A few days ago, THOTCON 0x6 and BSidesChicago took place in Chicago. We were both privileged enough to be accepted to speak at BSidesChicago which, for an event that almost didn’t happen, was the best BSidesChicago we’ve attended.

I was finally able to speak about the results of the DGA seed bruteforcing research I previously blogged about here. Botnet command and control architectures were discussed with a focus on DGA backends, Ramnit and its DGA were described, the algorithm I used to identify all Ramnit C2 domain names was presented, and finally some interesting query plots and client IPv4 graphs were explained. The slide deck for my presentation is available for download here.

Following Bruce Potter (the creator of ShmooCon) was a definite challenge, but the crowd was very receptive and asked many thought provoking questions.

Nicholas Percoco, from Rapid7 and the founder of THOTCON, spoke to the crowd on the ‘Security of Things’. He explained his love of thinking about the future and detailed his interest in the direction of technology since a young age. As a child, he was enamored by the futuristic Epcot ride, Horizons. Nicholas verbally recreated a future version of this ride to describe the sort of future we might be in for and some of the risks we might encounter based on the current direction of technology. Examples involved self-driving cars that are hacked and crashed, robotic hospitals misdiagnosing patients, and brain-to-computer interfaces which are compromised by hacktivists, requiring large payments to decrypt memories or unscramble thoughts.

It was pretty difficult to speak after Nicholas, but I did my best by presenting a variation of my talk about protecting a cloud server with a cloud IDS. This is a topic I’ve been explaining at several other recent conferences, providing additional research into different aspects of the topic at each opportunity. At BSides Chicago, I dug deeper into the use of compromised domains in phishing attacks and their attribution to specific hosting providers as a reason someone might want to view attack activity against their shared web host.

Richard Wartell, from CounterTack, gave an entertaining technical presentation titled, ‘The Life and Times of an APT Malware Author’. Using a potential scenario combined with malware he has analyzed or created during work engagements, he walked us through the most common thought processes and mistakes of malware authors. Richard concluded with some basic suggestions for malware authors if they want to avoid detection or make the job of a reverse engineer more challenging.

The final presentation of the day was by Runa Sandvik. It was titled, ‘Encrypt like Everyone’s Watching’. She gave an introduction to the workings of Tor and the various mobile applications available for securing communications. Her talk began by addressing the common argument of, “I’ve got nothing to hide”, used by some when considering surveillance of their communications and activities. Runa suggested that everyone use applications that promote secure communication, making it more of a normal behavior. This would result in a decrease in the targeting of smaller groups or individual users of these applications. She followed with a description of the functionality of tools such as the Tails operating system, the Tor Browser, and applications like Orbot, RedPhone and TextSecure on Android and Signal on iPhone. The latter portion of her time on stage involved multiple questions, resulting in thoughtful dialogue on privacy topics.

There were so many other great presentations that we just couldn’t get to, such as ‘Trusts You Might Have Missed’ by Will Schroeder and Justin Warner, ‘Pentesting is Broken’ by Zach Grace, ‘Malvertisements, The Modern Targeted Attack’ by Adrian Evans, ‘Evasion Techniques of Elusive Hax0rs’ by Jaeson Schultz, and a two hour workshop on using Bro IDS by Liam Randall.

The “A-side” to the BSides event was THOTCON. It occurred the Thursday and Friday before BSidesChicago. Now in its sixth year, this conference gets better and better with each occurrence. As with most conferences, the biggest benefit comes from networking and socializing; I tend to call these “hallway conversations”. These are where you get to see people’s true personalities, reactions, and thoughts, which are often not as transparent over infosec practitioners’ typical communication media of choice (email and chat rooms).
Between excellent conversations were top-notch presentations. The second keynote titled “Wanna Cyber?” by Tod Beardsley and egypt of the Metasploit project surfaced interesting questions such as “If we enter a cyberwar, what is a cyberwar crime?” and “As typical cyber operations require multiple people working together, who should be charged with cyberwar crimes?” I look forward to attending again next year.
