Recent News

  • Shakacon VII Speakers Announced...More Coming Soon!

    Click 'Speakers' for more information

  • Announcing Shakacon 2015 CTF
    Hosted by Salesforce

    This year's CTF features a variety of challenges including topics such as reverse engineering, digital forensics, and even some programming challenges. All levels of expertise are encouraged to play. The CTF will be hosted in the cloud so all you'll need is an internet-connected device to start playing (though realistically you'll probably want a couple VMs). More details will be revealed closer to July.

  • REGISTRATION IS OPEN - Early Bird Discount ENDS APRIL 15th

    Click 'Registration' for more information

  • Sponsorship Opportunities Still Available

    Click 'Sponsors' for more information

  • 2-Day Trainings Announced - Registration Deadline May 31st

    Click 'Trainers' for more information.

  • Click ‘Social’ to add yourself to our mailing list to get the latest Shakacon VII news

Sun, Surf, and C Shells

People from all over the world are coming to Shakacon! You should too!


Shakacon is Hawaii’s only Call-for-Papers-based IT security conference. Shakacon is recognized as Hawaii’s premier information-security-centric conference, with speakers and attendees from around the globe. Shakacon attracts Hawaii’s top security professionals and executives, and our audience consists of CIOs, CISOs, CTOs, IT Managers, Network Engineers, Security Managers, IT Auditors, and various IT professionals.

Shakacon is a unique and intimate security conference where industry, government, academia, and independent experts gather together to share knowledge and experiences in one of the most beautiful places on Earth. Shakacon will offer local, national, and international participants a casual and social learning environment designed to present a “holistic” security view, as well as the opportunity to network with peers and fellow enthusiasts in a relaxed setting.

SHAKACON VII Powered by

Call For Papers

----++++++++++++++++++++++++++++++++++++----
Shakacon VII - Honolulu, Hawaii

"Sun, Surf, and C Shells"

CALL FOR PAPERS

www.shakacon.org/CFP2015.html
----++++++++++++++++++++++++++++++++++++----
Who: Shakacon Crew
What: Shakacon VII
When: July 6-7 (Training) & July 8-9 (Conference) 2015
Where: Honolulu, HI - Hawaii Prince Hotel Waikiki
Why: World Class Speakers, World Class Location, World Class People
How: By plane, boat, canoe, yacht, hydrofoil, stand-up paddle board, jet ski, long board, dolphin, whale sled, nuclear submarine, etc.

[Overview]

Going into our seventh year, Shakacon offers attendees a unique opportunity to really network with some of the world's top security professionals in a casual and friendly setting. At its heart, the Shakacon security conference is a laid-back conference where industry, government, academia and independent experts get together to share knowledge and experience in one of the most beautiful places on Earth.

The conference committee strives to build a balanced schedule that appeals to all security practitioners with talks covering all different aspects of the information security landscape. There will be something for everyone and if sitting through talks isn't your cup of Hawaiian coffee you can step into one of the social areas and talk with our sponsors, staff, and attendees.

[Trainer Opportunities]

Don't want to speak at the Con, but have an uncanny ability to teach, a proven track record for delivering quality courseware, and a desire to come to Hawaii? We will be evaluating trainers for two days of training leading up to Shakacon (July 6-7). Submit a synopsis/class agenda and your prior teaching experience, and maybe you'll get selected to teach in Hawaii. Revenue is split 50/50 between the trainer and the conference. The conference will cover all venue-related costs (A/V, food, drinks, etc.). The trainer is expected to cover their own travel costs (unless they are also selected as a speaker). All selected trainers will receive free admission to the conference.

[CFP Details]

We have up to sixteen (16) spots and typically receive 100+ submissions to speak. If you are serious about speaking please submit your abstract as soon as possible.

(1) Abstract for papers must be submitted to the review committee by March 6, 2015.
(2) Selection notification will occur by April 8, 2015 and abstracts posted to the site by April 13, 2015.
(3) Full Slides for your papers must be submitted by May 31, 2015.

As mentioned, there are a limited number of speaking sessions for which the conference organizers will provide travel and accommodations so please submit your abstract early if you are interested in speaking. Speaking slots will be 50 minutes long (45 minutes for your talk and 5 minutes for Q&A). See [Speaker Benefits] section below for financial details on speaker reimbursements.

The audience will be a broad mix of professionals, academics, and enthusiasts, so we welcome both technical and non-technical submissions on all aspects of security. The key criteria are practicality and timeliness. We want to provide our attendees with up-to-date material they can take away and immediately benefit from, as well as new research or tools. Absolutely NO SALES presentations will be accepted.

Proposals should include:

Subject Line:
"Shakacon CFP Submission: <paper title>, <your name>"

Body:

1. Name, address, and contact info.
2. Employer and/or affiliations.
3. Brief biography.
4. Presentation experience.
5. Topic summary.
6. Reason this topic should be considered.
7. Other publications or conferences where this material has been or will be published/submitted.
8. Links to videos or slides showing previous presentations.

Please include plain text of all information provided in the body of your email, as well as any file attachments. The plain text information will be reviewed first to find the most suitable candidates.

Please forward the above information to cfp at shakacon.org in order to be considered.

[Speaker Benefits]

Besides a cool speaker badge and the brightest speaker shirt you'll ever lay your eyes on, Shakacon will reimburse speakers for two (2) hotel nights and round-trip coach airfare. If you choose to stay somewhere other than the official Shakacon hotel, we will only reimburse hotel room nights at a cost less than or equal to the official hotel's rate. Reimbursable round-trip coach airfare cannot exceed $1,200.00 US without prior approval from the conference organizers.

Speakers also receive free admission to the conference, all conference related materials, and an invite to the private pre-conference dinner with the conference organizers, staff, and fellow speakers.

[Trainer Benefits]

Trainers are responsible for their own travel and lodging unless other arrangements have been made with the conference organizers. Trainers should evaluate the minimum attendee requirements for their course and plan for possible cancellation of their class if such minimums are not met. Shakacon will take care of all venue costs (A/V equipment, Internet, tables, chairs, food, beverages) for the training; however, trainers are responsible for providing materials necessary for conducting their class (hardcopy material, hardware, software, switches). Revenue from the training class is split 50/50 between the trainer and conference. Trainers receive free admission to the conference.

More conference information, registration details, and travel partner deals will be posted to:
http://www.shakacon.org

Follow Status on:
www.twitter.com/shakacon

[Media Partners]

We are media friendly. Please email info at shakacon.org for inquiries about press passes.

[CFP Review Team]

A big Mahalo to our CFP review committee:

Caleb Sima - BlueBox
Katie Moussouris - HackerOne
Cory Michal - Salesforce.com
Alberto Garcia - Salesforce.com
Colin Ames - Attack Research
Matthieu Suiche - MoonSols
Vincenzo Iozzo - TiQad
Kent Backman - Independent Researcher
Jonathan Brossard - Toucan Systems
Jeremiah Grossman - Whitehat Security
Daniel Hodson - Oxin Security & Ruxcon
Kris Harms - Cylance
Ryan Talabis - zVelo
Chris Potter - Attack Research
Jason Martin - FireEye
Darryl Higa - Independent Researcher
Patrick Wardle - SynAck
Tammie Kim - Oracle
Josh Schwartz - Salesforce.com
Luis Santana - Salesforce.com

ALOHA FROM THE SHAKACON CREW!

Pricing

Costs*:
General Admission: $350 (plus tax and fees)

Early Bird Discount (EXTENDED thru April 15, 2015): $280 (plus tax and fees)

*All Active Military, State & Federal Government Employees, Members of ISSA, ISACA & Infragard, Students, groups of 5 or more, and those registered for a Shakacon VII Training please contact info@shakacon.org for your discount promo code.

**NOTE: Affiliate discounts may not be combined with the Early Bird Discount.

Shakacon Training and Conference dates: July 6-7, 2015 Trainings (8am-5pm)
July 8-9, 2015 2-Day Conference (8am-5pm)

Book your Room Reservations at Hawaii Prince Hotel Waikiki
Ask for the SHAKACON special group rate.

ROOM GROUP RATE
Run of Ocean $209.00
**The rates quoted above are based on single or double occupancy and are subject to hotel room tax of 9.25% and state tax of 4.712%, currently totaling 13.962%. (Taxes subject to change.)

Group rates based on space availability at the time of booking.

Third person charge $60.00 + tax per night. Maximum guestroom capacity is (3) adults and (2) children. Children 17 years and under are complimentary in the same room utilizing existing bedding, when sharing with an adult.

- Call toll free reservations line at 1-800-321-6248
- Call hotel directly at (808) 956-1111
- Email reservations@princehawaii.com
http://www.princeresortshawaii.com/en/hawaii-prince-hotel-waikiki/shakacon.php

NOTE: (1) night room and tax deposit will be required at the time of booking.

Register Here

2-Day Trainings (July 6-7, 2015)



Shakacon VII Conference (July 8-9, 2015)

Shakacon 2-Day Trainings

July 6-7, 2015

Location: Hawaii Prince Hotel - Haleakala-Kilauea Rooms
  • 7:30am-8:00am Registration Opens
  • 8:00am-5:00pm Training

    *Continental Breakfast, Lunch & Afternoon Refreshments will be provided.

Shakacon Speaker Welcome Dinner

  • Details to be provided.

Shakacon 2-Day Conference

July 8-9, 2015

Location: Hawaii Prince Hotel – Mauna Kea Ballroom

  • 7:00am Registration Opens
  • 8:00am-5:00pm General Conference

    *Continental Breakfast, Lunch & Afternoon Refreshments will be provided.

Shakacon Post-Conference Networking Event & After Party featuring Dualcore

Thursday, July 9, 2015

Location: Hawaii Prince Hotel – Promenade Terrace

5:30pm-10:00pm Appetizers, Cocktails, Raffle Prize Giveaways, & Entertainment by Dualcore

Speakers

MORE SPEAKERS WILL BE ANNOUNCED SOON!


**Conference Keynote – Day 1**

Name: Stephen Adegbite, Senior Vice President, Enterprise Information Security Program Oversight and Strategy, Wells Fargo & Co.

Bio: Steve Adegbite is the Senior Vice President in charge of the Enterprise Information Security Program Oversight and Strategy Organization at Wells Fargo & Co. Prior to joining Wells Fargo & Co., Mr. Adegbite was the Director, Cyber Security Strategies at Lockheed Martin Information Services and Global Services (IS&GS). Prior to joining Lockheed Martin, Mr. Adegbite was the Chief Security Strategist for Adobe Systems Inc. within Adobe Secure Software Engineering. Steve has also held Operations (IO) positions at the National Security Agency (NSA), the National Geospatial-Intelligence Agency (NGA) and the Defense Intelligence Agency (DIA), both as a government employee and as an associate consultant for Booz Allen Hamilton, a strategy and technology consulting firm. Mr. Adegbite is a current member of President Obama’s Homeland Security Advisory Council.

Title: Slipping out the front door of the party: The challenges of detecting silent exits of your data

Synopsis: The security landscape is changing...I know…I know this is a much worn cliché. However, it’s something to note that for every landscape change, a resurgence of old attacks get repackaged and whitewashed as something new. Lucky us! The good thing is that with the resurgence of certain attacks our defenses are increasingly better almost to the point where the attack becomes a non-factor.

Except for one…Data Exfiltration/Data Exposure. Look at recent cyber events hitting the financial and retail sectors, such as Home Depot, JP Morgan and even unimaginable places like the Dairy Queen breach. It’s no surprise that this will be a continued trend.

This Keynote talk will look at defining the problem...exploring the question "Is data exfiltration different than data exposure, or are they one and the same?" and, going one step further, why the answer is important for present and future actions against this threat. We will look at the past and present of this threat in the hope that you will leave thinking the same bold statement I have..."the age of destructive cyber attacks is at an end...the days of 'silent exits' of data have begun."


**Conference Keynote – Day 2**

Name: Chris Evans

Bio: At Google, Chris founded and built the Chrome Security Team. He is currently focused on doing the same for Google Project Zero. He has launched various progressive initiatives including the Chromium Vulnerability Reward Program and Pwnium competitions. He particularly enjoys driving wider community participation and is also a director for the Internet Bug Bounty charity.

As time permits, Chris is a vulnerability researcher, speaking at various worldwide conferences and serving on talk and paper selection panels. He has found vulnerabilities in most of the popular operating systems and web browsers.

Chris also enjoys contributing to open source and security design best practices, being the author of vsftpd and its "privsep" concept, and having detected the "Diginotar incident" through contributions to the design of SSL in Chrome.

Chris' current focus is defending internet users from sophisticated targeted attacks.

Title: Project Zero: make 0day hard

Synopsis: We'll provide a frank assessment of the current attack landscape and how it has changed since the "mass malware" years. We will then explore what this means for effective defenses and vulnerability response. This will lead into a detailed description of where Project Zero fits in, with its mission to make zero days hard and lower the incidence of targeted exploitation. We'll dive into some depth on the most significant Project Zero publications, policies and general observations to date.


Name: Craig Smith

Bio: Craig Smith is the founder of Open Garages and the author of the Car Hacker's Handbook. Craig has performed security work with the auto-industry and published independent work for 6 years. He has worked in the security industry for over 15 years and currently runs his own independent security research company, Theia Labs.

Title: Automotive Exploitation Techniques

Synopsis: A demonstration of some of the newest car hacking tools from Open Garages. This includes how to use the CAN of Fingers (c0f) to develop smart vehicle exploit code. There will also be a demonstration of the web-based remote vehicle C&C interface used by NBC reporters in NYC to hack a vehicle in Seattle. There will be examples from the 2015 Car Hacker's Handbook as well.


Name: Deviant Ollam

Bio: While paying the bills as a security auditor and penetration testing consultant with his firm, The CORE Group, Deviant Ollam is also a member of the Board of Directors of the US division of TOOOL, The Open Organisation of Lockpickers. Every year at DEFCON and ShmooCon, Deviant runs the Lockpick Village, and he has conducted physical security training sessions for Black Hat, The SANS Institute, DeepSec, ToorCon, HackCon, Shakacon, HackInTheBox, ekoparty, AusCERT, GovCERT, CONFidence, the FBI, the NSA, DARPA, the National Defense University, the United States Naval Academy at Annapolis, and the United States Military Academy at West Point. His favorite Amendments to the US Constitution are, in no particular order, the 1st, 2nd, 9th and 10th.

Title: Exploiting Elevator Security Weaknesses

Synopsis: Throughout the history of hacker culture, elevators have played a key role. From the mystique of students at MIT taking late-night rides upon car tops (don't do that, please!), to the work of modern pen testers who use elevators to bypass building security systems (it's easier than you think!), these devices are often misunderstood and their full range of features and abilities go unexplored. This talk will be an in-depth explanation of how elevator control systems work...allowing for greater understanding, system optimizing, and the subversion of security in many facilities. Those who attend will learn why an elevator is virtually no different than an unlocked staircase as far as building security is concerned!


Name: James Forshaw

Bio: James is a security researcher in Google's Project Zero. He has been involved with computer hardware and software security for over 10 years looking at a range of different platforms and applications. With a great interest in logical vulnerabilities he has numerous disclosures in a wide range of products from web browsers to virtual machine breakouts as well as being a Pwn2Own and Microsoft Mitigation Bypass bounty winner. He has spoken at a number of security conferences including Black Hat USA, CanSecWest, BlueHat, HITB, and Infiltrate.

Title: Social Engineering the Windows Kernel

Synopsis: One successful technique in social engineering is pretending to be someone or something you're not and hoping the security guard who's forgotten their reading glasses doesn't look too closely at your fake ID. Of course there's no hyperopic guard in the Windows OS, but we do have an ID card, the Access Token, which proves our identity to the system and lets us access secured resources.

The Windows kernel provides simple capabilities to identify fake Access Tokens, but sometimes the kernel or other kernel-mode drivers are too busy to use them correctly. If a fake token isn't spotted during a privileged operation, local elevation of privilege or information disclosure vulnerabilities can be the result. This could allow an attacker to break out of an application sandbox, elevate to administrator privileges or even compromise the kernel itself.

This presentation is about finding and then exploiting the incorrect handling of tokens in the Windows kernel as well as first- and third-party drivers. Examples of serious vulnerabilities such as CVE-2015-0002 and CVE-2015-0062 will be presented. It will provide clear exploitable patterns so that you can do your own security reviews for these issues. Finally I'll discuss some of the ways of exploiting these types of vulnerabilities to elevate local privileges.


Name: Martin Vigo

Bio: Martin Vigo is a Product Security Engineer with a special interest in Web and Mobile security. He previously worked as a Software Engineer where he developed a strong passion for information security. Currently he helps engineers design secure systems and applications, conducts security reviews and penetration testing and is responsible for mobile security. Martin is also involved in educating fellow developers on security essentials and best practices. He has also presented secure development and mobile apps hardening talks at several conferences.

Outside the office, Martin enjoys research, bug bounties, gin tonics and scuba diving.

Title: Breaking Vaults: Stealing LastPass protected secrets

Synopsis: LastPass is a popular password manager that integrates with browsers through plugins. One of the most interesting features is the fact that the encrypted vault is stored on LastPass' servers, but they have no access to the content since the master password never leaves the user's machine. All encryption and decryption happens locally. Password managers are a single point of failure by design and therefore they need to be secure. A tool with the sole purpose of storing all your secrets is an important target for any attacker.

The most valuable piece of information is the master password. It is the key to decrypt the data and gain complete access. Research has been done on different attack vectors, but the focus has been on leaking passwords stored in the vault. This presentation will focus on how it is possible to steal and decrypt the master password. In addition, I will also demonstrate an additional attack vector that results in full access to the vault without the need for the master password. Two different attacks to achieve the same goal: full access to the vault. But given that LastPass supports 2-factor authentication, I will also demonstrate how to bypass it. Last but not least, I will release a Metasploit module that will automate the whole process: stealing the master password, leaking the encryption key and bypassing 2-factor authentication.


Name: Patrick Wardle & Colby Moore

Bio: Patrick Wardle is the Director of Research at Synack, where he leads cyber R&D efforts. Having worked at NASA, NSA, and Vulnerability Research Labs (VRL), he is intimately familiar with aliens, spies, and talking nerdy. Currently, Patrick's focus is on automated vulnerability discovery, and the emerging threats of OSX and mobile malware.

Colby Moore is a Security Research Engineer at Synack, working mainly on breaking emerging technologies. He is a former employee of VRL and has identified 0-day vulnerabilities in embedded systems and major applications. Colby prefers to focus on that sweet spot where hardware and software meet, usually resulting in um....interesting....consequences.

Title: There's Waldo

Synopsis: Mobile apps are truly ubiquitous and enhance our lives in many ways. However, many either leak or insecurely handle geolocation data, affording an attacker the ability to locate, track, or even determine a user’s identity. This talk describes classes of geolocation vulnerabilities, how apps may be audited to find such bugs, and best practices to ensure users remain protected. To provide a more 'hands-on' feel, real world case studies are presented to demonstrate attacks uncovered by Synack researchers.

The talk will begin with a technical overview of geolocation capabilities in mobile OSs and how apps may access a user's location. Next, the talk will identify common classes of geolocation bugs and illustrate how developers often utilize a user's location in an insecure manner. For example, since geolocation APIs may default to the highest level of accuracy, a user's precise location may be revealed if not properly secured (on the device, in transit, or in the cloud).

Unfortunately, as our case studies show, such bugs are alarmingly common (numerous popular applications will be mentioned). A specific case study on Grindr (a common dating app) will be presented to illustrate a myriad of geolocation bugs that placed its users in harm’s way (see: 'Grindr vulnerability places men in harm's way' http://goo.gl/dg4cs6). First, due to the lack of SSL pinning, we present a MitM attack that reveals the user's exact location. Following this, we demonstrate a scalable remote attack. This attack combined several bugs, including the fact that the app reported (to anybody) the precise relative distance of all 'near-by' users. With these distances and the ability to spoof one's location and perform unlimited requests, trilateration could precisely locate and track users world-wide. Unfortunately, though we reported the bugs, patches only appeared after it was reported that the Egyptian government was tracking and arresting Grindr users.

Step-by-step demonstrations will be given, showing how we were able to harvest data and run calculations to determine tens of thousands of users' locations in real time. But it would be silly if we stopped there... Leveraging our capability, we demonstrate a custom framework developed to map patterns of life and subsequently correlate these patterns to true identity. By setting "hot spots" in our framework (think celebrity homes or US capitols) we can monitor target locations for user activity - potentially exposing identities of parties that may traditionally wish to remain private, such as celebrities, athletes, and politicians. And yes, it works ;).

Besides illustrating location-specific bugs and providing real-world examples, the talk will provide suggested best practices to ensure applications are developed in a manner that does not put users at risk. Such suggestions include precision limiting of geolocation data, rate limiting APIs (in order to make large-scale data harvesting difficult), and limiting the speed and magnitude of user location changes (to prevent harvesting of distances from arbitrary points). For companies or anybody developing location-aware apps, these suggestions will be directly applicable - and ideally, Waldo will remain hidden.
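The three mitigations the synopsis lists (precision limiting of reported distances, rate limiting the nearby-users API, and bounding how fast a client's reported position may change) as one server-side policy check. This is an added illustration written for this page, not Synack's or the speakers' code; the client ids, coordinates, bucket size and speed threshold are constructed values.

```python
import math
from collections import defaultdict, deque

EARTH_RADIUS_M = 6_371_000.0


def haversine_m(lat1, lon1, lat2, lon2):
    """Great-circle distance in metres between two latitude/longitude points."""
    p1, p2 = math.radians(lat1), math.radians(lat2)
    dphi = p2 - p1
    dlam = math.radians(lon2 - lon1)
    a = math.sin(dphi / 2) ** 2 + math.cos(p1) * math.cos(p2) * math.sin(dlam / 2) ** 2
    return 2 * EARTH_RADIUS_M * math.asin(math.sqrt(a))


def coarsen_distance(meters, bucket_m=500.0):
    """Precision limiting: expose only which bucket a distance falls into, never
    the exact value, so a handful of probes cannot trilaterate a user's position."""
    return math.floor(meters / bucket_m) * bucket_m


class SlidingWindowLimiter:
    """Rate limiting: at most max_requests per client in any window_s seconds."""

    def __init__(self, max_requests, window_s):
        self.max_requests = max_requests
        self.window_s = window_s
        self._hits = defaultdict(deque)  # client_id -> timestamps of recent requests

    def allow(self, client_id, now):
        hits = self._hits[client_id]
        while hits and now - hits[0] >= self.window_s:  # drop timestamps outside the window
            hits.popleft()
        if len(hits) >= self.max_requests:
            return False
        hits.append(now)
        return True


class LocationPolicy:
    """Checks a server applies before answering a 'who is near me' query."""

    def __init__(self, limiter, max_speed_mps=300.0, bucket_m=500.0):
        self.limiter = limiter
        # Constructed threshold: roughly airliner speed; anything faster is a spoofed jump.
        self.max_speed_mps = max_speed_mps
        self.bucket_m = bucket_m
        self._last = {}  # client_id -> (lat, lon, timestamp) of last accepted position

    def check_update(self, client_id, lat, lon, now):
        """Return None if the reported position is accepted, else a rejection reason."""
        if not self.limiter.allow(client_id, now):
            return "rate_limited"
        prev = self._last.get(client_id)
        if prev is not None:
            plat, plon, pts = prev
            elapsed = max(now - pts, 1e-3)  # guard against division by zero
            if haversine_m(plat, plon, lat, lon) / elapsed > self.max_speed_mps:
                return "implausible_movement"  # rejected position is not recorded
        self._last[client_id] = (lat, lon, now)
        return None

    def nearby(self, client_id, lat, lon, now, users):
        """Return (reason, results); results are (user_id, bucketed distance) pairs."""
        reason = self.check_update(client_id, lat, lon, now)
        if reason is not None:
            return reason, []
        results = [(uid, coarsen_distance(haversine_m(lat, lon, ulat, ulon), self.bucket_m))
                   for uid, ulat, ulon in users]
        return None, results


# Constructed sample data: two users around Honolulu and a client in Waikiki.
SAMPLE_USERS = [("alice", 21.2793, -157.8293), ("bob", 21.3069, -157.8583)]
CLIENT_POS = (21.2850, -157.8350)

if __name__ == "__main__":
    policy = LocationPolicy(SlidingWindowLimiter(max_requests=5, window_s=60))
    print(policy.nearby("client-1", *CLIENT_POS, 0.0, SAMPLE_USERS))
```

Bucketing alone does not stop a patient attacker who can move freely and query without limit; the three checks are meant to be applied together.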


Name: Scott Erven

Bio: Scott is an Associate Director at Protiviti. He has over 15 years of information security and information technology experience with subject matter expertise in medical device and healthcare security. Scott has consulted with the Dept. of Homeland Security, FDA, and advised national policymakers. His research on medical device security has been featured in Wired and numerous media outlets worldwide. He has presented his research and expertise in the field internationally. Scott also served as a subject matter expert and exam writer for numerous industry certifications. His current focus is on research that affects human life and public safety issues inside today's healthcare landscape.

Title: Medical Devices: Passwords to Pwnage

Synopsis: Last year I presented at Shakacon on how medical device security is significantly lagging behind other industries, and also demonstrated that thousands of healthcare organizations had Internet-facing exposures allowing direct attack vectors to medical devices. Well, just how hard is it to take it to the next step in an attack and gain administrative access to these critical life-saving devices?

I will discuss and publicly disclose over 20 CVEs I have reported that demonstrate how an attacker can gain remote administrative access to medical devices and supporting systems. No 1337 haxor skills needed here. Over 100 service and support credentials for medical devices will be released. I will also focus on the positive response and coordination with DHS/ICS-CERT, FDA and the device manufacturers. In addition, I will discuss recent research on application security and design failures in medical devices that allow for compromise of healthcare organizations' internal networks.


Name: Sean Metcalf

Bio: Sean Metcalf is the Chief Technology Officer at DAn Solutions, a company that provides Microsoft platform engineering and security enterprise. Mr. Metcalf is one of about 100 people in the world who holds the elite Microsoft Certified Master Directory Services (MCM) certification. Furthermore, he assisted Microsoft in developing the Microsoft Certified Master Directory Services certification program for Windows Server 2012.

Mr. Metcalf has provided Active Directory and security expertise to government, corporate, and educational entities since Active Directory was released. He currently provides security consulting services to customers with large Active Directory environments and regularly posts useful Active Directory security information on his blog, ADSecurity.org. Follow him on Twitter @PyroTek3.

Title: Red vs. Blue: Modern Active Directory Attacks, Detection & Protection

Synopsis: While Kerberos "Golden Tickets" and "Silver Tickets" received a lot of press in the second half of 2014, there hasn't been much detail provided on how exactly they work, why they are successful, and how to mitigate them (other than: "don't get pwned"). Golden Tickets are the ultimate method for persistent, forever AD admin rights to a network since they are valid Kerberos tickets and can't be detected, right?

This talk covers the latest Active Directory attack vectors and describes how to detect Golden Ticket usage. Provided are key indicators that can detect Kerberos attacks on your network, including Golden tickets, Silver tickets & MS14-068 exploitation, as well as methods to identify, mitigate, and prevent common Active Directory attack vectors. When forged Kerberos tickets are used in AD, there are some interesting artifacts that can be identified. Yes, despite what you may have read on the internet, there are ways to detect Golden & Silver Ticket usage!

Some of the topics covered:

  • How attackers go from zero to (Domain) Admin
  • MS14-068: the vulnerability, the exploit, and the danger
  • "SPN Scanning" with PowerShell to identify potential targets without network scans (SQL, Exchange, FIM, webservers, etc.)
  • Exploiting weak service account passwords as a regular AD user
  • Mimikatz, the attacker's multi-tool
  • Using Silver Tickets for stealthy persistence that won’t be detected (until now)
  • Identifying forged Kerberos tickets (Golden & Silver Tickets) on your network
  • Detecting offensive PowerShell tools like Invoke-Mimikatz
  • Active Directory attack mitigation

Kerberos expertise is not required, since the presentation covers how Active Directory leverages Kerberos for authentication, identifying the areas useful for attack. The information presented is useful for both Red Team and Blue Team members as well as AD administrators.


Name: Zoltán Balázs

Bio: Zoltán (@zh4ck) is the Chief Technology Officer at MRG Effitas, a company focusing on AV testing. Before MRG Effitas, he worked for 5 years in the financial industry as an IT Security expert, and for 2 years as a senior IT security consultant at one of the Big Four companies. His main expertise areas are penetration testing, malware analysis, computer forensics and security monitoring. He released the Zombie browser tool, consisting of POC malicious browser extensions for Firefox, Chrome and Safari. He has been invited to present at information security conferences worldwide including DEFCON, Hacker Halted USA, OHM, Hacktivity, Ethical Hacking.

He is a proud member of the gula.sh team, 2nd runner up at global Cyberlympics 2012 hacking competition.

Title: Hacking Highly Secured Enterprise Environments

Synopsis: In theory, post-exploitation after having remote access is easy. Also in theory, there is no difference between theory and practice. In practice, there is. Imagine a scenario where the hacker/penetration tester has deployed malware on a user's workstation, but the target information is on a secure server accessed via two-factor authentication, with screen access only (e.g. RDP, Citrix, etc.). On top of that, the server runs application white-listing, and only the inbound port to the screen server (e.g. 3389) is allowed through the hardware firewall. But you also need persistent interactive C&C communication (e.g. Netcat, Meterpreter, RAT) to this server through the user's workstation.

I developed (and will publish) two tools that help the community in these situations. The first tool can drop malware to the server through the screen while the user is logged in. The second tool can help to circumvent the hardware firewall after one can execute code on the server with admin privileges (using a signed kernel driver). My tools have been tested against Windows Server 2012 and Windows 8, and they work with RDP or other remote desktops (e.g. Citrix). The number of problems one can solve with them is endless, e.g. communicating with a bind shell on a webserver behind a restricted DMZ. Beware, live demo and fun included!

Training Sessions

2-Day Training classes are now available. Please see below for detailed information on the various trainings we are offering this year, including the course outline and prerequisites. Click on the Registration tab to register and for pricing information.



Training: Powershell for Penetration Testers

Trainer: Nikhil Mittal

Description: PowerShell has changed how Windows is used, secured and also how Windows is owned. It is an automation platform for everybody: developers, defenders and attackers. PowerShell provides easy access to almost everything in a Windows machine and network. It comes installed by default in modern versions of Windows. During a penetration test, it can be really helpful to use this powerful shell and scripting language for further attacks.

This training will help anyone who wants to know more about PowerShell from a security perspective. If you are a defender, you will learn how this attack vector can be used against a corporate environment. If you are a pen tester, you will learn how to use PowerShell for pen testing in a Windows environment. You will learn various techniques like privilege escalation, backdoors, keylogging, data exfiltration, dumping system secrets in plain text, persistence, pivoting, in-memory code execution, using top sites as C&C, web shells, bots...the list goes on.

Learning how to use a target environment for your purposes is crucial in pen tests. Open source tools which help in achieving this will also be discussed, including those written by the trainer. The training aims to bring PowerShell goodness to security professionals and includes hands-on work in a lab environment and CTF-like exercises. You will be able to write your own scripts for security testing after this training. This training aims to forever change how you pen test a Windows-based environment.

ATTENDEES WILL GAIN:

  1. PowerShell Cheat Sheet, solutions to exercises, sample source code, updated tools and extra slides explaining things which could not be covered
  2. Attendees will learn a powerful attack method which can be applied from day one after the training
  3. Attendees will understand that it is not always required to use a third-party tool or foreign code on the target machine for post-exploitation
  4. Attendees will learn how PowerShell makes things easier than previous scripting options like VB.
COURSE OUTLINE:

  • Introduction to PowerShell
  • Using ISE, help system, cmdlets and syntax of PowerShell
  • Writing simple PowerShell scripts
  • Functions, Objects, Pipeline, Jobs and Modules
  • Playing with the Windows Registry
  • .Net with PowerShell
  • COM with PowerShell
  • WMI with PowerShell
  • Recon, Information Gathering and the like - Tools written/integrated in PowerShell
  • Vulnerability Scanning and Analysis - Tools written/integrated in PowerShell
  • Exploitation - Getting a foothold on a system
  • Writing shells in PowerShell
  • Post-Exploitation - What PowerShell is actually made for
  • Pivoting to other machines
  • Poshing the hashes
  • PowerShell with Human Interface Devices
  • Client Side Attacks with PowerShell
  • Achieving Persistence
  • Owning other MS products - SQL Server and AD
  • Attacking UNIX machines
  • Clearing Tracks
  • Quick System Audits with PowerShell
  • Detecting PowerShell attacks
  • Security controls available with PowerShell
PREREQUISITES:

  • Basic understanding of a programming or scripting language could be helpful but is not mandatory.
  • An open mind.
Bio: Nikhil Mittal is a hacker, infosec researcher, speaker and enthusiast. His areas of interest include penetration testing, attack research, defense strategies and post-exploitation research. He has 5+ years of experience in penetration testing for his clients, which include many global corporate giants.

He specializes in assessing security risks in secure environments which require novel attack vectors and an "out of the box" approach. He has worked extensively on using Human Interface Devices in penetration tests and PowerShell for post-exploitation. He is the creator of Kautilya, a toolkit which makes it easy to use Teensy in penetration tests, and Nishang, a post-exploitation framework in PowerShell. In his spare time, Nikhil researches new attack methodologies and updates his tools and frameworks.

Nikhil has held trainings and boot camps for various corporations (in the US, Europe and SE Asia), for educational institutes like the IITs, and at the world's top information security conferences.

He has spoken at conferences like Defcon, BlackHat USA, BlackHat Europe, RSA China, Troopers, PHDays, BlackHat Abu Dhabi, Hackfest, ClubHack, EuSecWest and more.



Training: Offensive Techniques

Trainer: Colin Ames, Attack Research

Description: In the professional information security world, there has yet to be a course which provides students with the knowledge and skills required to carry out real-world attacks. Traditional penetration testing courses impart only a limited view of the exposure and vulnerabilities companies suffer from. These classes are generally focused on standard scanners, frameworks, and tool usage, as well as techniques for collecting "shells" on target systems. In contrast, this course is designed to teach its students how to plan and execute a successful attack against a target, using the same techniques and mindsets that real attackers use.

Attack Research teaches a unique approach to penetration testing, using deep system knowledge and lesser-known techniques that will arm the student with true offensive capabilities. This class is designed to help students think past the need for known exploits. Alternating between hands-on exercises and lectures, the students will walk away having been given the chance to utilize the new skills that they will learn. A target network will be provided, along with all of the software needed to participate in the labs.

Students will leave with an understanding of:

  • How real attacks are planned and carried out
  • Unique exploitation techniques that aren't public
  • End to end attack methodologies
  • How to use and deploy true offensive techniques
  • Attacker opsec both on and off boxes
Students will spend a significant amount of time creating their own custom tools in a lab environment. The labs are designed around the students working through the following:

  • Software weaponization and custom payload creation
  • Web recon and how automation works for you
  • Initial exploitation vectors from basic to advanced
  • Command and Control
  • Lateral movement with custom tools
  • Stealth
  • Evading detection on all levels
  • Exploiting both Windows and *nix networks
  • Abuse of PAM authentication for lateral movement
Students will test all of the skills they have gained in the course against a target network specially designed for the class. The labs will be interwoven into the lecture so that students will receive a significant amount of time to practically exercise these new skills as they learn them. By the end of the class students will have spent roughly 50% of the time in a lab environment.

COURSE OUTLINE:

  • Introduction
    • Class fundamentals
    • Mentality for Offensive Operations
  • Weaponization Software
    • The basics of MSF and why attackers don’t really use it
    • Attacker toolsets
    • Rapid malware prototyping with other languages and platforms
  • Initial Exploitation
    • Attacker recon
    • Web hacking techniques for Black Hats
    • Secure Java exploitation techniques
    • Customizing exploits for weaponization
  • Recon techniques on and off hosts
    • Recon is how you win
    • Uncommon recon techniques
    • Finding assets on a network like a true attacker
  • Getting root
    • Paths
    • Services
    • Injections
    • Unknown shells
  • Persistence
    • Enumerating best locations for persistence
    • In memory
    • On disk but then gone
    • Trojaning OS assets for persistence
  • Personal Security Products Evasion
    • Attack the PSP process
    • Defeating all PSP products
    • Attacker OPSEC
  • Lateral Movement
    • Playing with APT
    • Binary obfuscation techniques
    • Working through networks
  • Unix network exploitation
    • Non memory corruption root
    • Poor man's rootkits
    • How to make Kerberos kill
    • Trojaning home
    • SSH manipulation for shells
    • Hacking X like never seen before
Student laptops must be running OSX, Linux, or Windows and they must have the ability to disable all antivirus on the machine. You must have administrative access on your machine as well for sniffing traffic, adjusting firewalls, etc.

PREREQUISITES:

  • A concept of scripting languages such as Python/Perl/Ruby
  • A medium level of systems administration on a Windows or Linux machine (Windows preferable but not a must)
  • Students don’t have to have internet access, but it would be desired for all
Bio: Colin is a security researcher with Attack Research, LLC, where he consults for both the private and public sectors. He's currently focused on pen testing, exploit development, reverse engineering, and malware analysis.



Training: Web Application Exploitation

Trainer: Chris Potter, Attack Research

Description: This course combines a deep understanding of manual web application exploitation with the latest in vulnerability identification as well as how to use the latest automated tools to assist in web application vulnerability identification and exploitation. By tailoring the instruction to the rapid assessment of web applications as well as deep dive source code auditing techniques, we equip students with the skills required to keep up with the modern web application security landscape as well as provide new knowledge to use in their engagements. This Web Application Exploitation class includes considerable lab time utilizing external applications and attacks as observed in the wild.

Students will leave with an understanding of:

  • How web application vulnerabilities are identified
  • How web application vulnerabilities are exploited
  • How exploit chaining can lead to greater vulnerability risk classification
  • How to exploit the latest 'Exotic' vulnerabilities
  • End to End attack methodologies including attacker OPSEC
Students will spend a significant amount of time creating their own custom exploits in the lab environment. The labs are designed around the students working through the following:

  • Profiling External Web Applications
  • Vulnerability Classification
  • Identifying Vulnerable Web Applications
  • Exploiting Web Applications
  • End to End Attack Methodologies
  • Using the Latest Security Tools to Aid in Application Assessments
COURSE OUTLINE:

  • Web Application Profiling
  • Cross Site Scripting (XSS)
  • Click Jacking
  • Cross Site Request Forgery (CSRF)
  • Local File Inclusion (LFI)
  • Remote File Inclusion (RFI)
  • SQL Injection (SQLINJ)
  • Remote Code Execution (RCE)
  • XML External Entity Injection (XXE)
  • Object Serialization
  • Exploit Development and Automation (OPSEC, Log Analysis)
  • Security Tool Usage (Acunetix, Burp, Qualys WAS, sqlmap)
Student machines must have Burp, sqlmap, and Firefox installed, as well as the LiveHTTP Headers and Firebug Firefox extensions. Free versions and professional versions are fine.

Student laptops must be running either OSX, Linux, or Windows and must have the ability to sniff traffic, adjust firewalls, etc.

Students are encouraged to have a local WAMP/LAMP stack installed and running on their machine for local exploit development testing/homework; however, the lab infrastructure will be sufficient for all labs.

PREREQUISITES:

  • A concept of scripting languages such as Python/Perl/Ruby/PHP
  • A familiarity with LAMP/WAMP architectures
  • A concept of Web Application architectures
Bio: Chris is a professional security consultant and developer with over ten years of experience working within the Information Technology (IT) and Information Security (INFOSEC) industry. He has participated in numerous research projects with leading INFOSEC and IT experts from around the world. He has performed security audits for companies in the United States, including leading Fortune 100 firms. He is proficient in numerous programming languages and application development strategies. He has developed numerous tools for network security penetration testing, and has spoken and trained at several prominent security conferences on topics ranging from deep technical attack strategies to the fundamental psychological differences of attackers.



Training: Rapid Reverse Engineering

Trainer: Russ Gideon, Attack Research

Description: This course combines deep understanding of reverse engineering with rapid triage techniques to provide students with a broad capability to analyze malicious artifacts uncovered during incident response. By tailoring the instruction to rapid assessment of binaries, we equip students with the skills required to keep up with modern malware and rapidly extract the most valuable and pertinent data to their investigations, including Indicators of Compromise (IOCs). Rapid RE includes considerable lab time utilizing replicated enterprise networks and attacks as observed in the wild.

Students will leave with an understanding of:

  • How real world attacks are carried out
  • File triage processes and techniques
  • Intelligence extraction techniques from malware
  • How to deal with binary obfuscation techniques
  • How to get indicators from a file in a hurry
Students will spend a significant amount of time creating their own custom tools in a lab environment. The labs are designed around the students working through the following:

  • Recognizing file format infections from various sources
  • Advanced triage capabilities
  • Extract host and network indicators from file format exploits
  • Developing your own custom process trace capabilities for IOC extraction
  • Rapid shellcode analysis using not-so-common tools and techniques
  • Rapid binary de-obfuscation techniques with IDA Pro and Debuggers
  • Rapid unpacking techniques
The labs will be interwoven into the lecture so that students will receive a significant amount of time exercising these new skills as they learn. By the end of the class, students will have spent 50% of the time in a lab environment. A significant portion of the class will be dedicated to building new tools, on the fly, to solve the challenges posed by a difficult adversary.

COURSE OUTLINE:

  • Rapid inspection of various file formats
    • Metadata extraction from PE, PDF, and Office docs
    • Finding buried artifacts in files
    • Mobile malware metadata analysis
  • Assured Dynamic Analysis
    • Extracting host IOCs from file formats with dynamic analysis
    • Working DLLs
    • Splatter network IOC extraction and log file analysis
    • Memory Analysis
  • Android Auto Analysis
    • Android Internals
    • APK Reversing By Hand
    • Automated Bindings and Android
  • Assembly
    • X86 intro
    • ARM intro
  • Process Tracing for Rapid Field Assessments
    • Intro to Intel PIN
    • Code tracing with Pin
    • Shellcode analysis with Pin
  • IDA Efficiencies
    • Intro to IDA Scripting
    • X86 emulation
    • De-obfuscation techniques
  • Unpacking
    • Using IDA for unpacking assistance
    • Unpacking in-memory
Student machines must be able to run at least 2 virtual machines using VMware Workstation 8.0 or above (which can be obtained through a demo license). Running multiple machines usually means at least 4GB of memory is needed. Laptops must be running either OSX, Linux, or Windows and must have the ability to disable all antivirus, sniff traffic, adjust firewalls, etc.

Students are encouraged to have a copy of IDA Pro version 6.0 or greater. Students are responsible for bringing an XP or Windows 7 VMware virtual machine that can be instrumented and infected with malware.

PREREQUISITES:

  • A concept of scripting languages such as Python/Perl/Ruby
  • A familiarity with Windows administration
  • A concept of malware analysis and reverse engineering malware processes
  • Programming in C and previous knowledge of assembly will help students, but is not a must
Bio: Russ has many years of experience in information security fulfilling many diverse roles from being a core component of an Incident Response operation to running effective Red Teams from across the United States government. Russ excels both at malware reverse engineering, which enables him to deeply understand how the attackers do what they do, as well as at high end Red Teaming where he has to penetrate sophisticated and well protected high value systems. Russ currently serves as the Director of Malware Research at Attack Research.



Training: Low-Power Hacking

Trainer: Dr. Phil Polstra

Description: In the first part of this course, students will construct their very own remote hacking drones based on the BeagleBone Black. These devices can be used as dropboxes, remotely-controlled hacking drones, or full pen-testing desktop systems. When used as a dropbox or remote hacking drone, the devices may be controlled from a Linux PC located up to a mile (1.6km) away. This distance can be extended using gateways and/or routers. Multiple devices connected via IEEE 802.15.4 or ZigBee mesh networks can be used to perform powerful coordinated attacks. These devices can be battery powered for several days if required.

The second part of the training will show attendees how to maximize the power of pen-testing with remote hacking drones by leveraging Python scripting. By the end of the second day, students should be comfortable performing highly scripted remote pen-tests with a single drone and be able to perform some truly amazing pen-tests by scaling up to use multiple drones. All tools used in this training, including the hardware, are open source. Students will leave this course with a fully functional remote controlled drone and the knowledge of how to add additional drones to their army for well under $200/each. In addition to their low cost and easy availability, these drones are easily reconfigured for a number of pen-testing scenarios.

WHAT STUDENTS SHOULD BRING:

A Linux laptop capable of reading a microSD and the following hardware:

  • BeagleBone Black
  • XBee Pro Series 1 radio
  • XBee Series 1 radio (this could also be a pro version)
  • USB XBee adapter
  • Alfa AWUS036H (or other aircrack-ng compatible) wireless adapter
For student convenience, these items and optional items, such as additional drones, are available from http://philpolstra.com.

WHAT STUDENTS WILL BE PROVIDED WITH:

  • Signed copy of Hacking and Penetration Testing with Low Power Devices by Dr. Phil Polstra
  • Fully assembled XBee Cape
  • 32GB microSD card preloaded with the latest version of a custom pentesting Linux distro (The Deck)
Bio: Dr. Phil Polstra is a professor teaching Digital Forensics at Bloomsburg University of Pennsylvania. He has been programming since age 8, when he cleaned out his savings to buy a TI-99/4A computer. Two years later he learned 6502 assembly and has been hacking hardware and causing trouble ever since. For the last few years Phil has been using microcontrollers and embedded computer systems to build penetration testing and forensics hardware. This work includes developing a penetration testing Linux distro for the BeagleBoard and BeagleBone family of devices and accompanying hardware. This work is described in detail in his book Hacking and Penetration Testing With Low Power Devices (Syngress, 2014).



Training: Windows Internals for Security Professionals

Trainer: T. Roy

Description: This course takes a deep dive into the internal workings of the Windows kernel from a security perspective. Attendees learn about the behind-the-scenes workings of various components of the Windows kernel, with emphasis on internal algorithms, data structures and debugger usage. The hands-on labs consist of extensive use of the kernel debugger (WinDBG), with emphasis on interpreting the debugger output and using this information to understand the state and health of the system.

WHO SHOULD ATTEND:

  • Kernel mode software developers, anti-malware developers, malware analysts, rootkit analysts, security researchers and forensic investigators.
KEY LEARNING OBJECTIVES:

  • Understand the major components of the Windows Kernel and the functionality they provide.
  • Understand the internal workings of the kernel and how to peek into it using the debugger.
  • Be able to investigate system data structures using kernel debugger extension commands.
  • Be able to interpret the output of debugger commands and correlate them to the state of the system.
  • Be able to navigate between different data structures in the kernel, using debugger commands.
  • Be able to locate indicators of compromise while hunting for kernel mode malware.
  • Understand how kernel mode rootkits interact with the system.
PREREQUISITES:

  • Attendees must have a solid understanding of operating system concepts and have a working knowledge of Windows. This course does not require you to have any programming knowledge.
HARDWARE REQUIREMENTS:

  • Attendees must bring their own laptop powerful enough to run at least one virtual machine. It should have at least 8GB of RAM, 30 GB free disk space, working USB Port and Wireless LAN.
SOFTWARE REQUIREMENTS:

  • Laptop must be running a 64-bit version of Windows 7 SP1 or higher. Virtualization software (i.e. VMware, Hyper-V or VirtualBox) must be installed. Guest OS must be a 64-bit version of Windows 8.1 Update 1. BitLocker must be disabled on the guest. Attendees must have administrative access to both host and guest OSs. Debugging Tools for Windows and SysInternals Tools, both of which are publicly available, must be installed on both host and VM guest. All other tools and software will be provided by the instructor.
COURSE AGENDA:

  • Architectural Overview: Privilege rings, HAL, kernel, executive, device drivers, Win32k.sys, NTDLL, system process, user and kernel threads.
  • Hardware Support: CPU registers, segment registers, global descriptor table (GDT), interrupt descriptor table (IDT), model specific registers (MSR).
  • System Mechanisms: Interrupt request levels (IRQL), traps, system calls, service descriptor tables, native API calls (Zw vs Nt), read/write probes, exception handling.
  • Execution Environment: Interrupt service routines (ISR), deferred procedure calls (DPC), asynchronous procedure calls (APC), worker threads, custom driver threads.
  • Memory Management: Kernel virtual address space, page table entries (PTE), virtual address descriptors (VAD), page frame number (PFN) database, kernel mode thread stacks, pools, memory mapping, memory descriptor lists (MDL).
  • Objects and Handles: Object manager, object header, object types and procedures, object layout, object security checks, handle tables, handle table entries, kernel handles, object reference counting.
  • Device Drivers: Driver architecture, I/O manager data structures (driver object, device object, file object, symbolic link), I/O requests (IRP and I/O stack location), I/O processing, data buffering mechanisms.
  • Kernel Security Mitigations: Kernel mode code signing (KMCS), kernel patch protection (PatchGuard), supervisor mode execution prevention (SMEP), non-executable (NX) pools.
Bio: T. Roy, an author, instructor and consultant, is the founder and president of CodeMachine. He spends most of his time researching Windows internals and security, developing software and traveling around the world sharing this knowledge.

He holds a Master's Degree in Computer Engineering, has more than 20 years of experience and has taken more than a dozen projects from their infancy all the way through to commercial success. He works in the defense and intelligence community and is well versed with the offensive side of cyber-security. Additionally, T. Roy was involved with the development of some of the industry's leading endpoint security solutions like intrusion prevention systems, network firewalls, behavioral anti-malware, document security and data leak prevention system and has intimate knowledge of the limitations that these solutions have.

Over the last decade he has taught courses in more than 20 countries. He has taught Microsoft's own engineers and has received many instructor recognition awards. He is also an adjunct professor and teaches computer forensics to graduate students. He has an innate talent for taking complex concepts and explaining them in a lucid manner. Through his teaching, he shares the knowledge he has acquired through years of hands-on experience.



Training: Automotive Exploitation Techniques

Trainer: Craig Smith

Description: Hands-on car hacking course. No previous knowledge of mechanics required. The course walks you through the layout of modern car systems, including infotainment attacks, ECUs, CAN bus and other embedded system attacks. This class will go over vehicle methodologies that can be applied to any vehicle. Tools will be provided, as well as a functional car test bench to practice attacks on. You will learn the skills to analyze a car's security and create attacks that can be weaponized into further exploits.

Students will receive a CAN bus sniffer and a copy of all course materials and software tools.

COURSE OUTLINE:

    Day 1
    • Course overview of scope
      • What is car hacking
      • Benefits / why hack cars
      • Focusing on remote and local attacks
      • Hands-on to feel comfortable doing these hacks at home
    • Vehicle Attack Surface
      • Define what the attack surface is. Infotainment, IC, CANBus, TPMS, etc.
      • Intro to threat modeling
    • SocketCAN
      • Setting up virtual CAN devices
      • Getting the build environment ready for testing
      • Tool overview
    • Infotainment System overview
      • Connected to CAN
      • Bluetooth
      • WiFi
      • USB
      • CD
      • Map Updates
      • XM
    • Vehicle Communication Systems overview
      • OBD Connector
      • CAN
      • Overview of other bus protocols: GMLAN, PWM, K-Line, LIN
      • Ethernet
    • Diagnostic Communication
      • Overview of ISO-TP / UDS
      • Scan Tools and PIDs
      • DTCs and Military
      • Hands-on: Query and clear DTC codes
      • Pull VIN from ECU
    • Intro to CAN Bus
      • Packet Structure
      • CAN data is unique per make/model
      • Adding a GUI to SocketCAN
      • Overview of reversing methodologies
      • Hands-on ICSim
        • Reverse door unlock codes
        • Reverse Turn signals
        • Reverse Speedometer
    • Overview of Engine Control Units
      • The "brains" of a car
      • How to build an ECU test bench
      • ECU Wiring diagrams
      • Test Bench setup, simulating engine signals via HW
    • Open Garages
      • Overview of Open Garages
      • How to find or start your own Open Garages
      • Final bonus hands-on: SuperTuxKart hacking
    Day 2
    • How to weaponize CAN findings
      • Botnet video demo
      • Determine Host
        • ISO-TP UDS Queries
        • Passive monitoring
    • Writing assembler to make any payload usable in shellcode
      • Quick Intro to assembler for the target arch
      • Assembler code to trigger a one-time CAN packet
      • Cleanup code to eliminate NULLs
      • Assembler code to send a constant CAN signal
      • Busybox demo
    • Immobilizer hacking and “hotwiring”
      • Intro to immobilizer tech
      • Crypto attacks
      • Current trends in attacking keyless entry systems
      • Methods to start a vehicle without a key
Bio: Craig Smith is the founder of Open Garages and the author of the Car Hacker’s Handbook. Craig has performed security work with the auto-industry and published independent work for 6 years. He has worked in the security industry for over 15 years and currently runs his own independent security research company, Theia Labs.



Training: Physical Penetration Testing

Trainer: Deviant Ollam

Description: Physical security is an oft-overlooked component of data and system security in the technology world. While frequently forgotten, it is no less critical than timely patches, appropriate password policies, and proper user permissions. You can have the most hardened servers and network, but that doesn't make the slightest difference if someone can gain direct access to a keyboard or worse yet, march your hardware right out the door.

Those who attend this session will leave with a full awareness of how to best protect buildings and grounds from unauthorized access, as well as how to compromise most existing physical security in order to gain access themselves. Attendees will not only learn how to distinguish good locks and access control from poor ones, but will also become well-versed in picking and bypassing many of the most common locks used in North America in order to assess their own company's security posture or to augment their career as a penetration tester.

We provide a full kit of picks, bypassing tools, impressioning gear, and instructional practice locks. Retail value if sourced separately would be over $450. The CORE Student kit includes:

  • A twelve-piece lockpicking toolkit with a varied blend of hooks, rakes, diamonds, and turning tools
  • A set of eight training and practice locks
  • Wafer lock tools and a sample wafer lock
  • A tubular lock pick
  • Door latch bypassing tools
  • A locksmith's impressioning file
  • A pocket microscope & steel key gripper (also for impressioning)
  • A bypass tool for American Lock padlocks
  • A bypass tool for Adams Rite display cabinet locks
  • A multi-wheel combination lock decoder tool
  • Bump keys and a bump hammer
  • A polymer and steel lock mounting stand (for picking and impressioning)
  • A tactical pouch to contain it all when you leave the classroom and put your knowledge into action in the field, because students retain all of these materials after the course concludes
Bio: While paying the bills as a security auditor and penetration testing consultant with his firm, The CORE Group, Deviant Ollam is also a member of the Board of Directors of the US division of TOOOL, The Open Organisation of Lockpickers. Every year at DEFCON and ShmooCon, Deviant runs the Lockpick Village, and he has conducted physical security training sessions for Black Hat, The SANS Institute, DeepSec, ToorCon, HackCon, Shakacon, HackInTheBox, ekoparty, AusCERT, GovCERT, CONfidence, the FBI, the NSA, DARPA, the National Defense University, the United States Naval Academy at Annapolis, and the United States Military Academy at West Point. His favorite Amendments to the US Constitution are, in no particular order, the 1st, 2nd, 9th and 10th.



Training: Diving Into Development of Microsoft Windows Kernel Exploits

Trainer: Nikita Tarakanov

Description: Security of the Microsoft kernel is becoming a hot topic nowadays. With the rise of sandbox technologies, compromising sandboxed applications via kernel vulnerabilities is an attractive approach. Attendees will learn the various internals of kernel exploit development, will face various problems and will learn how to solve them.

COURSE OUTLINE:

Day 1
  • Setting up the environment
  • Basics of Kernel Debugging with Windbg
  • Microsoft Kernel Vulnerabilities Overview
  • Null Pointer Dereference Exploitation
  • Arbitrary Memory Overwrite Exploitation
  • Stack-Based Buffer Overflow Exploitation
Day 2
  • Recent Exploit Mitigation Technologies Overview
  • Pool Overflow/Corruption Exploitation
  • Hardcore Pool Overflow/Corruption Exploitation
  • Race Condition Exploitation
WHO SHOULD TAKE THIS COURSE:

  • People who are interested in developing kernel exploits for Microsoft Windows, as well as those interested in developing sandbox bypass exploits.
STUDENT REQUIREMENTS:

  • Training attendees should be familiar with basic operating system concepts and have hands-on experience using the Windows operating system. Attendees should be familiar with the Win32 API and the C (or a derived) programming language, and have basic knowledge of x86/x86-64 assembly language.
WHAT STUDENTS SHOULD BRING:

  • Hardware
    • 64-bit machine with at least 4GB of RAM (8GB and more is better)
  • Software
    • IDA Pro
    • Visual Studio 2012 (at least Visual C++ Express)
    • Virtualization software
    • VMware Player (at least version 5.0) or Workstation (at least version 9.0)
    • Ability to debug a virtual machine from the host OS or from another virtual machine with Windbg
    • VM samples: Windows 7 32-bit, Windows 7 64-bit, Windows 8 64-bit, Windows 8.1 64-bit, Windows 10 64-bit
WHAT STUDENTS WILL BE PROVIDED WITH:

  • Course slides/book and kernel exploits
Bio: Nikita Tarakanov is a security researcher currently working at Intel, who has previously worked as an IS researcher at Positive Technologies, VUPEN Security, CISS and independently. He likes writing exploits, especially for the Windows NT kernel, and won the PHDays Hack2Own contest in 2011 and 2012. He also tried to hack Google Chrome during Pwnium 2 at HITB2012KUL but failed. He has published a few papers about kernel mode drivers and their exploitation and is currently engaged in reverse engineering research and vulnerability search automation.



Training: Threat Modeling

Trainer: Matt Jones

Description: Threat Modeling for Pragmatic Security Approaches - Threat Modeling is the process of assessing a target application or infrastructure and then building a model that represents the perceived threats it may be facing. This model can prove invaluable for understanding, tracking, and improving security postures and also feed into preparing security activities and security strategies.

While there have been a couple of books and presentations on Threat Modeling, there are limited resources and guidance for applying the concepts in the real world. It can be a daunting and overwhelming task trying to jump into a new Threat Model, so this training will spend a day sharing the theory, war stories, and approaches from years of Threat Modeling work and will include hands-on exercises.

TARGET AUDIENCE:

The training is designed to be accessible to a wide audience and works best with a broad range of attendees from different perspectives and backgrounds. Open discussion is encouraged throughout the day in a relaxed atmosphere where there are no wrong questions or ideas.

The training has components that can delve into quite technical and intricate subjects; however, it is structured to at least promote the concepts and thought processes along the way.

The audience can be a mix of (but not limited to) the following backgrounds:

  • Security testers: individuals performing penetration testing, code reviews, red-teaming, etc.
  • Security consultants: individuals who perform risk assessments, products evaluation, incident response, security solution design.
  • Security managers: security operations managers, CISOs/CTOs looking at preparing pragmatic security roadmaps.
  • Software developers: individuals who work doing software architecture, software development, or QA testing.
  • Students/Enthusiasts: those keen to take a step back and look at security theories and concepts in a new light.
AGENDA:

  • Introduction
    • An introduction to Threat Modeling and a look at previous work.
  • Concepts
    • The basics, approaches, terminology, and current methodologies.
  • Theory
    • A brief run-through on the history of vulnerabilities and security incidents while examining common software architectures and how security practices are often applied in organisations. A key aspect of this theory is to see how security activities and technologies have evolved over the years and seeing their strengths and weaknesses while considering the big picture.
  • Exercises
    • Preparing a threat model for a simple public web application
    • Preparing a threat model for a larger application with several components
    • Preparing a threat model for an entire organization
  • Application
    • A guide for how to grow and use a Threat Model over time, from tracking and collaborating with security activities (e.g. penetration testing) to designing and implementing smart security defenses.
  • Wrap Up
Threat Modeling for Offence and Defence

This second day of training delves into more specific concepts and activities that can be applied by technically minded security professionals from both an offensive and defensive background to help give fresh ideas and concepts that can be applied in practice.

TARGET AUDIENCE:

The training is designed to be a more advanced course for applying Threat Modeling for Offence and Defence, and to help bring perspective and fresh approaches for carrying out more technical security activities.

The training is specifically designed for attendees with the following backgrounds:

  • Security testers: individuals performing penetration testing, code reviews, red-teaming, etc.
  • Security consultants: individuals who perform incident response, security solution design, blue-teaming, etc.
AGENDA:

  • Introduction
    • An introduction and overview on the concepts, theory, and ways Threat Modeling can be applied in practice, recapping the key points from the Applying Threat Modeling for Pragmatic Security approaches day.
  • Offence
    • A run-through of methods by which penetration testers can use Threat Modeling to:
      • Classify and triage target components of an application or infrastructure
      • Simulate different threat actors, running through attack trees while factoring in mindsets, capabilities, and objectives.
      • Testing and validating threat scenarios
  • Defence
    • A run-through of methods by which defenders can use Threat Modeling to:
      • Profiling different threat actors and understanding their associated coverage of your threat model
      • Designing and implementing mitigation methods into attack trees to quickly change the cost of attacks for adversaries.
      • Designing and implementing adversary-specific detection approaches that have low false-positive rates to aid in security monitoring.
  • Exercises
    • An offensive view of a target piece of technology and preparing, maintaining, and testing threat scenarios.
    • A defensive view of the target and designing and preparing mitigation and detection capabilities for threat scenarios
    • A simulated red-team/blue-team exercise referencing the previous exercises and working as a group to test and expand the target threat model.
  • Wrap Up
Bio: Matt runs Volvent Security, specializing in Threat Modeling, low-level code review, and custom security engineering for a mix of interesting clients. He spent several years in Swiss finance as an SME and was responsible for the strategy and technical solutions of their global Threat and Vulnerability Management, developing bespoke security solutions. Since 2003, he has contributed to Ruxcon. Research interests include vulnerability analysis, data mining and machine learning, and security visualization.



Training: Penetration Testing with the Pi

Trainer: Bob Monroe

Description: This workshop will use the tiny, portable Raspberry Pi to cover many of the steps of an OSSTMM penetration test. The steps will be illustrated using different Pi functionality: starting with building out your own Pi for your testing needs and taking it right through exploitation analysis. Everything you learn will be wrapped up by challenges we have prepared for you, including several real-world systems that have to be hacked. If you want to take a deep dive into this new dimension of computing, this workshop will fit your needs!

Each registered student will get a Raspberry Pi 2 (or B+ depending on availability), a touch screen display, a portable keyboard with built-in touchpad and a red laser pointer, a battery pack, and a microSD card with software pre-installed. And you will put it together yourself. So roll up your mental sleeves and bring your data work gloves, because this 2-day class will have you going in hard.

KEY TOPICS COVERED IN THIS COURSE INCLUDE:

  • Raspberry Pi construction and architecture, with focus on security usability and portability
  • Developing, documenting, and testing networks using the OSSTMM testing framework.
  • Reuse of RPi and software architectures for security testing, auditing and forensics.
  • Developing customized tool sets for the RPi based on user needs and future scalability.
These concepts and principles will enable you to construct reusable, extensible, efficient, and maintainable Raspberry Pi security testing systems.

You'll learn techniques to build good role models for structuring your own designs, as well as to clearly articulate the tradeoffs of alternative methods for designing your customized testing systems. OSSTMM testing techniques will show you how to build highly effective security testing software platforms and hardware architectures based on microcomputers. Example uses will include vehicle tracking, WiFi network security analysis, and Man in the Middle attacks with the RPi.

You are expected to be familiar with Linux. Guidance will be available.

Bio: Bob has been working as a writer, researcher, and trainer for ISECOM since May 2012. He maintains updates for our OSSTMM Professional Security Tester certification materials and creates video-based security training with the Raspberry Pi device. He is one of the primary writers for Hacker Highschool, an ISECOM project aimed at teaching teens about security awareness and the profession. Bob's specialty is public teaching and security awareness training. Along with work for the U.S. Army, he has provided security classes for the VA, the Military District of Washington, the Commandant of the Marine Corps and staff, as well as countless others across the world. He holds a U.S. patent for airport security automation technology that combines radar and thermal imaging to protect aircraft movement areas and the surrounding airspace. With well over two decades of experience in cyber security, Bob is always learning something new. His current projects include using microcomputers as security and forensic tools, reviewing technology books for Microsoft Press, Cisco, VMware and Pearson, and working with eForensics, Hakin9 and PenTest magazines as a writer and video presenter.

Bob is a retired US Army Ranger Officer living in Mililani, HI.



Training: Mobile App Hacking - Internet Banking Edition

Trainer: Aditya Modha

Description: Mobile App Hacking is a two-day course on learning how to perform Android and iOS application security assessments based on the “OWASP Top 10 Mobile Risks”. This hands-on training is designed around a dummy internet banking application which contains vulnerabilities that the trainer has observed during his daily application security assessments. The dummy internet banking application has features such as adding a beneficiary account, fund transfer, viewing statements, OTP, PIN and pattern sign-in, etc. to give attendees a real-world application scenario.

COURSE OUTLINE:

Day 1 (Android)
  • Crash course on the Android application permission model, APK file architecture and setting up the emulator
  • Reversing the APK file package
  • Investigating app permissions through manifest file
  • Understanding, patching and runtime debugging smali code
  • Importing SSL certificates and bypassing SSL pinning
  • Intercepting traffic and network activity monitoring
  • Exploring local data store
  • Analyzing system logs
  • Understanding components such as content provider, broadcast receiver and activity
  • Classification of vulnerabilities based on "OWASP Top 10 Mobile Risks"
Day 2 (iOS)
  • Crash course on the process of jailbreaking, IPA file architecture and setting up an iOS device for security assessment
  • Decrypting App Store applications and dumping class headers
  • Local datastore inspection (plist, SQLite, keychain, XML files, etc.)
  • Investigate platform provided security API usage
  • Bypass client-side validations
  • Import SSL certificates and bypass SSL pinning
  • Traffic interception and runtime manipulation
  • Binary patching
Bio: Aditya Modha is a Senior Security Analyst at Lucideus Tech focused on web and mobile applications security assessment. Prior to joining Lucideus, he was a Principal Security Analyst at Net-Square Solutions. He is a computer science graduate and a Microsoft Certified Technology Specialist. He has carried out security assessment of more than 200 web and mobile applications including core banking solutions and middleware applications. He blogs at oldmanlab@blogspot.com.

Aditya was a trainer at the following international conferences:

  • HITB, KL – Extreme Web Hacking Oct. 2013
  • HackCon, Oslo – Advanced Burp Suite March 2014
  • OWASP AppSec EU, Amsterdam – Android App Hacking – Internet Banking Edition
