Offensive Security Talks


Title: VLAN hopping, ARP Poisoning and Man-In-The-Middle Attacks in Virtualized Environments

Abstract: 
Cloud service providers and data centers offer their customers the ability to deploy virtual machines within multi-tenant environments. These virtual machines are typically connected to the physical network via a virtualized network configuration. This could be as simple as a bridged interface to each virtual machine or as complicated as a virtual switch providing more robust networking features such as VLANs, QoS, and monitoring. In this talk I will demonstrate the effects of VLAN hopping, ARP poisoning and Man-in-the-Middle attacks across every major hypervisor platform, including results of attacks originating from the physically connected network as well as within the virtual networks themselves. Each attack category that is discussed will be accompanied by a detailed proof of concept demonstration of the attack.

Speaker Bio:
Dr. Ronny L. Bull is an Assistant Professor of Computer Science at Utica College as well as an independent consultant with a focus in computer networking and information security. Dr. Bull earned his Ph.D. in Computer Science at Clarkson University in 2016 with a focus on layer 2 network security in virtualized environments. Ronny earned an A.A.S. degree in Computer Networking at Herkimer College in 2006, and completed both a B.S. and M.S. in Computer Science at SUNYIT in 2011. He also co-founded and is one of the primary organizers of the Central New York Intercollegiate Hackathon event, which brings together computer science and cybersecurity students from regional colleges to compete against each other in offensive and defensive cybersecurity activities. Dr. Bull has had the privilege of presenting his research at multiple InfoSec venues such as DEF CON, DerbyCon, BSides Roc, and HackCon Norway.
 


Title: Red Team Yourself

Abstract: 
So your organization conducts regular tests with $automated tool. Want to bring your security testing program to the next level? Red Teaming will give your organization a goal-based, adversary-emulating approach to see how secure it really is. In this talk we will cover what red teaming is and how it can be applied to your organization to add a new level to your security program.

Speaker Bio:
Thomas Richards, Senior Consultant, has been with Cigital (now Synopsys) since 2012. His primary areas of expertise include Red Teaming and Mobile Security. He is an Offensive Security Certified Professional (OSCP). Thomas spends his days working with clients on red teaming activities and initiatives. In his free time, he enjoys playing guitar, camping, and spending time with his wife and five kids.


Title: Noob 101: Practical Techniques for AV Bypass

Abstract: 
The shortcomings of anti-virus (AV) solutions have been well known for some time. Nevertheless, both public and private organizations continue to rely on AV software as a critical component of their information security programs, acting as a key protection mechanism over endpoints and other information systems within their networks. As a result, the security posture of these organizations is significantly jeopardized by relying only on this weakened control.
This presentation will discuss and demonstrate some of the options available to bypass AV controls in order to deliver a variety of payloads to a targeted system. This includes using publicly available tools to generate these payloads, coding and compiling custom binaries with the Python and C++ programming languages, and leveraging the native Windows management framework PowerShell to deliver and execute payloads directly from the target system's memory. Further, beyond just avoiding signature-based AV detection, this presentation will also discuss some techniques to consider to avoid heuristic, or behavior-based, detection as well.
This presentation reinforces the need for all organizations, whether public or private, to have a comprehensive security program in place to safeguard their informational assets. This includes a security program that practices a defense-in-depth approach, and is not reliant on a single control for wide-ranging protection to address all possible threats.

Speaker Bio:
Jared Hoffman is the founder and CEO of the information security consulting firm CYBERDECODE LLC. Jared has over 12 years of experience in the IT field, with more than 6 of those years focused solely on information security. Jared has acted as a team lead on multiple IT, security-based audit teams both at the State and Local government level, and was also a member of the NYS Cyber Incident Response Team. Jared's interests focus on offensive security techniques, and he currently holds the following professional certifications: Offensive Security Certified Professional (OSCP), GIAC Certified Penetration Tester (GPEN), and the GIAC Certified Web Application Penetration Tester (GWAPT).


Title: OWASP Top 10: Hacking Web Applications with Burp Suite

Abstract: 
A fast-paced intro to the world of web application security. Briefly, I will summarize OWASP, the Top 10 Web Application Vulnerabilities, and Burp Suite. Then we'll dive into a live demo of each of the OWASP Top 10 Vulnerabilities by using Burp Suite against the Mutillidae vulnerable web application.

Speaker Bio:
Chad Furman is a full-stack Web Developer with a passion for security. Degree in Computer Science / Applied Math from UAlbany. Likes to make things, break things, and fix things :)


Title: DIY Spy: Roll-Your-Own Covert Channels With Scapy & Python

Abstract: 
This is an educational track to teach newcomers to covert channels the concept of stealthy exfiltration, with examples of how to create your own covert channels using the popular Scapy packet crafting library in Python and network protocol RFCs from the IETF. The talk will cover the basics of Scapy and how to build a custom covert channel that abuses common network protocols to mask exfiltration traffic. Emphasis is on lowering detection of activity through atypical protocol manipulation and on understanding the victim network's defenses.

Speaker Bio:
Jennifer Allen is the Red Team Manager for Twinstate Technologies, with a passion for offensive security, creative re-purposing of technology, solving puzzling scenarios, and mischievous system making/breaking. She is an Amateur Extra radio enthusiast with an emphasis on amateur, and has fallen in love with hardware hacking as electronics have become cheap and available by overnight mail. She is also involved in the DEFCON Biohacking Village and hasn't yet been kicked out. She got her start programming as a child and began getting into trouble in high school (like everyone), which evolved into a less prosecutable career in professional fields. Her experience includes doing time in various low-level tech jobs, working in a NOC, as an IT Security Analyst, too many years of management in the healthcare IT industry, and most recently having a great time working with a team of ethical hackers. Notably, she landed all these jobs without a degree, and so considers herself a bit of a social engineer as well.


Title: Jumping the Fence: Comparison and Improvements for Existing Jump Oriented Programming Tools

Abstract: 
In this talk I will compare ROP compiler support for Jump Oriented Programming (“JOP”) across exploit tools and software architectures in order to identify areas for expansion and improvement. I will discuss improvements to existing JOP tool chains, and propose an architecture for an improved JOP chain compiler system as well as elucidate common use cases where JOP techniques can offer better results over the standard return oriented programming techniques.

Speaker Bio:
John Dunlap is a Security Engineer at Gotham Digital Science specializing in static analysis and code review. Gotham Digital Science is a boutique penetration testing firm specializing in testing of unusual or otherwise bespoke software systems. John's main research interests include concolic execution, reverse engineering and advanced exploitation techniques.


Title: The Stuffer

Abstract: 
The Stuffer is a utility which exploits the reserved bits and padding space of multiple layers of the TCP/IP protocol stack for covert data transfer between two or more networked systems. Implemented using a custom Python library, Stuffer is easily integrated into existing or future Python applications. Stuffer is currently implemented as a proof of concept in Python, and could be easily ported to other programming languages such as C/C++. This concept can be leveraged for command and control systems for botnets, as a method of covert data exfiltration, as well as a pseudo-private line of communication. Current firewall and intrusion detection/prevention technologies are ill-equipped to protect against this data hiding technique.

Speaker Bio:
Sean Drzewiecki is a current undergraduate student of Computer Science at Utica College, also working as an intern for North Point Defense. When not interning or attending classes, Sean works as a System Administrator for the Utica College CS network, developing hypervisor management tools and integrating with existing educational computer systems. Sean has extensive experience with CTF events and volunteers as a Black Team member for the Central New York Hackathon.

Aaron Gudrian is currently an undergraduate student at Utica College working towards his Bachelor of Science in Computer Science with a concentration in Computer Security. Aaron works as an intern for Par Government, providing systems support for research work at the Air Force Research Lab in Rome, New York. Outside of class, Aaron has attended multiple CTF events, including HSCTF, an introductory CTF game for high school students meant to introduce them to the world of computer science, and the Central New York Hackathon. The Stuffer is Aaron's first major computer security project and his first contribution to the information security community.

Dr. Ronny L. Bull is an Assistant Professor of Computer Science at Utica College as well as an independent consultant with a focus in computer networking and information security. Dr. Bull earned his Ph.D. in Computer Science at Clarkson University in 2016 with a focus on layer 2 network security in virtualized environments. Ronny earned an A.A.S. degree in Computer Networking at Herkimer College in 2006, and completed both a B.S. and M.S. in Computer Science at SUNYIT in 2011. He also co-founded and is one of the primary organizers of the Central New York Intercollegiate Hackathon event, which brings together computer science and cybersecurity students from regional colleges to compete against each other in offensive and defensive cybersecurity activities. Dr. Bull has had the privilege of presenting his research at multiple InfoSec venues such as DEF CON, DerbyCon, BSides Roc, and HackCon Norway.


Title: Jedi Mind Tricks: People Skills for Security Pros

Abstract: 
People skills for security professionals but WAY MORE FUN!

Speaker Bio:
Alex breaks things and gets paid for it. It's a pretty sweet deal really.


Title: Sniffing Sunlight

Abstract: 
Laser listening devices (laser microphones) are a well understood technology. They have historically been used in the surreptitious surveillance of protected spaces. Using such a device, an attacker bounces an infrared laser off of a reflective surface, and receives the ricocheted beam with a photoreceptor. If the beam is reflected from a surface that is vibrating due to sound (voice is a typical background target), that sound is subsequently modulated into the beam and can be demodulated at the receptor. This is a known attack method and will be briefly discussed.

However, does this principle also hold for non-amplified or naturally concentrated light sources? Can one retrieve modulated audio from reflected sunlight? The idea of modulating voice with sunlight was pioneered by Alexander Graham Bell in 1880 with an invention called the Photophone. A Photophone uses the audio modulation concept now used in laser microphones, but relies on a concentrated beam of sunlight rather than a laser to communicate at distance. Considering that Bell proved that intentionally concentrated sunlight can be used to modulate voice, we will explore under what natural conditions modulated audio can be found in reflected ambient light.

Using off-the-shelf solar cells and handmade amplifiers, Erik will demonstrate the use of the receiver side of a historic Photophone to identify instances of modulated audio in reflected light under common conditions.

Speaker Bio:
Erik Kamerling is a Senior Director at The Center for Internet Security, in the Multi-State Information Sharing and Analysis Center (MS-ISAC). He has nineteen years of experience in the fields of advisory and consulting, network security assessment, penetration testing, vulnerability research, monitoring/incident response, and fundamental security research. He's made the rounds over the years, having worked for RSA, Mandiant, Neohapsis, and Symantec (Bugtraq/SecurityFocus). His work has taken him around the globe conducting assessments, consulting, and research for government and private industry alike.

He enjoys writing and research on cyber intelligence topics and has driven the development of keynote speeches, research presentations, courseware, advisories, papers, and hacking and penetration testing classes taught in a variety of venues. He spends his spare time researching and working on new techniques in information hiding, detection evasion, communications subterfuge, parasitic computing, and vulnerability identification.