ABOUT FIRETALKS

Firetalks is an evening event that tests the skills of those who stand on the stage. Six people are given 15 minutes to dive right into the core of their content and present their ideas.

Several judges will be on hand, American Idol-style, to listen to and critique each presentation on both style and content. This is done in both a serious and humorous manner in front of the audience. After the event the judges will vote on the best presentations, with the top three being awarded some cool prizes to be handed out at ShmooCon closing ceremonies.

Firetalks is a ShmooCon event and both submitters and attendees must already have a ShmooCon Barcode to participate.

Questions can be sent to firetalks@shmoocon.org.

FIRETALKS 2020 SCHEDULE

Friday, January 31, 2020

Time  Firetalk                                                                        Speaker(s)
1900  Firetalks Opening
1910  Cybersecurity Clubs and You                                                     Shannon McHale
1930  Flipping Bits on NSRL                                                           Billy Trobbiani
1950  Using Abusing the Freedom of Information Act                                   Christine Giglio
2010  Using Android WebViews to Steal All the Files                                  Jesson Soto Ventura
2030  Do Unto Others: A Red Team Ethical Framework for Offensive Rules Of Engagement  Roy Iversen and Tarah Wheeler
2050  DNS New World Order: QuadX! DoH! DoT! Da Fuq?                                  James Troutman

FIRETALKS 2020 PARTICIPANTS

Cybersecurity Clubs and You

Shannon McHale

Dedicated students around the country have formed cybersecurity clubs to continue their learning outside of the classroom. These clubs have created communities focused on research, competing and celebrating a passion for security. In this talk we will cover the amazing things students are accomplishing and explain the different ways industry professionals can get involved.

Shannon McHale (@little_hack3r) is the President of RIT’s cybersecurity club, RITSEC (formerly SPARSA and RC3). The “Lil Prez” stands at 5’3″ and is in the middle of her 3rd year of school. She may be small, but she hopes to make a big impact on the industry. Her security interests are social engineering, physical pentesting, red teaming, and competition infrastructures.


Flipping Bits on NSRL

Billy Trobbiani

The National Software Reference Library (NSRL) is a project run by NIST, where they collect and archive file hashes for operating system files. These enormous data sets could not be queried with ease until 2011 when the NSRL Server (nsrlsvr) and NSRL Lookup (nsrllookup) tools were produced by Robert Hansen and posted on GitHub. The tools were largely designed for forensics professionals to compare files in their custody to system files designated as known-good by NIST. In 2019, I thought I would test out the application and see if there was room for the abuse of implied trust between the lookup tool (nsrllookup) and the server (nsrlsvr). Developing a man-in-the-middle capability, I was able to alter the responses from the server to give false and erroneous information. This presentation is to showcase the evolution of this project with code samples/tools/infrastructure that made it possible.

Billy Trobbiani (@billycontra) is currently a threat hunter who works for IronNet Cybersecurity. In his past, he spent thirteen years working at the Department of Defense in a variety of roles, ranging from the expenditure of $1.7B on contract vehicles to leading operations against state-sponsored intrusion sets. He holds a Master of Science in Computer Science from Johns Hopkins University and the top score on Q-Bert at Crabtown USA. Action figures sold separately.


Using Abusing the Freedom of Information Act

Christine Giglio

Almost everyone in the United States has heard of the federal Freedom of Information Act. Many people also know that each state has its own requirements for FOIA and for requests for documentation under FOIA. After many years working in local government, particularly in public safety, I’ve seen many different FOIA requests for information from 9-1-1 phone calls and radio traffic, police reports, contract information, and even text messages. Each request releases information that can be used nefariously. The purpose of this talk is to give a few examples of how information that is publicly available to anyone can be used to harass you or obtain information on you.

Christine Giglio (@kesseret) is a Computer Aided Dispatch Administrator for a rural 9-1-1 center. She started her career in the world of Information Technology, gravitated towards public safety IT, and eventually made the shift to fully supporting 9-1-1. Urban Dictionary has defined her (kesseret) as a cat-loving computer expert extraordinaire, which is probably the most tasteful thing you can reference on that site. She is also the reason why law enforcement entities are leery about opening suspicious email attachments (except for Shane).


Using Android WebViews to Steal All the Files

Jesson Soto Ventura

WebViews can be dangerous, especially misconfigured WebViews. Let’s take two case studies, an Android email application and an advertising SDK, to explore the ramifications of using insecure WebViews. From these case studies, we’ll see that misconfigured WebViews can have serious implications. In particular, we’ll see that a misconfigured email application allowed remote users to steal files from a user’s Android device, and we’ll see how an otherwise normal advertising SDK allowed advertisers to track users and read files from a user’s external storage.

Jesson Soto Ventura is a security consultant at Carve Systems, where he is routinely working on breaking something. When he isn’t breaking something at work, he’s working on hacking IoT devices and contributing to open source projects.


Do Unto Others: A Red Team Ethical Framework for Offensive Rules Of Engagement

Roy Iversen and Tarah Wheeler

What are the effects of red team tactics on the people who conduct them as well as the people who become the targets? This follow-up session to our 2019 Firetalk will provide a previously-nonexistent Red Team Ethical Framework to guide the conduct of offensive security engagements. This new framework is the result of refining a detailed survey conducted across the wider information security community. We have over 500 respondents already who have answered questions about bribery, threats, and other potential tactics in offensive security testing to determine whether or not some things are always wrong. While most ethical choices appear at first to be obvious, our research revealed a somewhat shocking twist which we will share with all of you.

Roy Iversen (@royiversen) is Director of Security Engineering & Operations at Fortalice Solutions, where he leads a team of security engineers and incident handlers. Prior to joining Fortalice, Mr. Iversen served under the CISO as Director of Security Operations Division at the U.S. General Services Administration (GSA).

Tarah Wheeler (@tarah) is an offensive security researcher, political scientist in the area of international conflict, and poker player. She is a Cybersecurity Policy Fellow at New America, as well as a cybersecurity expert for the Washington Post and a Foreign Policy contributor on cyberwarfare.


DNS New World Order: QuadX! DoH! DoT! Da Fuq?

James Troutman

DNS is the fundamental glue that makes the Internet function, but it often goes unloved, unless you are an ISP looking to further monetize subscribers, or you are trying to track malware on your network. Recently, some new ways to provide and secure DNS for end users have been created and are being rolled out by some browsers. Additionally, there are multiple vendors offering easy-to-remember public DNS resolvers. This Firetalk will cover both the technical aspects of DNS over HTTPS (DoH) and DNS over TLS (DoT) versus original RFC882 DNS, and the various privacy and operations challenges that are looming.

James Troutman (@troutman) is an Internet “Old Timer” & consultant for hire. His first online experiences involved a “paper TTY” with a 300 bps acoustic coupler modem in 1982. A user of the Internet & UNIX since 1987, he has been tasked with building and running Internet infrastructure off and on since the early 90s, having held a wide variety of roles in Internet operations, engineering, and management at various regional ISPs, CLECs, ILECs, cable TV companies, & web hosts. He helps operate a regional Internet Exchange in Maine (NNENIX.NET) and is a frequent ShmooCon Labs volunteer.


IMPORTANT DATES

Monday, December 16, 2019 – Firetalks CFP opens
Sunday, 11:59 PM EST, December 31, 2019 – Firetalks CFP closes
Sunday, January 5, 2019 – Firetalks notifications sent


WHO SHOULD SUBMIT

Anyone who already has a ShmooCon Barcode and thinks they have something to say.


HOW DO I SUBMIT

Firetalks will use a web-based submission process. Please be prepared with the following information:

    1. Title
    2. Contestant(s) name and contact info
    3. Abstract – limited to 150 words or less
    4. Document in TXT or PDF format that contains the following information (in order):
      • Title of presentation
      • Contestant(s) name
      • Abstract – same as above
      • Bio(s) – limited to 100 words total
      • Detailed description of your submission – this should be more information than is contained in your abstract. Do not send us your slides.
      • Has this information been presented before? Where?
      • Do you already have a ticket to ShmooCon?

Submissions will be reviewed by a small committee of ShmooCon Staff.