DEF CON 22 [Materials] Speeches from the Hacker Convention.

DEF CON

The DEF CON series of hacking conferences was started in 1993 to focus on both the technical and social trends in hacking, and has grown into a world-known event. Video, audio and supporting materials from past conferences are available on our new media server at: https://media.defcon.org

  • Zack Fasel - Logging ALL THE THINGS Without All The Cost With Open Source Big Data Tools </buzzwords>

    Logging ALL THE THINGS Without All The Cost With Open Source Big Data Tools
    Zack Fasel Managing Partner, Urbane Security

    Many struggle in their job with the decision of what events to log in the battle against costly increases to their licensing of a commercial SIEM or other logging solution. Leveraging the proven open source solutions used for "big data" can help build a scalable, reliable, and hackable event logging and security intelligence system that addresses security and (*cringe*) compliance requirements. We’ll walk through the various components and simple steps to building your own logging environment that can grow extensively (or stay sized just right) with only additional hardware cost, and show numerous examples you can implement as soon as you get back to work (or home).

    Zack Fasel is a Founding Partner at Urbane Security, a solutions-focused, vendor-agnostic information security services firm providing innovative defense, sophisticated offense and refined compliance services. Heading up Urbane's Research and Security Services divisions, Zack brings his years of diverse internal and external experience to drive Urbane's technical solutions to organizations' top pain points. His previous research and presentations at conferences have spread across numerous domains including Windows authentication flaws, femtocells, open source defensive security solutions and unique network and application attack vectors. When not selling out, he can be found lost in the untz unce wubs, dabbling in Instagram food photography, or eating scotch and drinking gummy bears (that's right, right?). More information on him can be found at zfasel.com and on Urbane Security at UrbaneSecurity.com.

    14 December 2014, 1:34 am
  • Will Schroeder - Veil-Pillage: Post-exploitation 2.0

    Slides Here: https://defcon.org/images/defcon-22/dc-22-presentations/Schroeder/DEFCON-22-Will-Schroeder-Veil-Pillage-Post-Exploitation-2.0.pdf

    Veil-Pillage: Post-exploitation 2.0
    Will Schroeder SECURITY RESEARCHER, VERIS GROUP
    The Veil-Framework is a project that aims to bridge the gap between pentesting and red team toolsets. It began with Veil-Evasion, a tool to generate AV-evading payload executables, expanded into payload delivery with the release of Veil-Catapult, and branched into PowerShell functionality with the release of Veil-PowerView for domain situational awareness. This talk will unveil the newest addition to the Veil-Framework, Veil-Pillage, a fully-fledged, open-source post-exploitation framework that integrates tightly with the existing framework codebase.

    We’ll start with a quick survey of the post-exploitation landscape, highlighting the advantages and disadvantages of existing tools. We will cover current toolset gap areas, and how the lack of a single solution with all the options and techniques desired drove the development of Veil-Pillage. Major features of the framework will be quickly detailed, and the underlying primitives that modules build on will be explained.

    Veil-Pillage, released immediately following this presentation, makes it easy to implement the wealth of existing post-exploitation techniques out there, whether publicly or privately developed. Currently developed modules support a breadth of post-exploitation techniques, including enumeration methods, system management, persistence tricks, and more. The integration of various PowerShell post-exploitation components, assorted methods of hashdumping, and various ways to grab plaintext credentials demonstrate the operational usefulness of Veil-Pillage. The framework utilizes a number of triggering mechanisms with a preference toward stealth, contains complete command line flags for third-party integration, and has comprehensive logging and cleanup script capabilities. Welcome to Veil-Pillage: Post-Exploitation 2.0.

    Will Schroeder (@harmj0y) is a security researcher and pentester/red-teamer for Veris Group, and is one of the co-founders and active developers of the Veil-Framework, a project aimed at bridging the gap between pentesting and red-team toolsets. Will recently presented at Shmoocon ‘14 on AV-evasion and custom payload delivery methods utilizing tools he developed, Veil-Evasion and Veil-Catapult. He has presented at various BSides events on the Cortana attack scripting language and obfuscated PyInstaller loaders. He is also the author of Veil-PowerView, a tool for gaining situational awareness on Windows domains, and is an active PowerShell hacker. A former national lab security researcher, he is happy to finally be in the private sector.

    twitter: @harmj0y

    14 December 2014, 1:31 am
  • Fatih Ozavci - VoIP Wars: Attack of the Cisco Phones

    Slides Here: https://defcon.org/images/defcon-22/dc-22-presentations/Ozavci/DEFCON-22-Fatih-Ozavci-VoIP-Wars-Attack-of-the-Cisco-Phones-UPDATED.pdf

    VoIP Wars: Attack of the Cisco Phones
    Fatih Ozavci SENIOR SECURITY CONSULTANT, SENSE OF SECURITY
    Many hosted VoIP service providers are using the Cisco Hosted Collaboration Suite and Cisco VoIP solutions. These Cisco hosted VoIP implementations are very similar: they have Cisco Unified Communications services, the SIP protocol for tenants' IP Phones, common conference solutions, the Skinny protocol for compliance, a generic RTP implementation, and the VOSS Solutions product family for tenant management services. Cisco hosted VoIP implementations are vulnerable to many attacks, including:

    VLAN attacks
    SIP trust hacking
    Skinny based signalling attacks
    Bypassing authentication and authorisation
    Call spoofing
    Eavesdropping
    Attacks against IP Phone management services
    Web based vulnerabilities of the products
    The presentation covers Skinny and SIP signalling attacks, a 0day bypass technique for call spoofing and billing bypass, LAN attacks against supportive services for IP Phones, and practical 0day attacks against IP Phone management and tenant services. Attacking Cisco VoIP services requires limited knowledge today with the Viproy Penetration Testing Kit (written by the presenter). It has a dozen modules to test trust hacking issues, signalling attacks against SIP and Skinny services, gaining unauthorised access, call spoofing, brute-forcing VoIP accounts and debugging services by acting as a MITM. Furthermore, Viproy provides these attack modules in a penetration testing environment with full integration. The presentation contains live demonstrations of practical VoIP attacks and usage of new Viproy modules.

    Fatih Ozavci is a Security Researcher and Senior Consultant with Sense of Security. He is the author of the Viproy VoIP Penetration and Exploitation Testing Kit and the MBFuzzer Mobile Application MITM Fuzzer tool; he has also published a paper about Hacking SIP Trust Relationships. Fatih has discovered many unknown security vulnerabilities and design and protocol flaws in VoIP environments for his customers, and analyses VoIP design and implementation flaws to help improve VoIP infrastructures. Additionally, he has completed numerous mobile application penetration testing services including, but not limited to, reverse engineering of mobile applications, exploiting mobile service level vulnerabilities, and attacking the data transport and storage features of mobile applications. His current research focuses on attacking mobile VoIP clients, VoIP service level vulnerabilities, web based VoIP and video conference systems, decrypting custom mobile application protocols and MITM attacks for mobile applications. While Fatih is passionate about VoIP penetration testing, mobile application testing and IPTV testing, he is also well versed in network penetration testing, web application testing, reverse engineering, fuzzing and exploit development. Fatih presented his VoIP research and tool in 2013 at DEF CON 21 (USA), Blackhat Arsenal USA 2013, Cluecon 2013 (USA), Athcon 2013 (Greece), and Ruxcon 2013. Fatih will also present two training sessions at AusCERT 2014, "Next Generation Attacks and Countermeasures for VoIP" and "Penetration Testing of Mobile Applications and Services".

    http://viproy.com/fozavci/
    http://fozavci.blogspot.com/
    http://tr.linkedin.com/pub/fatih-ozavci/54/a71/a94
    https://twitter.com/fozavci
    http://packetstormsecurity.com/files/author/5820
    http://www.exploit-db.com/author/?a=5425
    http://www.github.com/fozavci

    14 December 2014, 1:30 am
  • Dominic White and Ian de Villiers - Manna from Heaven: Improving the state of wireless rogue AP attacks

    Slides Here: https://defcon.org/images/defcon-22/dc-22-presentations/White-deVilliers/DEFCON-22-Dominic-White-Ian-de-Villiers-Manna-from-Heaven-Detailed-UPDATED.pdf

    Manna from Heaven: Improving the state of wireless rogue AP attacks
    Dominic White CTO, SENSEPOST
    Ian de Villiers SENIOR ANALYST, SENSEPOST
    The current state of theoretical attacks against wireless networks should allow this wireless world to be fully subverted for all but some edge cases. Devices can be fooled into connecting to spoofed networks, authentication to wireless networks can either be cracked or intercepted, and our ability to capture credentials at a network level has long been established. Often, the most significant protection users have is hitting the right button on an error message they rarely understand. Worse for the user, these attacks can be repeated per wireless network, allowing an attacker to target the weakest link.

    This combination of vulnerable and heavily used communications should mean that an attacker need only arrive at a location and set up for credentials and access to start dropping from the sky. However, the reality is far from this: karma attacks work poorly against modern devices, network authentication of the weakest sort defeats rogue APs, and interception tools struggle to find useful details.

    This talk is the result of our efforts to bring rogue AP attacks into the modern age. The talk provides details of our research into increasing the effectiveness of spoofing wireless networks, and the benefits of doing so (i.e. gaining access). It includes the release of a new rogue access point toolkit implementing this research.

    Dominic is the CTO of SensePost, an information security company based in South Africa and London. He has worked in the industry for 10 years. He is responsible for SensePost's wireless hacking course, Unplugged. He tweets as @singe.

    Ian de Villiers is a security analyst at SensePost. Coming from a development background, his areas of expertise are in application and web application assessments. Ian has spent considerable time researching application frameworks, and has published a number of advisories relating to portal platforms. He has also provided security training and spoken at security conferences internationally.

    Ian has previously published numerous tools, such as reDuh (http://research.sensepost.com/tools/web/reduh) and, more recently, SapProxy (http://research.sensepost.com/cms/resources/tools/servers/sapprox/44con_2011_release.pdf).

    14 December 2014, 1:29 am
  • Blake Self and Shawn "cisc0ninja" Burrell - Don't DDoS Me Bro: Practical DDoS Defense

    Slides here: https://defcon.org/images/defcon-22/dc-22-presentations/Self/DEFCON-22-Blake-Self-cisc0ninja-Dont-DDOS-me-bro-UPDATED.pdf

    Don't DDoS Me Bro: Practical DDoS Defense
    Blake Self SENIOR SECURITY ARCHITECT
    Shawn "cisc0ninja" Burrell SOLDIERX CREW
    Layer 7 DDoS attacks have been on the rise since at least 2010, especially attacks that take down websites via resource exhaustion. Using various tools and techniques, it is possible to defend against these attacks on even a shoestring budget. This talk will analyze and discuss the tools, techniques, and technology behind protecting your website from these types of attacks. We will be covering attacks used against soldierx.com as well as attacks seen in Operation Ababil. Source code will be released for SOLDIERX's own DDoS monitoring system, RoboAmp.

    Blake Self is most widely known for co-authoring the first commercial encrypted instant messenger with Dr. Cyrus Peikari while at VirusMD. He has also worked as a SIPRNET Administrator, Department of Defense Red Team Analyst, and in R&D at various corporations. He has been attending Defcon since high school and has given several talks. He currently works in the financial sector and was directly involved in defending against the DDoS attacks of Operation Ababil. Blake holds an M.S. in Computer Science from Purdue University.

    Shawn "cisc0ninja" Burrell is a long time crew member of SOLDIERX. He was a critical component of projects such as the "Hacker Database" - the largest open source database of individuals involved in the security/hacking scene. He has also worked as a SIPRNET Administrator for the Department of Defense. He currently works in threat intelligence, where he discovers current campaigns and how to defend against them. He once claimed he was the only person at Defcon who could actually dance, although that was before the conference was at its current popularity.

    Web: https://www.soldierx.com
    Facebook: https://www.facebook.com/soldierxDOTcom

    14 December 2014, 1:29 am
  • Michele Fincher - How do you Feel about your Mother.. Psych and The SE
    14 December 2014, 1:22 am
  • Christopher Soghoian - Blinding The Surveillance State

    Blinding The Surveillance State
    Christopher Soghoian Principal Technologist, American Civil Liberties Union

    We live in a surveillance state. Law enforcement and intelligence agencies have access to a huge amount of data about us, enabling them to learn intimate, private details about our lives. In part, the ease with which they can obtain such information reflects the fact that our laws have failed to keep up with advances in technology. However, privacy enhancing technologies can offer real protections even when the law does not. That intelligence agencies like the NSA are able to collect records about every telephone call made in the United States, or engage in the bulk surveillance of Internet communications is only possible because so much of our data is transmitted in the clear. The privacy enhancing technologies required to make bulk surveillance impossible and targeted surveillance more difficult already exist. We just need to start using them.

    Christopher Soghoian is a privacy researcher and activist, working at the intersection of technology, law and policy. He is the Principal Technologist with the Speech, Privacy and Technology Project at the American Civil Liberties Union. Soghoian completed his Ph.D. in 2012, which focused on the role that third party service providers play in facilitating law enforcement surveillance of their customers.

    14 December 2014, 1:18 am
  • Chris Hadnagy - What Your Body Tells Me - Body Language for the SE
    14 December 2014, 1:16 am
  • Charlie Miller & Chris Valasek - A Survey of Remote Automotive Attack Surfaces

    A Survey of Remote Automotive Attack Surfaces
    Charlie Miller Security Engineer, Twitter
    Chris Valasek Director of Threat Intelligence, IOActive

    Automotive security concerns have gone from the fringe to the mainstream with security researchers showing the susceptibility of the modern vehicle to local and remote attacks. A malicious attacker leveraging a remote vulnerability could do anything from enabling a microphone for eavesdropping to turning the steering wheel to disabling the brakes.

    Last year, we discussed 2 particular vehicles. However, since each manufacturer designs their fleets differently, analysis of remote threats must avoid generalities. This talk takes a step back and examines the automotive networks of a large number of different manufacturers from a security perspective. From this larger dataset we can begin to answer questions like: Are some cars more secure from remote compromise than others? Has automotive network security changed for the better (or worse) in the last 5 years? What does the future of automotive security hold, and how can we protect our vehicles from attack moving forward?

    Charlie Miller is a security engineer at Twitter. Back when he still had time to research, he was the first with a public remote exploit for both the iPhone and the G1 Android phone. He is a four time winner of the CanSecWest Pwn2Own competition. He has authored three information security books and holds a PhD from the University of Notre Dame. He has hacked browsers, phones, cars, and batteries. Charlie spends his free time trying to get back together with Apple, but sadly they still list their relationship status as "It's complicated".

    Twitter: @0xcharlie

    Christopher Valasek is the Director of Security Intelligence at IOActive, an industry leader in comprehensive computer security services. Valasek specializes in offensive research methodologies with a focus in reverse engineering and exploitation. Valasek is known for his extensive research in the automotive field and his exploitation and reverse engineering of Windows. Valasek is also the Chairman of SummerCon, the nation's oldest hacker conference.

    Twitter: @nudehaberdasher

    14 December 2014, 1:15 am
  • Brent White - Corporate Espionage - Gathering Actionable Intelligence Via Covert Operations
    14 December 2014, 1:13 am
  • Zoz - Don't Fuck It Up!

    Slides Here: https://defcon.org/images/defcon-22/dc-22-presentations/Zoz/DEFCON-22-Zoz-Dont-Fuck-It-Up-UPDATED.pdf

    Don't Fuck It Up!
    Zoz ROBOTICS ENGINEER
    Online antics used to be all about the lulz; now they're all about the pervasive surveillance. Whether you're the director of a TLA just trying to make a booty call or an internet entrepreneur struggling to make your marketplace transactions as smooth as silk, getting up to any kind of mischief involving electronic communications now increasingly means going up against a nation-state adversary. And if even the people who most should know better keep fucking it up, what does that mean for the rest of us? What do the revelations about massive government eavesdropping and data ingestion mean for people who feel they have a right if not a duty to occasionally be disobedient?

    It's time for a rant. Analyzing what is currently known or speculated about the state of online spying through the prism of some spectacular fuckups, this talk offers an amusing introduction to how you can maximize your chances of enduring your freedom while not fucking it up. Learn how not to fuck up covering your tracks on the internet, using burner phones, collaborating with other dissidents and more. If you have anything to hide, and all of us do, pay attention and Don't. Fuck. It. Up!

    Zoz is a robotics engineer, prankster and general sneaky bastard. He has been pretty successful at pulling some cool subversive shit and not fucking it up and getting caught. He once faked a crop circle for the Discovery Channel and it was all uphill from there.

    14 December 2014, 1:04 am
© MoonFM 2025. All rights reserved.