Jake Kouns and Carsten Eiram - Screw Becoming A Pentester - When I Grow Up I Want To Be A Bug Bounty Hunter!

12/13/14 • -1 min

DEF CON 22 [Materials] Speeches from the Hacker Convention.

Slides Here: https://www.defcon.org/images/defcon-22/dc-22-presentations/Kouns-Eiram/DEFCON-22-Kouns-Eiram-Screw-Becoming-A-Pentester-Bug-Bounty-Hunter-UPDATED.pdf

Screw Becoming A Pentester - When I Grow Up I Want To Be A Bug Bounty Hunter!
Jake Kouns CISO, RISK BASED SECURITY
Carsten Eiram CHIEF RESEARCH OFFICER, RISK BASED SECURITY
Everywhere you turn it seems that companies are having serious problems with security, and they desperately need help. Getting into information security provides an incredible career path with what appears to be no end in sight. There are so many disciplines that you can choose in InfoSec with the fundamental argument being whether you join Team Red or Team Blue. Most people tend to decide on the Red team and that becoming a professional pentester is the way to go, as it is the most sexy (and typically pays well). However, with bug bounties currently being all the rage and providing a legal and legitimate way to profit off vulnerability research, who really wants to be a pentester, when you can have so much more fun being a bug bounty hunter!

Researcher motivation in the old days and options for making money off of vulnerabilities were much different than today. This talk analyzes the history of selling vulnerabilities, the introduction of bug bounties, and their evolution. We cover many facets including the different types of programs and the ranges of money that can be made. We then focus on researchers, who have currently chosen the bug bounty hunter lifestyle and provide details on how to get involved in bug bounty programs, which likely pay the best, and which vendors you may want to avoid. What constitutes a good bug bounty program that makes it worth your time? What do you need to know to make sure that you keep yourself out of legal trouble?

Ultimately, we’ll provide thoughts on the value of bug bounties, their future, and if they can be a full-time career choice instead of a more traditional position such as pentesting.

Jake Kouns is the CISO for Risk Based Security and the CEO of the Open Security Foundation, that oversees the operations of the OSVDB.org and DataLossDB.org. Mr. Kouns has presented at many well-known security conferences including RSA, DEF CON, CISO Executive Summit, EntNet IEEE GlobeCom, FIRST, CanSecWest, SOURCE and SyScan. He is the co-author of the book Information Technology Risk Management in Enterprise Environments, Wiley, 2010 and The Chief Information Security Officer, IT Governance, 2011. He holds both a Bachelor of Business Administration and a Master of Business Administration with a concentration in Information Security from James Madison University. In addition, he holds a number of certifications including ISC2's CISSP, and ISACA's CISM, CISA and CGEIT.

Twitter: @jkouns

Carsten Eiram is the Chief Research Officer of Risk Based Security and previously worked 10 years for Secunia, managing the Research team. Carsten has a reverse engineering background and extensive experience in the field of Vulnerability Intelligence, referring to himself as a vulnerability connoisseur. He has deep insights into vulnerabilities, root causes, and trends, and is also an avid vulnerability researcher, having discovered critical vulnerabilities in high-profile products from major vendors including: Microsoft, Adobe, Symantec, IBM, Apple, Novell, SAP, Blue Coat, and Trend Micro. Carsten has been interviewed for numerous news articles about software security and has presented at conferences such as FIRST Conference, RSA Conference, DEF CON, RVAsec, as well as keynoting Defcamp 2013. He is also a regular contributor to the "Threat of the Month" column in SC Magazine, a credited contributor for the "CWE/SANS Top 25 Most Dangerous Software Errors" list, and member of the CVE Editorial Board and FIRST VRDX-SIG.

Twitter: @CarstenEiram

Slides Here: https://www.defcon.org/images/defcon-22/dc-22-presentations/Kouns-Eiram/DEFCON-22-Kouns-Eiram-Screw-Becoming-A-Pentester-Bug-Bounty-Hunter-UPDATED.pdf

Ultimately, we’ll provide thoughts on the value of bug bounties, their future, and if they can be a full-time career choice instead of a more traditional position such as pentesting.

Twitter: @jkouns

Twitter: @CarstenEiram

Previous Episode

Gregory Pickett - Abusing Software Defined Networks

Slides Here: https://defcon.org/images/defcon-22/dc-22-presentations/Pickett/DEFCON-22-Gregory-Pickett-Abusing-Software-Defined-Networks-UPDATED.pdf

Abusing Software Defined Networks
Gregory Pickett CYBERSECURITY OPERATIONS, HELLFIRE SECURITY
Software Defined Networking (SDN) transfers all forwarding decisions to a single controller and provides the network with the same degree of control and flexibility as the cloud. And with all the major vendors onboard, it will soon be supporting networks everywhere. But current implementations are full of weaknesses that could easily turn this utopian dream of the future into a nightmare and leave networks world-wide exposed.

With clear-text wire protocol implementations, little support for switch TLS, no authentication for nodes, poorly conceived rate-limiting features in the controllers, controller APIs that don’t require authentication , and back-door netconf access, the leading platforms Floodlight and OpenDaylight, are ripe for attack.

And in this session, using a new toolkit that I developed, I’ll demonstrate by showing you how to locate and identify these controllers, impersonate switches to DoS them, and engage their wide-open APIs and backdoors to map the network, locate targets, and control access to the network ... even hide from sensors. But all is not lost, because I’ll show how to protect them too. Because dream or nightmare, SDN can make a difference in the real world if we just protect it right.

Gregory Pickett CISSP, GCIA, GPEN has a background in intrusion analysis for Fortune 100 companies but now heads up Hellfire Security’s Managed Security Services efforts and participates in their assessment practice as a network security subject matter expert. As a security professional, his primary area of focus and occasional research is networks with an interest in using network traffic to better understand, to better defend, and sometimes to better exploit the hosts that live on them. He holds a B.S. in Psychology which is completely unrelated but interesting to know. While it does nothing to contribute to how he makes a living, it does demonstrate how screwed up he actually is.

site: www.hellfiresecurity.com
projects: sourceforge.net/users/shogun7273
twitter: @shogun7273

Next Episode

Jason Healey - Saving the Internet (for the Future)

Slides Here: https://defcon.org/images/defcon-22/dc-22-presentations/Healey/DEFCON-22-Jay-Healey-Saving-the-Internet-UPDATED.pdf

Saving the Internet (for the Future)
Jason Healey DIRECTOR, CYBER STATECRAFT INITIATIVE, ATLANTIC COUNCIL
Saving the Internet (for the Future): Last year, the Dark Tangent wrote in the DC XXI program that the "balance has swung radically in favor of the offense, and defense seems futile." It has always been easier to attack than to defend on the Internet, even back to 1979 when it was written that "few if any security controls can stop a dedicated" red team. We all accept this as true but the community rarely ever looks at the longer term implications of what happens to the internet if one side has a persistent advantage year after year, decade after decade. Is there a tipping point where the internet becomes no longer a Wild West but Somalia, a complete unstable chaos where the attackers don't just have an advantage but a long-term supremacy? This talk will look at trends and the role of hackers and security researchers.

Jason Healey is the Director of the Cyber Statecraft Initiative of the Atlantic Council, focusing on international cooperation, competition and conflict in cyberspace, and the editor of the first history of conflict in cyberspace, A Fierce Domain: Cyber Conflict, 1986 to 2012. He has worked cyber issues since the 1990s as a policy director at the White House, executive director at Goldman Sachs in Hong Kong and New York, vice chairman of the FS-ISAC (the information sharing and security organization for the finance sector) and a US Air Force intelligence officer. He is a board member of Cyber Conflict Studies Association, lecturer in cyber policy at Georgetown University and author of dozens of published essays and papers. Just in 2013 presented or spoke in Brussels, Rome, Istanbul, Reykjavik, London, Tallinn, Stockholm, Munich, Seoul, Bali, New York, New Orleans, Las Vegas, San Francisco, and Washington, DC.