Android Mobile Hacking Village

From Stagefright to rootkits, the Android Mobile Hacking Village, provided by Sirgid, will offer mobile phones along with a virtual machine containing Android vulnerabilities, plus a mini CTF to see who can exploit the most mobile phone vulnerabilities.


Calls for Workshops

HackWest has extra rooms that we would like to fill with community-driven workshops. Workshop slots will be assigned on a first come, first served basis.

Community members will run the workshops, and we expect them not to collect any fees. If your workshop or class has a fee or a materials cost, please let us know, as you will need to collect those charges from the students directly rather than through HackWest.

If you are interested in becoming an instructor, please fill out this form:
https://docs.google.com/forms/d/172ISLdCExQDkFWCOji3f6xIGaGIN3e6v8iRrIauYlmk/edit

Thanks for helping HackWest by helping others learn and expand their knowledge.

Thank you!

801 Lock Sport Lock Picking Village

Lock Picking Village provided by Marv and DC801 for HackWest.

The lock picking village will contain sets of picks and practice locks for people to practice their skill at popping locks. The lock picking village will be open during March 21-22. Depending on availability, instructors will provide instruction in the art of picking common locks on the market today. Everyone from complete beginners to well-worn professionals is encouraged to join in.


Don’t Suck at Wireless

Jordan Drysdale  @Rev10D

Kent R Ickler @Krelkci

Wireless technologies are considered an easy target for red teams and hackers. Infrastructure design and management are slow to respond to the barrage of new attack methods and vulnerabilities within standardized wireless protocols. Watch as Jordan and Kent explain how rethinking wireless infrastructure can stop attackers in their tracks, leaving them stranded in a wireless wasteland.

The duo discusses how typical wireless deployments don’t provide security despite giving the perception of a secure environment. Blue teams will learn how attackers can be identified and how to make their attacks irrelevant by treating encrypted WiFi as the truly hostile and untrusted environment it is.

Bio

Jordan is a pentester for Black Hills InfoSec, a malware and packets researcher, and a gardener. In a previous life he worked in tech support for HP’s networking division, focused on escalations, engineering, training and wireless products. He also worked for a managed services provider in a firewall configuration, management, and logging role. Avid purple teamer with Active Directory expertise and a sturdy networking background; Cisco CNP, HP MASE, Fortinet CNP, Microsoft CSA.

Voting Machines

Voting Machine Village

HackWest will be providing a dozen voting machines for discovery purposes. Stop by the Voting Machine Village and spend 10 minutes, an hour, or 8 hours testing the same machines used in Utah’s general elections.

The Voting Machine Village will be open daily from 9:30am to 5:30pm during the conference in the Villages area. Attendees will have the opportunity to perform a blackbox assessment on the machines pictured below.

Start your research now on the Diebold Accuvote TSX systems. The village will also have a significant number of Access Cards for these machines. The rest of the hardware is up to you. The machines are currently running Premier Election Solutions BallotStation 4.7.

What are you waiting for, you should be doing your recon right now!

The best hack wins the election (and maybe even your very own voting machine)!  Johnson/Banks 2020!

https://essvote.com/products/3/7/dre/accuvote-tsx/



Schedule 😁

March 21 & 22

8:30 AM  Registration
9:30 AM onward  Trainings, Workshops, Villages and Lightning Talks

March 23

8:30 AM  Keynote {Announcement Coming}

9:30 AM
  Track 1: Erich Kron – Put up a CryptoWall and Locky the Key – Stopping the Explosion of Ransomware
  Track 2: Sherrie Cowley – Breaking Multifactor Authentication

10:30 AM
  Track 1: Pau Muñoz – Enhancing the purple team concept through security research
  Track 2: Troy Jessop

11:30 AM
  Track 1: Morgan Roman – Integrated security testing: finding security vulnerabilities with your existing test framework
  Track 2: Waylon Grange – These are not the files you are looking for: Creating MD5 collisions against signed executables

12:30 PM  Lunch

1:30 PM
  Track 1: Gabriel Ryan – 5Ghz Electronic Warfare
  Track 2: Tanya Janca (OWASP) – Pushing Left like a Boss

2:30 PM
  Track 1: Adam Steed – For Good and Evil: Password Hash Dumping In Active Directory
  Track 2: Seth Law and Justin Larson – Security Headers and You

3:30 PM
  Track 1: David Thompson / Robert Neel – Zero to Hero – Building a Red Team, one step at a time
  Track 2: Jordan Drysdale / Kent Ickler – Don’t Suck at Wireless

4:30 PM
  Track 1: Jayme Hancock / Marley (@mkr_ultra) – Where’s the BeEF? Pwning with the Browser Exploitation Framework and Building Effective Defenses
  Track 2: Joe Gray – DECEPTICON: Deceptive Techniques to Derail OSINT attempts

5:30 PM  Keynote {Announcement Coming}

Security Headers and You

Seth Law  @sethlaw

Justin Larson @phant0mtrav3ler

Prepare for a journey through the tangle of HTTP Security Headers. What are they? Why should you use them? Who do they protect? How do they reduce risk? This talk will review both old and new security headers, their history, adoption rates, and show examples of good and bad implementations. It will also include demonstrations of common web attacks with and without the headers in place as long as _someone_ performs the blood sacrifice to appease the demo gods.

Bio

Coming Soon…

Justin is an AppSec consultant by day and a cleaner of messes by night.

Do you work at a dot edu? Would you like a discount? Of course you would!

Hey, I was once a student. For a long time. My mother was a teacher. I know personally that both students and educators don’t have a lot of money to throw around. So in an effort to make it just a bit easier for you, we’ll give you half off of registration. Just use your school email address* to register, and it’ll happen automagically.

*If we see a bogus school in the DB, don’t count on getting your ticket. Or the discount to stick.

Breaking Multi-Factor Authentication

Sherrie Cowley @sherriecowley

Newsflash: Multi-Factor Authentication alone is not your company’s silver bullet. We will start off with a blue team perspective by exploring the common methods used in multi-factor authentication, including SMS, Authenticator Apps (OTP), Message Prompts, and Security Keys, and in simple terms I’ll explain the pros and cons as well as the protocols used by each. Then we’ll switch gears and demonstrate how a red team could still bypass strong authentication methods, leaving a company’s accounts vulnerable and requiring our defensive teams to consider additional controls.

Speaker Bio:

Sherrie Cowley has a Masters in Information Systems from the University of Utah with an emphasis on software engineering and cyber security. She has managed help desk, software engineering, and identity and access management teams and is currently an Information Security Manager for a large organization. She has presented at universities, was a keynote for Splunk Live, and acts as a liaison for InfraGard members and the FBI Cyber Task Force.


Pushing Left Like a Boss

Tanya Janca @SheHacksPurple

With incident response and penetration testing currently receiving most of our application security dollars, it would appear that the industry has decided to treat the symptom instead of the disease. “Pushing left” refers to starting security earlier in the SDLC, addressing the problem throughout the process. From scanning your code with a vulnerability scanner to red team exercises, developer education programs and bug bounties, this talk will show you how to ‘push left’, like a boss.

Speaker Bio:

Tanya is a developer advocate specializing in application security; evangelizing about software security through public speaking, her open source project OWASP DevSlop, and various forms of teaching via workshops, blogs and community events.  As an ethical hacker, OWASP Project and Chapter Leader, software developer, effective altruist and professional computer geek of 20+ years, she is a person who is truly fascinated by the ‘science’ of computer science.