PancakesCon is streamed over YouTube and requires no preregistration. However, to ask questions of our speakers and participate in villages and discussion, you must register for our Slack instance. Questions will not be accepted over YouTube.
2021 Schedule
The con occurred on March 21 2021.
| (CT) | Track 1 | Speaker | | | Track 2 | Speaker |
|---|---|---|---|---|---|
| 0855-0945 | OPENING REMARKS AND KEYNOTE: Pentesting Experience and How to Get It & Hacking Health | Phillip Wylie | | | ——- | ——- |
| 0945-1030 | Steganalysis & Stegosaurus | Edward Miro | | | Removing Nudes with Law and Cyber, AND how to (fake) DJ | LaBac Collective: Aaron & Farah |
| 1030-1115 | Threat Modeling for Beginners and How to contact the ISS with Ham Radio | Gregg/K6XSS | | | The Audit Survival guide & The Festival Survival guide | kluthulhu |
| 1115-1200 | Hunting Evil File Hashes and Processes using PowerShell Automation & DIY How to Build and Paint Custom Wood Shelving | Blake Regan | | | Building a Home Lab and Hobby Farm | Justin Henderson |
| 1200-1245 | Hacking Cars and Crops on a Budget | Griffin Payne | | | Reverse Engineering Unknown Protocols // ASCII Art For Beginners | netspooky |
| 1245-1330 | Cybersecurity au Vin | Bryson Bort | | | Because it’s there: Hacking and Climbing | Julien Richard |
| 1330-1415 | Intel CET and how to stop being scared of French baking | Yarden Shafir | | | Avoiding Burnout, and Exciting Train Facts | Michael Kavka |
| 1415-1500 | Lucky Socks for Bug Bounties | Katie Paxton-Fear | | | Phishing with Caricatures | Mishaal Khan |
| 1500-1545 | Rare Collectables: Breached Credentials and Bourbon | Nick B | | | Run Towards The Fire: Forging a Career from Crisis & Stroke Awareness | Chris Traynor |
| 1545-1630 | Avoiding Murky Waters: Clear Threat Intelligence Communications and Watercolor Painting | Emily Hacker | | | GNU/Linux Tools for Blue Team and Big-Kid Rockets | Ben Goerz |
| 1630-1715 | Containers are built on a castle of lies – b&w analogue photography in your bathroom | hugo_shaka | | | It’s not Magic! Insider Threat Detection and the Perfect Cup of Coffee | Will Baggett |
| 1715-1800 | Vulnerability Analysis: Intro To Vulnerability Scanning And Trauma Therapy | David Fuhr | | | DFIR Data and World Championship Powerlifting | Lodrina Cherne |
| 1800-1845 | Machine Learning Vulnerabilities and Fabric Choices | Erick Galinkin | | | Hunting Malware Beacons and Making Pizza from Scratch | Randy Pargman |
| 1845-1900 | CLOSING REMARKS / AWARDS | Lesley Carhart | | | ——- | ——- |
Talk Synopses
Steganalysis & Stegosaurus
Edward Miro, (He/Him)
Part 1: It’s everything you’ve ever wanted to know about analyzing steganography in a 20 minute crash course focused on common CTF style challenges.
Part 2: It’s everything you’ve ever wanted to know about the coolest dinosaur STEGOSAURUS!
Threat Modeling for Beginners and How to contact the ISS with Ham Radio
Gregg K6XSS (He/Him)
This talk will cover how to do basic threat modeling to find risk and mitigate it for any size project. The second part of this talk will go over how to transmit and receive audio using the repeater on the International Space Station using a $30 Ham Radio.
Hunting Evil File Hashes and Processes using PowerShell Automation & DIY How to Build and Paint Custom Wood Shelving
Blake Regan
Hunting Evil Hashes and Processes using PowerShell will cover how to identify file hash IOCs using PowerShell, and how to automate this effort as well as identifying malicious processes on a host. Using PS Remoting, Blake will present an automation framework to find the hashes on your Domain at scale, with options to report, remove, or collect for Hunting or IR. Sample Code and Framework will shared on Github. Blake also has a fun hands on example for folks to follow along with during the talk and practice with afterwards.
DIY build and paint custom wood shelving was an idea that came to Blake when doing a house remodel project during quarantine. Blake used a go-pro to film the process from sanding and cutting bare wood stock, laying out the shelves on the wall before install, assembling and installing the shelves, and prepping and painting the shelves for a professional looking finish.
Hacking Cars and Crops on a Budget
Griffin Payne (He/Him)
Transportation and food. Two things that everyone needs. Living in America leaves much to be desired in terms of public transportation, so we’ve become reliant on cars. We’ve also become accustomed to convenience and expect our cars to tell us where to go, adjust our speed, and even drive for us. In the same vein, we’ve become accustomed to convenient food. Drive-through, delivery, call head ordering, and everything in between to make things easier for us. The downside of all this convenience is that it costs money to make things easier. As a pentester, you have an inherent curiosity to poke and prod to see what makes things tick. What can you do to cars and food that’s cheap and (relatively) easy?
Cybersecurity au vin
Bryson Bort
Taking security and the kitchen to the next level! I’ll do an overview of detection engineering with logging, analysis, and creating the threat. In the kitchen, we’ll de-snootify wine and use it to make Coq au Vin.
Intel CET and how to stop being scared of French baking
Yarden Shafir (she/her)
CET is the most exciting feature to be added to Intel processors in a long time, and after long years of trying to fight exploits using arbitrary code execution vulnerabilities, CET could lead to a new era of exploit mitigations and force attackers to rethink and redesign their techniques. In this talk I’ll explain what CET is, why it is such a game-changer, how it is currently implemented on Windows and how developers and defenders should use it to make their products safer and protect against attackers.
In the second part of the talk we’ll talk about baking and why it’s the best nerdy hobby there is (as a lot of people learned during the sourdough phase of the pandemic). I’ll focus on basic butter cookies and show how they can be easy, simple, versatile and mathematical all at the same time. I’ll explain the math and science behind this simple pastry and show that with a bit of scientific knowledge you don’t even need a recipe to make amazingly delicious and sugary pastries!
Lucky Socks for Bug Bounties
Katie Paxton-Fear (she/her)
I am a knitter, I knit a lot, I half the average age of my local knitting circle, but it is my passion. One of my favourite things to knit are socks, they are portable, only need 1 needle, you can use amazingly soft yarn, and You can zone out while you make them. Socks are perfect for meditative knitting! More than that, socks you make yourself, they are lucky, how do I know? Well I’m a bug bounty hunter, I knit and I hack companies for money, and the first time I found a bug? It happened when I was wearing hand knit socks and as I knit another pair.
To become a bug bounty hunter you need a few things, one is a knowledge of how the web works, second you need to learn how the tools of the trade work and how to use them, next you need an idea of some of the more common vulnerabilities you can find and how to exploit them, some methods to practice, and finally some lucky socks. In this talk I’ll go over the basics of how to get into bug bounty hunting, what to look for and how to get started. Then I’ll teach you how to knit your very own pair of socks, guaranteeing you bugs!
Rare Collectables: Breached Credentials and Bourbon
Nick B
Humans are collectors by nature. For whatever reason, we feel the need to seek out and collect objects that would otherwise have no value. Some collect baseball cards, others spend hours searching through coins for specific old mints, other people seek out rare stamps…
I collect two things: breached credentials and bourbon.
Avoiding Murky Waters: Clear Threat Intelligence Communications and Watercolor Painting
Emily Hacker
Part 1: Clear Threat Intelligence Communications
This section of the talk will describe tips for having clear and concise threat intelligence communications, including the different types of communication mediums (reports, presentations, etc), taking audience into consideration, and avoiding jargon. I am a threat intelligence analyst but started my career as a technical writer and want to use my experience to help other analysts.
Part 2: Watercolor Painting
This section will describe the most basic aspects of watercolor painting, including supplies needed, wet on dry and wet on wet techniques, and combining watercolor with ink for more details. I started watercolor painting during lockdown so I’m by no means an expert, and will be sharing this as a relative newbie for other newbies as I feel it has become a very nice lockdown hobby.
Containers are built on a castle of lies – b&w analogue photography in your bathroom
Hugo (he/him)
In this talk we’re going to deep dive in linux containers, how they are implemented, and what does they look like from a system point of view. The goal is to explain bit by bit all the different concepts and mechanisms used to create a container, syscalls, cgroups, namespaces, …
Additional resources will be provided for curious participants wanting to experiment and create containerized processes manually without docker.
I discovered black and white film photography by dusting off my dad’s camera. It ended up being a cheap and fascinating way to get into photography. We’ll cover the basics of b&w photography, why it is so rewarding and what you need to get started taking photos and revealing them in your bathroom.
Vulnerability Analysis: Intro To Vulnerability Scanning And Trauma Therapy
David Fuhr (he/him)
Vulnerability scanning is an automated process wherein a set of assets (potentially to be discovered by the same process) is mapped against a database of known vulnerabilities to produce a (hopefully prioritized) list of problems we might want to fix. We will look at common techniques, tools, typical outputs, limitations, and what else makes a good vuln management program.
Trauma is a soul’s reaction to distressing events overwhelming the person’s ability to integrate the emotions involved that *can* have long-term negative effects. Different psychological schools of thought have different concepts of what happens in a trauma and therefore different ideas what might help cope. We will have a look at the Gestalt therapy model of trauma and growth.
Machine Learning Vulnerabilities and Fabric Choices
Erick Galinkin, (he/him)
Machine Learning is a hot topic, but can it actually increase your attack surface? We’ll discuss attacks against machine learning systems and the systems that serve machine learning models with an eye toward how to protect yourself and your environment.
In the second half of the talk, we’ll discuss another misunderstood topic: fabric choices. Although the author has more experience dressing men, we’ll keep the topic as gender neutral as possible and discuss fabrics in shirting and trousers – something we may want to keep in mind when we leave the t-shirts and sweatpants world but still want comfort!
Removing Nudes with Law and Cyber, AND how to (fake) DJ
LaBac Collective: Aaron (they/them) Farah (she/they)
Social media policies tend to be convoluted and inconsistent, which can be frustrating when you’re trying to get unwanted pictures of you removed from the site. We will walk through some tips for identifying these pictures and starting the process of getting them removed through copyright law!
After, the talk will move to an instructional piece on being a fake DJ. Having successfully been booked at hip Brooklyn nightclubs with no DJ experience, it is easier than you think to bootstrap your DJ career!
The audit survival guide / The festival survival guide
kluthulhu (he/him)
The audit survival guide: What to expect when you’re expected to answer probing questions without prep time. The festival survival guide: Mistakes not to make based on the patients I treated.
Building a Home Lab and Hobby Farm
Justin Henderson
First part is on how a home lab can help folks progress their careers and build confidence and knowledge. Talk will also share resources on how to do it. Second part is on disconnecting from IT and enjoying life. My method is hobby farming with miniature horses, miniature donkeys, miniature cows, goats, geese, chickens, rabbits, and more. I’ll share cute pictures and talk about rural life and how it fits my life in IT.
Reverse Engineering Unknown Protocols // ASCII Art For Beginners
netspooky (he/him)
<[ Reverse Engineering Unknown Protocols ]>
This talk is a crash course in analyzing unknown protocols (network or otherwise) with resources and tools you can play with right away. The goal will be to familiarize you with protocol concepts and help you develop an eye for identifying the important bits.
<[ ASCII Art For Beginners ]>
This talk will introduce the fundamentals of ASCII art and how to get started creating your own. We will discuss tools, techniques, and design philosophy that will help you turn any text document into a work of art.
Because it’s there: Hacking and Climbing
Julien Richard AKA Cabby42
This talk will focus on the methodology used for conducting penetration testing engagements (based on the PTES standard) followed by an introduction to rock and ice climbing.
Phishing with Caricatures
Mishaal Khan
See the full lifecycle of a phishing attack, from researching the target, setting up the phishing server, mail server and social engineering your way into the organization. Drawing cartoons with likeness is very challenging but very satisfying.
Run Towards The Fire: Forging a Career from Crisis & Stroke Awareness
Chris Traynor
Part 1: In October 2017 I accepted a job at Equifax (1 month after their breach announcement). Soon thereafter it would be voted “the most hated company in the country”. So why did I do it? Simple. I wanted to work in Security ever since graduating college, but never had the chance to make it a career. Joining a company in the middle of such an intense crisis provided a great opportunity to finally make the switch! I’ll discuss how this approach can be a great path into Security. I’ve been able to take on roles from AppSec engineer to DevSecOps, Security Platforms Automater to Pen Tester. Learning a LOT in the process. Orgs on the wrong end of a breach NEED Security. We can help! So run towards the fire!
Part 2: On July 11th, 2016 my 29 year old wife of two years suffered an Ischemic Stroke to the right portion of the Pons. I’ll use this time to… – Share my wife’s story and recovery – Build awareness of stroke in younger people – Teach the B.E. F.A.S.T. stroke identification method.
GNU/Linux Tools for Blue Team and Big-Kid Rockets
Ben Goerz (he/him)
GNU/Linux Tools for Blue Team:
Learn how to use command line tools and a free/cheap Linux server to do dozens of Blue Team tasks, including DFIR actions (reading fingerprinting file type, getting hashes), acquiring data (downloading threat feeds, doing whois lookups, making API calls), and manipulating the data you collect. Even the most experienced Linux users should learn a new trick or two!
Model Rocketry:
Learn how many adults who loved model rocketry in their scout or schoolkid days are returning to the hobby and supersizing their creations. You will learn how some technological advancements (like composite motors and parachute releases) can help you make bigger rockets and land them safely in a small field.
It’s not Magic! Insider Threat Detection and the Perfect Cup of Coffee
Will Baggett (he/him)
I will speak to the psychological analyst aspect of insider threat detection and how to use human behavior to tune alert events (MICE/RASCAL/STRIDE). The human factor of insider threat detection is the difference between DFIR and DFIT.
Small batch coffee: how to make a prime serving of espresso or americano with a 21st century french press.
DFIR Data and World Championship Powerlifting
Lodrina Cherne (she/her)
Have you ever opened up your “Pictures” folder on your computer and noticed that your photos always show up as tiny previews of the full size images? Then, have you gone into your “Downloads” folder and noticed the files are displayed a list of files instead of little pictures? Because your computer remembers this information for you, it can be recovered. This recovery and reconstruction of previous activity on a device is what digital forensic (DFIR) examiners do for a job. Hear an introduction about identifying DFIR data followed by… Do you have access to a gym? Inspired by #DFIRFit #RedTeamFit #BlueTeamFit? Hear a story about how one cybersecurity professional learned to love the barbell and powerlifting enough to medal and win international championships. Whether you’re wondering how lifting weights can help you improve your focus at the keyboard or just wondering what the sport of powerlifting is, you’ll come away inspired to #GitFit
Hunting Malware Beacons and Making Pizza from Scratch
Randy Pargman (he/him)
One of the best ways to discover malware hiding in your environment is to find the repeating network connections as it checks in to its C2. I’ll show you how to do that with Sysmon logs or Defender for Endpoint. After all that analysis work, you’ll probably be a hungry threat hunter. What better way to celebrate a job well done than with fresh pizza made from scratch? I’ll share the recipe and techniques that my family used to make pizza dough and sauce every Friday!
PancakesCon 4 