archive‎ > ‎2015‎ > ‎



Mike Ossmann presenting "Your Ideas are Worthless"

Michael Ossmann is a wireless security researcher who makes hardware for hackers.  Best known for the open source HackRF, Ubertooth, and Daisho projects, he founded Great Scott Gadgets in an effort to put exciting, new tools into the hands of innovative people.

If you're curious to know more about what he means, register now.

Announced Speakers:
Scared Poopless – LTE and *your* laptop
With today’s advancement in connectivity and internet access using 3G and LTE modems it seems we all can have a device that’s always internet capable, including our laptops, tablets, 2 in 1’s ultrabook. It becomes easier to be online without using your WiFi at all.  In our talk we will demonstrate and discuss the exploitation of an internal LTE modem from Huawei which can be found in a number of devices including laptops by HP.

Mickey Shkatov (
@laplinker) is a security researcher and a member of the Intel Advanced Threat Research team. His areas of expertise include vulnerability research, hardware and firmware security, and embedded device security. Mickey has presented some of his past research at DEF CON, Black Hat USA, BruCON, and BsidesPDX

Jesse Michael (@jessemichael) has been working in security for over a decade and is currently a security researcher at a Fortune 50 company who spends his time causing trouble and finding low-level hardware security vulnerabilities in modern computing platforms. 

Hijacking .NET Application Control Flow
This talk will demonstrate attacking .NET applications at runtime. I will show how to modify running applications with advanced .NET and assembly level attacks that alter the control flow of any .NET application. Two tools, Gray Frost and Gray Storm will be shown in real world attack scenarios. These tools allow penetration testers and attackers to carry out advanced post exploitation attacks against the .NET runtime.
This presentation gives an overview of how to use these new open source tools.

Topher Timzen (@TTimzen) has had a research emphasis on reverse engineering malware, incident response and exploit development. He has instructed college courses in malware analysis and memory forensics while also managing a research lab. Focusing on .NET memory hijacking, he has produced tools that allow for new post exploitation attack sequences. Topher is currently a Security Researcher at Intel learning the dark insides of hardware.

Security for non-Unicorns
Security is becoming quite the thing now days, everyone wants to have one of them. The mantra that things should be built with security in mind and can't be plastered on later is a very important one, if you're based in Silicon Valley and are about to write "teh new hotness", but what happens if your company is older than say, 6 months.  You already have some legacy systems and code. I'll be talking about how it's possible to unearth some of these things. What happens when you do uncover these things. How to stop them happening. And coping strategies for dealing with them.

Ben Hughes is a security engineer at Etsy where he protects the yarn from the forces of evil and people with dirbuster.
He's tricked organisers in to letting him speak all over the free world. Partly because of this, he spends a lot of his free time enjoying airports.
He used to live in Portland and now lives in San Francisco so is well aware of the blight of long brunch lines and occasionally having to cope with coffee that isn't single origin.

Ninja Correlation of APT Binaries
Knowledge and identification of Malware binaries is a crucial part of detection and incident response. There was a time when using MD5s was sufficient to ID binaries. The reverse engineering analysis conducted once would be useful anytime that same MD5 hash was seen again. This has rapidly changed in recent years. Polymorphic samples of the same specimen change the file hash (MD5, SHAx etc) without much effort by the attacker. Also, cyber criminals and advanced adversaries reuse their codebase to create newer versions of their malware, but changes in the file hash disallow any opportunity to connect and leverage previous analyses of similar samples by defenders. This gives them an asymmetric advantage.
In recent years, there has been research into “similarity metrics”— methods that can identify whether, or to what degree, two malware binaries are similar to each other. Imphash, ssdeep and sdhash are examples of such techniques. In this talk, Bhavna Soman, Cyber Analyst at Intel Information Security will review which of these techniques is more suitable for evaluating similarities in code for APT related samples. This presentation will take a data analytics approach. We will look at binary samples from APT events from Jan- Mar 2015 and create clusters of similar binaries based on each of the three similarity metrics under consideration. We will then evaluate the accuracy of the clusters and examine their implications on the effectiveness of each technique in identifying provenance of an APT related binary. This can aid Incident responders in connecting otherwise disparate infections in their environment to a single threat group and apply past analyses of the the abilities and motivations of that adversary to conduct more effective response.

Bhavna Soman is a Cyber Analyst and Software Developer for Intel Corporation's APT response team. She works at the intersection of Threat Intelligence, Software and Data Analytics. Bhavna has a Masters degree in Information Security from Georgia Tech. Before joining Intel, she was a Threat Analyst at Damballa.

reverse reverse engineering
Richo will walk attendees through the basic architecture of a traditional AOT compiler and runtime loader, and describe the parallels between this and the operation of a modern bytecode VM (python, ruby, etc). With this newfound knowledge, we'll tackle implementing a tool to reverse engineer a sample of obfuscated ruby. However, instead of analyzing the bytecode directly, we will instead implement a malicious, but otherwise fully functional VM, and use that to explore the various anti-analysis tricks deployed.
By the end of the talk, you will have extended insight into the conceptual inner workings of a compiler, and feel equipped to implement substitutes for the interesting parts of a traditional compilation/loader pipeline to trick opaque objects into telling you how they work, instead of the other way around. While the demos will focus on ruby, the techniques demonstrated are equally applicable to python, etc."

Richö Butts (@rich0h) likes his ducks flat and his instruction sets reduced. He breaks things at Stripe, works on Rust, and will hopefully update his bio before the con.

Attacking Hypervisors via Firmware and Hardware
In this presentation, we explore the attack surface of modern hypervisors from the perspective of vulnerabilities in system firmware, such as BIOS and in hardware emulation. We will demonstrate a number of new attacks on hypervisors based on system firmware vulnerabilities with impacts ranging from VMM DoS to hypervisor privilege escalation to SMM privilege escalation from within the virtual machines.
We will also show how a firmware rootkit based on these vulnerabilities could expose secrets within virtual machines and explain how firmware issues can be used for analysis of hypervisor-protected content such as VMCS structures, EPT tables, host physical addresses (HPA) map, IOMMU page tables etc. To enable further hypervisor security testing, we will also be releasing new modules in the open source CHIPSEC framework to test issues in hypervisors when virtualizing hardware.

Yuriy Bulygin is a Principal Threat Engineer for a Fortune 50 company where he enjoys analyzing security of modern PC, server, mobile, and embedded platforms, advancing research in security threats and protections on those platforms.
Alexander Matrosov has more than ten years of experience with malware analysis, reverse engineering, and advanced exploitation techniques. He is currently a senior security researcher in the Advanced Threat Research team at Intel Security Group. Prior to this role, he spent four years focused on advanced malware research at ESET. He is co-author of the numerous research papers, including Stuxnet Under the Microscope, The Evolution of TDL: Conquering x64, and 'Mind the Gapz: The Most Complex Bootkit Ever Analyzed?' Alexander is frequently invited to speak at security conferences, such as REcon, Ekoparty, Zeronigths, AVAR, CARO, and Virus Bulletin. Nowadays, he specializes in the comprehensive analysis of advanced threats, modern vectors of exploitation, and hardware security research.
Mikhail Gorobets is a security researcher in the Intel Advanced Threat Research team. His area of expertise includes hardware security, virtualization technologies, reverse engineering, and vulnerability analysis. Previously, he led a team of security researchers working on Intel Virtualization Technology (VTx) and Intel Atom core security evaluation. Mikhail holds a MS in computing machines, systems, and networks from the Moscow Institute of Electronics and Mathematics.
Oleksandr Bazhaniuk is a security researcher in the Advanced Threat Research team at Intel, Inc. His primary interests are low-level hardware security, bios/uefi security, and automation of binary vulnerability analysis. His work has been presented at many conferences, including Black Hat USA, Hack In The Box, Hackito Ergo Sum, Positive Hack Days, Toorcon, CanSecWest, Troopers. He is also a co-founder of DCUA, the first DefCon group in Ukraine.

Putting the x & y into SELinux
SELinux is one of the most often ignored and misunderstood security technologies available on the Linux platform, often it is the first thing uninstalled by a Linux Admin after the OS is first installed. With a little knowledge and some TLC SELinux can become one of the strongest tools in your security arsenal. in this talk we will go over the basics of what SELinux is, why you want to use it, go over the basics of how it works and finally we will also talk about tools that can be used to make managing SELinux easier. 

Josh Scott is a Security Professional with over 20 years experience in the IT Industry. Josh mostly works in defensive roles, protecting networks and systems for the evils of the world. He is a lover of Thai Food, gluten free water, and organic Oreos. In his spare time he fights crime as a super hero under the alias Tad McAwesome III. He is also according to his daughters the worlds best dad.

World War Neocities: Providing free web sites to a hostile internet
I built Neocities to bring back the idea of people making their own free web sites, because I have this ""crazy"" idea that internet platforms should be about more than just spied on text boxes and pictures of your idiot friends eating ice cream. And also, I think HTML5/JS/CSS3 have re-enabled the idea of making your own awesome, beautiful, expressive web sites.
But this isn't the 90s. Web browsers that used to be dumb HTML display windows are now loaded weapons, with AJAX and advanced JavaScript enabling all kinds of nefarious craziness. Not to mention warez dumping, virus distribution, phishing attacks, DDoS attacks, comment and web site spam, controversial security disclosures, and all other sorts of ""fun"" we've had to deal with. Oh, and the 50kb of JavaScript that took down the President of Mexico's web site.
Most people thought Neocities would last a month. So did I. But I aggressively worked to solve these problems from day one, and to everyone's amazement (including mine, honestly) we actually succeeded.
Now I'm here to show how you can do it too, without resorting to expensive solutions and extra employees. After this talk, you'll have the crash course you need on what it takes to host free content on the hostile internet. And then you'll hear about how we're working to implement the Distributed Web with IPFS, and why I think it's the future of the web.

Kyle Drake is a tech entrepreneur working to bring back the lost art of amateur personal websites with Neocities.
When not working on Neocities, Kyle helps to build the open source communities, including early work on BitcoinJS, Portland hackerspaces, and providing early advice and support to startups.
Some of Kyle’s varied interests include software architecture, simplicity, API design, economics, improved startup business models, tech sustainability, and weird ways to look at old problems.

BYOL to elementary school
We wanted more technology in our 5th grade classroom and the school district had spare laptops that were too old to be re-deployed... a perfect match! This talk is by a 6th grade student in the Beaverton school district who led a group of fellow students to take 15 old laptops, replace their operating system with Linux, and deploy them in a 5th grade classroom.
We will cover background info, the build process, how the laptops were used in the classroom, and lessons learned.

Finn Rutis is an almost-12-year-old advocate of all things technology. His current interests are learning the ins-and-outs of linux, 3D printing, bitcoin mining, running a minecraft bukkit server, hacking game consoles, playing video games, doing voice overs online, and making videos.
NSA Playset: Bridging the Airgap without Radios
The NSA ANT catalog contains a number of hardware implants that enable communication, command and control, and data exfiltration over alternate channels that would not typically be monitored. The listed tools fall short when it comes to exfiltrating data from particularly secure or heavily monitored, or radio hostile locations.
This talk introduces a new addition to the NSA Playset. BLINKERCOUGH is inspired by some of the capabilities described in the ANT catalog and expands upon the features of CHUCKWAGON in a number of ways. BLINKERCOUGH is implanted inside an unremarkable cable and communicates optically to jump air gaps, escape faraday cages, and communicate out-of-band with zero radio footprint. This talk will outline the development of the hardware, present several use cases, and demonstrate its use to escape a faraday cage.

Michael (@r00tkillah) has done hard-time in real-time. An old-school computer engineer by education, he spends his days championing product security for a large semiconductor company. Previously, he developed and tested embedded hardware and software, dicked around with strap-on boot roms, mobile apps, office suites, and written some secure software. On nights and weekends he hacks on electronics, writes Bsides CFPs, and contributes to the NSA Playset.

Jtagsploitation: JTAG to Root, 5 Ways
JTAG comes up in nearly every hardware-related hack. In order to do anything via JTAG, you generally need a hardware debugging device that connects to anything from a standard header to undocumented test points scattered around a device. JTAG access is almost always 'game over' but it's not always clear how to turn that hardware access into privileged software access on the system.
This talk will enumerate a number of different ways to turn a 'check' for jtag access into the 'checkmate' of root shell access. Each example will demonstrate a unique method for getting root access via JTAG. Each method is also general enough to be broadly applicable across different hardware architectures and implementations. Example code and scripts will be released at the talk.

Joe FitzPatrick (@securelyfitzhas spent a decade working on low-level silicon debug, security validation, and penetration testing of CPUS, SOCs, and microcontrollers. He develops and delivers hardware security training at, including Applied Physical Attacks on x86 Systems. In between, he keeps busy with contributions to the NSA Playset and other misdirected hardware projects, which he presents at all sorts of fun conferences.
Matt (@syncsrc) is a hardware designer and security researcher who has over a decade of experience designing, securing and exploiting hardware test and debug features on CPUs and SoCs. When not performing pointless hardware tricks Matt tries to help educate integrated circuit designers on the risks posed by hardware debug capabilities.

Tunnel Vision
DNS Tunnels are teh new hotness for persistence. Here's how to spot them!

I'm shadejinx. I find needles in haystacks of needles.

The State of Bug Bounty
2015 saw unprecedented participation in crowdsourced bug bounty programs, as big technology vendors like Google, Facebook and even Tesla have embraced the need for bug bounty programs. Across the
board, bug bounties saw a sharp rise in both popularity and accessibility. For the first time, companies beyond the enterprise technology space have been able to participate in wide scale public or private bug bounties.
In this talk, Leif will outline the findings from a three year report that analyzes vulnerability and community data to demonstrate the rapid evolution of the bug bounty economy. 
Drawing from more than 50,000 bug submissions and an ever-expanding researcher community totaling more than 20,000 researchers, attendees will learn about the top vulnerabilities
found, the fluctuating value of a bug, who the researchers are and general trends observed like the growth of invitation-only programs. In addition, Leif will cover best practices for attendees looking to start their own bug bounty program.

As Senior Security Engineer at Bugcrowd, Leif Dreizler works to customize and support security testing solutions for Bugcrowd clients. Prior to Bugcrowd, Leif spent over two years as the Senior Application Security Engineer at Redspin, performing application security assessments. He also served as the Application Security Team Lead, liaising with clients at the engineering and sales level. 
Leif is an OWASP speaker and member, and contributed to the Firebug project in 2014. A regular presenter at security conferences and meetups, he recently spoke at BSidesSF, NY Information Security Meetup and OWASP Los Angeles and Boston, and will be speaking at (ISC)² Security Congress and BSides Raleigh in October 2015. Leif is a graduate of the University of California, Santa Barbara with a Bachelor’s Degree in Computer Science.

Distributing The Reconstruction Of High-level Intermediate Representation For Large Scale Malware Analysis
Malware is acknowledged as an important threat and the number of new samples grows at an absurd pace. Additionally, targeted and so called advanced malware became the rule, not the exception. Analysts and companies use different degrees of automation to be able to handle the challenge, but there is always a gap. Reverse engineering is an even harder task due to the increased amount of work and the stricter time-frame to accomplish it. This has a direct impact on the investigative process and thus makes prevention of future threats more challenging.
In this work, the authors discuss distributed reverse engineering techniques, using intermediate representation (thanks Hex-Rays team for support us in this research) in a clustered environment. The results presented demonstrate different uses for this kind of approach, for example to find algorithmic commonalities between malware families.
A higher level abstraction of the malware code is constructed from the abstract syntax tree (ctree) provided by Hex-Rays Decompiler. That abstraction facilitates the extraction of characteristics such as domain generation algorithms (DGA), custom encryption and specific parsers for configuration data. In order to reduce the number of false positives in some C++ metadata identification, such as virtual function tables and RTTI, the authors created the object-oriented artifacts directly from the analyzed malware.
The extracted characteristics of 2 million malware samples are analyzed and the presented results provide a rich dataset to improve malware analysis efforts and threat intelligence initiatives. With that dataset, other researchers will be able to extract a ctree from new samples and compare to the millions we performed.
As an additional contribution, the gathered representation together with all the raw information from the samples will be available to other researchers after the presentation; together with additional ideas for future development. The developed Hex-Rays Decompiler plugin and analysis/automation tools used to extract the characteristics will also be made available to the audience on Github."

Rodrigo Rubira Branco (@BSDaemon) is a Principal Security Researcher at Intel, responsible for driving security assurance of targeted security technologies in core client products and for SeCoE hackathon initiatives within Intel. Prior to joining Intel, he held positions at various companies in the security industry, such as IBM, Check Point, Coseinc, and Qualys. In 2011, he was honored as one of the top contributors to annual Adobe Vulnerabilities. He is part of the technical committee for the Brazilian Department of Cyber-Defense (CDCiber) and for many security conferences, such as Hackito, LACSEC, PHDays. He is a member of the RISE Security Group and is the organizer of the Hackers to Hackers Conference (H2HC), the oldest security research conference in Latin America. He is an active contributor to open-source projects and has given keynotes and spoken at numerous security and open-source related events, including Black Hat, Hack in The Box, XCon, VNSecurity, OLS, Defcon, Hackito, Ekoparty, Troopers, and many others.
Gabriel Negreira Barbosa works as a Senior Security Researcher at Intel. Previous to that, he worked as a security researcher of the Qualys Vulnerability & Malware Research Labs (VMRL). He received the Msc title by Instituto Tecnol_gico de Aeronutica (ITA), where he also worked in security projects for the Brazilian government and Microsoft Brazil.
Eugene Rodionov (contributor, but will not be at BsidesPDX) graduated with honours from the Information Security faculty of the Moscow Engineer-Physics Institute (State University) in 2009 and successfully defended his PhD thesis in 2012. He has worked over the past five years for several companies, performing software development and malware analysis. He currently works at ESET, where he is involved into internal research projects and also performs in-depth analysis of complex threats. His interests include kernel-mode programming, anti-rootkit technologies and reverse engineering. Eugene has spoken at security conferences such as REcon, Virus Bulletin, Zeronights, CARO and AVAR, and has co-authored numerous research papers.
Alexander Matrosov has more than ten years of experience with malware analysis, reverse engineering, and advanced exploitation techniques. He is currently a senior security researcher in the Advanced Threat Research team at Intel Security Group. Prior to this role, he spent four years focused on advanced malware research at ESET. He is co-author of the numerous research papers, including Stuxnet Under the Microscope, The Evolution of TDL: Conquering x64, and 'Mind the Gapz: The Most Complex Bootkit Ever Analyzed?' Alexander is frequently invited to speak at security conferences, such as REcon, Ekoparty, Zeronigths, AVAR, CARO, and Virus Bulletin. Nowadays, he specializes in the comprehensive analysis of advanced threats, modern vectors of exploitation, and hardware security research.

The Linux Audit Framework
The Linux audit framework as shipped with many Linux distributions system provides a framework that reliably collects information about any security-relevant events. The audit records can be examined to determine whether any violation of the security policies has been committed, and by whom. Linux audit helps make your system more secure by providing you with a means to analyze what is happening on your system in great detail. It does not, however, provide additional security itself—it does not protect your system from code malfunctions or any kind of exploits. Instead, Audit is useful for tracking these issues and helps you take additional security measures to prevent them. This session provides a basic understanding of how audit works, how it can be set up, and how to use various utilities to display, query and archive the audit trail and how Linux Audit can be part of any overall Defense in Depth strategy.

Gary Smith started out his professional career as a chemist/materials engineer. His start down the path to the Dark Side of Computing began when he wrote a program to design an optimal extruder screw rather than face thousands of calculations with a slide rule (yes, a slide rule.) Since then, he's done a lot of different things in computing: microprocessor cross assemblers and simulators, disk device drivers, communication device drivers, TCP/IP hacking and multi-threaded printer spoolers. Always a glutton for punishment, he wrote his own from scratch. Around 1993, Gary started doing computer security when the semiconductor company he was working for was forced to get on the Internet to send/receive Integrated Circuit designs faster and a firewall/Internet gateway was needed. Since then, Gary's been involved in firewalls, intrusion detection and analysis, vulnerability assessments, system and application hardening, and anti-spam filters. Gary really does computer security to support his bicycling habit. He has more bikes than most other people have computers. And they're a lot more expensive. Gary says "Bikes are like computers: both can crash, sometimes with disastrous results to the user.

You Don't Have To Be Scared of the 'Net
Being able to be active on the internet even after being stalked is a valuable thing. We all seek connection but it can be scary after dealing with someone who wants to steal your privacy. Despite having been stalked I have been able to have a life on social media, allowing me to stay connected to my friends and family. This is a serious issue that plenty of people have experienced over the years and it is a shame when we feel cannot put ourselves out there. I feel that is important we are able to live our lives as we want to and not have to succumb to the wild whim of others.

The takeaways:
-You can live safely and sanely on the internet
-You don't have to give up your social life OR your contact with friends.
-being smart and safe isn't as hard as you think!
-you can be more than just a faceless egg on Twitter
-share smart for your well-being

Letta is a newly minted Front End Developer, who also loves the magic behind the scenes. Outside of web development, Letta loves wine, musicals, and cooking good food. She is known for her warm, friendly personality and her love of all things geeky.