The Rise of the "Green Hat" Hacker - Ethical, Technical and Economic Implications of the Corporate Hacker Class
Much has been written lately about the maturing and forking of hacker culture and hacker groups. Dino Dai Zovi recently asked the question "Has hacking jumped the shark?" to which Gabriella Coleman answered "Why are hackers and hacking - despite existing in different forms for close to 50 years - suddenly something that is being taken seriously at every level?" Most interesting to the speaker is the rise of a professional "green hat" hacker class. We'll redefine "green hat" from a n00b to a hacker who makes a living at what they do, regardless of the ethical implications. We will explore in an open-ended way the ethical, technical, and financial implications of the fracturing of hacker culture, particularly the issues brought about by this professional class of hackers in private and public spaces. We'll talk about some economic issues with the current model of infosec, as both private and public parties struggle to make "teh cyber" fit within traditional business models. This is intended as an open-ended discussion, with observations and questions with very few answers.
Starting a Neighborhood Watch for your SaaS Apps
Presenter: Bob Bregant
Modern companies have adopted SaaS at a furious pace. The bigger companies often dictate that security features, such as audit logging APIs, exist, but that's where the tooling often ends. Large enterprises pull that data into custom BigCorp(TM) monitoring systems monitored by tens or hundreds of analysts. The rest of us, though, don't touch those features unless something goes horribly wrong, because we don't have the resources to develop the monitoring, nor do we have the analysts to watch the dashboards (and we can't afford to pay someone to do it for us). Let's fix that. This talk shows off a new open source tool that accesses common SaaS audit logging APIs in an easily extensible way and uses machine learning-based anomaly detection to analyze new data points against the historical record that these APIs can provide.
Improv in Social Engineering
Presenter: Randoh Sapien
What do improv comedy and Social Engineering have in common? Whether the average person knows it or not, life prepares us for both every day. We don't wake up every day with a script to read or cues to hit; we're improvising everything we do every hour of every day. In this talk I'll describe how studying improv comedy can be a useful learning tool for both novice and seasoned Social Engineers. I'll discuss tactics such as building rapport, playing to the top of your intelligence, active listening and ego suspension, not only as a means to the end of a great improv scene and a successful SE engagement but also as tools to use in everyday life.
Suck My Disk: Building Liveboot Media for Red Teams
Presenter: Brent S
In this talk, the author of BDisk (https://bdisk.square-r00t.net/) will provide examples of how one can use BDisk to build and boot arbitrary system images - even remotely booting, and running entirely off of RAM once started - to plunder, harass, harangue, fold, spindle, mutilate, bend, masticate, and generally fuck up and ruin the day of a target's resources. (There are some Good Guy(TM) blue team uses, as well!)
SIGINT on a Budget - Listen In, Gather Data and Be Terrified For Under $100
Presenter: Bleep & Nop
It's 2017 and many dumbasses are still using unencrypted wireless communications. Seriously.
We will review how to build a robust, and open, signals intelligence (SIGINT) platform. To show off its capabilities, we started with the pager bands from 929-932 MHz. The talk will center on how we demodulate, decode and analyze pages across the entire band on a Raspberry Pi. Some SDR-related design and development issues, discussion of DSP and other sundries will be covered in inadequate detail. Along with that, we'll make a few observations about how pagers are used today, using data captured from midtown Manhattan. Finally, there will be discussion of some other applications that the same capture infrastructure can be used for.
Some other tidbits will be thrown in there, like:
- how pager infrastructure sort of works
- a history of pager protocols
- how unencrypted pages actually are
- how encrypted pagers (barely) work these days; and
- a survey of the idiots still using pagers.
We'll also run a real-time capture during the talk, showing what can be seen around the con venue. All from a single Raspberry Pi.
By day, Bleep focuses on how to ensure users do not steal his employer's service. In spite of delusions of grandeur though, most of his day job involves advocating for practicing safe statistics. Calling him a data fetishist might be an understatement, though. His career highlights include spending time as a maple syrup smuggler, living under a bridge (eating goats that attempt to cross) and finding new ways to oppress people's freedom.
Nop is a corporate minion for sanity and pragmatism, diligently toiling away in the ad mines producing products no one wants. His triggers are nodejs, ruby, and big data. Corporate accomplishments of note are helping two unicorns flail, chewing bubble gum and walking at the same time. The safe word is 'cuttlefish'.