Talks and presentations

Getting Started with Windows Implant Development

March 18, 2022

Industry Conference Talk, Bsides Rochester, Rochester, NY

This talk will cover the basics of building custom Windows malware, from constructing your environment to achieving code execution. Unfortunately, content around the Windows API is often relatively inaccessible to those new to the industry. Security talks in this area are often directed towards experienced practitioners rather than novices. The intent of this talk is to demonstrate that, with a little bit of C and some Windows API documentation, you can do some real damage. Specific techniques covered will include AppCertDLLs (T1546.009), droppers, and Process Injection (T1055.002). This talk will also attempt to present custom malware development as a software engineering process that has very real challenges and real costs to adversaries. The target audience is one that is familiar with C, memory management, and concepts typically taught in an Operating Systems course.

ATT&CKing Windows

March 12, 2020

Local Meetup Presentation, InfoSec 716, Buffalo, NY (Zoom)

This talk will address how to get started with using the MITRE ATT&CK Framework to develop offensive tooling for Windows environments. The talk will introduce the ATT&CK framework, provide some examples demonstrating how to work with the Windows API, and will provide an overview of popular tools that make use of the ATT&CK framework. Finally, some preliminary research related to calibrating existing publicly available offensive tools oriented to the ATT&CK framework against publicly available defensive tooling will be presented.

Operationalizing the MITRE ATT&CK Framework

June 22, 2019

Industry Conference Talk, Bsides Cleveland, Cleveland, OH

The MITRE ATT&CK framework is all the rage these days. Many are looking at this as a research framework that can help standardize many aspects of information security, particularly with respect to offensive methodology. This talk will look at the MITRE ATT&CK framework from a different angle by examining how the information MITRE has organized can improve penetration testing and, based on preliminary results, defensive posture. I will provide an overview of the ATT&CK framework, discuss the techniques that are useful for penetration testing, and present a case study of homebrew malware written to be aligned with the ATT&CK Framework. The talk will conclude with a discussion of using existing tools aligned with MITRE’s ATT&CK Framework for detection and automating analysis of log data generated by those tools. It is important to note that this talk was supported by a significant amount of student work through both undergraduate and graduate capstone projects.

An Analysis of Cyber Security Educational Standards

August 10, 2018

Industry Conference Talk, DC 26 Packet Hacking Village, Las Vegas, NV

Penetration testing is a challenge for higher education. Students are demanding this course in increasing numbers and faculty are scrambling to meet the demand. This talk will explore some of the curricular factors that influence why, where, and how higher education teaches penetration testing. Approaches to teaching this content can be wildly different, though, and can range from the theoretical to intensely technical. The strengths and weaknesses of these approaches will be discussed and some suggestions will be presented for how higher education can modernize their approach to teaching penetration testing.

Evolving the Teaching of Pen Testing in Higher Education

June 23, 2018

Industry Conference Talk, Bsides Cleveland, Cleveland, OH

Penetration testing is a challenge for higher education. Students are demanding this course in increasing numbers and faculty are scrambling to meet the demand. This talk will explore some of the curricular factors that influence why, where, and how higher education teaches penetration testing. Approaches to teaching this content can be wildly different, though, and can range from the theoretical to intensely technical. The strengths and weaknesses of these approaches will be discussed and some suggestions will be presented for how higher education can modernize their approach to teaching penetration testing.

What They’re Teaching Kids These Days: Comparing Security Curricula and Accreditations to Industry Needs

July 26, 2017

Industry Conference Talk, Black Hat USA, Las Vegas, NV

Security is hard, but security education may be harder. Few academic institutions have the skills or resources to dedicate solely to security education. Rather, most security programs in higher education have grown out of or have been welded on to other technology programs. The resulting fractured educational ecosystem has created a disparity in the skill sets of graduating students and has made it challenging to develop standards to ensure consistency across educational programs. This talk will take a look at how security curricula have traditionally been developed and continued to be shaped by a variety of forces. We will examine some of the proposed solutions for accrediting programs and analyze their strengths and weaknesses. Subsequently, we will try to determine which type of student each model is designed to produce and provide our own recommendations about how to standardize security education.

What They’re Teaching Kids These Days

June 24, 2017

Industry Conference Talk, Bsides Cleveland, Cleveland, OH

Penetration testing is a challenge for higher education. Students are demanding this course in increasing numbers and faculty are scrambling to meet the demand. This talk will explore some of the curricular factors that influence why, where, and how higher education teaches penetration testing. Approaches to teaching this content can be wildly different, though, and can range from the theoretical to intensely technical. The strengths and weaknesses of these approaches will be discussed and some suggestions will be presented for how higher education can modernize their approach to teaching penetration testing.

Whose Idea Was That? Comparing Security Curriculums and Accreditations to Industry Needs

June 16, 2017

Industry Conference Talk, Anycon, Albany, NY

Security is hard, but security education may be harder. Few academic institutions have the skills or resources to dedicate solely to security education. Rather, most security programs in higher education have grown out of or have been welded on to other technology programs. The resulting fractured educational ecosystem has created a disparity in the skill sets of graduating students and has made it challenging to develop standards to ensure consistency across educational programs. This talk will take a look at how security curricula have traditionally been developed and continued to be shaped by a variety of forces. We will examine some of the proposed solutions for accrediting programs and analyze their strengths and weaknesses. Subsequently, we will try to determine which type of student each model is designed to produce and provide our own recommendations about how to standardize security education.

Writing Your First Exploit

August 04, 2016

Industry Conference Workshop, DEFCON, Las Vegas, NV

DEF CON isn’t just for hardened hackers with 5up3r 3l173 hacking skills. As DEF CON has grown, more and more attendees are looking for knowledge that will help them get started in the world of hacking. If that’s what you’re looking for, this training workshop is for you!

A Software Framework for Patient Data Handling in Emergencies and Disasters

July 31, 2014

Academic Conference Talk, 2014 International Conference on Collaboration Technologies and Systems, Minneapolis, MN

In this paper, we describe the development of a software framework and its guiding principles for patient handling and processing in emergencies and disasters. The MEDTOC system developed earlier is modified and enhanced to include a complete object oriented software model for patient classification, patient handling and patient data processing. The client and server side processing is specified, the patient clustering considerations are discussed and initial results are outlined in terms of software models, algorithms and medical guidelines for effective collaboration.

Project CASSI: A Social-Graph Based Tool for Classroom Behavior Analysis and Optimization

July 06, 2013

Industry Conference Workshop, 2013 International Conference on Educational Data Mining, Memphis, TN

Although educational data mining is a well-established field, it has not yet sought to provide serious, actionable intelligence that can be used by teachers to address bullying in a reasonable amount of time. This paper seeks to propose a system that will streamline the processing and storage of bullying data in social graph form so that it will be available to be mined by expert systems that can help educators in the classroom. In addition, one such expert system will be proposed demonstrating how this data may be used to automate a common classroom management task that may improve students’ classroom experiences.

Client-Server Based Transmission Scheme over GSM Network for MEDTOC with Patient Classification

May 21, 2012

Academic Conference Talk, 2012 International Conference on Collaboration Technologies and Systems, Denver, CO

Cellular networks are becoming the most prevalent networks. Different applications are being deployed on them due to their ubiquity and reliability. We have been working on designing an emergency medical data transmission system named MEDTOC that would carry aggregated patient data over the cellular network to the hospital. In this paper, we present an efficient scheme which implements the transfer of a moving patient’s vital signs to the hospital via the GSM network. This scheme was implemented and tested by writing a Java based client-server application to transfer patients’ vital sign information. Post-transmission operations include archiving, classifying and presenting the vital signs data on demand. We have investigated the problem of classifying patients based on their condition, as assessed through vital signs. With that information, patients can be assigned to the appropriate physician for remote monitoring.