For more information about BSides Detroit 13, please see:

• Rats and Rogues podcast
• Conference website
• Conference schedule

We end the podcast with an announcement from BSides: BSides Detroit Kids. In conjunction with Brain Monkeys, BSides Detroit is hosting a full day of workshops for kids ages 8-12. The sessions include Scratch Arcade, Kids CAD Lego, and Sumo Battle Bots. The event is poised to introduce the next generation to compute and hardware hacking. Tickets are available below.

Zeus C&C for Tech Support Abstract: Inspired by Adam Johnson’s presentation at GrrCON 2011 titled “ZeuS – Inside Command and Control” on how to build a ZeuS bot Exploit Kit Command & Control. I thought it would be fun to use this newly gained knowledge to build a C&C in an effort to provide tech support for my family members. Have you been in that situation where everyone you know comes to you with their computer problems? Just because you have a knack for technology, people you know seem to think that you enjoy fixing all their problems, most self-inflicted. Welp, here’s your chance to help them and have some real fun. This mostly hand’s on demonstration will walk through setting up your very own C&C and configuring the basic settings to get you started. When ready to rock, you will learn how to fun while fixing their problems. Live malware will be used during this presentation so make sure you turn off your WiFi.

For more information about BSides Detroit 13, please see:

• BSides Detroit Kids tickets
• Conference website
• Conference schedule

Abstract: What’s a trust relationship? Explicit ones are easy — these you setup explicitly and on purpose, like when you want Domain A to trust Domain B for authentication. It’s the implicit ones that will get you, the ones you didn’t setup on purpose. Like when you have the same local administrator password on a bunch of systems (own one, own them all!). Or when a domain admin leaves an access token behind on some user’s workstation (user owns the domain!). If you support or defend Windows systems, you should know about the different kinds of implicit trusts in Windows (accounts, cached credentials and access tokens) and how to reduce your risks from them. Oh, and you know the phase of an APT-style attack after the end user’s workstation is compromised but before they own your domain? The one that is sometimes glossed over with the phrases “lateral movement” and “privilege escalation”? Oftentimes, this happens by exploiting trust relationships.

For more information about BSides Detroit 13, please see:

• Conference website
• Conference tickets

Abstract: While information security is widely considered a negative-unemployment industry (it’s actually closer to 3%), most of us will look for a job at some point. Seasoned technical recruiter Eve Adams (@HackerHuntress) provides infosec-specific insight on writing resumes that get you the kind of attention you want, getting short-listed for cool positions before they’re even posted, strategically riding infosec employment trends, and how to most effectively work with those delightful recruiters. This talk will have something for those just entering the workforce, mid-career security professionals, and former VAX hackers alike!

For more information about BSides Detroit 13, please see:

• Halock Security Labs
• BSides Detroit speaker voting
• Conference website

Kai Roer, the founder and Senior Partner of The Roer Group, is a European author and speaker. He has delivered speeches and trainings in more than 20 countries on four continents. Kai speaks about leadership, communication and security. He is a guest lecturer at two universities in Europe, and have consulted organizations of all sizes since 1994. Kai maintain an infosec blog at http://roer.com You can also follow him on twitter as @kairoer.

Abstract: All the talk about security awareness training the past year has boosted the idea that training is futile and a waste of time. What are the mechanisms that drive security? Can we point to areas in psychology that relates to how we treat security? Are we, the infosec community, the best resource to teach security? This talk will boggle your mind, and possibly turn everything you know and believe about users, security and awareness upside down

For more information about BSides Detroit 13, please see:

• Kai Roer on Twitter
• Kai Roer’s blog
• BSides Detroit speaker voting
• Conference website

Abstract: Hacking has gone from a sport to a high-income business where criminals in the underground net millions of dollars a year. The days of just needing anti-virus and firewalls are long gone as security threats can double in a year and have become so sophisticated and stealthy that hackers could be inside a network for years without notice. In this presentation, Jeff Multz will show you how the threat landscape has changed in the past decade, and what malware can do to your network today that was unheard of just a few years ago. You’ll see why the regulatory agencies continue to increase their security guidelines and why just having firewalls and IDS/IPS systems are not enough. Dell SecureWorks, which sells no products, will teach you about the latest threats and vectors for attacks to help you understand what you need to do to block them.

For more information about BSides Detroit 13, please see:

• Dell SecureWorks
• Conference website

Abstract: The Metasploit Framework is a must-have tool for penetration testers. Armitage builds a workflow on top of the Metasploit Framework and exposes its most advanced capabilities. Cobalt Strike augments Armitage with tools to simulate advanced persistent threat-style targeted attacks. This lab oriented class will introduce you to the penetration testing process from the perspectives of Armitage and Cobalt Strike. You’ll learn how to craft an attack package, deliver it to a target, spy on a user, attack systems from a foothold, and abuse trust relationships to gain access.

For more information about BSides Detroit 13, please see:

• Armitage and Cobalt Strike Workshop tickets
• Conference website

Abstract: Whether due to compliance needs, best practices, or customer demand, penetration testing is an increasing requirement for many organizations. The process of hiring and working with an Ethical Hacking (EH) services company is much like every other IT contracting process at first glance, but has a number of important details to consider from company selection through post-penetration remediation. Come learn from a penetration tester the types of information that will allow your organization to have the best experience possible when going through the sometimes agonizing, always interesting, process of a penetration test. Most importantly, questions will be highly encouraged so that your concerns and thoughts can be addressed during this presentation.

For more information about BSides Detroit 13, please see:

• Conference website

Abstract:

“Tweeting from the pub using my work Twitter account seemed like a good idea at the time.”

“How could our customer data be stolen? No one knows my iPhone pin except me.”

“After I send off this email to sales, I’m going to download Angry Chinese Birds. It’s free!”

It’s becoming more and more common for staff to bring their own devices to work, and blending their personal data with sensitive organizational data. What could possibly go wrong? Lack of user education concerning both physical and cyber threats to mobile devices and the sensitive data stored within them is creating an epidemic of embarrassment to organizations. This presentation will highlight the dangers of an untrained staff bringing their own devices to work and the steps that could be taken to mitigate the risk of lost data, compromised devices, and embarrassing Twitter posts.

For more information about BSides Detroit 13, please see:

• Conference website
• Tickets and registration