Here is a listing of most of the talks and presentations I have given. I have not included any presentations older than five years.
DNS is the engine that drives the Internet, converting recognizable names into IP addresses behind the scenes. Only recently has the InfoSec community recognized the importance and value of logging DNS traffic and analyzing these logs to detect malicious activity. The development of a variety of open source tools has given network and security admins amazing resources for investigating DNS traffic for signs of improper configuration as well as tell-tale signs of compromise.
This discussion will examine examples of the common ways we see DNS being used to compromise networks, including DNS amplification, data exfiltration, botnet C&C communication, DDoS via DNS and other less well-known DNS exploits. We will then review some of the available open source tools, including Graylog, Elasticsearch, Kibana, Packetbeat and NXLog, that can be used to proactively log and monitor DNS and other traffic. The discussion will conclude by covering some practical solutions that can easily be implemented to enhance the security of any network. We will demonstrate simple and effective ways to discover compromised devices through DNS log analysis.
You've planned this engagement for weeks. Everything's mapped out. You have tested all your proxy and VPN connections. You are confident your anonymity will be protected. You fire off the first round and begin attacking your target. Suddenly something goes south. Your access to the target site is completely blocked no matter what proxy or VPN you use. Soon, your ISP contacts you reminding you of their TOS while referencing complaints from the target of your engagement. You quickly switch MAC addresses and retry only to find that you are quickly blocked again!
What happened? How were you betrayed? The culprit? Your dastardly DNS resolvers and more specifically, the use of certain EDNS0 options by those resolvers.
This presentation will cover the ways in which EDNS OPT code data can divulge details about your online activity, look at methods for discovering implementation by upstream DNS providers and discuss ways in which malicious actors can abuse these features. We will also examine steps you can take to protect yourself from these invasive disclosures.
The details covered will be only moderately technical. A basic understanding of RFC 6891 and general DNS processes will help. We will discuss the use of basic tools including Wireshark, Packetbeat, Graylog and dig.
Every day we are bombarded with news from every direction warning of impending doom for those connected to the thing we call the Internet. The InfoSec community banters about the Twitters discussing, dissecting and dissing those upon whom misfortune has fallen while forgetting that they too might one day suffer the same fate. George Santayana said “Those who cannot remember the past are condemned to repeat it.” Many in the community are far too young, have far too little history under their belts and spend little time understanding the path we all took to get to where we are today.
This talk relates the path I’ve taken from being a degreed Biologist and Microbiologist, through starting several Internet services companies, to my current position. I’ll relate my failures and successes during that journey to the state of tech at that point in time, examining common practices of the day that now seem ludicrous by today’s standards. The goal will be to help everyone learn some history from someone who has been there, so that we might start using that knowledge as a lens to help us better understand the current state of our industry and make better decisions moving forward. After all, what we view as standard, prudent and cutting edge today might not appear that way to those who come after us. Seeing where we have once been might help us really appreciate how far we have come!
Come join me on a twenty-plus-year trip down memory lane.
Be honest – do you cringe when you hear others using the word “cyber?” You are not alone. And now that the media uses “cyber” in every conceivable context, the public is completely confused. If you ask ten people what “cyber” means, you will get ten different answers! Many in our profession continue to perpetuate these lexical faux pas, parroting what they hear without fully understanding the meaning of what they are saying. At many talks, attendees play games often betting on the number of times “cyber” will be used in each talk!
As specialists in information security, we should be choosing our words carefully and conveying the clear meaning of those words. Allowing the media and other non-technical people to dictate the language we use to describe the intricacies of our profession leads to more harm than good. The InfoSec world is changing rapidly and we should be the ones leading the way. Using the proper language is critical to better understanding for everyone.
This talk will dig into the evolution of the use of “cyber” while attempting to define the proper terms we all should be using to describe the various realms of our profession. We will examine these realms and set a solid lexical foundation that will help us all be better prepared when explaining highly technical concepts to the average non-technical person. The goal: better security for everyone.