BSidesLV has ended
Thank you for joining us for our 5th Anniversary celebration! We certainly hope you enjoy the conference. Here’s to Education, Collaboration, and Community!

Remember, we don’t take ourselves too seriously and you shouldn’t, either! To quote the old motto of another collaborative community, "We trick into learning with a laugh".

We wish you both laughter and learning - and lots of both!

-= Team BSidesLV 

Sign up or log in to bookmark your favorites and sync them to your phone or calendar.

Breaking Ground [clear filter]
Tuesday, August 5

11:00 PDT

USB write blocking with USBProxy
"USB mass storage devices are some of the most common peripherals in use today. They number in the billions and have become the de-facto standard for offline data transfer. USB drives have also been implicated in malware propagation (BadBIOS) and targeted attacks (Stuxnet).

A USB write blocker may help to prevent some of these issues and allow researchers to examine the content of the attempted writes. USBProxy allows us to build an external write blocker using cheap and widely available hardware that will be undetectable by the host system."


Dominic Spill

Dominic Spill has been building packet sniffers and researching wireless security since 2007. He has been a security researcher and the lead developer for Ubertooth for the past two years while also working on Daisho, FCC.io and USBProxy.

Tuesday August 5, 2014 11:00 - 12:00 PDT
Tuscany Suites 255 E. Flamingo Rd. Las Vegas, NV

12:00 PDT

Allow myself to encrypt...myself!
"At BSides LV 2013, I shared a dream…of a day when all-the-things would be endowed with…with huge…encryption! YES! BIG ENCRYPTION! Where NSA is spelled with F & U! Of a future where I can share my data without sacrificing ownership, confidentiality, or anything else. Where my memes and social awkwardness will be appreciated! Um…seriously though, we played “fantasy defense-in-depth”, sacrificed an “admin dude” dressed like the black knight, and generally shocked the world that the internet isn’t a safe place.

Wait…ok…now seriously, we explored why the “escalation of weaponry” means defense is futile; why the networks of the future, pervasive ubiquity, and other unknowns won’t fit into a secure perimeter; that we need to protect data over devices; that if we can’t control how our data is transmitted, processed, or stored we need to figure out how to protect it!

Can we create data resilient to attack even when the host it resides on is compromised? How do we not lose availability or the ability to share & collaborate with others? We were on the trail last year, but now we think we have a solution & can’t wait to show you! Fast forward 1 year & we have possibly the first open source destined & patent protected comprehensive framework for data protection. It’s a big idea with big challenges destined for failure without your input and expertise so come join the conga line to crazy town!"


Evan Davison

Sr. Engineer, FireEye/Mandiant
With hardly any experience in anything worth discussing, Evan is a frustrated and jaded security professional tired of responding to incidents and data owners in a broken mantra…"I told you so! Oh, you agree? Then WTF!" After a certification binge and stint at corporate ladder climbing... Read More →

Tuesday August 5, 2014 12:00 - 13:00 PDT
Tuscany Suites 255 E. Flamingo Rd. Las Vegas, NV

14:00 PDT

What reaction to packet loss reveals about a VPN
Suppose there is a stream of packets coming through your gateway, their contents apparently encrypted. They may be from
a standard VPN such as OpenVPN or an IPSec implementation running over some non-standard ports or protocol, but you
missed the initial negotiation that could tell you what sort of a VPN that might be. Can you still find out what
software stack and what cipher are being used?

We found out that, if you introduce a periodic disturbance to an encrypted VPN connection, you can fingerprint the VPN
and, in particular, the cipher using nothing but packet timings of typical file transfers. We found out also that many
things we take for granted aren't necessarily true - e.g., that double encryption may not be better for resisting
fingerprinting, and that the most common encryption algorithms differ more in performance than one would think they do.

We believe that the fingerprinting signatures are due to the interactions between the cryptographic and the network
layers of the VPN, the cross-layer effects that have been largely overlooked to date. Our findings suggest that these
interactions between the layers of a VPN implementation should be studied and taken into account to protect
implementations against information leaks.


Sergey Bratus

Sergey Bratus is a Research Assistant Professor of Computer Science at Dartmouth College. He sees state-of-the-art hacking as a distinct research and engineering discipline that, although not yet recognized as such, harbors deep insights into the nature of computing. He has a Ph.D... Read More →

Anna Shubina

Anna Shubina chose “Privacy” as the topic of her doctoral thesis and was the operator of Dartmouth’s Tor exit node when the Tor network had about 30 nodes total. Sergey Bratus is a research associate professor at a college in Northern Appalachia, looking for bright and wonderful... Read More →

Tuesday August 5, 2014 14:00 - 15:00 PDT
Tuscany Suites 255 E. Flamingo Rd. Las Vegas, NV

15:00 PDT

Untwisting the Mersenne Twister: How I killed the PRNG
"Applications rely on generating random numbers to provide security, and fail catastrophically when these numbers turn out to be not so “random.” For penetration testers, however, the ability to exploit these systems has always been just out of reach. To solve this problem, we've created “untwister:” an attack tool for breaking insecure random number generators and recovering the initial seed. We did all the hard math, so you don't have to!

Random numbers are often used in security contexts for generating unique IDs, new passwords for resets, or cryptographic nonces. However, the built-in random number generators for most languages and frameworks are insecure, leaving applications open to a series of previously theoretical attacks.

Lots of papers have been written on PRNG security, but there's still almost nothing practical you can use as a pentester to actually break live systems in the wild. This talk focuses on weaponizing what used to be theoretical into our tool: untwister.

Let's finally put rand() to rest."


Dan 'AltF4' Petro

Dan Petro is a Senior Security Analyst at Bishop Fox (formerly Stach & Liu), a security consulting firm providing IT security services to the Fortune 500, global financial institutions, and high-tech startups. In this role, he focuses on application penetration testing and secure... Read More →

Tuesday August 5, 2014 15:00 - 16:00 PDT
Tuscany Suites 255 E. Flamingo Rd. Las Vegas, NV

16:00 PDT

Anatomy of memory scraping, credit card stealing POS malware
Cedit card stealing RAM scraper malware is running amok compromising point-of-sale (POS) systems. Recent breaches have shown that exposure to such attacks is high and there is a lot at risk. This presentation shows how the attack is carried out by looking at the nuts-and-bolts of a home grown malware sample. During the demo we will pretend to be the bad guy and steal information from the belly of the POS process. Then we switch hats, expose the malware to multiple environmental hazards to study its behavior and identify strategies that can be implemented to make it hard for the malware to behave correctly and deter the bad guys. If all goes well, you will walk away with RAM scraping and prevention mojo.

avatar for Amol Sarwate

Amol Sarwate

Director of Vulnerability and Compliance Labs, Qualys Inc.
As Director of Vulnerability Labs at Qualys, Amol Sarwate heads a worldwide team of security researchers who analyze threat landscape of exploits, vulnerabilities and attacks. He is a veteran of the security industry who has worked for the last 15 years on firewalls, vulnerability... Read More →

Tuesday August 5, 2014 16:00 - 17:00 PDT
Tuscany Suites 255 E. Flamingo Rd. Las Vegas, NV

17:00 PDT

Cluck Cluck: On Intel's Broken Promises
Cluck Cluck presents an architectural, OS-independent method for accessing arbitrary physical memory from kernel shell-code or forensics memory acquisition tools where the virtual addresses of the paging structures are not known -- 'breaking out' of virtual memory. Currently, the virtual address for the page directory is hard coded in the kernel, but this is specific to each OS and version thereof. Cluck Cluck solves the chicken and egg problem (needing access to the page structures to gain access to the page structures) at an OS-independent, architectural level, highlighting how a newer Intel feature violated existing guarantees.

avatar for Jacob Torrey

Jacob Torrey

Jacob Torrey is an Advising Research Engineer at Assured Information Security, Inc, where he leads the Computer Architectures group and acts as the site lead for the Colorado branch. Jacob has worked extensively with low-level x86 and MCU architectures, having written a BIOS, OS... Read More →

Tuesday August 5, 2014 17:00 - 18:00 PDT
Tuscany Suites 255 E. Flamingo Rd. Las Vegas, NV
Wednesday, August 6

10:00 PDT

A Better Way to Get Intelligent About Threats
There is a lot of talk about sharing and the security of our data. A recent Ponemon Report on Exchanging Cyber Threat Intelligence states that current threat sharing mechanisms are broken. Data is not timely enough, scalable or actionable as it often lacks context to a type of threat or actor. Today, government, military, and private organizations do share through unofficial channels (spreadsheets, email listservs, and “fight clubs”), but the time has come for security teams to have a tool to aggregate and analyze the influx of data coming in. More than a feed, and more than a SIEM, the future of threat intelligence lies in the threat intelligence platform.

A threat intelligence platform should achieve many things, but most importantly it should offer a singular platform to aggregate, analyze, and act on threat intelligence data as well as offer options for context, sharing, and privacy. Any mature security organization should consider how and from where they are gathering their data, and what they then do with it.

Attend this session to learn what a threat intelligence platform is and why you need one, and the real-life use-cases to sharing data, keeping it private to only those you wish to share with, and the benefit to collaboration at a large scale to achieve a predictive defense and ensure your threat data is being optimized to the fullest.


Adam Vincent

CEO, Cyber Squared Inc.
Adam is an internationally renowned information security expert and is currently the CEO and a founder at Cyber Squared Inc. He possesses over a decade of experience in programming, network security, penetration testing, cryptography design & cryptanalysis, identity and access control... Read More →

Wednesday August 6, 2014 10:00 - 11:00 PDT
Tuscany Suites 255 E. Flamingo Rd. Las Vegas, NV

11:00 PDT

Bring your own Risky Apps
BYOD is a cute and harmless-sounding acronym for a trend that is in reality introducing exponentially more risk to end-users and organizations. The common refrain is to seek out and secure your smartphones and tablets from malware and other malicious software which can wreck havoc on a device and completely ruin its integrity. However, BYOD is about more than just introducing hardware; it also brings the issue of BYOApps. Layers of protection covering both the device operating system as well as the apps running on it is required to have a comprehensive solution to combat this problem, which is actually deeper than it seems.

In this co-hosted 45 minute presentation, we will present several real-world case studies of:

- How easy it is to App side-jack to gain root (Jailbreak)
- How a popular app like Flappy Bird can be trojan-ized to defeat two factor authentication.

While the industry loves to talk about sexy malware exploit scenarios, few are exploring the risks that BYOD and BYOApps are introducing, by bringing apps that are hungry for user/private data into the workplace.

Does a flashlight app really need access to a corporate address book or calendar? Should a doc-signing app transmit passwords in clear-text? Should a productivity app have access to corporate email attachments and be able to store them to DropBox? As we scratch beneath the surface, the real security issue is deeper rooted in policy decisions that now must be made on which app behaviors should be allowed in an enterprise environment.

BYOD has really become BYOApps, bringing with it a new layer of complexity with risks outside of obvious issues like malware. Organizations must make policy decisions about behaviors in apps and look for ways to enforce customized policy. A new approach defines the future of how mobile threats will need to be addressed in an automated and scalable way.

avatar for Domingo Guerra

Domingo Guerra

President & Founder, Appthority
Domingo Guerra is the President and Co-founder of Appthority. Domingo was born and raised in Monterrey, Mexico, and moved to the United States at age 18 to pursue his passion for technology. Domingo is a weekly contributor to the Appthority App Security blog and authors Appthority's... Read More →
avatar for Michael Raggo

Michael Raggo

Director, Security Research, MobileIron, Inc.
Michael T. Raggo, Director of Security Research, MobileIron, Inc. has over 20 years of security research experience. His current focus is threats and countermeasures for the mobile enterprise. Michael is the author of “Mobile Data Loss: Threats & Countermeasures” and “Data Hiding... Read More →

Wednesday August 6, 2014 11:00 - 12:00 PDT
Tuscany Suites 255 E. Flamingo Rd. Las Vegas, NV

12:00 PDT

Invasive Roots of Anti-Cheat Software
Some of the most sophisticated rootkit behaviors are implemented by today's anti-cheat gaming software, in a constantly evolving game of cat and mouse. Game hackers often look for flaws in a system or program’s logic, seeking to exploit them for their own performance gains. As cheats evolve to evade detection, so do the anti-cheat software products, employing hooking mechanisms to catch the newest subversions. Often the effectiveness of an anti-cheat implementation will affect legitimate users’ enjoyment (no one likes to play with cheaters, even cheaters themselves!), making it highly profitable for game developers to focus on improving this technology and expediently identifying game hackers. As a natural consequence, anti-cheat software has grown more invasive and intrusive. For example, a recent version of VAC (Valve's Anti-Cheat Software) was found to scrape gamers' system DNS cache in order to spot commercial game cheats and ban users. Just what else is being extricated from our gaming systems and which products are the worst offenders?

By analyzing system memory, several anti-cheat software implementations will be isolated. With a cadre of reverse engineers, we will walk through just how these products are monitoring for game hacking behavior and if any of these techniques call into question aspects of their End User License Agreements.


Alissa Torres

Alissa Torres is a certified SANS instructor, specializing in advanced computer forensics and incident response. Her industry experience includes serving in the trenches as part of the Mandiant Computer Incident Response Team (MCIRT) as an incident handler and working on a internal... Read More →

Wednesday August 6, 2014 12:00 - 13:00 PDT
Tuscany Suites 255 E. Flamingo Rd. Las Vegas, NV

14:00 PDT

Vaccinating Android
Number of mobile applications is rising and Android still holds large market share. As these numbers of applications grow, we need better tools to understand how applications work and to analyze them. There is always a question if we can trust mobile applications to do only that they are allowed to do and if they are really secure when transmitting our personal information to different servers. In the presentation some runtime techniques will be discussed and a tool will be released that offers two approaches to analyze Android applications. Basic principle of first approach is injecting small piece of code into APK and then connect to it and use Java Reflection to runtime modify value, call methods, instantiate classes and create own scripts to automate work. The second approach offers much the same functionality, but can be used without modifying an application. It uses Dynamic Dalvik Instrumentation to inject code at runtime so that modifying of APK's isn't necessary. Tool is Java based and simple to use, but offers quite few new possibilities for security engineers and pentesters.


Milan Gabor

CEO, Viris
Milan Gabor is a Founder and CEO of Viris, Slovenian company specialized in information security. He is security professional, pen-tester and researcher. Milan is a distinguished and popular speaker on information security. He has previously been invited to speak at various events... Read More →

Wednesday August 6, 2014 14:00 - 15:00 PDT
Tuscany Suites 255 E. Flamingo Rd. Las Vegas, NV

15:00 PDT

Security testing for Smart Metering Infrastructure

In July 2010, BC Hydro, the electric utility and grid operator of British Columbia began implementation of its Advanced Metering Infrastructure (AMI) program, formally known as the Smart Meter & Infrastructure (SMI) program. The SMI program transformed BC Hydro from a traditional metering utility to a smart metering utility by implementing smart meters on the customer service points. It was the first step in the smart grid transformation.


An AMI program requires the introduction of many new devices and applications into a utility’s infrastructure.  Some of these devices and software may have never been deployed before anywhere in the world. Many are field deployed, outside of the utility’s physical and cyber security perimeters.


Security teams within utilities need to take responsibility for the end to end security of an AMI program. Traditional approaches may not be sufficient to deliver this security.  A new approach including pen testing specialist and third party labs may form an important part of this security.


A standards based approach will be required to ground the security and penetration testing both in best practice and in a common set of principles that utility and its partners can accept. The Advanced Metering Infrastructure (AMI) Risk Assessment document prepared by the Advanced Metering Infrastructure Security (AMI-SEC) Task Force can form the basis for creation of the test plans. This document has since been passed to the National Institute of Standards and Technology (NIST) Cyber Security Working Group and was integrated into NIST IR 7628. NIST IR 7628 contains a comprehensive list of possible threats to AMI systems.


For successful outcomes it is important to consider emerging new factors.  These are discussed in the presentation.


Robert Hawk

Principal Consultant, RBH Enterprises
Robert Hawk began working as a Private Investigator and Security Consultant in the metropolitan Vancouver area in 1988. In 1995 Mr. Hawk began working in the Information Technology and Information Systems. Now specializing in the fields of Information Systems Security, Computer Security... Read More →

Steve Vandenberg

Security Team Lead, British Columbia Hydro
Steve Vandenberg has held a variety of technical and leadership positions with General Electric, Hess, the US State Department and BC Hydro, the British Columbia electric utility. Steve has worked in the Middle East, Asia, Europe and the Americas in the areas of SCADA and Controls... Read More →

Wednesday August 6, 2014 15:00 - 16:00 PDT
Tuscany Suites 255 E. Flamingo Rd. Las Vegas, NV

16:00 PDT

The Savage Curtain
Mobile, the Final Frontier. These are the voyages of two researchers. Their 45 minute mission: to explore strange new apps, seek out new mobile SSL bugs and new SSL implementation flaws, to boldly go where no man has gone before. We'll trek across the mobile landscape showing numerous mobile failures, related to encryption.

avatar for Tushar Dalvi

Tushar Dalvi

Senior Information Security Engineer, Vulnerability Research & Assessment, LinkedIn
Tushar loves breaking web applications and ceramic bowls. Tushar Dalvi is a security enthusiast, a pool hustler and currently works as a Senior Information Security Engineer at LinkedIn. He specializes in the area of application security, with a strong focus on vulnerability research... Read More →
avatar for Anthony Trummer

Anthony Trummer

Tony has been working in the IT industry for nearly 20 years and has been focused on application security for the last 5 years. He is currently a penetration tester for LinkedIn, running point on their mobile security initiatives. Prior to LinkedIn, he has worked for Warner Bros Advanced... Read More →

Wednesday August 6, 2014 16:00 - 17:00 PDT
Tuscany Suites 255 E. Flamingo Rd. Las Vegas, NV

17:00 PDT

We Hacked the Gibson! Now what?
IBM has been touting the security of the mainframe for over 30 years. So much so, that the cult of mainframers believes that the platform is impenetrable. Just try showing how your new attack vector works and you'll be met with 101 reasons why it wouldn't work (until you prove them wrong of course). This talk will take direct aim at the cultist! Previous talks about mainframe security only got you to the front door. Leaving many asking 'great, I got a userid/password, now what?!'. That's what this talk is about: the ‘Now what’. You'll learn a few new techniques to penetrate the mainframe (without a userid/password) and then a bunch of attacks, tricks and mischief you can do to further maintain that access, find important files and really go after the mainframe. During this very Demo Heavy talk you'll learn how to take advantage of APF files, SSL key management, cgi-bin in TYooL 2014, what NJE is and why it's bad, why REXX and SETUID are dangerous and how simple backdoors still work (and will likely go undetected).

avatar for Soldier of FORTRAN

Soldier of FORTRAN

Supreme Commander, Zed Security
Soldier of Fortran is a mainframe hacker. Being a hacker from way back in the day (BBS and X.25 networks) he was always enamored by the idea of hacking mainframes. Always too expensive and mysterious he settled on hacking windows and linux machines, until 2010 when he finally got... Read More →

Wednesday August 6, 2014 17:00 - 18:00 PDT
Tuscany Suites 255 E. Flamingo Rd. Las Vegas, NV