Interesting Talks at Hacker Summer Camp, 2016

Hacker Summer Camp 2016 is almost upon us! There are a lot of really interesting talks this year, not to mention the I Am The Cavalry track at BSides Las Vegas. Since we can’t hit all of the talks, we’ve narrowed down some that look like they’re highly related to our mission. We might see you there!

BSides Las Vegas: August 2-3, 2016

Date | Time | Who | Title
8/2 | 11:00 | Leonard Bailey and Jen Ellis | Shall We Play a Game? 30 Years of the CFAA
8/2 | 14:00 | Chad Dewey | Hacking the High Seas
8/2 | 14:00 | Jens Devloo, Vito Rallo, and Jean-Georges Valle | How to Securely Build Your Own IoT-Enabling Embedded Systems: from Design to Execution And Assessment (4h training)
8/2 | 14:30 | Wendy Knox Everette | Security Vulnerabilities, the Current State of Consumer Protection Law, and How IoT Might Change It
8/3 | 8:30 | Arnaud Soullie | Pentesting ICS: Capture the Flag! (3h training)
8/3 | 15:00 | Philippe Lin | PLC for Home Automation and How It Is as Hackable as A Honeypot

Black Hat Las Vegas: August 3-4, 2016

Date | Time | Who | Title
8/3 | 13:50 | Arnaud Lebrun and Jonathan-Christofer Demany | CANSPY: A Platform for Auditing CAN Devices
8/3 | 13:50 | Jeff Melrose | Drone Attacks on Industrial Wireless: A New Front in Cyber Security
8/3 | 13:50 | Slawomir Jasek | GATTacking Bluetooth Smart Devices – Introducing a New BLE Proxy Tool
8/3 | 15:30 | Paul Sabanal | Into The Core – In-Depth Exploration of Windows 10 IoT Core
8/3 | 16:20 | Michael Ossman | GreatFET: Making GoodFET Great Again
8/3 | 17:30 | Lei Ji and Yunding Jian | The Risk from Power Lines: How to Sniff the G3 and Prime Data and Detect the Interfere Attack
8/4 | 9:00 | Chris Sistrunk and Josh Triplett | What's the DFIRence for ICS?
8/4 | 9:00 | Colin O'Flynn | A Lightbulb Worm?
8/4 | 9:45 | Jason Healey | Defense At Hyperscale: Technologies And Policies For A Defensible Cyberspace
8/4 | 9:45 | Anirudh Duggal | Abusing HL7 2.x Standards – Attacking Medical Devices, Hospitals and More
8/4 | 9:45 | Charlie Miller and Chris Valasek | Advanced CAN Injection Techniques for Vehicle Networks
8/4 | 11:00 | Joe FitzPatrick | The Tao of Hardware, the Te of Implants
8/4 | 14:30 | Hendrik Schwartke, Maik Bruggemann, and Ralf Spennenberg | PLC-Blaster: A Worm Living Solely in the PLC
8/4 | 17:00 | Lynn Terwoerds | Building Trust & Enabling Innovation for Voice Enabled IoT

DEF CON XXIV: August 5-7, 2016

Date | Time | Who | Title
8/5 | 12:00 | Javier Vazquez Vidal and Ferdinand Noelscher | CAN I haz car secret plz?
8/5 | 12:30 | Six_Volts and Haystack | Cheap Tools for Hacking Heavy Trucks
8/5 | 13:00 | Matteo Beccaro and Matteo Collura | (Ab)using Smart Cities: The Dark Age of Modern Mobility
8/5 | 15:00 | Sebastian Westerhold | How to Remote Control An Airliner: Security Flaws in Avionics
8/6 | 10:00 | Zack Fasel and Erin Jacobs | I Fight For The Users, Episode I – Attacks Against Top Consumer Products
8/6 | 11:00 | Lucas Lundgren and Neal Hindocha | Light-Weight Protocol! Serious Equipment! Critical Implications!
8/6 | 11:00 | Anthony Ross and Ben Ramsey | Picking Bluetooth Low Energy Locks from a Quarter Mile Away
8/6 | 12:00 | Arnaud Lebrun and Jonathan-Christofer Demany | CANSPY: A Framework for Auditing CAN Devices
8/6 | 12:00 | Brad Dixon | pin2pwn: How to Root an Embedded Linux Box with a Sewing Needle
8/6 | 14:00 | Brian Gorenc and Fritz Sands | Hacker-Machine Interface – State of the Union for SCADA HMI Vulnerabilities
8/7 | 13:00 | Jianhao Liu, Wenyuan Xu, and Chen Yan | Can You Trust Autonomous Vehicles: Contactless Attacks against Sensors of Self-driving Vehicle

BSides Las Vegas I Am The Cavalry track 2016

I Am The Cavalry will have TWO DAYS at BSides Las Vegas this year: August 2-3. We’ll be in the Copa Lounge [1] – which I guess technically means we’re the opening act for the Rat Pack impersonators those nights! (Sorry, no karaoke.) It’s a bigger room than last year so more can attend. Let’s try to fill it up and keep it full both days. It’s in a bar, so that shouldn’t be hard to do. The full agenda is on the BSides Las Vegas site [2]; below is an overview.

Tuesday, August 2nd, 11:00am – 5:00pm

The first day will sketch in details from the past year or two – both within the Cavalry and in the broader world of Cyber Safety. We will cover quiet successes, visible wins, what’s worked, what hasn’t, and where things need to go. We’ve got some really cool people participating in these sessions, such as:

• Keren Elazari, who will lay out why security research matters for the coming decades and how Hacker Heroes can wield our skills for the greater good.

• Michael McNeil, who is responsible for Philips’ disclosure policy and other industry-leading medical device cyber safety capabilities.

• Dr. Suzanne Schwartz of the FDA, who is shaping the entire healthcare industry to be more security researcher friendly.

• A yet-to-be-named congressional staffer – one of many helping us inject technical literacy in policymaking and the public debate.

• We also hope to bring high level White House staff, Members of Congress, and others who may – or may not – decide to introduce themselves.

Wednesday, August 3rd, 10:00am – 5:00pm

The second day will be an experiment to see if the BSidesLV community can bring the hacker mindset to bear at scale. Given several very uncomfortable truths about the pace, direction, and scale of what we need to do, how can we rise to these challenges? When what we know how to do doesn’t work, we must break from our normal patterns and find something that will – no matter how uncomfortable the approach is. We will confront the hard things head on and see who blinks first.

We will have a couple of dozen I Am The Cavalry track passes for those who don’t already have a BSidesLV badge and want to participate (first come first served). The track works better the more time you spend, though it can be experienced in more consumable chunks so don’t be shy if you miss a session or two. BSidesLV this year is more important than ever before, to make us safer, sooner, together.

[1] Copa Lounge is the Nightclub on the Casino level. Yeah I had to ask too. Down the escalator from Con Registration, straight past the bar, past the casino entrance, on the right, before the bathrooms. You can’t miss it!

[2] Add these talks to your Sched. https://bsideslv2016.sched.org/overview/type/I+Am+The+Cavalry

Meet Up at Hack In The Box Amsterdam

I am the Cavalry meet-up at Hack In The Box Amsterdam 2016 (HITBAMS)
There will be a meet-up for people involved in or interested in I am the Cavalry at the Hack In The Box conference, which runs from May 23 to May 27th. The meet-up will take place in the Comsec Track room at 18.30, immediately following the Women in Cyber Security (WICS) award ceremony. We will go over recent happenings related to I am the Cavalry and recent work done by the group, and discuss how attendees can contribute to I am the Cavalry going forward. We will also discuss the events with I am the Cavalry involvement that will be going on around the world in H2 of 2016.
Since we have limited room and a kind sponsor is supplying food and beer, registration is needed.

Automotive Cyber Security Summit | Detroit | March 21-23, 2016

Last year, I Am The Cavalry was invited to participate in the 2nd Annual Automotive Cyber Security Summit. Josh Corman and Craig Smith walked members of the auto industry through our Five Star Cyber Safety Framework, and joined several panel discussions. It was a great environment, friendly to security research and researchers. It was our first big audience with the carmakers, and led to many other great collaborations.
The organizers invited us to join again for this year’s Automotive Cyber Security Summit. We hope to help shape more conversations and to expand on relationships we built last year. It would be great to see more security researchers show up, both to educate ourselves as well as to share our perspectives. If you want to attend and can register by January 15, you can save $500 (promo code ACS16_CAVALRY).

Hardwear.io, BruCON, and Virus Bulletin 2015

If you’re in Europe in late September and early October, there are a handful of conferences for you to check out. Hardwear.io is a first-year conference focusing on hardware hacking. The venerable BruCON is back for its 0x07th year running, and the Virus Bulletin Conference celebrates its 25th year! This makes for a pretty amazing 10-day tour package. If you couldn’t slip away for the Vegas conferences this year, see if you can make it out for these.

Hardwear.io (September 29-October 2 | The Hague)

Hardwear.io has a pretty impressive-looking lineup for a first-year conference in a specialty area. This one is focused on hardware, with trainings September 29-30, and briefings October 1-2. Here’s a sample of the goodness.

Jon Callas (Silent Circle & Blackphone) will be keynoting, as will Harald Welte (Sysmocom and other Open Source projects). Jon’s talk looks interesting – Everything is broken and always will be, we MUST be able to fix it remotely.

I’ll be moderating a C-level panel discussion with Jaya Baloo (CISO of the Dutch Telecom company KPN), Jasper Woudenberg (CTO Riscure from North America), and Christopher King (CERT/CC).

Other notable talks and trainings:

  • Security of Medical Devices | Florian Gunrow
  • Semantics-aware Intrusion Detection for ICS | Ömer Yüksel
  • Off-the-shelf embedded devices as research platforms | Lucian Cojocar & Herbert Bos
  • Low Level Hardware Reversing | Javier Vazquez Vidal & Henrik Ferdinand Nölscher
  • Integrated Circuit Security 101 | Olivier Thomas & Dmitry Nedospasov

BruCON (October 5-9 | Ghent)

BruCON is one of the premier security community conferences globally. It’s now back for its 7th year and promises to be pretty awesome! They’ll run trainings from October 5-7 and briefings October 8-9. I Am The Cavalry will run a workshop (stay tuned for details). Other noteworthy trainings, talks, and workshops:

  • Offensive IoT Exploitation | Aditya Gupta and Aseem Jakhar
  • Assessing and Exploiting Control Systems | Don C. Weber
  • Brain Waves Surfing – (In)Security in EEG (Electroencephalography) Technologies | Alejandro Hernandez
  • Hacking as Practice for Transplanetary Life in the 21st Century: How Hackers Frame the Pictures in Which Others Live | Richard Thieme
  • A Hands On Introduction To Software Defined Radio | Didier Stevens

The ICS village will be a new addition this year, so if you missed it at DEF CON, come see if you can learn how those control systems work – and how to break them.

Unrelated to I Am The Cavalry, but really cool: a DJ Workshop by Ocean Lam, Count Ninjula and Keith Myers!

Virus Bulletin Conference (September 29-October 2 | Prague)

Claus Cramon Houmann will be addressing the 25th annual Virus Bulletin Conference (VB2015) in Prague, Czech Republic. His will be a collaborative session, first introducing I Am The Cavalry and then brainstorming how to make an impact in Europe. If you’re going to be there, or nearby, come by and join the conversation!

Hope to see you at one or more of the events!

DerbyCon Talks

I was fortunate enough to attend the 4th annual DerbyCon, which took place in Louisville, KY. It was exciting to see in person a talk given by Space Rogue and Beau Woods, which focused on IATC. They did an excellent job reviewing the first year and setting the tone for the upcoming year.

Another great IATC talk was given by Scott Erven. This past summer there was a Wired article about Erven’s research regarding medical equipment security. The talk reveals some of the technical details and, more importantly, reviews some of the success of Scott’s work with healthcare organizations, manufacturers and federal agencies.

Make sure you take the time to check out both talks and stay posted for more Cavalry talks! A big thank you to Iron Geek and volunteers for recording, editing and posting the videos.

IATC Press Mentions: Post-Vegas Edition

We’ve had a flood of press over the past few days. So much that one blog post can’t contain it all! Building on our previous post, here are the latest articles about I Am The Cavalry, our open letter to the automotive industry, and our petition to encourage carmakers and security researchers to collaborate.

Mainstream Media

  • Hacking group wants to play nice with automakers [Reuters]
  • How to Keep Your Car from Becoming a High-Tech Death Trap [Huffington Post]
  • While you were enjoying the weekend: DEF CON edition [Politico]

Security Industry Media

  • At Defcon, hacker coalition calls for safer computer systems in vehicles [Computer World]
  • Automakers Openly Challenged To Bake In Security [Dark Reading]
  • DEFCON’s latest challenge: Hacking altruism [IT World]
  • Security movement urges automakers to collaborate with researchers [SC Magazine]
  • Can you stop The Cavalry? [IT Security Guru]
  • Five Totally Believable Things Car Makers Must Do To Thwart Hackers [The Register]
  • Let us help you defend cars from cyber-attacks: Hacking group to ‘Automotive CEOs’ [TechTimes]

Foreign Language Media

  • Oeps: nieuwe auto’s nog steeds makkelijk te hacken [GeenStijl]
  • Hackersgroep wil veiligheid auto’s verbeteren [nu.nl]
  • Här är bilen som är lättast att hacka [NyTeknik]
  • Defcon: Un collectif exhorte l’industrie automobile à sécuriser les systèmes embarqués [Le Monde Informatique]

 

IATC Press Mentions: Vegas Edition

I’ve been following all the great things happening in Vegas. I had to do it from afar since I didn’t get to attend this year. I’ve heard nothing but good things about BSidesLV, Black Hat and DEF CON. Tons of great information and, better yet, a good amount of Cavalry talks. The I Am The Cavalry presence did not go unnoticed. I’ve rounded up a few press mentions that IATC generated as the conference marathon comes to an end.

  • Hacker coalition sets out to improve critical device security, challenges car makers [PCWorld]
  • Want a safe car? Check its cyber safety rating [CNET]
  • Hackers Tell Car Makers: Secure Your Vulnerable Vehicles Now [Forbes]
  • Hacking group wants to play nice with automakers [TECH2]
  • Security experts take aim at the Internet of (unsafe) Things [USA Today]
  • Hackers to Automakers: Protect Cars From Cyberattacks [NBC News]

The articles mention An Open Letter to Automotive Industry. Be sure to check it out and sign the petition on Change.org.

Most of the press coverage was around the automotive domain, but be on the lookout for the other Cavalry domains. Beau Woods summed it up perfectly to me, “An amazing new day is dawning.”

The Cavalry at BSides Las Vegas 2014

On Wednesday August 6th, BSidesLV and I Am The Cavalry will hold a day of sessions to empower security researchers to make positive change. The goal is to define the problem space, inspire people to take a leadership role in solving security problems and build up the skills needed to succeed. The schedule and locations can be found at http://bsideslv2014.sched.org/.

The day will kick off with an introduction and overview of I Am The Cavalry, an update on the current status and activities, an outlook for the future, and a rundown of the day’s events. This will be followed by focused sessions on each of the primary areas of focus over the past year – medical devices, automotive, home electronics, public infrastructure and policy. For most of the day we will have short talks and longer drop-in sessions.

The directed sessions will use a facilitated Question and Answer format called A&Q. In this format, a primary speaker will cover the topic at a high level for 10 minutes, priming the audience for a 15-minute interactive discussion of specific audience questions.

The drop-in sessions will be smaller tables, with a relative subject matter expert to answer questions and facilitate discussion on a particular topic.

Topics include:

Media – Journalists and media are a powerful way to influence public perception and to get our message out. They have their own internal operations and public interface that we can tap into like an API.

Legal – The legal system has a regular and standardized set of processes, outcomes and roles. Understanding these is key to influencing precedent so that it reflects the current technical landscape.

Public Policy – Understand the influencers, decision makers and processes that go into making new laws and administering existing ones.

Career – How you choose and follow your career path shouldn’t be a random walk and shouldn’t be set in stone. Use your career to maximize your satisfaction and impact.

Burnout – The complex state of Burnout is one that affects many in our industry, but help and resources are rare. Learn what it looks like and how to deal with it.

X Altruism – Extreme Altruists go out of their way to try and do the right thing, regardless of what others may think or what harm they may face. But these features can become bugs if they don’t find the right outlet.

Disclosure – Handling the delicate issue of notifying manufacturers about security vulnerabilities when packets meet blood and bone.

Communications – Many of us are less afraid of shaking hands with SSL or modems than real people. But that doesn’t mean we can’t effectively get our ideas across to manufacturers, managers, politicians or parents.

 

Agenda

10:00 – 11:00 Introduction and Overview – I Am The Cavalry

11:00 – 12:00 Areas of Interest (Medical, Auto, Home, Public Infrastructure, Policy)

12:00 – 17:30 A&Q Sessions (see online schedule for details)

12:00 – 17:30 Drop-In Sessions (see online schedule for details)

17:30   Wrap Up and Next Steps