BSides 2024 - Friday, July 12, 2024 at Virginia Western Community College
BSides Roanoke 2024 will be held at Virginia Western Community College on Friday, July 12, 2024 in the Whitman Theater located in the Hall Family Business/Science Building.
Tickets are available for purchase now!
Introduction
Join us for an exciting lineup of security talks & demos featuring regional IT/security experts and thought leaders — all deep diving into various cybersecurity topics that are currently shaping our ever-changing cybersecurity landscape. From Randy Marchany’s keynote on the enduring nature of IT-evolution to Logan Diomedi’s talk on how Microsoft’s SCCM can be turned and used against you, to talks on the Flipper-zero/RF signal hacking, and social engineering deception tactics. Learn how blackhat attackers are currently attempting to gain access to your networks and systems, and how to fortify your defenses against them. Other talks include Jupyter anomaly detection, the dangers of Linux/eBPF, next-level password cracking, infrastructure encryption strategies, and much more. We even have a live Capture the Flag with RF badge challenges and Zeek network vulnerability analysis with awards and prizes! We even have all day coffee and lunch provided. Don’t miss out on this opportunity to expand your knowledge and network with other IT-Security peers and vendors!
Agenda
We’ve got four key areas to explore throughout the event:
-
Auditorium This is your center stage for knowledge bombs! Catch the inspiring keynote address and insightful closing comments here.
-
DefSec Room Buckle up for the second talk track. This room will be buzzing with workshops and presentations focusing on defensive security practices.
-
CTF Arena Calling all codebreakers! The Virginia Cyber Range is hosting a thrilling Capture the Flag (CTF) competition in this dedicated space. Put your hacking skills to the test!
-
Sponsor & Cafeteria Hub Mingle with our esteemed sponsors and fuel up for the day! This area features delicious food and drinks to keep you energized, alongside booths from the companies who make BSides Roanoke possible.
The breakdown of schedule by room is below.
Auditorium
| Begin | End | Topic | Speaker |
|---|---|---|---|
| 9:00 | 9:30 | Opening Comments | BSides Host |
| 9:30 | 10:15 | Keynote: The More It Changes, the More It Stays the Same | Randy Marchany |
| 10:25 | 11:10 | Talk: Encrypting Your Infrastructure Without Getting Fired | Matt Moen |
| 11:20 | 12:05 | Talk: Deception inception is met with hilarious reception | Justin Varner |
| 12:15 | 1:00 | Lunch Break | Go to the cafeteria across from the auditorium |
| 1:10 | 1:55 | Talk: Taking over Enterprise Networks via SCCM | Logan Diomedi |
| 2:05 | 2:50 | Talk: eBPF: The Double-Edged Sword of Linux Security and Malware | David Mitchell (digish0) |
| 3:00 | 3:45 | Talk: Cyber Risk Quantification – Pitfalls and Fixes | Charlene Deaver-Vazquez |
| 3:55 | 4:40 | Talk: Ek47 – Payload Encryption with Environmental Keys | Kevin Clark and Skyler Knecht |
| 4:50 | 5:35 | Talk: Post Quantum Cryptography: A Mundane-12 Powerball Dot Upgrade to Your Entire Life and Everything! | Schr0ding3r |
| 5:45 | 6:30 | Closing Comments | BSides Host |
DefSec Room
| Begin | End | Topic | Speaker |
|---|---|---|---|
| 9:00 | 9:30 | Opening Comments | BSides Host |
| 10:25 | 11:10 | Talk: Leveling Up Password Cracking | James “Jimmy” Ririe |
| 11:20 | 12:05 | Talk: Analyzing android APKs using static and dynamic analysis | Hristo Asenov |
| 12:15 | 1:00 | Lunch | Go to the cafeteria across from the auditorium |
| 1:10 | 1:55 | Talk: Beyond the Flipper - A guide to basic wireless communication protocols | Brandon Lester |
| 2:05 | 2:50 | Talk: Trailblazing through Data: A Jupyter Anomaly Quest | Kai Iyer |
| 3:00 | 5:35 | Workshop: Modifying Impacket for Better OPSEC | Ryan O’Donnell |
CTF
Our CTF is beginner friendly and meant to be fun. All you need to participate is your laptop (don’t forget your charger!) and the sign up link which will be provided in person.
T.Weeks will be giving a demo/overview of the CTF after the keynote (10:25am) in room M302. You’re free to camp out in the CTF room. So we encourage you to get out and play from anywhere in the grounds so you won’t miss the other great speakers and workshops! Play throughout the day from wherever you are! You can even play the CTF from the bathrooms (if you have good connectivity ;).
Speakers and Talks
Randy Marchany
Randy is the Chief Information Security Officer of Virginia Tech and the Director of Virginia Tech’s IT Security Laboratory and has 25 years experience as a systems administrator, IT auditor, and security specialist. He is a co-author of the original SANS Top 10 Internet Threats, the SANS Top 20 Internet Threats, the SANS Consensus Roadmap for Defeating DDoS Attacks, and the SANS Incident Response: Step-by-Step guides. Randy is currently a senior instructor for the SANS Institute and has taught a wide variety of courses over the years. Currently, he can be found teaching SEC566: Implementing and Auditing the Critical Security Controls on a regular basis.
Talk: The More It Changes, the More It Stays the Same
Abstract:
The infosec industry hasn’t done very much to eliminate the root causes of cyber attacks. This talk reviews the types of cyber attacks seen over the past 30 years and how the same vectors that worked back then are still effective in 2024. Cybersecurity is multi-billion dollar industry. Why haven’t we been able to mitigate the root causes of cyber attacks? We’ll end with a few suggestions for addressing some of these root causes.
Kai Iyer
Kai is a Senior Security Engineer at EY’s Cyber Threat Management team and manages Security Engineering and Applied Machine Learning Research. He holds multiple certifications and has extensive knowledge in various domains, including Web-App Development, Data Science, Incident Response, DevSecOps and Purple Teaming. He is also an advocate for open source software and data privacy. He dreams of a world where no one clicks on phishing e-mails.
Talk: Trailblazing through Data: A Jupyter Anomaly Quest
Abstract:
The talk will introduce ready-to-use Jupyter Notebooks for large-scale threat hunting in production environment. Rather than looking at terabytes of data in a traditional tabular format, we will explore the effectiveness of visualizations, emphasizing graphs, to identify and investigate outliers. The primary area of focus would be Anomaly Detection applied to substantial volume of data to generate Alerts for SOC based on Windows Sysmon Endpoint Logs and Zeek/Suricata Netflow Logs.
Justin Varner
Justin Varner is a seasoned and passionate security professional with over 18 years of experience in the industry across a variety of security domains and disciplines.
His career started as a cryptographer at NASA where he spent time redesigning the cryptographic messaging system used to communicate from the mission control center to the International Space Station. During a focused and driven career, he has had the opportunity to work across a multitude of different industries in various roles that have ranged from security architecture to offensive security to DevSecOps and everything in between.
His most recent endeavors have been focused on helping others improve their ability to rapidly detect breaches and generally bolster their overall security posture with simple and pragmatic means and methods.
Justin embraces any opportunity to teach fundamental security concepts to those who need help but have no idea where to look, and he prides himself on being able to break down and articulate complex topics in a fun, interesting, and engaging manner that appeals to people from all backgrounds.
Talk: Deception inception is met with hilarious reception
Abstract:
Breaches continue happening at unprecedented levels with huge financial impact to the global economy year after year.
Our traditional approach to breach detection that is focused on triaging alerts generated by massive amounts of data from disparate sources is not working. Adversaries know this fact and regularly benefit from it.
The average breach goes unnoticed for 212 days. That’s an ample amount of time for anyone to surreptitiously run off with the crown jewels and inflict significant damage with ramifications that include consumer privacy violations, loss of trust, steep financial penalties, and irreversible reputational damage.
We need a new approach if we’re ever going to stop the madness. Hackers also deserve a better opponent.
This talk discusses a different way of thinking about breach detection that is intended to reduce the number of false positives, improve alert fidelity, reduce time-to-detection, and prevent the massive level of burnout affecting our industry.
We will cover the history of breach detection, the current state of affairs, the paradigm shift to new ways of thinking about the problem, practical examples of how to deploy effective breach detection technology, and the results of a red team campaign against a heavily layered network of deception inception.
Charlene Deaver-Vazquez
Charlene has over 35 years of experience in network design and security. She is a Security Specialist at the Nuclear Regulatory Commission where she performs agency-wide cybersecurity risk analyses and risk quantification. She is also an Adjunct Professor teaching Cybersecurity Risk Quantification at Boise State University’s Cyber Resilience and Operations Program (CORe). The BSU CORe program was recently named one of the top 10 cyber programs in the US by FORBES Magazine.
Talk: Cyber Risk Quantification – Pitfalls and Fixes
Abstract:
Want to know which attack your organization is most likely to experience? This crash course in risk quantification will open your eyes to the fast path of forecasting. Fully functional models and training materials available FREE.
Logan Diomedi
Logan Diomedi is a lifelong information security professional who works as a Senior Offensive Security Consultant at Depth Security. At Depth, he performs enterprise penetration tests from everything including small businesses, all the way up to fortune 200 sized networks. He’s a Roanoke native who graduated from Hidden Valley High School and has a background in many IT facets beyond just information security. He’s been attending RISE and sometimes RBTC events for the last 5 years and loves to compete in CTFs.
Talk: Taking over Enterprise Networks via Microsoft SCCM
Abstract:
This presentation should be a gold mine for both attackers and defenders. Defenders will learn how to mitigate trivial privilege escalation paths in their enterprise networks and attackers will add new tricks up their sleeves for penetration tests.
Brandon Lester
Brandon has a wide range of experience, including ham radio, hardware hacking, and penetration testing.
Talk: Beyond the Flipper - A guide to basic wireless communication protocols
Abstract:
This talk will explore the basic concepts relating to wireless protocols used by consumer devices, how to decode, fuzz, and repeat commands, and a comparison between the Flipper Zero and other open-source hardware/software solutions.
David Mitchell (digish0)
David Mitchell, aka digish0, started his hacking career as a script kiddie running 7th Sphere in mIRC in high school. Later falling in with some Linux/RedHat nerds at a local 2600 group at college while studying CS, etc. He got into Linux, started an IT career, later rediscovering his hacking script kiddie roots when a local hacker space opened up and shared members with a lockpicking group that worked in infosec as penetration testers, etc where he discovered he could get paid to do the things he liked doing in high school/college. He now works professionally as a red team member and cyber security researcher at a large financial institution. You can catch him attending and speaking at many conferences like CackalackyCon and BSides, DefCon.The rest of the time he spends being a dad/husband, trying not to get injured in Muay Thai/BJJ or mountain biking, and listening to either very expensive or very cheap vinyl.
Talk: eBPF: The Double-Edged Sword of Linux Security and Malware
Abstract:
“Extended Berkeley Packet Filter (eBPF) has emerged as a powerful tool in the Linux kernel, enabling developers to write custom programs that can be loaded into the kernel at runtime. While eBPF offers tremendous potential for enhancing system performance, monitoring, and security, it also presents a significant risk when misused for malicious purposes. In this talk, we will explore the dual nature of eBPF and its implications for Linux security and malware development. We’ll begin by discussing the legitimate uses of eBPF, such as creating efficient network filters, tracing and profiling applications, and implementing security policies at the kernel level. We’ll examine real-world examples of how eBPF is being leveraged to enhance system visibility, detect threats, and enforce access controls.
However, we’ll also delve into the darker side of eBPF and its potential for abuse. We’ll demonstrate how attackers can exploit eBPF to develop sophisticated rootkits that operate at the kernel level, making them extremely difficult to detect and remove. We’ll analyze the techniques used to inject malicious eBPF programs into the kernel, hijack system calls, and establish persistence on compromised systems.
Furthermore, we’ll discuss the challenges and limitations of traditional security solutions when faced with eBPF-based malware. We’ll highlight the need for advanced detection mechanisms and the importance of monitoring eBPF programs loaded into the kernel.
Throughout the talk, we’ll provide practical examples, live demonstrations, and code snippets to illustrate the concepts discussed. We’ll also explore potential mitigations and best practices for securing systems against eBPF-based threats.
Attendees will gain a deep understanding of eBPF’s role in Linux security and malware development. They’ll learn how to leverage eBPF for legitimate purposes while also being aware of its potential for abuse. We’ll empower attendees with the knowledge and tools necessary to detect, analyze, and defend against eBPF-based malware.
Whether you’re a security researcher, system administrator, or malware analyst, this talk will provide valuable insights into the complex landscape of eBPF and its implications for Linux security. Join us as we explore the double-edged sword of eBPF and arm ourselves with the knowledge to wield it responsibly.”
James “Jimmy” Ririe
James “Jimmy” Ririe is a recent graduate from Radford University with degrees in cybersecurity and computer science. He was president of Radford’s cybersecurity club and leader of its CTF team.
Talk: Leveling Up Password Cracking
Abstract:
In this session I’ll show you how I turned Radford University’s Esports Center into a password-cracking supercomputer. I’ll also tell you what I learned about password security, better ways to handle authentication, and tips for choosing and storing passwords if you must use them.
Matt Moen
Matt has been involved with all things Security, Open Source and Linux since before they were cool. He’s worked with everything from Fortune 100’s and Wall Street Fintech firms to a tropical fish wholesaler. When not working tech, hiking or bicycling, he enjoys geeking out with symphonies, prog rock, jazz, bluegrass and whatever else tickles his melodic, harmonic and rhythmic fancy, because it don’t mean a thing if it ain’t got that certain je ne sais quoi. Matt holds CISSP & CISA certifications and is currently serving as the Vice-President of the Austin chapter of the Information Systems Security Association.
Talk: Encrypting Your Infrastructure Without Getting Fired
Abstract:
As we push things like Kubernetes clusters to edge installations for reduced latency and increased availability, how protected are they against crowbar theft? Encrypting their disks reduces these risks, but then you discover corner cases in production where your servers aren’t automatically decrypting, and you’ve effectively DoSed yourself. Oops. We’ll explore an alternative with network-based decryption without escrow or proprietary hardware using the Open Source Linux tools Tang and Clevis.
Ryan O’Donnell
Ryan O’Donnell is a Red Team Operator at Altus Consulting. Over the last 12+ years, Ryan has been performing Penetration Tests, Red Team assessments, and Incident Response investigations. Ryan has conducted workshops at Hack Space Con and Bsides Nova. Ryan has a Masters in Computer Forensics from GMU and the following Certifications: OSCP, OSEP, CRTO, GREM, GCFE, GCIH, CRTO.
Workshop: Modifying Impacket for Better OpSec
Abstract:
“Operational security (OpSec) is a cornerstone in red teaming, necessitating continuous refinement of tools and techniques to avoid detection. This workshop is designed for penetration testers, aspiring red teamers, and individuals seeking to enhance their offensive capabilities. It focuses on customizing the Impacket toolset to improve OpSec during engagements.
Impacket tools such as wmiexec, smbexec, and secretsdump are staples in the toolkit of any red teamer due to their versatility and flexibility in Windows environments. However, their detectability has increased as defensive measures have become more sophisticated. This session proposes modifications to these tools to avoid default IOCs and detections.
Participants will explore various customization strategies, including changing default settings, altering network signatures, and integrating stealthier execution methods. Practical exercises will guide attendees through the process of modifying the Impacket scripts, demonstrating how these changes can significantly enhance operational security in simulated environments.
Attendees will gain hands-on experience modifying the Impacket tool set to remove common IOCs. The workshop aims to foster a deeper understanding of both the tools and the underlying network protocols, enabling participants to tailor their approaches to specific operational contexts and defensive landscapes.”
Hristo Asenov
Hristo Asenov has about ten years of professional experience, working in both military, academic and private sectors. He completed graduate studies at University of Delaware.
Talk: Analyzing android APKs using static and dynamic analysis
Abstract:
This talk will look at modern tools that are currently being used to analyze android APKs. We will dive into smali, explain what it is, and look at tools to help with static application analysis. We will also look at dynamic analysis tools such as frida, and talk about how to make an app debuggable via JDB.
Kevin Clark and Skyler Knecht
Kevin Clark is a Software Developer turned Penetration Tester at TrustedSec. He focuses on initial access and Active Directory exploitation. He contributes to open-source tools such as PowerShell Empire and Metasploit. He also writes his own custom security tools such as Badrats and Ek47. Kevin has a passion for education and volunteers on the Midwest Collegiate Cyber Defense Competition (CCDC) red team. He teaches courses with BC-SECURITY at BlackHat and other venues about Evasion, Red Teaming, Empire Operations, and Active Directory. Kevin authors a cybersecurity blog at https://henpeebin.com/kevin/blog.
Skyler Knecht is an Information Security Specialist who performs a variety of security assessments including, phishing, internal/external penetration tests and red teaming. Skyler Knecht worked as a consultant for three years and has recently pivoted to an internal team at Navy Federal Credit Union. Skyler Knecht is continually researching all fields of study but is primarily focused developing offensive tooling such as command and control frameworks and implants.
Talk: Ek47 – Payload Encryption with Environmental Keys
Abstract:
Ek47 is a payload encryptor that leverages user-selected environmental keys associated with a target execution context. In the absence of these environmental keys, Ek47 payloads will not decrypt and execute. This creates a strong resistance to automated/manual analysis and reverse engineering of payloads. Ek47 supports many different environmental keys such as current user, domain, computer name, installed programs, and more. Additionally, Ek47 supports packing payloads of .NET assemblies, unmanaged DLLs, and raw shellcode. Ek47 payloads are themselves .NET assemblies and can be uploaded to disk or executed reflectively via any execute-assembly method. By default, a standard AMSI/ETW bypass is executed before the main payload is executed, but Ek47 makes it easy to add custom bypasses for more advanced evasion functionality. Additional features are provided such as entropy management, PE header stomping, and a variety of payload output formats.
Schr0ding3r
Schr0ding3r, a B.S. holder in physics and mathematics (with a cybersecurity degree on the horizon!), possesses a boundless curiosity that extends to hacking, programming, philosophy, and even ancient Hebrew.
Talk: PQC: A Mundane-12 Powerball Dot Upgrade to Your Entire Life and Everything!
Abstract:
Quantum computing, driven by AI, will take over the world. You’ll lose your job, your privacy, your freedom, even your life. How??? MAGIC. LITERAL MAGIC. Your situation is hopeless. You can’t fight magic!
UNTIL NOW. Introducing: post-quantum cryptography! If you thought your typical gold-level cryptography was effective, get ready to blow right past platinum and quantum levels straight to POST-QUANTUM level. This stuff is literally the “Expelliarmus” to quantum computing’s “Avada Kedavra.” In this thrilling talk, we will discuss quantum mechanics (magic), quantum computing (also magic), and how to fight these evil tools of government conspirators with the maximum 1000XP top-quality get-it-while-supplies-last post-quantum cryptography!
…or maybe, in the spirit of Craig Martell, we will reveal how overhyped and mundane this highly-specialized computing system is, and then look into some of the interesting algorithms being developed to resist these efficient password-cracking machines.
…but which talk will you receive??? YOU’LL HAVE TO SHOW UP TO FIND OUT!
Sponsors and Partners
BSides Roanoke would like to thank the following institutions for their support in making this event a reality.
Posts
-
BSides Roanoke 2024 CFP Announcement
Calling all Roanoke Valley cybersecurity wizards, infosec enthusiasts, and hacking heroes! Are you bursting with insights you’re eager to share? Do you have a burning desire to educate, inspire, and ignite the local security scene? Then gear up, because BSides Roanoke 2024 wants YOU!
-
BSides Roanoke 2023 CFP Closure!
BSides Roanoke 2023 CFP is now closed
-
BSides Roanoke 2023 CFP Announcement
Do you have an interesting security project that you’d like to share with the community? Maybe it’s that new insight you gathered during a recent exercise? If so, then please consider speaking at BSides Roanoke 2023!
subscribe via RSS