetp) - The Battle for the Enterprise
Hang on tight for a play-by-play, blow-by-blow, action-packed incident response story. Nuke and pave is not an option when responding to a nation state entity that has been tasked to achieve a mission within your four walls. Attendees will learn that no response plan is ever perfect, you're only as strong as your weakest link, and no eviction is ever complete without a re-entry attempt.
Phil is a Sr. Security Researcher in the SecureWorks Counter Threat Unit research team. He leads targeted threat hunting and response engagements, and performs intrusion analysis to create threat intelligence assessments on nation state entities. Phil’s research interests include model-based threat actor behavioral analysis, adversary responses to stimuli, and threat group disruption tactics. He’s presented at RSAC 2015, Gartner 2015, US Cyber Crime 2014, and DHS CISSP ATTE 2014. Before joining SecureWorks, Phil worked at CERT/CC supporting the DoD and USG communities. He holds a B.S. in Computer Science from Allegheny College and an M.S. from Carnegie Mellon University in Information Systems Management.
Sponsors
Premier Sponsor
Platinum Sponsors
- Security Risk Advisors
- Palo Alto Networks
- Plus Consulting
- CMU CERT Software Engineering Institute
Gold Sponsors
- Veris Group, Adaptive Threat Division (ATD)
Silver Sponsors
Friends of BSides
- InfraGard Pittsburgh
- OGC Law
John Kostuch (@kostuch)
Geo Warnagiris (@GeoWarnagiris)
Joe Wynn (@wynnjoe)
Andy Johnson (@pierogipowered)
Steve Groark (@SteveGroark)
Jon Zeolla (@JonZeolla)
Brian W Gray (@BrianWGray)