Fitting it all in

With all the events, speakers, training sessions, and more going on at ISSW, find out when and where it is all happening to maximize your experience.
2019 InfoSec Southwest
Friday, March 29 – Sunday, March 31, 2019
Hotel Ella
1900 Rio Grande, Austin TX 78705

Unless otherwise noted, all events take place at Hotel Ella, 1900 Rio Grande, Austin TX 78705 

2019 Schedule

Friday, March 29, 2019

1:00 – 10:00 PM

Badge Pickup

2:00 – 5:00 PM

Trevor Rosen
Bootstrap Go – a Hands-On Workshop (Sign-up Required)

Are you sad because Go is hot and you’re not? Let’s change that. IMPORTANT: If you want to participate, DO THIS STUFF FIRST! (~20 minutes).

In this 3-hour workshop, infosec interloper Trevor Rosen will teach you the basics of Go, the Google-originated programming language behind Docker, Kubernetes, Keybase, Lantern, CoreOS, and more. Start from “hello world” and end with a concurrent, 2-endpoint web server. Along the way you’ll learn practical basics like data serialization, dependency injection, testing, and (of course!) get your feet wet with Go’s powerful concurrency support. Armed with this knowledge, you’ll go forth and perform wondrous deeds like finding sweet vulns in container runtimes or the Kubernetes control plane. Or use the excellent stdlib and static compilation to write the next awesomely portable security tool that everyone hateloves!

Interested? Sign up to reserve a spot.

6:00 – 10:00 PM

ISSW 2019
Welcome Cocktail Reception & Registration

Saturday, March 30, 2019

10:00 AM

Ricky Lawshae
Your Wish is My Command: A Deep Dive into DirectTV’s Genie System

DirectTV is one of the largest satellite content providers in the nation, and their Genie system is their flagship line of products. In this talk, we will take a look at what that system is composed of, including device hardware, proprietary network protocols, and content protection mechanisms. We will demonstrate vulnerabilities in the system and ways to manipulate content as well as other fun things you can do. Magic lamp not included.

11:00 AM

HD Moore
Reflecting on Network Discovery

Although network discovery is a critical component of security, current tools struggle to obtain comprehensive results on modern networks. Security hardening of endpoints, adoption of the BeyondCorp model, the explosion of networked devices, and complications arising from software defined networks, virtual machine environments, use of containers, and hybrid clouds have all challenged our ability to accurately identify assets. This talk covers the current state of network discovery techniques, digs into older, relatively unknown methods, and introduces a handful of new tricks that can immediately improve the discovery phase of security and IT efforts.

12:00 PM

Alamo Drafthouse: Turbo Talks!

2:30 PM

Wandering Glitch
Bugs so Nice they Patched them Twice! A (Continuing)? Story About Failed Patches

Over the last several years, the industry has experienced a spike in research focused on finding a wide variety of vulnerabilities in PDF rendering applications. Just look at the security advisories from Adobe, FoxIt, Google, and Microsoft. Everything from classic memory corruption issues like buffer overflows, use-after-frees, and type confusions to the more esoteric JavaScript API restriction bypasses are being patched on a monthly basis. This increase in discoveries is driven by the hardening of previously popular attack vectors, like the web browser, and the fact that the PDF rendering engines support a tremendous amount of functionality. Along with standard PDF viewing, they offer ways of annotating and indexing PDF files and expose a rich set of JavaScript APIs that help in automating tasks. It’s a unique playground for attackers to take advantage of when conducting targeted attacks.

With all these bugs being patched, one begins to wonder if these are all new discoveries or something a little bit more unnerving. Is it possible that the vendor patches were ineffective and that researchers are discovering ways to re-trigger previously patched vulnerabilities? The answer is yes! This talk drills into this topic by exposing modern vulnerabilities targeting Adobe Acrobat and, more importantly, how these vulnerabilities were ultimately resolved after multiple disclosures. We start by taking a detailed look at the attack surface exposed by Adobe Acrobat. We then dive into multiple vulnerabilities that were purchased by the Zero Day Initiative program and describe how Adobe found the bugs so nice they patched them twice. These failed patches highlight the complexities of Acrobat and demonstrate the need for vigilance amongst researchers reporting bugs to Adobe. A patch is good; a solution is better.

3:30 PM

Claire Reynolds
How to Respond to a C&D: Keep Calm But Don’t Necessarily Carry On

In this talk, I will discuss: (1) how to interpret the language of a C&D, including a brief discussion of the various underlying legal authority that may be cited by the attorney; (2) how to formulate a response on your own and when to seek outside help; and (3) potential consequences for failing to respond. I’ll be providing real world examples of C&Ds that have legal merit and ones that should never have been sent out.

4:30 PM

Pedram Amini
Worm Charming: Harvesting Malware Lures for Examination

It’s no secret that client-side attacks are a common source of compromise for many organizations. Web browser and e-mail borne malware campaigns target users by way of phishing, social engineering, and exploitation. Office suites from vendors such as Adobe and Microsoft are ubiquitous and provide a rich and ever-changing attack surface. Poor user awareness and clever social engineering tactics frequently result in users consenting to the execution of malicious embedded logic such as macros, JavaScript, ActionScript, and Java applets. In this talk we’ll explore a mechanism for harvesting a variety of these malware lures for the purposes of research and detection.

Worm charming (grunting or fiddling) is an increasingly rare real-world skill for attracting earthworms from the ground. A competitive sport in east Texas, most worm charming methods involve some vibration of the soil, which encourages the worms to surface. In our context, we’ll apply a series of YARA rules to charm interesting samples to the surface from the nearly 1M files uploaded to VirusTotal daily. Once aggregated, we’ll explore mechanisms for clustering and identifying “interesting” samples. Specifically, we’re on the hunt for malware lures that can provide a heads up to defenders on upcoming campaigns as adversaries frequently test their lures against AV consensus.

Sunday, March 31, 2019

10:00 AM

Jonathan Cran
Beyond Internet Scanning; Open Source Attack Surface Discovery with Intrigue Core

SHODAN, Rapid7, Censys and others have made vast swaths of raw scan data available to researchers over the last 10 years, but enumerating the exposed attack surface of a given organization remains an open challenge. Database leaks, application layer misconfigurations and default creds still pose significant risk to security teams. We are left living the unpleasant reality: “You can’t fix what you can’t find”. In this session, the speaker will dig into the open source Intrigue Core engine, a framework to iteratively enumerate attack surface, walking through lessons learned and exposures found while scaling the engine to discover the attack surface of tens of thousands of organizations.

11:00 AM

Todd Manning, Michael DePlante Jr, and Tony Fuller
Project Redlion – Industrial Control HMI security

Industrial control HMIs are a window into industrial processes. They allow people to monitor and control the industrial environments of which they are a part. This talk investigates the Windows-based software which configures an HMI, and will cover topics such as Windows binary analysis, the fuzzing of Windows programs, and triaging crashes. In addition, hardware reverse engineering and firmware analysis of an embedded HMI will be discussed. This talk will also discuss the reverse engineering and analysis of both the custom HMI protocol, as well as the custom HMI file format. Finally, the talk will cover the analysis of the network attack surface presented by the HMI. Todd will be joined by Michael DePlante Jr and Tony Fuller of Trend Micro ZDI.

2:30 PM

Brandon Perry
Operational Security Across the Spectrum

Opsec is so hot right now. How do people outside of infosec keep themselves secure? What about outside “first world countries”? What are your risks /really/? Not your typical opsec talk about threat models.

3:30 PM

Summer Lee
Defense Against the Social Engineering Arts

This talk will start by covering techniques recently used to break into multiple banks and an airline’s system operations center. Highlights include convincing a helpdesk technician to bypass their multi-factor authentication solution and a detailed review of what would have prevented these attacks from being successful.

4:30 PM

Rick Redman
This One Time On A Pentest: Last 20 Years Edition

Rick loves telling “this one time on a pentest” stories. Usually they are a highlight of the worst things he’s seen, with a few of the most amazingly secure systems he has run across. In this full-length version of his talk, Rick will talk about the things he has seen in the last 20 years of being a pentester. Worst of the worst and the best of the best will be discussed.

5:30 PM

Baron Daniel Crowley
Building Crypto Flaw Recon and Attack Tools for Web Hackers

Cryptographic attacks are often in the realm of theory. Many long known attack techniques in the cryptographic world have no corresponding practical tooling or weaponized exploit. Because of the nature of cryptography, encrypted data is often (and should be) indistinguishable from random data. This presents certain unique challenges when attempting to build crypto flaw scan or attack tools. This talk will discuss several cryptographic flaws, how they manifest in web applications, how to find them, and will discuss newly developed crypto attack tools to be released alongside the talk.