===
NCC Group Security Open Forum - San Francisco

DATE: Thursday, March 23, 2017
TIME: 6:00pm-9:00pm
LOCATION: Dropbox Offices
333 Brannan Street
San Francisco, Ca 94107

Please RSVP via https://www.meetup.com/NCCOpenForumSF/ if you wish to attend!

technical managers and engineers only please
food and beverage provided

===
AGENDA

SPEAKER: Jake Heath / Senior Security Consultant / NCC Group

PRESO TITLE: On Adding Certificate Pinning to Android WebViews

PRESO SUMMARY: In most mobile penetration tests, certificate pinning comes up in either one form or another. However, if a mobile application makes use of WebViews to implement the core of their functionality and UI (a common theme quickly emerging with hybrid applications) certificate pinning is not so simple of a recommendation. During this talk, I will guide you through the history of Android WebViews, why certificate pinning is important, and my humble attempts at correcting the problem. We'll discuss some of the code I have written, many of the 'gotchas' I encountered, as well as a couple features Android recently released to address the issue in newer API versions.

SPEAKER BIO: Jake Heath is a senior security consultant at NCC Group, bringing years of experience building full-stack environment applications and embedded devices throughout his graduate program. At NCC Group, he has worked on a variety of engagements, including web application penetration tests, network penetration tests, architecture reviews, and source code review engagements.

Jake s current realm of expertise is in application security, with particular skill sets in various web application frameworks like Ruby on Rails, Spring, and nodejs. Jake has been very successful in finding vulnerabilities with these framework applications, as well as building effective exploits and maneuvering around various architecture defenses, such as web application and network firewalls.

-=-=-

SPEAKER: Ian Nickles / Security Engineer / Dropbox

PRESO TITLE: Adventures in red teaming at Dropbox

PRESO SUMMARY: Red teaming can be quite an adventure! Especially for those trying to play both sides. Join us to hear about Dropbox's adventures from a previous red team exercise, from interesting challenges in working as a double agent, to catching up with the red team's activities and uprooting them from the infrastructure. We'll also speak to why we do red teaming and some things we're doing to prevent attacks from being successful.

SPEAKER BIO: Ian Nickles, an iSEC/NCC Group alumni, is a long time computer and math nerd, where a healthy dosage of mischief naturally led him to security. Having started his security profession in the offensive camp, he has since jumped to fence to focus on defense as a member of Dropbox's Detection, Alerting, Response and Triage team. When not behind a computer he's probably continuing his quest of finding epic gnar to shred.

-=-=-

SPEAKER: Christian Frichot / Lead Product Security Engineer / Salesforce

PRESO TITLE: Dormant DOMination

PRESO SUMMARY: Traditional attacks to air-gapped networks have looked at vectors such as USB memory sticks (thanks Stuxnet), audio signals (thanks BadBIOS) and even cellular frequencies (thanks GSMem). But it's not entirely uncommon for portable devices (laptops, smart phones) to go from network to network, even connecting to potentially sensitive corporate networks. In fact, every day many corporate devices connect to the local coffee shop wifi on the way into the office. And it's here where things get interesting. Advanced mitigations to these vectors include things like host-health check, upon re-connecting to secure networks. But what s the chance that these scans will pick up on JavaScript that may be running in the DOM?

Leveraging a number of existing browser technology, such as WebRTC, Web-Workers and good old fashioned XMLHttpRequest objects we have everything we need to plant a JavaScript hook and monitor the local network interface for changes in connectivity. From here, we can start scanning different local subnets looking for available hosts. Once identified, we can even determine if they have any listening ports.

This presentation will discuss existing methods of subnet discovery & scanning, persistence methods and ways in which dormant JavaScript objects can periodically scan the local browser's network to discover new attack surfaces, even those that may be air-gapped. (Bloody JavaScript...)

SPEAKER BIO: Christian (@xntrik) is an app sec nerd who currently works at Salesforce, previously at LinkedIn. Originally from Australia, Christian helped start an awesome, Perth-based security consulting firm, Asterisk Information Security. Christian has a deep love/hate relationship with JavaScript, and his involvement with BeEF resulted in him toiling away in the salt-mines as a co-author of the Browser Hacker s Handbook (by Wiley). When not hacking apps, Christian spends his time either ranting about appsec or pining to get behind his drumkit.

===
About the NCC Group Security Open Forum

The NCC Group Security Open Forum is an informal and open venue for the discussion and presentation of security related research and tools, and an opportunity for security researchers from all fields to get together and share work and ideas.

The Forum meets quarterly in the Bay Area, Seattle, Chicago, New York City, and Austin. Forum agendas are crafted with the specific needs/interests of its members in mind and consist of brief 20-30 minute talks. Talks are not product pitches or strongly vendor preferential. Attendance is limited to engineers, technical managers, and those interested in the world of information security. Any area of security is welcome including reversing, secure development, new techniques or tools, application security, cryptography, etc.