AvengerCon welcomes Jeff Moss a.k.a. DarkTangent as our keynote speaker!

Hacking Government Bureaucracy

In theory, bureaucracy isn’t a bad thing. Really. Bureaucracy allows large organizations to scale and accomplish complex missions that would otherwise be impossible. In practice however, bureaucracies easily become their own worst enemy. Bureaucracies can be soul crushing, destroyers of efficiency and agility. Particularly vulnerable are the innovative people, new missions, and new organizations essential for success in cyber conflict. However, if navigated appropriately, success is still possible despite the bureaucracy, and sometimes even because of it. Hackers are adept at bending complex systems to their will, and bureaucracies are nothing if not complex systems. The techniques, tactics, and rules of the game are a bit different in the bureaucratic domain, but the hacker mindset is the same.

Why crack passwords when you can just relay?

NTLM Relaying is the process of directing credentials that are captured by an attacker and forwarding those to another machine for processing. If successful, the technique can be used to circumvent the strictest password policy or Privileged Access Management Solution (PAM). Relaying of credentials can be useful in establishing a presence on a workstation, retrieving information on an Active Directory Domain (AD), or escalating privileges on the AD Domain. The best part for an operator is that this an be done without knowledge of what the clear-text password of the user is. This talk will be full of pre-recorded demonstrations, and will cover defensive tactics that can be implemented to prevent against this attack. Demonstrations will show:

Advanced DCO Techniques - A Different Way to Hunt

Defensive Cyber Operations have become increasingly focused on the “Hunt Methodology” - a mechanism geared towards locating an adversary in a network, as opposed to improving that network’s defensive posture. The 1CYBN began to develop the idea of “Advanced DCO Techniques” as a way to focus on securing the networks we visit, improving the capabilities of local defenders, and imposing cost on our adversaries. CPTs implement Advanced DCO Techniques during the SECURE or DEFEND phase of their operations, redesigning existing solutions or generating new use cases based on the unique characteristics of their environment. These solutions fall into two broad categories, Detective and Protective, that leverage the same core principle: engineer an environment that forces the adversary to illuminate themselves by expending resources on assets with little to no value. Detective techniques are similar to military deception operations: they do not force an adversary to do anything, but represent high-value targets where defenders can focus their observation and analysis capabilities. Protective techniques involve placing high value assets behind additional security mechanisms, further segmenting them from more exploitable areas of the network. From the defender’s perspective, detective techniques can be relatively trivial to implement, while protective techniques require a much longer period of dedicated engineering and observation to configure effectively. From the adversary’s perspective, detective techniques can be avoided even if implemented well, whereas protective techniques cannot be avoided and will consistently affect their operations. This presentation will illustrate the differences between the traditional Hunt Methodology and Advanced DCO Techniques. It will also present a use case to highlight the value of implementing Protective Techniques through a new technique called Restricted Access Domain Controllers, or RADCs. RADCs is a novel use case for Microsoft Read-Only Domain Controllers that, when combined with appropriate layer 2 and layer 3 network segmentation techniques, provides a relatively immediate no-cost security control alternative to Microsoft Enhanced Security Administrative Environment.

The wild west of WASM: Is web assembly a new frontier for memory corruption exploits?

Web Assembly was designed to be a safe, compact, efficient, and portable solution to bring the web up to speed with native code; but has it it breathed new life into old and obsolete memory corruption techniques? How much damage can really be done by playing nice in the sandbox? This talk will examine the design and security considerations of Web Assembly, possible shortcomings, and recent research into its memory-safety.

Reproducible, Version-Controlled Image Creation

How many hours of your life have been wasted staring at an OS installation screen, setting up a test environment you intend to use once? Or even worse, how many times have you installed vim so you weren’t stuck with Nano? The goal of this presentation is to give you the working knowledge and toolkit required for reproducible, version-controlled image creation for deployment. The tools and techniques explained within can be used against anything from VirtualBox and Vagrant to AWS and OpenStack, though the focus will be on small, personal deployments.

Feedback - Importance in Cyber, Intel and Mental Health Life Cycles

In a cyber threat intelligence and intelligence fields feedback is critical to the intelligence life cycle. Entire groups, collectors and organizations can be shut down or given an incredible amount of money based on feedback from consumers. You might have heard before…”you need to a producer not a consumer”. While this is true, you also need be a good consumer and help the producers, who produce the best things, to continue to produce.

Weapon of Mass Destruction: A Look at the Ransomware Epidemic

The use of ransomware has taken organizations by surprise. While most organizations have dedicated staff to minimize and reduce the attack surface for such threats, the malware is still successful. Once infected, the attack has huge impacts on an organization’s business and its ability to operate. In some cases, organizations pay the fee to return their systems to normal. In other cases, organizations take to remediating the attack by restoring backups or seeking to reverse the encryption used through internal means. In this talk, we will dive into the ransomware epidemic and its effect on organizations. Additionally, we will look at defensive measures an organization can take to limit their chances of becoming a statistic and the headline on the evening news.

SCADA SPLUNK: A stop-gap solution to process variable anomaly detection

In industrial control systems, or ICS, there is a large amount of data that goes unused. This process data routinely sits in something called a historian and is just another way to consume energy. My goal is to display some of the benefits, mostly related to cybersecurity, of sending process data to an analysis platform like Splunk.

Autodyne: Rapid IoT firmware emulation for the discerning professional

Firmadyne is an amazing tool that allows users to emulate firmware images of embedded devices. Over the years, we began creating simple shell wrappers for all the Firmadyne commands. We determined that scripting a Docker container that simplifies installation and usage of the scripts used within Firmadyne will help other individuals get started in IoT firmware emulation.

Ransomware by the numbers - script-driven attacks by Dharma RaaS actors (and others)

Over the past year, ransomware gangs have increasingly turned to otherwise legitimate information security tools and a variety of automation scripts to carry out post-exploitation lateral movement, data exfiltration and defense evasion,among other tasks. Recent data on attacks by Dharma “affiliate” actors takes this to the extreme—the attackers used a “toolbelt”of packaged tools and scripts to automate their attacks. Other ransomware gangs, including Ryuk and LockBit, have also increasinglyused tools originally developed for penetration testing. In this presentation, I’ll review the most commonly-used tools and frameworks, and review the way they’re used by ransomware attackers.

Blockchain - Slowly, then all at once

Blockchain is a decentralized digital ledger technology that aims to change the status-quo of current business models and the structure of transactions made around the world. While Bitcoin and other cryptocurrencies represent the most popular application of the technology today, there are many possible implementations in industries known and unknown, each with a strength for its own domain. This presentation discusses the birth and evolution of the technology to present day and shines a spotlight on the coming technical revolution and the many use cases of blockchain today and in the future. Attendees will also receive a custom-made token, created by the presenter.

Automating Your Persona Ops - Tools to create your own troll farm

This talk is focused on how to automate the technical aspects of persona ops in order to create realistic and credible technical personas which reinforce the believability of the account personas built on-top of them. We will look at custom tools designed to provision servers, manage system and browser fingerprints and break browser isolation so a single user can control multiple simultaneous account sessions on a single Windows system without clunky VMs. The takeaway is that it is unfortunately easier than ever to create a small troll farm built on a solid technical foundation and as adversarial influence operations become more sophisticated, identification of technical anomalies that indicate signs of deception will be an important instrument to highlight malign activity.

Cars CAN be secure or: How to stop worrying and make ICS unhackable for < $5

Bit smashing transceivers are a cost effective method for making multicast industrial control systems (ICS) practically un-hackable. For passenger vehicles, manufacturing robotics, medical devices, and other industries using multicast ICS protocols like the Controller Area Network (CAN), this includes stopping denial of service attacks which are commonly thought to be unstoppable. Low-cost bit smashing transceivers are already on the market. This talk is intended to inform and be a call to action for manufacturers to adopt this technology into their products.Brent introduces the concepts of a network’s physical and data link layer, bit smashing, and the CAN multicast ICS. Then, he explains how using bit smashing transceivers effectively creates a ‘perfect’ intrusion detection and prevention system for multicast ICS.

Techniques for Covert Communications Within Windows

Microsoft has made great progress in securing the windows kernel with things like Kernel Patch Protection and soon to come Control Enforcement Technology (with help from hardware). However, you’ll still find vulnerabilities in SMB and RDP that allow forkernel mode execution. Most researchers like to stop there and then grab your normal double APC scheduling mechanism with a reverse shell payload. In this talk we go beyond that and survey current payloads, and develop new foundations and methods for backdoorsthat allow for arbitrary code execution in user mode with system privileges. We plan to cover simple payloads such as double APC and move towards more advanced in-memory backdoors. Finally, build off of a existing project that allows a metasploit-like framework in the kernel.

A Survey of the Additive Manufacturing Cyber Killchain

In terms of IOT devices, 3D printers and other additive manufacturing technologies present a kinetic exploitation vector with the potential to impact a vast number of other systems. As 3D printing finds itself at the bleeding edge of producing replacement parts or manufacturing improvised weapons, the ability to understand this exciting technology’s weaknesses in order to defend our capabilities while degrading the enemy’s is paramount. The abilities of additive manufacturing technologies, the production pipeline from concept to physical parts, and the gaps and surfaces in the respective kill chain will be discussed.

Better Best Practices

Best practices are an aggregate of shared experiences and lessons learned. Other than anecdotal evidence, there’s no proof they actually work. Until now. This presentation showcases 5 years of case studies that demonstrate the efficacy of proactive security measures — and highlights gaping holes in security practices that are ripe for exploitation.

Rapid Development for Emergency Response Scenarios

Rapid application development tools, sometimes referred to as “low code” or “no-code” in common buzzword, provide a clear boost when you need to quickly adapt to a changing situation on the ground during an emergency response situation. Higher headquarters information gathering requirements change, reporting formats proliferate, and oftentimes the Tactical Operations Center is left massaging data from emails, texts, and attached spreadsheets into the format of the day.

An Analysis of the Strategic and Tactical Risks of Cyberattack Against Unmanned Ground Vehicles (UGVs)

This presentation explores the risks from the strategic to the tactical levels of cyberattack against unmanned ground vehicles (UGVs). As the modern battlefield becomes increasingly digitized, the number of unmanned weapons platforms is only increasing. Utilizing the case study of the newly-announced TEXTRON Ripsaw M5, this analysis explores the risk that UGVs, particularly whose capabilities could replace current armored infantry fighting vehicles, pose when looked at through a vulnerability assessment. Despite TEXTRON’s claims that this technology is “proven” and “hardened,” the U.S. Armed Forces has not fought a true peer competitor since World War II. Therefore, this analysis exploits these claims by identifying five potential vulnerabilities in peer versus peer combat: disablement or hindering of weapons systems or sensors; hijacking of systems to attack friendly forces; potential utilization of compromised sensors by enemy ISR; feeding of false data into sensors and the potential for “Terminator”-esque scenarios if advanced AI control is implemented. The analysis also discussed three historical incidents: from an air defense cannon’s failure which killed 9 South African soldiers; to the compromise of a U.S. RQ-170 Sentinel; to this year’s hacking of F-15 computer systems by ethical hackers which prove that these vulnerabilities are already plausible. Analysis also highlights how current adversary doctrine (particularly Chinese and Russian) is poised to utilize these vulnerabilities in warfare. The climax occurs through a scenario depicting how a theoretical tactical usage of cyberattack against UGVs in combat could result in strategic implications for U.S. forces in the future. The presentation then culminates with three discussion questions: which methods could mitigate the risks posed to UGVs; could the notion of UGVs be more a liability than a positive; and what are some potential advantages of networking in UGVs in cyberwarfare?

Know Where to Go: Using Go for Cyber Security

Since its rise in popularity in the 1980s, C has been the primary language of choice for systems programmers due to its ability to interact with the operating system via system calls, its fine-grained memory control and the speed of its binaries. However, C is often criticized because it lacks memory safety guarantees and cross-compiling for different operating systems and architectures is non-trivial.

An introduction to APRS

This presentation will provide a brief introduction to the Automatic Packet Reporting System an open standard for digital communication for sending data, predominantly positional data automatically in short digital beacons over amateur radio frequencies, how it works, and it’s intended use. Then I will go into an analysis of the vulnerabilities of the system as well as where the protocol succeeds in the context of the CIA triad. Initially I’ll outline its use in search and rescue applications. Next, I’ll dive into finding individuals to contact in the amateur radio community. Finally, I’ll go into sending out weather data. I will then move into an explanation of the packet format and a very brief look at the AX25 data link layer protocol APRS utilizes and a brief explanation of digipeaters and igates that expands the range of the APRS network. I will move into the security strengths and weaknesses. The sole strength being only that the system is very de-centralized making it fairly reliable in the local area and easily expanded. The weaknesses include a lack of true authentication in that anyone can claim to be anyone, no encryption is permitted due to FCC regulation on the airwaves. Due to this it is easy to feed the system false data interfering with other users and preventing any guaranty of integrity. The lack of encryption also results in absolutely no confidentiality as anyone can hear the packets getting beaconed out.

Thanks SpaceX! Client-side JavaScript for the Win!

In May, SpaceX successfully launched a manned mission to the International Space Station on a Crew Dragon Spacecraft. For the Crew Dragon User Interface, SpaceX engineers used JavaScript and Chromium based software. SpaceX’s choice of JavaScript for the user interface surprised many people because JavaScript is seen as a language used to program websites that are commonly unresponsive. The same techniques SpaceX used for user interface design can be currently employed to process and display information on computers with internet access.

Indicators of Targeting - Indicators of Compromise Vs Indicators of Attack

While cyber vulnerabilities are common knowledge across the Department of Defense, the fundamentals of how to discover and think like your adversaries are less well known. Learning about each individual phase within the Cyber Kill Chain can help with this process. The Cyber Kill chain breaks down the mechanisms of an attack, so you can understand each phase from reconnaissance to actions on objectives. The lecture on the Cyber Kill Chain will be followed by an interactive capture the flag exercise.

Closing Remarks

Brief remarks from the AvengerCon V lead organizer to say thank you to everyone who made the event possible.