Speaker Feature: Travis McCormack

@HaknSlack

Travis has 10 years of experience in information security roles. Starting out as a Network Administrator and later SOC Analyst he has built his experience and knowledge up through blue teaming before deciding to try out offensive security. Travis has spent the past 2 years as a penetration tester primarily focused in application security with Cigital/Synopsys and now Walmart.

From Web App to ATM: Why the Basics Matter

This is a technical application security discussion for junior penetration testers or anyone interested in the world of penetration testing. Advanced members of the community are welcome, but the content is geared at newer testers. From Web App to ATM will showcase a penetration test I performed where the only previous work done was web vulnerability scanners that completely missed the iceberg lurking just below the water. In this talk I will cover some “back to basics” of web app security and show real world examples of critical applications exposing these flaws. Unauthenticated APIs, forceful browsing, privilege escalation, and total ownage of ATMs managed by this app are all up for discussion.

Come see Travis at RVAsec! Register Now.


Speaker Feature: Chris Czub

labs.duosecurity.com

@chrisczub

Related imageChris Czub is an information security engineer on Duo Security’s Corporate Security team where he helps keep their employee endpoints and servers monitored and safe.

OS X App Whitelisting Without Losing Your Job

Application whitelisting: it’s easy to say it should be practiced as part of a complete endpoint security practice, but in reality it can be hard to deploy widely without causing friction and frustration across the organization. This talk will look at the tools and processes that enabled Duo’s Corporate Security team to progressively deploy and monitor application whitelisting across their fleet of OS X endpoints.

Come see Chris at RVAsec. Register Now.

 

 


RVAsec 7 CTF

The CTF crew is once again hard at work preparing challenges for this year’s competition. As in the past, the first day of the conference will be CTF prep while the actual competition will take place on Day 2 (Friday, June 8th). Even though it will contain some hard challenges, this is a learning CTF – not just a bash-your-head-against-the-wall competition. As such, there will be plenty of challenges from lockpicking to recon and web exploitation for people of all levels and backgrounds. Additionally, you may choose to compete as an individual or form teams of up to 4 people – there are separate prize categories for both.

You will need an updated Kali machine, but we will provide everything else.

Below is a list of some of the skills/topics that have been covered in previous years.

Entry Level: Primarily aimed at beginners and those with a less technical background, focusing on basic infosec skills and concepts.

  • Rot N encoding
  • Google Fu / OSINT
  • Examining website source code
  • Basic file analysis (eg. file, strings)
  • Trivia

Intermediate: Expect to begin taking a deep dive into the core categories by finding and exploiting vulnerabilities, cracking passwords, etc.

  • Extracting objects from Wireshark dump
  • SQL Injection
  • URL Fuzzing
  • Cracking password hashes (using john, Hashcat, etc)
  • Reverse Engineering and Disassembly

Hard: For our battle-hardened, seasoned CTF players which will challenge competitors to truly think outside the box, crack encryption, exploit binaries, and more.

  • Blacklist filter evasion for SQL Injection
  • Binary Exploitation (buffer overflows and more)
  • Cracking RSA Encryption
  • Multi-step OSINT investigation
  • Hardware

In addition, we are always looking for volunteers to help out with creating and testing all of the problems. If that interests you, please reach out to us at contact [at] metactf.com, and we’ll add you to the mailing list.

We are pleased to announce that CrowdStrike has sponsored the CTF this year!

Finally, good luck to everyone and we’ll see you in June!

 


Speaker Feature: Mark Arnold and Will Gragido

@lotusebhat

Mark Arnold

@eg0sum

Mark Arnold, PhD, GXPN, CISSP, CISM has more than 20 years of technical and senior leadership in the information security space. He’s an advisory board member for OWASP Boston, SOURCE Conference, Boston Application Security Conference (BASC), and InfoSecWorld 2018. He is CISO/Sr. Director at Navisite and most recently a cloud researcher at Optiv.

Image result for will gragidoWill Gragido is a seasoned security professional with over 20 years’ experience in networking and information security. Will’s extensive background is the result of his service as a United States Marine, a consultant with the world renowned International Network Services, Internet Security Systems (now IBM ISS), McAfee, Damballa, Cassandra Security, RSA NetWitness, Carbon Black, Digital Shadows and now Digital Guardian where he leads the organization’s Advanced Threat Protection Product Line as its Director. Lead author and co-author of three Syngress Press titles

Hacking Intelligence – The Use, Abuse, and Misappropriation of Intel for for Fun and Mostly Profit

The appropriation of intelligence (and/or its art) within the security industry has raised the ire of many trained intelligence practitioners in the field. Some bemoan the fact that intelligence has been hijacked for profit with disregard of the discipline’s basic tenets. These tenets include but are not limited to tradecraft, life cycle, theory, analysis, application, and generation of actionable intelligence. On the other side of the aisle, security leaders have been tasked to implement threat intelligence within their respective security programs (maybe *because it has become fashionable to do so). More than not, however, such goals have proven elusive. Further, security leaders who procure intelligence products marketed to them are often left feeling they’ve been sold a bill of goods when those products fail to deliver.
This talk shares the results from conversations between a security expert/professional trained in the field of intelligence and a practitioner/researcher/leader not classically trained in the discipline. We discuss the uses, abuses, and misappropriations of intel with the hopes of forging a better path forward in this subject area. We do this by asking questions like \”What is cyber intelligence,” What does it look like and where is it going,” and lastly, \”How should it be used?”
To be covered:
• Tenets of intelligence
• The discipline of intelligence
• Why has CTI been in the “hype cycle”? Why do people care?
• What does cyber threat intelligence get us? Hacking the discipline

Come and see Mark and Will at RVAsec! Register Now.


Speaker Feature: Ksenia Peguero

@KseniaDmitrieva

Ksenia Peguero is a Sr. Research Lead within Synopsys Software Integrity Group. She has eight years of experience in application security and five years in software development. Ksenia is a subject matter expert in static analysis and JavaScript frameworks and technologies. Before diving into research, she worked in a variety of software security practices including penetration testing, threat modeling, code review, static analysis tool design, customization, and deployment. Over the years, she performed numerous engagements for clients in financial services, entertainment, telecommunications, energy, and enterprise security industries. Throughout her consulting career, Ksenia has established and evolved secure coding guidance for many different firms, and has delivered numerous software security training sessions. Ksenia speaks regularly at events around the world, such as BSides Security in London, Nullcon in India, RSA in Singapore, and AppSec Europe in Italy. She has also served on review boards of AppSec USA and AppSec EU conferences.

How to REACT to JavaScript [In]Security

According to a StackOverflow survey, JavaScript is the most commonly used programming language on earth. Today just the client-side JavaScript ecosystem has over 50 frameworks available, and JavaScript is successfully conquering the server-side space. The amount of application logic that is executed in the browser is growing every year, which means the attack surface is growing as well. Which security issues are most common in JavaScript applications? Do new frameworks provide the security controls needed to protect the growing amount of client-side code? In this talk we will answer these questions and, as an example, we will look at one of the hottest JavaScript frameworks today – React. We will discuss its new features like components and server-side DOM rendering, analyze React’s security posture and demonstrate existing vulnerabilities.

Come see Ksenia at RVAsec. Register Now.


Speaker Feature: Dennis Rand

www.ecrimelabs.com

@DennisRandImage result for dennis rand ecrime labs

Dennis Rand is a security researcher from Denmark. He specializes in vulnerability research, network analysis, penetration testing and incident response. Dennis has over seventeen years of experience in various security roles including researcher, consultanting, and simply loves breaking stuff. In his spare time (Of what is left), he loves to observe and capture the world through photography.

So you think IoT DDoS botnets are dangerous – Bypassing ISP and Enterprise Anti-DDoS with 90’s technology

Stressers/Booter services is providing “DDoS as A Service” and they are getting more and more powerfull, measured in amount of traffic, but the current resources they use could be improved, and optimized, and perform a much more
dangerous and advanced attack patterns that can bypass large Anti-DDoS solutions through pre-analysis and data-mining with big data analysis and OSINT informaiton as source.
The research will show a framework on how attackers can optimize attacks based on a combination of big-data analysis and pre-attack analysis, that will show that terabit attacks are not necessarily needed, and why 90’s technology is prefered over IoT Worms and other fancy gadgets.

Come see Dennis at RVAsec! Register Now.


Speaker Feature: Michael Marriott

www.digitalshadows.com/blog-and-research

@digitalshadows

Michael Marriott is a Senior Strategy and Research Analyst at Digital Shadows, which he joined in late 2014. Michael has a passion for security analysis and the trends they indicate, in order to better protect clients. He has written several articles and papers, and his research is regularly features in the press. He holds a BA in History and a Masters in Applied Security and Strategy, both from the University of Exeter.

Seize and Desist? Criminal Evolution One Year After AlphaBay’s Demise

As we’re approaching the one year anniversary of AlphaBay’s seizure, the talk will demonstrate the impact this has had on the criminal ecosystem. This includes new, alternative mechanisms and technologies for discussing and trading criminal goods and services. The talk will also outline the drivers that will determine the future of the criminal ecosystem and outline what this means for all organizations.

Come and see Michael at RVAsec! Register Now.


Badge Sponsor: Okta

www.okta.com

@Okta

We are very pleased to announce that Okta is the 2018 sponsor for our very cool badges! Please stop by and say hi to their representatives in the Capture the Flag room.

RVAsec 2018 Register now!


RVAsec 7 After Party at The Circuit — Register Now!

The RVAsec 7 after party sponsored by Risk Based Security and GuidePoint Security, will be at The Circuit on Thursday, June 7th, after the conference!

Thu, June 7, 2018
5:30 PM – 7:30 PM

The Circuit is located at:

3121 W. Leigh St
Richmond, Virginia 23230

The Circuit is an arcade bar in the Scott’s Addition Beverage District of Richmond, VA. We have a growing family of 70 arcade games, pinball machines, and skeeball lanes, as well as a forever rotating 50-tap beer wall boasting both local and national favorites.

This is an exclusive event with limited availability, so you must be registered to attend and bring your RVAsec badge or you will not be allowed entrance–no exceptions!

Even if you have a ticket for RVAsec and said that you wanted to attend during the signup process, you MUST now registered for the party!

Register Now!

https://www.eventbrite.com/e/rvasec-7-after-party-tickets-45987727531


Speaker Feature: Derek Banks and Beau Bullock

www.blackhillsinfosec.com

@0xderuke

Related image

@dafthack

Derek Banks: Derek is a Senior Security Analyst at Black Hills Information Security and has over 20 years of experience in the IT industry as a systems administrator for multiple operating system platforms, and monitoring and defending those systems from potential intruders. He has worked in the aerospace, defense, banking, manufacturing, and software development industries. Derek has experience with creating custom host and network based monitoring solutions.

 

Image result for Beau bullock blackhills

Beau Bullock: Beau is a Senior Security Analyst at Black Hills Information Security where he performs penetration tests and red team assessments. He is the author of various red team/pentest tools such as MailSniper, PowerMeta, HostRecon, and DomainPasswordSpray. Beau is a host of the web shows Tradecraft Security Weekly & Hack Naked TV, and is a frequent speaker at industry events including Black Hat, DerbyCon, Wild West Hackin’ Fest, SANS, and various BSides events.

 

Red Team Apocalypse

TABLETOP SCENARIO: Your organization regularly patches, uses application whitelisting, has NextGen-NG™ firewalls/IDS’s, and has the latest Cyber-APT-Trapping-Blinky-Box™. You were just made aware that your entire customer database was found being sold on the dark web. Go.

Come see Derek and Beau at RVAsec! Register Now.