What & Why
BSides Knoxville is a security conference in the spirit of Security BSides; our goals are simple:
- Provide a relaxed, comfortable environment.
- Present useful, interesting information.
- Help people connect with old friends and make new ones.
While our focus is information security, the information presented may be on varying topics of interest to the infosec / hacker (yes, this word has many meanings) community.
This event being produced by the community, for the benefit of the community; all decisions made, all actions we take are made with that in mind.
BSides Knoxville is being by members of the community. The planning team is:
The idea was hatched as part of a Twitter conversation between Adam Caudill and Adrian Sanabria; since then we have been planning and coordination to make this a reality.
How I’ve hacked and un-hacked a logic game (20 years to Lights Out)
Lights Out is a handheld electronic logic game. I was fortunate to be one of its inventors. During its design I’ve analyzed the games mathematics and realized that the gameplay can be hacked in ways that would diminish the challenge and fun. To prevent the hack we had to add a simple rule.
About five million devices were sold rendering Lights Out one of the most successful handheld electronic logic games ever.
The experience with Lights Out taught me how to methodically look for holes in design, software and hardware; a precious lesson to learn for security and R&D in general.
This talk is about logic, games, some basic math, hacking and how to think ahead to mitigate the inevitable.
Finding Bad Guys with 35 million Flows, 2 Analysts, 5 Minutes and 0 Dollars
There are a lot of proof of concepts out there for building open source networks forensics analysis environments. Taking them into production in an enterprise? Another story entirely. This talk will focus on my journey into constructing a large scale Netflow security analytics platform for a large healthcare management company’s complex environment on no additional budget. Important points to be covered were technology considerations, scalability, and how to quickly break the collected data down to find malicious activity on the network with minimal effort.
Phishing: Going from Recon to Credentials
Phishing is one of the few attack vectors that has become more prevalent over time. This presentation will explore common phishing attack tools and techniques. Additionally, we will be demoing a new tool which will assist penetration testers in quickly deploying phishing exercises in minimal time. The tool, when provided minimal input (just a domain name), can automatically search for potential targets, deploy multiple phishing websites, craft and send phishing emails to the targets, record the results, and generate a report. It will work in a stand alone fashion or make use of external tools (such as theHarvester, Recon-NG, SET, and Metasploit) if available.
Multipath TCP – Breaking Today’s Networks with Tomorrow’s Protocols
MultiPath TCP (MPTCP) is an extension to TCP that enables sessions to use multiple network endpoints and multiple network paths at the same time, and to change addresses in the middle of a connection. MPTCP works transparently over most existing network infrastructure, yet very few security and network management tools can correctly interpret MPTCP streams. With MPTCP network security is changed: how do you secure traffic when you can’t see it all and when the endpoint addresses change in the middle of a connection?
This session shows you how MPTCP breaks assumptions about how TCP works, and how it can be used to evade security controls. We will also show tools and strategies for understanding and mitigating the risk of MPTCP-capable devices on a network.
Cyber Cyber Cyber: Student Security Competitions
In this talk we will dive into the recent development of security competitions for the middle school, high school and collegiate levels like CyberPatriot, the Collegiate Cyber Defense Competition (CCDC), the US Cyber Challenge (USCC) and picoCTF. We will give an overview of the competitions, their challenges and what is available for students, instructors and professionals in the Knoxville area. This talk will also offer some tips and tactics to be successful at these events. By leveraging past challenges and learning the rules and format we will show you how to “hack” the competition. We will also go over our personal experiences participating and leading teams in these events.
The Impossibility of Protecting the Enterprise at $7.25 an hour
This talk will focus on the challenges Retail organizations, kiosk companies, etc face in protecting their critical systems and data. Your typical retail location typically doesn’t have badge access doors, server rooms with biometrics, or a designated person to check and vet all visitors. Instead the security of these locations relies on a guy/girl making $7.25 an hour who cares more about lining up a ride to next years Bonaroo than questioning the person who just plugged something into their local switch. The talk will focus on the challenges (with examples of security fail) of securing the retail enterprise with limited and uninterested resources.
I’ve met the enemy information security and it is us
Performing vulnerability and risk assessments on multiple networks and within multiple types of utilities has revealed that we are our own worst enemy. This talk will discuss some of the findings and architecture mistakes which have been noted during different types of assessments over the past four years at major retailers, energy utilities, vendor products, and pretty much anywhere else you could think of. Sometime the mistakes are policy, sometimes the attacks are technical, and sometimes the password is literally written on the wall next to the computer.
The Poetry of Secrets: An Introduction to Cryptography
The exchange of information is a defining characteristic of civilization, and so follows the keeping of secrets is the focal point in all of humankind’s great acts. Despite the importance of cryptography, many today eschew its study as an inscrutable, arcane magic. “Crypto is hard,” conventional wisdom asserts; “Leave it to the experts.” While it’s entirely possible to succeed with only a utilitarian grasp of cryptography, learning about this mathematician’s munition can be deeply rewarding.
Join us for a beginner’s tour of the science and art of secret writing, ranging from the simplest substitution ciphers to the state of the art. We’ll focus on understanding cryptographic primitives through the ages, why they worked (or didn’t), and how that success impacted history.