July 24 - Virtual InfoSec Conference (2020)

Luke Crouch

Crypto: 500 BC – Present (sorta)

VIVA LA PRIVACY!

Luke is a Privacy & Security Engineer for Mozilla Firefox. He applies his 20 years of holistic, “full-stack” software engineering experience to protect against the privacy & security threats facing billions of global internet users every day. His work focuses on data breaches, passwords, and online tracking, and he has also contributed to networking & cryptographic privacy & security. He is a board member of Techlahoma Foundation, an advisor for University of Tulsa and Oklahoma State University technology programs, and a member of the Electronic Frontier Foundation, Tor Foundation, and the OWASP Foundation.

Jimmy the James

PKI and HTTPS Interception

A high level overview of what PKI is, how it works, ways you can install your own internal PKI and gotchas with doing that in order to do it better than I did originally. Then the next part will be over how to lawfully intercept or MITM HTTPS traffic and the gotchas and lessons learned from first hand experience.

Passionate and paranoid information technology professional, who also loves to serve the community. Been in IT for over 15 years, with almost 10 years of that in Information Security. I have been fortunate enough to have had the opportunity to work on just about everything there is to do in InfoSec, with some deep knowledge in SIEM and reverse/forward web proxy technologies. My current focus is on infrastructure and endpoint automation mostly for hardening and resiliency purposes.

Kristopher Wall

SQL Injection on Steroids: Going Deep

You’ve seen the basics. Let’s crank it up and do some cool stuff with your injections.

Kris is a Security Specialist with Stinnett & Associates. He is based in Oklahoma City and has more than 15 years of experience as an IT and security consultant. Kris is passionate about application security and regularly gives offensive and defensive talks at information security conferences, including BSidesOK and the Federal Bureau of Investigation’s Information Warfare Summit.

Kris is an Offensive Security Certified Professional (OSCP), an ISC2 Certified Information Systems Security Professional (CISSP), and an ISC2 Certified Cloud Security Practitioner (CCSP). Kris has also obtained CompTIA certification for Pentest+, Security+, A+, Network+, and is a Certified AWS Cloud Practitioner. He is a member of the Institute of Internal Auditors (IIA), InfraGard, the Information Systems Audit and Control Association (ISACA), and the Information Systems Security Association (ISSA.)

Hunter Jones

2020: A Forensic Odyssey

2020: A Forensic Odyssey is a high-level overview of the digital forensic process, the tools involved, and why digital forensics are important now and are only going to become more important as time goes on. Using real world examples and experience, this presentation will help improve the audience’s familiarity with digital forensics, and clear up some of the misconceptions about the field. In addition, this presentation will provide a way for those that are interested to ask questions, or gain a better idea of how to get into the field.

Hunter is a digital forensic expert for Guernsey.

Aaron Ralls

Security Simplified with IdentityServer4

OAuth 2.0 and OpenID Connect and SSO, Oh My! This can be hard to do on your own.

Are you building your own security into your applications? If you are STOP!

Join me as I walk you through how to use IdentityServer4 to secure your API’s, MVC applications, services, and mobile applications.

Aaron is a Cloud Solutions Architect with Microsoft focusing on migrating applications to the cloud. Aaron is also the President of the Fort Smith Tech Users Group since April 2018.

Aaron started as a developer and later served as a Manager of Developers, Business Analysts, Test Analysts, Vendor Managers. During his twenty plus years, Aaron has worked in banking, electric utilities, health care, transportation.

Aaron is an analytical and solution-oriented professional with expertise in guiding teams to improve efficiency by identifying the core issues.

In his free time, Aaron enjoys music and food festivals, video games, the occasional workout, and spending time with his family.

Nick Harris

Leveraging Information Leakage & Misconfiguration

Issues related to Information Leakage & Misconfiguration are surprisingly common in modern web applications. Seemingly harmless oversights in the deployment and configuration of network assets can be leveraged into more malicious attacks, and can have potentially severe (negative) impacts on critical business operations.

Предоставлено вашими дружелюбными местными русскими

dolphins

Ochaun Marshall

The DevOps Crusade

Lately, organizations have been embracing DevOps, a set of cultural philosophies, practices, and tools that increases an organization’s ability to deliver applications and services at high velocity. This has allowed organizations to grow and deliver products faster than more traditional approaches. This has also led to misconfigurations that cause massive data leaks.

This talk is focused on developers, DevOps engineers and the security professionals who work with them. It lays down some strategies on how to continue using DevOps practices while incorporating security in Amazon Web Services. Without integrating security standards with DevOps, misconfigurations will continue to occur and data links will continue.

Ochaun (pronounced O-shawn) Marshall is a developer and security consultant with a background in computer science education and machine learning. In his roles at Secure Ideas, he works on ongoing development projects utilizing Amazon Web Services and breaks other people’s web applications. When he is not swallowing gallons of the DevOps Kool Aid, he can be found blasting Two Steps from Hell while hacking, blogging and coding.

Nathan Sweaney

Privacy as a Service: Exploring the Results of Modern Technology Advances

In this talk we’ll discuss recent tech developments that threaten privacy on a large scale. We’ll consider the future of that tech. And then we’ll hypothesize on future services for privacy-seeking consumers. Buckle your seat belts for this fast-paced drive into the future of privacy.

Nathan is a Senior Security Consultant for Secure Ideas.

Aaron Crawford

Proven AI for Security

Many vendors and influencers wax endlessly about Artificial Intelligence but what exactly is it? How does it apply to security? Discover from Aaron Crawford, one of the leading independent researchers in the field how to quick start your path into AI for security, complete with hands on examples.

As a certified security professional with over 25 years of experience in the information security industry, Aaron Crawford eats, sleeps and continually drinks from the security fire hose. This passion for IT and Security lead him to form the Insider Security Agency. There he has authored several books on security and is professionally known as one of the most proficient and successful Social Engineers. When he is not helping others learn about security, he can be found developing new solutions in the field of Artificial Intelligence, as one of the leading independent certified researchers in the field.

Pedro Serrano

Ten Easy Things that you can do to secure your cyber presence

Ten easy to remember things that you can do TODAY to make your Cyber life and your families life a lot safer … This is a funny talk about the easy to do changes in our social media, passwords, how to protect our PC, two factor authentication, online purchases, and the very simple credit freeze

Pedro Serrano has over 35 years of experience managing and installing technical controls in networks around the world, 20 of those in military systems. He is the Chief Information Security Officer (CISO) at Grand River Dam Authority (GRDA) a State of Oklahoma Agency producing and distributing reliable electricity from Hydro Electric plants. Pedro has two postgraduates degrees one in Telecommunications Management from Oklahoma State University and the other in Computer Science from Tulsa University. Pedro serves as the President of the Information System Security Association (ISSA) chapter in Tulsa, Oklahoma and holds the CISSP certification from ISC2.

Aaron Moss

How To Basic(s): Basic Controls (1-6) from the CIS Top 20

Today’s organizations are being hit left and right by data breaches, network attacks, and social engineering campaigns, some rolled up in one nice, neat package. This talk will show how implementing the Basic (1-6) CIS Controls can help secure your organization from –Mayhem– Bad Guys, like me.

I’m one of the BSidesOK coordinators. 🙂

Cameron Mac Millan

It’s 2020, so why am I still able to read your pager traffic?

This talk explores why pagers remain a potential threat vector in many environments despite the technology being 40 years old. This is not a the-sky-is-falling presentation: everything from paging history to how simple it is to decode pager traffic (and the associated risks) is covered without FUD.

I enjoy poking things with sticks and turn over rocks to see what crawls out from under them. One of my interests is seeing how technologies believed to be obsolete can still pose a problem for security today, and do that from the perspective of a 20-year career in infosec. When not creating tomorrow’s problems with yesterday’s technology, I can usually be found wrenching on unusual cars.

Geoff Wilson

Don’t Get Hacked in 2020 – Top Breach Threats and Breach Prevention Controls

We studied hundreds of recent data breaches to identify the top breach causing threats and the most effective breach preventing security controls. In this talk we will dissect these breaches, discuss lessons learned, and help you build an actionable plan to prevent breaches in your organization.

Geoff Wilson is CEO and Founder of Go Security Pro. Geoff uses data breach analytics to help companies cut through the noise, decipher what is important, maintain threat alignment, and consistently mitigate risks. Geoff has a Master’s of Information Security from Carnegie Mellon University and a Bachelor’s of Computer Science from the University of Oklahoma. He taught a graduate-level Information Security course at the University of Oklahoma for four years. Geoff is a published author, has worked with the National Security Agency, has consulted with the Executive Office of the President, and has been in Information Security for 17 years.

Crux Conception

When Stress Meets Tech

The pressure of working in the field of computer technology can be a dream for the observers
and the nightmare for the workers.

Working in the world of technology can be a great experience, which Developers, Specialists,
Designers, Engineers, Experts, Managers, and Technicians create and dive each time they start
working.

The lecture offers solutions to support individuals who are afflicted by stress within the IT
community is employee input, better task content, amplified job control, equal production values,
career expansion, enhanced peer socialization, and more excellent workplace ergonomics.

Key Takeaways:

Overall alertness- regarding the onset to stress
Stress at one’s place of employment
Mentally supporting yourself
Recognize the best method in a tense setting

Crux resides in Fort Wayne, Indiana, and has over 20 years of Law Enforcement (LEO), Criminal Profiling and teaching experience.

@CruxConception (TWITTER)

@CruxConception (LinkedIn)

Michael Gough

You need a PROcess to check your running processes and modules. The bad guys, and red teams are coming after them!

If there is a file on disk, you can easily SEE the bad fu, but what if the malware is nowhere to be found on the disk? Malware can be broken up into several types, some call it ‘fileless malware’ (poor non-descript term). The malware really isn’t fileless, the file, or code lives somewhere.

Michael is a Malware Archaeologist, Blue Team defender, Incident Responder and logoholic. Michael developed several Windows logging cheat sheets to help the security industry understand Windows logging, where to start and what to look for. Michael is a primary contributor to the Open Source project ARTHIR. Michael is also co-developer of LOG-MD, a free tool that audits the settings, harvests and reports on malicious Windows log data and malicious system artifacts. Michael also blogs on HackerHurricane.com on various InfoSec topics. Michael also is co-host of the â€œBrakeing Down Incident Responseâ€ BDIR Podcast to education on Incident Response daily tasks. Michael also ran BSides Texas for five years for the Austin, San Antonio, Dallas and Houston cons.

Austin Gossmeyer

99 panes but Tmux ain’t one. Hacking with Tmux.

Trying to wrangle too many terminal windows. Trying to manage
too much info. Do I have the tool for you!

He is one of the founders of Co-Laboratory makerspace, the Irregulars, and Root 66 security conference. He is also an organizer of OKC Lugnuts. Austin is also an active member of of the Oklahoma City hacker and OSS communities, including but not limited to Infraguard, DC405, OKCSec, and OKC2600. He considers himself a journeyman mage under two master wizards and a nomad.

Alex Bliskavka

Script your phishing mailbox processing with powershell & O365

Working your SOC’s phishing mailbox is a pain in the rear and taxing for analysts. Use powershell to create tools that help reduce rework and do initial triage.
Learn:
– Powershell resources: Get-Help, Get-member, Microsoft docs for object methods
– Hook Outlook client or connect to O365 via the EWS API to index and move email with powershell
– Use regex to remove url click protection re-writing and allow for urlquery.net analysis
– Email a ticket to your ticketing system with email content via Send-MailMessage

SOC/IR analyst, powershell tinkerer

Dan Strachan

The New Illiteracy in America

Many Americans are familiar with technical tools ranging from e-mail to Twitter. However, many Americans are borderline Luddites when it comes to technology. This can cause a myriad of problems from scams to what happened in the Iowa caucuses. I’ll show how we can mitigate this problem.

Dan Strachan is the Principal and Owner of Loyal Dog Consulting LLC in Annapolis, Maryland. Dan started Loyal Dog in 2019 after more than 30 years of trade association management. Dan was a Director at the American Fuel and Petrochemical Manufacturers where he started the associationâ€™s cybersecurity committee. It is known as one of the strongest voices in DC for cybersecurity in the energy infrastructure today. Dan has written articles on cybersecurity for numerous publications and has spoken on the subject at conferences.

A native of Quincy, Massachusetts, Dan holds a BA in International Affairs from the University of Central Florida and an MBA from the Johns Hopkins University.

Phil 'Soldier of FORTRAN' Young

Mainframe Hackin’: Choose Your Own Adventure

Mainframe hacking is hard, so they say, but not for you. It’s a rainy day when you find out some kids get accused of some really gnarly stuff like launching a virus against a megacorp. None of it is true, but the secret service doesn’t know that. Two media icons have reached out to you for your help. Are you a bad enough hacker to worm your way through a real mainframe and steal the data your friends need to set those kids free?

Join us for a Mainframe Hacking Choose Your Own Adventure. There are multiple paths, and endings. Some of them good, some of them bad. You’ll learn about how to hack a mainframe in the process.

This talk is an experiment in stream mode, so if that fails we’ll go on a detailed deep dive in to the network job entry protocol and how you can use that to own a network of mainframes.

Philip Young, aka Soldier of FORTRAN, is a leading expert in all things mainframe hacking. Having spoken and taught at conferences around the world, including DEFCON, RSA, BlackHat and keynoting at both SHARE and GSE Europe, he works very hard to teach and show how easy it is to red team (and blue team) mainframes. Since 2013 Philip has released tools to aid in the testing of mainframe security and contributed to multiple opensource projects including Nmap, and metasploit, allowing those with little mainframe capabilities the chance to test their mainframes. His hope is that through raising awareness about mainframe security more organizations will take their risk profile seriously.

BSidesOK 2020,

Oklahoma’s Premiere

Cyber Security Conference

has gone virtual!

Conference – July 24th, 2020

Join the Conversation

Watch our full Streams

Track 1

Track 2

Track 3

See the latest on our Twitter feed!

Conference

Schedule

There’s No

Playbook

for This

Jordan Wright

10:00 AM

Crypto: 500 BC - Present (sorta)

When Stress Meets Tech

Basic Controls (1-6) from the CIS Top 20

11:00 AM

You Need a PROcess to check your running processes and modules.

Don't Get Hacked in 2020 - Top Breach Threats and Breach Prevention Controls

99 Panes, but Tmux ain't one. Hacking with Tmux

Script Your Phishing Mailbox Processing with Powershell & Office 365

12:00 PM

Leveraging Information Leakage & Misconfiguration

Introduction to Application Security

It's 2020, so why am I still able to read your pager traffic?

1:00 PM

SQL Injection on Steroids: Going Deep

The New Illiteracy in America

The DevOps Crusade

2:00 PM

A Forensic Odyssey

Privacy as a Service: Exploring the Results of Modern Technology Advances

Mainframe Hackin': Choose Your Own Adventure

3:00 PM

Proven AI for Security

Security Simplified with IdentityServer4

PKI and HTTPS Interception

Platinum

Sponsors

Gold

Sponsors

Silver

Sponsors

Contributing

Sponsors

Speakers

Ochaun Marshall

Cameron Mac Millan

Alex Bliskavka

Michael Gough

Kristopher Wall

Austin Gossmeyer

Luke Crouch

Crux Conception

Aaron Moss

Geoff Wilson

Dan Strachan

Aaron Ralls

Jimmy the James

Nathan Sweaney

Aaron Crawford

Nick Harris

Hunter Jones

Phil 'Soldier of Fortran' Young

CTF Challenge

Code of

Conduct