- Social Engineering the Boardroom: How to Get What You Want
This is a presentation about security and how to sell it to management.
There are some lines even the gifted among us cannot cross. They are not clearly drawn in the sand but they are defined by accountants. I am of course talking about the Security budget.
I know most of you here are engineers and it's really hard to engineer around the budget. You will always get sub-optimal solutions, so my talk will focus on how to get what you want and make them pay for it.
Speaker: Freek de Man
- Threat Modeling as a Way of Architecting Resiliency
By now we are all familiar with Threat Modeling and the very positive effects that it can have on application security. I've found that by tweaking the Threat Modeling Model (is that recursive?) just a bit you can also use it as a way to think about how to keep your infrastructure operating in tip-top shape when Murphy's Law strikes. Using these principles inside of some large companies, I have found surprising holes that were lying just under the surface. We will explore some of these and how threat modeling may have shown them up before they impacted business.
Presentation by David Greer
The meeting link will request your name and email address. I don't care if you put in valid information, we don't keep it or use it.
Event is co-sponsored by Tech Collective https://tech-collective.org
- DIY Electronics Maker Bench
I started making electronics projects in mid-2019 on a shoestring budget. I also plunged head first and blindfolded into surface mount technology (SMT) printed circuit board (PCB) design. I quickly realized I wanted tools to make my projects possible and - if possible - as easy as possible. (There were a lot of possibilities.) With not a lot of money, and perhaps not a lot of forethought, I started making my own PCB assembly tools.
I knew I wanted to make PCBs with SMT parts. I looked around and watched YouTube and Instagram and gradually pieced together what I wanted my PCB assembly process to be. I wanted to be able to quickly populate a PCB. I wanted to reflow the PCBs. I wanted to be able to program the microcontrollers at my bench without the need for my computer.
So, I started by making a reflow hotplate. Then I made a portable programmer for ATMega and ATTiny chips. Then I created some SMD strip holders. Then I assembled a vacuum pen. Collectively, these DIY tools make up the majority of my electronics assembly workflow.
What have you made so far:
A whole lot of PCBs. I started with 4 SCREAMZY toys; then came 10 holiday ornaments (with blinky LEDs and beepy noises); 250 of the 2020 eChallengeCoins; and another 50 holiday ornaments.
I've made hundreds of PCBs and placed thousands of SMT parts in the past 9 months.
Speaker: Bradán Lane
- The Social Engineer's Tool Chest
A brief introduction by Edward Miro, known as @Miro_Labs on Twitter, to the art of social engineering, then a live demo of some of the most popular tools used to run social engineering campaigns including: Maltego, The Social-Engineer Toolkit (SET), King Phisher, and Gophish. Q&A after (time permitting). We will meet virtually using https://www.gotomeet.me/DC401
This meeting is in partnership with the Tech Collective (https://tech-collective.org)
- 10 Unexpected Ways I Pwned You
This presentation is about my experiences finding vulnerabilities on client pentests which were typically not found by vulnerability scanners and other pentesters, or were not remediated after previous assessments due to a lack of understanding of the potential impact.
By Steve Campell (@lpha3ch0)
This event is supported by Tech Collective in Providence, Rhode Island
- Using OWASP Nettacker For Recon and Vulnerability Scanning
The OWASP Nettacker project was created to automate information gathering and vulnerability scanning and, in general, to aid penetration testing engagements. Nettacker is able to run various scans using a variety of methods and generate scan reports for applications and networks, covering services, bugs, vulnerabilities, misconfigurations, default credentials and many other features - for example the ability to chain different scan methods and get reports in JSON and CSV format. This relatively new (Summer 2017) and lesser-known OWASP project generated a huge amount of interest at the BlackHat Europe 2018 and 2010 Arsenal tracks, gathering massive crowds of seasoned hackers and penetration testers eager to see this new tool in practice.
Sam Stepanyan is an OWASP London (England) Chapter Leader and an Independent Application Security Consultant with over 20 years of experience in the IT industry with a background in software engineering and web application development. Sam has worked for various financial services institutions in the City of London specialising in Application Security consulting, Secure Software Development Lifecycle (SDLC), developer training, source code reviews and vulnerability management. He is also a Subject Matter Expert in Web Application Firewalls (WAF) and SIEM systems. Sam holds a Master's degree in Software Engineering and a CISSP certification.
Defcon401 meetings are in partnership with the Rhode Island Tech Collective in Providence, RI.
- BSides Boston
This is not a Defcon 401 event. This is the annual BSides Boston conference. I wanted to make you aware it's happening. Tickets start at just $10 and the entire conference will be virtual. You can attend from home, from Europe, Antarctica or the International Space Station!
Get your tickets and see the speaker lineup at https://bsidesbos.org
- Eeny meeny MIMEy moe: Playing the Shell Game
Unrestricted file uploads can break your web application and give attackers a pivot point into your network, whether it's in the cloud or in your data center. Learn some basic techniques that you can use to ensure your application continues to work the way you expect it to, no matter what programming language your application is written in.
Presented by Michael Rossoni
Sponsored and supported by the Tech Collective.
- Using Burp Proxy for Mobile Applications
Jesse Roberts of Compass IT Compliance will come back to talk about how to use Burp Proxy to view and intercept mobile application traffic. Have you ever wondered how a mobile application interacts with its servers? What is in the requests and responses? And can you alter the traffic to get free stuff in games (hopefully not)? Jesse will show us how to route mobile application traffic from our phone or other device through Burp Proxy to see what requests are made and what responses are coming back.
If you want to try it out yourself, install the Community Edition of Burp Suite, which you can get here: https://portswigger.net/burp/communitydownload
- Domain Categorization with DomainCat
This will be a virtual, online event. Link will be shared with those who RSVP.
Domain Categorization is a useful tactic in helping secure your organization, but what is it, how does it work, and can it stop attacks against your organization? This talk will cover how domain categorization works and how to check categorizations on domains. For those on the red team side, we will look at how to get your domains categorized to bypass your target's protections.
Kirk Hayes is a Senior Security Consultant with over five years of experience performing security assessments and penetration tests and over 15 years of experience in Information Technology. Kirk has conducted penetration tests and red teaming against the internal and external networks and applications for large and small organizations, including organizations in the financial, technical, payment processing, legal, and defense space. Kirk is an active member in the information security community. He has developed tools such as backHack, myBFF, and Spotter. He has presented at various conferences such as DerbyCon, BSides, and Chicago CyberSecurity Summit. Kirk is also active in participating in Capture the Flag (CTF) competitions.
This meeting is in partnership with Tech Collective of Providence, RI