Meet Us in Vegas at Black Hat, BSides LV, and DEF CON

August 9-14, 2022


Rapid7 is back in Vegas for Black Hat, BSides, and DEF CON! Come meet us in person to learn how we help you stay ahead of attackers, ahead of the competition, and ready for the future.

With strategic expertise and industry-leading solutions across Cloud Security, Threat Intelligence, Detection & Response, Vulnerability Management, and Managed Services, we empower you to see what’s coming and secure what’s next.

Community Celebration

Wednesday, August 10
Customer VIP Admission: 9:00 PM - 1:00 AM
General Admission: 10:00 PM - 1:00 AM

AREA15

3215 S Rancho Drive
Las Vegas, NV 89102

Welcome back to Hacker Summer Camp. Rapid7 is excited to see everyone again and host a legendary celebration for our cybersecurity community. You are not going to want to miss this evening where you can play games, collect badges, and reconnect with friends outside at the new coolest spot in town. It’s also the only place you can get Rapid7’s 2022 Hacker Summer Camp t-shirts!

Pre-register, then pick up your pass at Booth #1532 at Black Hat. Passes will not be available at the door.


Rapid7 Booth at Black Hat

Our experts will be standing by to answer your toughest questions, demo the features you’re longing to see, and hook you up with the latest Rapid7 swag.

VISIT BOOTH #1532 FOR:

PERSONALIZED DEMOS

See how we give you the industry-leading solutions and strategic expertise to manage risk and eliminate threats with speed and precision across any environment.

THEATER PRESENTATIONS

Hear from Rapid7 experts and partners on how we can help you scale with confidence and build future-ready security programs.

HACKER SUMMER CAMP PASSES

Be sure to pick up your pass so you can join us Wednesday night at AREA15 for our Community Celebration. No passes will be available at the door.

Won’t be onsite? Visit us in the Black Hat virtual platform.


Featured Sessions at Black Hat

Defaultinator: An Open Source Search Tool for Default Credentials

Curt Barnard, Principal Security Researcher, Rapid7

Have you ever had to Google around trying to find a default password for a router? Are you sick of combing through user manuals just to find admin:admin buried on page 37? Then it's time you tried Defaultinator. This newly released tool is a repository for default credentials made searchable via API or the intuitive web interface. Why would someone make such a tool? Why, I'm so glad you asked!

Static device passwords are not only Really Bad, they are sometimes illegal. Yet legacy or poorly secured IoT devices still often contain default or hardcoded passwords. It's hard to know if you have default passwords in your environment, but this tool is here to help you find them. Or maybe you are on a Red Team engagement and want to audit for CWE-798 (Use of Hard-coded Credentials). Defaultinator has your back.

In this talk, I'll cover how default passwords contribute to the spread of malware, how common it is to see them used in brute force attacks 'in the wild', and how a tool like Defaultinator can help you identify them and remove them from your own environment.

Date: Wednesday, August 10
Time: 1:00 PM - 2:30 PM
Session Type: Briefings
Tracks: OSINT - Open Source Intelligence, Vulnerability Assessment

The Metasploit Framework

Spencer McIntyre, Lead Security Researcher, Rapid7

Modern attack emulation is a multi-step process involving different tools and techniques as testers execute custom workflows to achieve their objectives. One primary advantage of the Metasploit Framework is a unified approach to solving this problem.

This Arsenal demonstration will cover some of the latest improvements to the Metasploit Framework and showcase how these improvements maximize effectiveness while performing common tasks. Viewers will see the latest workflows for capturing credentials, UI optimizations for running modules, and demonstrations of Metasploit's new payload-less session types. Capturing credentials is an integral part of many penetration testing methodologies and, when combined with the Metasploit database, can be a powerful technique for users engaged in breaching simulations. The latest features streamline configuring all the services Metasploit has capture modules for and managing them as a single unit. Users will also learn about some of the latest improvements related to pivoting in Metasploit, which allow capturing services to be started on compromised hosts when combined.

Date: Wednesday, August 10
Time: 2:30 PM - 4:00 PM
Session Type: Arsenal
Tracks: Exploitation and Ethical Hacking, Network Attacks

Do Not Trust the ASA, Trojans!

Jake Baines, Lead Security Researcher, Rapid7

Cisco ASA and ASA-X are widely deployed firewalls that are relied upon to protect internal networks from the dangers of the outside world. This key piece of network infrastructure is an obvious point of attack, and a known target for exploitation and implantation by APT such as the Equation Group. Yet it's been a number of years since a new vulnerability has been published that can provide privileged access to the ASA or the protected internal network. But all good things must come to an end.

In this talk, new vulnerabilities affecting the Cisco ASA will be presented. We'll exploit the firewall, the system's administrators, and the ASA-X FirePOWER module. The results should call into question the firewall's trustworthiness.

The talk will focus on the practical exploitation of the ASA using these new vulnerabilities. To that end, new tooling and Metasploit modules will be presented. For IT protectors, mitigation and potential indicators of compromise will also be explored.

Date: Thursday, August 11
Time: 10:20 AM - 11:00 AM
Session Type: Briefings
Tracks: Network Security, Hardware/Embedded

Learning From and Anticipating Emergent Threats

Jake Baines, Lead Security Researcher, Rapid7

Every day, defenders contend with more vulnerabilities than even the most well-resourced organization can handle. They find themselves needing to separate signals out of an overwhelming amount of noise, and having to use vague information about critical vulnerabilities to ascertain the potential impact to them. The Rapid7 Emergent Threat Response team analyzes critical threats as they emerge in order to provide authoritative assessments to defenders. In this session, we’ll look back at the last two years of emergent threats, discuss lessons learned, and share techniques to cut through the noise in order to better anticipate and react to emergent threats.

Date: Thursday, August 11
Time: 11:30 AM
Room: Business Hall Theater B

The Future of Vulnerability Disclosure Processes

Tod Beardsley, Director of Research, Rapid7

Coordinated, global vulnerability disclosure (CVD) remains a hodgepodge of formal and informal processes. There is a better way; an international, open, and not-for-profit project poised to help everyone share and understand vulnerabilities. Rapid7's Tod Beardsley will share his experience with the CVE Program and how you can take advantage to meet today’s vulnerability challenges.

On-Demand Zone - Security Operations & Incident Response Track

Rapid7 at BSides LV

Featured Session:

From Vulnerability to CTF

Ron Bowes, Lead Security Researcher, Rapid7

What happens when you find vulnerabilities by day, and write capture the flag challenges by night? Answer: teachable moments! Most long-lived vulnerabilities have a little kernel of something at their core that makes them interesting: are they hard to find? Hard to exploit? Part of a multi-part attack? In a place nobody thought to look? Too obvious? Distilling what makes a vulnerability cool, then making that into a CTF challenge, is an unusual skillset that qualifies one for a distinguished career in "edutainment".

In this presentation we'll do a deep-dive into some interesting vulnerabilities and what makes them unique, then talk about the CTF challenges where the vulnerabilities lived on in eternal undeath.

Date: Tuesday, August 9
Time: 5:00 PM
Room: Ground Floor

Hot Topics from Policy and DoJ

Jen Ellis, Vice President, Community and Public Affairs, Rapid7

With widespread disruption caused by ransomware attacks and major vulnerabilities, cybersecurity is a continuing priority for policymakers and government leaders alike. This will impact the lives and careers of all BSides attendees, and policymakers can benefit from security pros' expertise to ensure they focus on the right things and avoid unintended harms. This informal session will guide attendees through the noteworthy sights, happenings, and potential pitfalls of Policyland, and we'll talk about how security professionals can get involved to shape policy outcomes.

Date: Tuesday, August 9
Time: 5:00 PM
Room: I Am The Cavalry

Rapid7 at DEF CON

Come by these villages to meet our experienced researchers and see them in action:

IoT Village

Deral Heiland, Principal Security Researcher, IoT, is back in the IoT Village with more hands-on hardware hacking exercises, guiding attendees through a multistep process to gain full root access to a targeted IoT device.

Car Hacking Village

Patrick Kiley, Principal Security Consultant / Research Lead, will be in the Car Hacking Village where you can learn about automotive hacking and cyber security while hacking actual vehicles that you don’t have to worry about breaking.

Sessions:

Hacking law is for hackers - How recent changes to CFAA, DMCA, & other laws affect security research

Harley Geiger, Public Policy Senior Director, Rapid7

What a year for hacker law! 2021-2022 saw major changes to laws that regulate hacking, such as the notorious CFAA, the grotesque DMCA Sec. 1201, and China's grisly "Management of Security Vulnerabilities" regulation. Many of these developments are directly intended to aid or control independent security research. This presentation will explain the progress, setbacks, and current state of hacking law.

Date: Friday, August 12
Time: 12:00 PM
Room: Policy Department Roundtable Room

Moving Regulation Upstream - An Increasing focus on the Role of Digital Service Providers

Jen Ellis, Vice President, Community and Public Affairs, Rapid7

Cybercriminals are no longer focusing all their efforts on the biggest fish, which means organizations below the security poverty line - who often struggle with achieving adequate cyber resilience - are increasingly being hit. At the same time, we've seen an increase in supply chain attacks, which makes sense as more and more of the tech ecosystem is moving to cloud or managed service provider models. Various governments are paying attention to these shifts and are considering how regulating digital service providers may advance security more broadly, while also alleviating the burden on small to medium businesses. This session will be led by one or two governments working on this issue and will include an open discussion on the challenges and opportunities of this approach.

Date: Friday, August 12
Time: 4:00 PM
Room: Policy Department Roundtable Room

Do Not Trust the ASA, Trojans!

Jake Baines, Lead Security Researcher, Rapid7

In case you missed Jake at Black Hat, he will be presenting at DEF CON as well. In this talk, new vulnerabilities affecting the Cisco ASA will be presented. We'll exploit the firewall, the system's administrators, and the ASA-X FirePOWER module. The results should call into question the firewall's trustworthiness.

Date: Saturday, August 13
Time: 1:30 PM
Room: Track 4

International Government Action Against Ransomware

Jen Ellis, Vice President, Community and Public Affairs, Rapid7

It's been a little over a year since the Colonial Pipeline, HSE, and JBS attacks put ransomware firmly on the agenda as a threat to national security and economic stability. Since then, we've seen ransomware attacks become more openly politicized. We have also seen the White House and G7 both host international government forums to identify collaborative actions to tackle the threat. Government action has included new sanctions, public/private initiatives, bounties for criminals, and various other measures designed to disrupt attacks, encourage greater cyber resilience, and make life for cybercriminals harder. This session brings together multiple government response experts to talk about what's being done, what results have been seen, and where we're headed next. They will start off covering these points and then open to the audience for questions and open discussion on next steps and impacts.

Date: Saturday, August 13
Time: 4:00 PM
Room: Policy Department’s Collaboratorium Room

Community Celebration passes are available by request. Guests must be 21+ years of age with proper ID; a passport is required for international guests.

Visit us at Booth #1532 at Black Hat to receive your pass.