Cryptography Pitfalls

This session will be presented at BSidesPhilly on Saturday, December 3, 2016 from 1:10 pm – 2:00 pm in Congress Hall. 

Cryptography Pitfalls” by John Downey (@jtdowney)

Over the past few years, I have given a talk on Cryptography Pitfalls at a variety of conferences. One section of the talk covers the evolution of password storage and the various data breaches the last few years. In addition to covering the ways password storage has been done wrong, I also present the best solutions. Instead of recapping it again, take a look at Coda Hale’s blog post on the topic.

A few brave souls will occasionally come up to me later and admit their company still stores passwords in a less than ideal way. There are many reasons for this, but they generally boil down to the fact that the software is old and developers just didn’t know any better when they wrote that part of the system.

When talking to them about how they plan to solve it, most come up with roughly the same solution: when a user logs in, transparently write an updated bcrypt version of the password to the database. The problem with this solution is that users don’t benefit from the new system if they never log in. When teams upgrade their passwords this way, they will often look back years later and find that some users never logged in again. This is especially true in consumer products.

My advice to them is always the same: don’t wait to fix your password storage. You should instead run the existing password hashes through bcrypt and store that as your password verifier.

For a hypothetical example, let’s say we have an application that was storing passwords as just sha1(password). We could then change the code so that the new format for password storage is bcrypt(sha1(password)). This is perfectly secure and has the benefit that we can derive the value given data we already have. This is a much better solution than silently updating on login. You can do this in three phases:

  1. Deploy the code that can detect which password a user has and verify it correctly. Write new passwords in the updated bcrypt(sha1(password)) format.
  2. Run a background job that visits each record in the users table and updates their password by taking the sha1(password) format and writing back the bcrypt(sha1(password)) format.
  3. Go back and remove the code to detect the two different formats and only ever work with the new format.

Now you have fixed your password storage and every user has the benefit right away.

How to Find A Company’s BreakPoint

This session will be presented at BSidesPhilly on Friday, December 2, 2016 from 10:00 am – 10:50 am in Congress Hall. 

How to Find A Company’s BreakPoint” with Andrew McNichol and Zack Meyers

All too often there is a huge focus on performing “scans” and running tools when conducting security assessments. The reality is critical risk vulnerabilities are seldom pulled out of vulnerability scanners. Sure, everyone once in a while you will get some great wins from these tools, but they should never drive the results of a security assessment.

In this talk we share an overview of the five (5) common ways we break into companies. When performing penetration testing and red team engagements, we often find these five (5) techniques to be highly effective which include: Phishing, Web Application Vulnerabilities, Multicast Name Resolution Poisoning, SMB Relay Attacks, and Account Compromise. These techniques are not a complete list of methods used to establish a foothold, but rather the five most common as every assessment is different, often requiring additional techniques to be leveraged. Each topic will dive into how to actually conduct the testing using manual testing techniques and how to leverage Python for automation.

The goal of this talk is to help educate those who are new to penetration testing and hacking techniques. We tend to see the same mindset applied when we speak to those new to pentesting “Scan something with Nessus to find the vulnerability, and then exploit it…Right?”. This is very far from reality when we talk about pentesting or even real world attacks. We also discuss how an organization can fix and remediate these vulnerabilities with the goal to limit their network’s attack surface.

Zack and Andrew share their experience as pentesters for BreakPoint Labs. They offer insight from a various security assessments ranging from commercial penetration tests to full scoped DoD Red Team engagements. Both speakers are also contributors to Primal Security Blog & Podcast and have spoken at several other Bsides conferences this year including: Bsides DC, Bsides Charm, Bsides JXN and RVASec.

The concepts covered in this talk are detailed further in a blog post on the BreakPoint Labs site under the “5 Ways We Get On Your Network”: .

All the BSidesPhilly After Party Details You Need to Know

After a hard day of learning new things and meeting new people, cool off with some beer, wine, or soda and appetizers. Thank you to our friends at SIG (Susquehanna International Group LLP) for their support in making this after party possible!

WHEN: Friday, December 2nd from 5:30 pm – 7:30 pm

WHERE: The Field House | 1150 Filbert Street, Philadelphia PA 19107

WHO: BSidesPhilly attendees WITH BADGES who are ages 21+

WHY: Why not?

COST: Your dynamite smile. (whispers That means FREE.)

Getting there:
(1) Car – Discount parking ($10) is available at the Gallery II garage. Must present garage ticket to Field House hostess for validation.

(2) Public Transit (Market-Frankford El) – Take the El Eastbound from either the 34th Street Station or 30th Street Station. Get off at 11th Street. Walk on block North to Filbert Street, turn left. A two-pack of tokens is $3.60. Cash-only at the machines, sales window at 30th Street accepts cash, credit, or debit.

(3) Public Transit (Regional Rail) – From 30th Street Station, take any train heading to Jefferson Station. From Jefferson Station, follow directions towards the Philadelphia Convention Center and exit at 11th & Filbert Streets. The Field House is accessible from inside the station. Cash on the train is $6.00, or $4.75 in advance if you purchase from the station ticket window.

(4) Uber or Lyft – you know what to do.

(5) Foot – It’s a 1.7 mile walk from Drexel to the Field House. Basically, straight down Market Street towards the Delaware River. But, if you get to the Delaware River, you’ve gone too far. So, just take a car or public transit.

We look forward to seeing you there!

CryptoParty at University of Pennsylvania

Penn for Privacy proudly hosts its very first CryptoParty! Penn for Privacy is a proud member of the Electronic Frontiers Alliance, a national grassroots organization dedicated to protecting your digital rights!


Saturday, December 3, 2016
Starting at 4PM and expected to run approximately 4 hours.


Houston Hall
Hall of Flags (first floor)


  • Bring your laptops & Phones & Tablets USB keys & Abacuses: this is a hands-on experience.
  • Come ready to discuss your concerns about, tool sets for, and own approaches toward safety in the digital age.
  • Have a tinfoil hat ready. If not, one will be supplied.
  • Be excellent to each other.
  • No photographing or recording of attendees [at least not without their permission].
  • Prepare your pseudonym ahead of time.

Planned Topics

Threat Modelling

  • What do you feel is important to protect?
  • Who do you need to protect it from?

Email Encryption with PGP/GPG

  • how it works, what it protects you from and what it doesn’t
  • what software is needed
  • installing and using email encryption

Safer Browsing

Best practices, tools & procedures to keep you safe while increasing privacy when browsing the web. Browser hardening and internet safety protocol to maintain your privacy on the web.

Much, much more!

Get Involved

Do you have a topic that interests you and would feel comfortable helping others? Let us know we can expect you to head a table.

Contact Information

Web: Join the EFF’s Electronic Frontiers Alliance! Huzzah!
(PGP Fingerprint: Penn for Privacy 5D73 6251 A160 BC56 154C 33DD 519D D95D 1530 636F)