#WiFiCactus

Saturday 08/11/18 from 1000-1150 at Table One
Offense, defense, hardware

Mike Spicer

The newly upgraded #WiFiCactus for DEF CON 26 is a passive wireless monitoring backpack that listens to 60 channels of 2.4 and 5 gHz WiFi at the same time. New this year is the ability to capture 802.11AC traffic and upgrades to remove bandwidth bottlenecks. This tool uses Kismet to capture the data from the each radio and aggregates them into a single searchable web interface. This tool is also capable of identifying wireless threats, troubleshooting complex wireless environments and helping with correlation analysis between Bluetooth and WiFi.

http://palshack.org/the-hashtag-wifi-cactus-wificactus-def-con-25/

Mike Spicer
d4rkm4tter is a mad scientist who likes to hack hardware and software. He is particularly obsessed with wireless. He has a degree in computer science which he has put to use building and breaking a wide variety of systems.

80 to 0 in under 5 seconds: Falsifying a medical patient's vitals

Saturday at 16:00 in Track 1
45 minutes | Demo

Douglas McKee Senior Security Researcher for the McAfee Advanced Threat Research team

It seems each day that passes brings new technology and an increasing dependence upon it. The medical field is no exception; medical professionals rely upon technology to provide them with accurate information and base life-changing decisions on this data.

In recent years there has been more attention paid to the security of medical devices; however, there has been little research done on the unique protocols used by these devices. In large, health care systems medical personnel take advantage of to make decisions on patient treatment and other critical care, use central monitoring stations. This information is gathered from many devices on the network using uncommon networking protocols. What if this information wasn't accurate when a doctor prescribed medication? What if a patient was thought to be peacefully resting, when in fact they are under cardiac arrest?

McAfee's Advanced Threat Research team has discovered a weakness in the RWHAT protocol, one of the networking protocols used by medical devices to monitor a patient's condition. This protocol is utilized in some of the most critical systems used in hospitals. This weakness allows the data to be modified by an attacker in real-time to provide false information to medical personnel. Lack of authentication also allows rogue devices to be placed onto the network and mimic patient monitors.

This presentation will include a technical dissection of the security issues inherent in this relatively unknown protocol. It will describe real-world attack scenarios and demonstrate the ability to modify the communications in-transit to directly influence the receiving devices. We will also explore the general lack of security mitigations in the medical devices field, the risks they pose, and techniques to address them. The talk will conclude with a demonstration using actual medical device hardware and a live modification of a patient's critical data.

Douglas McKee
Douglas McKee is a Senior Security Researcher for the McAfee Advanced Threat Research team, focused on finding new vulnerabilities in both software and hardware. Douglas has an extensive background in penetration testing, reverse engineering, malware analysis and forensics and throughout his career has provided software exploitation training to many audiences, including law enforcement.

ADRecon: Active Directory Recon

Saturday 08/11/18 from 1200-1350 at Table Six
Security professionals (Blue Team, Red Team), system administrators, etc.

Prashant Mahajan

ADRecon is a tool which extracts various artifacts (as highlighted below) out of an AD environment in a specially formatted Microsoft Excel report that includes summary views with metrics to facilitate analysis. The report can provide a holistic picture of the current state of the target AD environment. The tool is useful to various classes of security professionals like system administrators, security professionals, DFIR, etc. It can also be an invaluable post-exploitation tool for a penetration tester. It can be run from any workstation that is connected to the environment, even hosts that are not domain members. Furthermore, the tool can be executed in the context of a non-privileged (i.e. standard domain user) accounts. Fine Grained Password Policy, LAPS and BitLocker may require Privileged user accounts. The tool will use Microsoft Remote Server Administration Tools (RSAT) if available, otherwise it will communicate with the Domain Controller using LDAP.

The following information is gathered by the tool: Forest; Domain; Trusts; Sites; Subnets; Default Password Policy; Fine Grained Password Policy (if implemented); Domain Controllers, SMB versions, whether SMB Signing is supported and FSMO roles; Users and their attributes; Service Principal Names (SPNs); Groups and memberships; Organizational Units (OUs); ACLs for the Domain, OUs, Root Containers and GroupPolicy objects; Group Policy Object details; DNS Zones and Records; Printers; Computers and their attributes; LAPS passwords (if implemented); BitLocker Recovery Keys (if implemented); and GPOReport (requires RSAT).

https://github.com/sense-of-security/ADRecon

Prashant Mahajan
Prashant Mahajan is a Security Consultant at Sense of Security Pty Ltd. He has experience with various aspects of Information Security including penetration testing, vulnerability analysis, digital forensics and incident response. Prashant is a founding member of Null—The Open Security Community and frequent speaker at industry events.

Advanced Custom Network Protocol Fuzzing

Saturday, 1000-1400 in Icon C

Joshua Pereyda Software Engineer

Timothy Clemans Software Engineer

Get hands on experience writing custom network protocol fuzzers. This class will cover the basics of network protocol "smart fuzzing." Exercises will utilize the open source network protocol fuzzing framework, boofuzz. Attendees will gain practice reverse engineering a network protocol, implementing and iterating on a custom fuzzer, and identifying vulnerabilities.

After:
1. You will know the basics of fuzzing.
2. You will know how to write custom network protocol fuzzers using state of the art open source tools.
3. You will have hands on experience with this widely-discussed but still largely mysterious test method.

Before:
1.You should be comfortable doing some programming in Python.
2. You should understand basic network protocol concepts.
3. You should be familiar with WireShark and how to use it.

What you won't learn:
1. Exploit development.
2. Python programming. Because you can already do that (see above).

Prerequisites:
- Some basic Python programming experience (some programming ability is REQUIRED).
- Basic understanding of network protocols.
- Basic familiarity with Wireshark.
- Optional: Fuzzing experience.

Materials:
- Laptop with physical Ethernet port -- strongly recommended: configure for secure Wi-Fi access beforehand.
- Python 2.7 and pip installed and updated.
- Linux recommended but Windows OK.

Max students: 66

Registration: -CLASS FULL- https://www.eventbrite.com/e/advanced-custom-network-protocol-fuzzing-icon-c-tickets-47194829004
(Opens July 8, 2018 at 15:00 PDT)

Joshua Pereyda
Joshua is a software engineer specializing in information and network security. He has worked in the critical infrastructure and cloud computing industries with employers heavily invested in software and hardware security. Among his passions are hacking, teaching kids to program, listening to upper-crust orchestral performances with his wife, and figuring out how he can get paid to do it all... legally. Joshua is the maintainer of the boofuzz network protocol fuzzing framework. He has written fuzzers for fun, and profit (literally).

Timothy Clemans
Tim is a software engineer working in information security. He has worked for a startup and data analytics companies. He currently works in critical infrastructure with a focus on security and fuzzing. He cringes at the thought of insecure systems and so he seeks to improve the security of anyone who will listen. He enjoys a good hike, ice cream, and long walks on the beach.

Adventures in Radio Scanning: Advanced Scanning Techniques with SDR

Saturday, 1000-1400 in Icon D

Richard Henderson

Bryan Passifiume

Many cities around the world have implemented multi-million dollar "trunked" radio systems for their transit, municipal, public safety, police, fire and EMS radio networks. Large commercial organizations (like Caesar's) also use frequency sharing trunked radio systems due to the hundreds (if not thousands) of staff... all requiring radio access. This workshop will walk you through the basics of trunked radio systems, how they work, and how you can set up a listening post to decode these systems and listen in. This workshop will cover setting up and using the Trunk88 scanning software, and how to scan other conventional (non-trunked) radio systems such as MOTOTRBO, Tetra, EDACS, and other systems. Live interception and decoding of a trunked system and a DMR/TRBO system will be done by students. We will also quickly walk through scanning popular archaic pager systems like POCSAG.

Prerequisites: A basic understanding of SDR scanning would be incredibly helpful, but is not essential. We can walk students through it.

Materials: In this case, we will require each student to bring a Windows laptop (not a Surface tablet please) and *at least* 2 USB DVB-T RTL2832U+R820T sticks in order to properly intercept and decode trunked radio systems. The more sticks students bring, the more voice channels they will be able to simultaneously monitor and record. A very limited number of additional sticks will be available to borrow. Please make sure you have them!

Max students: 33

Registration: -CLASS FULL- https://www.eventbrite.com/e/adventures-in-radio-scanning-advanced-scanning-techniques-with-sdr-icon-d-tickets-47194754782
(Opens July 8, 2018 at 15:00 PDT)

Richard Henderson
Richard Henderson is a writer, researcher, and ham radio/electronics nerd who has worked in infosec and technology for well over a decade. Richard is currently co-authoring a book on cybersecurity for ICS/Scada systems.

Bryan Passifiume
Bryan Passifiume is a journalist, writer and photographer who writes for one of Toronto's largest newspapers. A National Newspaper Awards nominee, and a co-founder of the alt-amateur radio group Hamsexy, he's been involved in the monitoring and radio hacking scene for nearly twenty years.

All your family secrets belong to us—Worrisome security issues in tracker apps

Saturday at 16:00 in Track 2
45 minutes | Demo, Exploit

Dr. Siegfried Rasthofer Fraunhofer SIT

Stephan Huber Hacker

Dr. Steven Arzt Hacker

Google Play Store provides thousands of applications for monitoring your children/family members. Since these apps deal with highly sensitive information, they immediately raise questions on privacy and security. Who else can track the users? Is this data properly protected? To answer these questions, we analyzed a selection of the most popular tracking apps from the Google Play Store.

Many apps and services suffer from grave security issues. Some apps use self-made algorithms instead of proper cryptography for data storage and transmission. Others do not even attempt to protect their communication at all and make use of the unprotected http protocol, or even give an attacker full access to a vulnerable backend system. Hard coded database credentials in apps allowed access to all stored user locations. We would be able to extract hundreds of thousands of tracking profiles, even in real time. In others, this wasn't even necessary, because the user authentication could be bypassed altogether. Flaws in server API allowed us to extract all user credentials (1.7m plain text passwords), further we saw full communication histories containing messages, pictures and location data.

In total, the state of tracker apps is worrisome, effectively leading to users unknowingly installing espionage software on their devices.

Dr. Siegfried Rasthofer
Siegfried is the head of department Secure Software Engineering at Fraunhofer SIT (Germany) and his main research focus is on

applied software security. He has received a PhD, master's degree and bachelor's degree in computer science and IT-security. He is the founder of the CodeInspect reverse engineering tool and founded TeamSIK.

During his research, he develops tools that combine static and dynamic code analysis for security purposes. Most of his research is published at top tier academic conferences and industry conferences

like DEF CON, BlackHat, AVAR or VirusBulletin.

Stephan Huber
Stephan is a security researcher at the Testlab mobile security group at the Fraunhofer Institute for Secure Information Technology (SIT).

His main focus is Android application security testing and developing new static and dynamic analysis techniques for app security evaluation.

He found different vulnerabilities in well-known Android applications and the AOSP. He gave talks on conferences like DEF CON, HITB, AppSec or VirusBulletin. In his spare time he enjoys teaching students in Android hacking.

Dr. Steven Arzt
Steven is currently a researcher at the Fraunhofer Institute for Secure Information Technology (SIT) in Darmstadt.

He has received a PhD, a master's degree in computer science, and a master's degree in IT Security from Technische Universität Darmstadt.

Steven is one of the core maintainers of the Soot open-source compiler framework that is now used for static analysis and program instrumentation by various research groups around the world. He is also actively maintaining the FLOWDROID open-source static data flow tracker.

His main research interests center on (mobile) security and static and dynamic program analysis applied to real-world security problems, an area in which he has published various research papers over the last years.

All your math are belong to us

Saturday at 15:00 in Track 1
45 minutes | Demo, Tool, Exploit, Audience Participation

sghctoma Lead security researcher @ PR-Audit Ltd., Hungary

First of all, it's math. Not meth. So everybody be cool, I'm not gonna touch your central nervous system stimulant substances. Now that this is established, I can start telling my story. And this story, like all good stories, begins where it ends.

Wait, no, not really.

It begins at a birthday party where the sister of a friend asked if I could help her with MATLAB. No matter how horrible memories I had about MATLAB, I just couldn't say no. So the next day, there was I, sitting in my room, installing the trial. And that's when the hacking started...

Believe me, there were a lot to hack in this case! Several gigabytes of installed materials, a few web servers, cloud integration, clustering capabilities, you name it. These software are bloated, they are basically their own little operating systems.

Yup, I used plural. Because I thought why discriminate MATLAB? I should really give a chance to Maple and Mathematica to fail too!. I did, and they did fail, and these failures gave the material for my talk. Basically this will be a dump of exploits (RCEs, file disclosures, etc.), and if you use any of those software and you are at least a bit security conscious, you should definitely listen to it.

sghctoma
Toma is the lead IT security researcher at PR-Audit Ltd., a company focusing mainly on penetration testing and SIEM software development. Previously he participated in a cooperation between ELTE Department of Meteorology and the Paks Nuclear Power Plant Ltd., the goal of which was to develop TREX, a toxic waste emission simulator using CUDA.

The scene from RoboCop where Nikko defeats the ED-209 with just a laptop and a serial cable made a huge impression on him, and after seeing the movie, his path was set: he was bound to be a hacker. His first experiences in this field involved poking around various copy protection schemes, and to this day his favorite areas of expertise are the ones that require some mangling of binary files. Besides computer security he also loves mountain biking, flight simulators, and builds and flies acro quadcopters.

Analyzing Malscripts: Return of the Exploits!

Saturday, 1430-1830 in Icon E

Sergei Frankoff Co-Founder, Open Analysis

Sean Wilson Co-Founder, Open Analysis

In recent years malscripts and file based exploits have become a main delivery method for malware. Malscripts are often heavily obfuscated and they can take many different forms including WScript, Javascript, macros, and PowerShell. There has also been been a rise in document based exploits used to deliver and execute these malscripts. As a result incident responders and malware analysts need to be comfortable analyzing different document formats, identifying potential exploits, and analyze malscripts.

In this workshop you will work through the triage of a live malware delivery chain that includes a malicious document, malicious scripts, and a final malware payload. During this process you will be exposed to different document based exploits, and you will practice the skills required to manually analyze malscripts. This workshop focuses on the fundamental analysis techniques used when identifying, deobfuscating, and analyzing maldocs and malscripts. However, we will also provide an introduction to automation tools and techniques that can be used to speed up the analysis process.

This workshop is aimed at junior incident responders, hobby malware analysts, and general security or IT practitioners who are interested in learning more about the malware triage process. If you have no experience with malware analysis but you have a good understanding of scripting languages like VBScript, and Javascript, and you are familiar with windows internals you should have no problem completing the workshop. You will be provided with a VirtualMachine to use during the workshop, please make sure to bring a laptop that meets the following requirements. Your laptop must have VirtualBox installed and working (VMWare is not supported). Your laptop must have at least 60GB of disk space free, preferably 100GB. Your laptop must be able to mount USB storage devices. Make sure you have the appropriate dongle if you need one.

Prerequisites: None

Materials: Students will be provided with a VirtualMachine to use during the workshop. They will need to bring a laptop that meets the following requirements:

- The laptop must have VirtualBox installed and working (VMWare is not supported).
- The laptop must have at least 60GB of disk space free, preferably 100GB.
- The laptop must be able to mount USB storage devices (ensure you have the appropriate dongle if you need one).

Max students: 33

Registration: -CLASS FULL- https://www.eventbrite.com/e/analyzing-malscripts-return-of-the-exploits-icon-e-tickets-47194482969
(Opens July 8, 2018 at 15:00 PDT)

Sergei Frankoff
Sergei is a co-founder of Open Analysis, and volunteers as a malware researcher. When he is not reverse engineering malware Sergei is focused on building automation tools for malware analysis. Sergei is a strong believer in taking an open, community approach to combating cyber crime. He actively contributes to open source tools and tries to publish as much analysis as possible. With over a decade of experience Sergei has held roles both as the manager of an incident response team, and as a malware researcher.

YouTube: https://www.youtube.com/oalabs

Sean Wilson
Sean is a co-founder of Open Analysis, and volunteers as a malware researcher. He splits his time between reverse engineering malware and building automation tools for incident response. He is an active contributor to open source security tools focused on incident response and analysis. Sean brings over a decade of experience working in a number of incident response and application security roles with a focus on security testing and threat modeling. In his free time Sean loves fly fishing.

YouTube: https://www.youtube.com/oalabs

Angad: A Malware Detection Framework using Multi-Dimensional Visualization

Saturday 08/11/18 from 1600-1750 at Table Two
Defense, Forensics, Network, Malware

Ankur Tyagi

Angad is a framework to automate classification of an unlabelled malware dataset using multi-dimensional modelling. The input dataset is analyzed to collect various attributes which are then arranged in a number of feature vectors. These vectors are then individually visualized, indexed and then queried for each new input file. Matching vectors are labelled as per their AV detection categories for now but this could be changed to a heuristics approach if needed. If dynamic behavior or network traffic details are available, vectors are also converted into activity graphs that depict evolution of activity with a predefined time scale. This results into an animation of malware/malware category's behavior traits and is also useful in identifying activity overlaps across the input dataset.

Malware detection is a challenging task as the landscape is ever-evolving. Every other day, a new variant or a known malware family is reported and signature driven tools race against time to add detection. The process worsens when the rate of incoming samples is in thousands on a daily basis, making static/dynamic analysis alone of no use.

Angad tries to address this issue by leveraging well-known data classification techniques to the malware domain. It tries to provide a known interface to the multi-dimensional modelling approach within a standalone package.

https://github.com/7h3rAm/angad

Ankur Tyagi
Bio: Ankur Tyagi is a Sr. Malware Research Engineer at Qualys Inc., where he analyzes malicious code and applies statistical modelling to identify suspicious patterns and evolving trends. His research interests include structural visualization techniques for classifying large collections of uncategorized samples. He has completed MS in Software Systems with focus on Applied Security.

Archery—Open Source Vulnerability Assessment and Management

Saturday 08/11/18 from 1000-1150 at Table Two
Offense

Anand Tiwari

Archery is an opensource vulnerability assessment and management tool which helps developers and pentesters to perform scans and manage vulnerabilities. Archery uses popular opensource tools to perform comprehensive scanning for web application and network. It also performs web application dynamic authenticated scanning and covers the whole applications by using selenium. The developers can also utilize the tool for implementation of their DevOps CI/CD environment.

https://github.com/archerysec/archerysec/

Anand Tiwari
Anand Tiwari is an information security professional with nearly 5 years of experience in offensive security, with expertise in Mobile and Web Application Security. Currently working with Philips Healthcare on securing medical devices. He has authored Archery—open source tool and has presented at Black Hat Asia 2018. In his free time, he enjoys coding and experimenting with various open source security tools. Twitter handle: @anandtiwarics

Attack & Defense in AWS Environments

Saturday, 1000-1400 in Icon E

Vaibhav Gupta Security Researcher, Adobe Systems

Sandeep Singh Security Managing Consultant, NotSoSecure

AWS is the most widely used cloud environments today and almost every security professional have to encounter this environment whether you are attacking an organization or defending it. In this fast-paced workshop we will teach participants with some neat tools, techniques and procedures to attack the most widely used AWS services as well as to defend them.

- Recon / Information Gathering on AWS Services
- Attacking S3 buckets
- Exploiting web application flaws to compromise AWS services (IAM/KMS)
- Attacking Serverless applications
- Disrupting AWS Logging
- Attacking Misconfigured Cloud SDN

Takeaways: Students will be able to understand and appreciate the delta in attack surface which gets added due to moving to cloud. And subsequently design architecture and develop applications to defend them.

What will participants be provided?
- PDF copy of slide deck
- Lab VM
- Workshop lab manual
- Bonus labs

Target Audience:
- Cloud Security Engineers
- DevOps engineers
- Security Analyst
- Penetration Testers
- Anyone else who is interested in Cloud Security
- If you are an Expert or Advanced user, you may join us as co-trainers! :-)

Prerequisites: - Need to have AWS account (Free-tier) - Basic understanding of AWS

Materials: - Machine with at least 8 GB RAM and 20 GB free HD space - VirtualBox [VMs will be provided]

Max students: 33

Registration: -CLASS FULL- https://www.eventbrite.com/e/attack-defense-in-aws-environments-icon-e-tickets-47194715665
(Opens July 8, 2018 at 15:00 PDT)

Vaibhav Gupta
Vaibhav is working as a Security Researcher with Adobe Systems. His expertise lies in infusing design and architecture level security in applications hosted in-house and on cloud environments. With ~9 years of diverse InfoSec exposure, he has strong experience in attacking and defending applications including the ones hosted on the cloud. He is co-leading the OWASP and Null community in Delhi region and has delivered multiple sessions at the local and global stage. Vaibhav is also co-organizer for BSides Delhi.

Sandeep Singh
Sandeep is a Security Managing Consultant with NotSoSecure. He has over 5 years of experience in delivering high end security consulting services to clients across the globe. Sandeep has also worked in Detection and Response teams in the past. He is the co-lead of OWASP Delhi chapter and Community Manager of null community and actively contributes to the local security community. He has conducted and delivered many talks and workshops for the local community in the past. Sandeep is also one of the organizers of BSides Delhi.

Beyond the Lulz: Black-Hat Trolling, White-Hat Trolling, Attacking and Defending Our Attention Landscape

Saturday at 20:00 in Octavius 9
Fireside Hax |

Matt Goerzen Researcher, Data & Society

Dr. Jeanna Matthews Fellow at Data & Society, Associate Professor of Computer Science at Clarkson University

Joan Donovan Media Manipulation/Platform Accountability Research Lead, Data and Society in Manhattan

White hat or critical grey hat trolling? Trolling as art? Trolling as hybrid warfare? Trolling as propaganda? In this Fireside Hax, we will challenge your assumptions about trolling. Trolls are attention hackers, using social and technical means to bait journalists, set agendas, game media gatekeepers, and direct audiences. Sometimes they also have fun. We will discuss a range of trolling techniques like sockpuppeting, dogpiling, doxing, attention honeypots, and cognitive denial of service attacks that we have not seen concisely catalogued elsewhere. We will also discuss high-profile examples of trolling such as"training" the Microsoft Tay chatbot, fake Antifa accounts, Russian sockpuppet accounts, and Phineas Fisher's use of Hacking Team's twitter account--and ask attendees to consider each as black hat attacks or grey hat attempts to point out critical societal vulnerabilities that should be"patched." We will also talk about"troll the troll" accounts like ImposterBuster and YesYoureRacist and the role"white hat trolls" might play in auditing platforms or proposing platform-based controls. Time permitting, we will discuss art projects that trollishly critiqued the European Commission, Google AdSense, and the NSA. This will not be a lecture and it will not shy away from controversy. Join two members of the Media Manipulation Team at Data & Society to collectively consider the role trolling can play in pointing out the flaws in our attention/media landscape.

Matt Goerzen
Matt Goerzen studies trolling techniques and cultures as part of the Media Manipulation team at Data & Society. He's also applied many of the techniques in the art world, for example by once developing an absurdist AdSense campaign ostensibly designed to sell a hideous sculpture to art collector Shaquille O'Neal, but more accurately designed to piggyback off of free clickbait media attention to inform readers about psychometric ad tech practices. He has written an academic study of contemporary artists who function as what he calls"critical trolls," arguing that trolling can be seen as an extension of the politicized attentional strategies used by the 20th-century avant-garde. His current work at Data & Society focuses on mapping the way white supremacists and state actors have appropriated trolling techniques for use in influence operations as a form of"bottom-up agenda setting."

Dr. Jeanna Matthews
Jeanna Matthews is an associate professor of Computer Science at Clarkson University and a 2017-18 fellow at Data and Society where she has been collaborating with the Media Manipulation team. She was a speaker and DEF CON 23 and 24, both times on the topic of vulnerabilities in virtual networks. Her broader research interests include virtualization, cloud computing, computer security, computer networks, operating systems and algorithmic accountability and transparency. Jeanna received her Ph.D. in Computer Science from the University of California at Berkeley and is an ACM Distinguished Speaker.

@jeanna_matthews

Joan Donovan
Joan Donovan is the Media Manipulation/Platform Accountability Research Lead at Data and Society in Manhattan. After completing her PhD in Sociology and Science Studies at the University of California San Diego, she was a postdoctoral fellow at the UCLA Institute for Society and Genetics, where she researched white supremacists' use of DNA ancestry tests, social movements, and technology. For several years, Joan has conducted action research with different networked social movements in order to map and improve the communication infrastructures built by protesters. In her role as a participant, she identifies information bottlenecks, decodes algorithmic behavior, and connects organizations with other like-minded networks.

BLEMystique—Affordable custom BLE target

Saturday 08/11/18 from 1200-1350 at Table Five
Attack and Defence

Nishant Sharma

Jeswin Mathai

BLEMystique is an ESP32 based custom BLE target which can be configured by the user to behave like one of the multiple BLE devices. BLEMystique allows a pentester to play with the BLE side of different kind of smart devices with a single piece of affordable ESP32 chip. BLEMystique contains multiple device profiles, for example, Smart Lock, Smart health band, Smart bulb, Heart rate monitor, Smart Bottle and more.

The BLEMystique code and manuals will be released to general public. So, apart from using the pre-configured devices, the users can also add support for devices for their choice and use their ESP32 board for target practice. In this manner, this tool can improve the overall experience of learning BLE pentesting.

Nishant Sharma
Nishant Sharma is a Technical Manager at Pentester Academy and Hacker Arsenal where he leads the development of multiple gadgets for WiFi pentesting such as WiMonitor, WiNX, WiMini and course/training content. He has presented/published his work at Blackhat Arsenal, Wireless Village, IoT village and Demo labs (DEFCON). Prior to joining Pentester Academy, he worked as a firmware developer at Mojo Networks where he contributed in developing new features for the enterprise-grade WiFi APs and maintaining the WIPS solution. He has a Master degree in Information Security from IIIT Delhi. He has also published peer-reviewed academic research on HMAC security. His areas of interest include WiFi and IoT security, AD security, forensics and cryptography.

Jeswin Mathai
Jeswin Mathai is a Researcher at Pentester Academy. He has a Bachelor degree from IIIT Bhubaneswar. He was the team lead at InfoSec Society IIIT Bhubaneswar in association with CDAC and ISEA, which performed security auditing of government portals and conducted awareness workshops for government institutions. He was also the part of team Pied Piper who won Smart India Hackathon 2017, a national level competition organized by GoI. His area of interest includes Malware Analysis and Reverse Engineering, Cryptography, WiFi security and Web Application Security.

Booby Trapping Boxes

Saturday at 15:00 in Track 3
45 minutes | Demo, Tool

Ladar Levison Founder, Lavabit LLC

hon1nbo Proprietor, Hacking & Coffee LLC

Ever worry about the hardware you leave behind? In a world where servers are co-located, and notebooks get left in hotel rooms, the ability to resist tampering, and if necessary actively respond to attack, has become increasingly important. And of course everybody knows the best booby traps are the ones you don't know are there. This talk will prepare you for life in 1984, where the maids are evil, and step brothers can't be trusted. Whether your running servers as a high value target, or simply want to protect your Monero private key, this talk will show you to achieve FIPS 140-2 level 4 security, without the FIPS 140-2 level 4 price tag. Specifically, we'll cover acquisition considerations, physical hardening, firmware mitigation, tamper detection and more.

Ladar Levison
Ladar Levison serves as the founder, president, and chief executive of Lavabit, where he has worked the past 14 years. Founded in 2004 (and originally called Nerdshack), Lavabit was created because Mr. Levison believes that privacy is a fundamental, necessary right for a functioning, free and fair democratic society. Presently, Mr. Levison is focused on Lavabit's Dark Mail Initiative, which aims to make end-to-end email encryption automatic and ubiquitous, while continuing to vigorously advocate for the privacy and free speech rights of all. Mr. Levison’s involvement in the internet can be traced to the early days of the world wide web, when he built his first website, in the early nineties for the fledgling Mosiac web browser (from the National Center for Supercomputing Applications).

Prior, Mr. Levison operated a dialup bulletin board service, and worked as a computer technician assembling custom computer systems. With more than 10 years of experience as an independent consultant, Mr. Levison has brought to bear his skills as a project manager, business analyst, systems engineer, software developer, database administrator, systems administrator, and information security specialist.

Mr. Levison’s career has involved working with several dozen multinational companies in the financial, consumer electronics, and retail sectors. The websites Mr. Levison built have drawn millions of visitors, and the software he's written has touched, albeit behind the scenes, the lives of millions more. Over the years, Mr. Levison has written and published numerous technical specifications and authored several editorial pieces. Mr. Levison frequently speaks at a variety of conferences, has appeared as an expert on numerous network television shows, and appeared in several documentaries; including the Oscar winning film, /Citizenfour/.

Mr. Levison has also been involved with several popular free open source software projects. Mr. Levison holds fifteen certifications, with the vast majority from Microsoft and International Business Machines. Mr. Levison received his Bachelor of Arts and Bachelor of Science degrees from Southern Methodist University, where he studied finance, English, political science and computer science. Additionally, Mr. Levison spent a year studying international relations at Georgetown University. A native of San Francisco, California, he currently resides in Dallas, Texas where he lives with his best friend, and principal cheerleader, Princess, the Italian Greyhound he rescued in 2010.

Twitter: @kingladar
Facebook: kingladar
Website: https://lavabit.com

hon1nbo
Hon1nbo is a hacker who tinkers for fun and to satisfy the basic human need to light things on fire. Hon1nbo allegedly has a job, where they get paid to take selfies in other people’s secure vaults in the middle of the night. We don’t know if this job is real, or merely a cover story. This possible delusion has taken them around the world entering into some of the largest organizations in both people size and technical expanse, using every possible entry method at their disposal. No domain left without an admin, no email left without a phish, and every office a wolf tail hiding in the air vents.

In addition to their night job, Hon1nbo runs Hacking & Coffee, a small hosting firm in Texas, where excess network capacity abounds, to perform security research and mirror F/OSS repositories. They also provide infrastructure support to a variety community projects, small businesses, and student groups.

A wild Hon1nbo can be spotted at DEF CON, its natural habitat, and identified via their purple tail, ears, and getting into shenanigans.

Twitter: @hon1nbo
Facebook: hon1nbo
Website: https://hackingand.coffee
Species: Wolf-Dog
Pronouns: them/their/schlee/generalisimo whatever be consistent

boofuzz

Saturday 08/11/18 from 1600-1750 at Table Five
Vulnerability Analysis, AppSec, Offense.

Joshua Pereyda

boofuzz is an open source network protocol fuzzing framework, competing with closed source commercial products like Defensics and Peach.

Inheriting from the open source tools Spike and Sulley, boofuzz improves on a long line of block-based fuzzing frameworks.

The framework allows hackers to specify protocol formats, and boofuzz does the heavy lifting of generating mutations specific to the format. boofuzz makes developing protocol-specific "smart" fuzzers relatively easy. Make no mistake, designing a smart network protocol fuzzer is no trivial task, but boofuzz provides a solid foundation for producing quality fuzzers.

Written in Python, boofuzz builds on its predecessor, Sulley, with key features including:

• Online documentation.
• More extensibility including support for arbitrary communications mediums.
• Built-in support for serial fuzzing, ethernet- and IP-layer, UDP broadcast.
• Much easier install experience!
• Far fewer bugs.

https://github.com/jtpereyda/boofuzz

Joshua Pereyda
Joshua is a software engineer specializing in information and network security. He has worked in the critical infrastructure and cloud computing industries with employers heavily invested in software and hardware security. He currently hunts vulnerabilities full time. Among his passions are hacking, teaching kids to program, listening to upper-crust orchestral performances with his wife, and figuring out how he can get paid to do it all... legally.

Build Your Own OpticSpy Receiver Module

Saturday, 1430-1830 in Icon A

Joe Grand Grand Idea Studio

OpticSpy is an open source hardware module for experimenting with optical data transmissions. It captures, amplifies, and converts an optical signal from a visible or infrared light source into a digital form that can be analyzed or decoded with a computer. With OpticSpy, electronics hobbyists and hardware hackers can search for covert channels, which intentionally exfiltrate data in a way undetectable to the human eye, add data transfer functionality to a project, or explore signals from remote controls and other systems that send information through light waves.

In this workshop, creator Joe Grand will present a brief history of the project and then guide you through the process of building, calibrating, and testing your own kit version of OpticSpy.

Prerequisites: None. No prior soldering experience necessary.

Materials: None

Max students: 12

Registration: -CLASS FULL- https://www.eventbrite.com/e/build-your-own-opticspy-receiver-module-icon-a-tickets-47193834028
(Opens July 8, 2018 at 15:00 PDT)

Joe Grand
Joe Grand (@joegrand), also known as Kingpin, is a computer engineer, hardware hacker, former DEFCON badge designer, teacher, advisor, runner, daddy, honorary doctor, TV host, member of legendary hacker group L0pht Heavy Industries, and the proprietor of Grand Idea Studio (grandideastudio.com). He has been creating, exploring, and manipulating electronic systems since the 1980s.

Building Absurd Christmas Light Shows

Saturday at 12:00 in 101 Track
45 minutes

Rob Joyce

Learn about the elements that go into a computerized light display and how you outfit your own house with dazzling blinking lights set to music.  Components of the show are individually explained and live demonstrations of the technology are on display.  Come get inspired to computerize your  own holiday cheer!

Rob Joyce
Rob Joyce (@RGB_Lights) has been with the Nation Security Agency (NSA) for 29 years and has led organizations doing both foreign intelligence and cybersecurity work.  He is the Senior Advisor for Cybersecurity, having recently returned from the White House as the Cybersecurity Coordinator where he worked national policy, synchronizing activity across the government and partners.  His previous assignment was leading Tailored Access Operations (TAO), the organization developing tools, techniques and capabilities to exploit computers for NSA's foreign intelligence mission.  Prior to that, he was the Deputy Director for Information Assurance, overseeing the protection of national security systems, which includes the nation's cryptographic key material, classified networks and warfighting networks.  In his spare time, Rob builds a computerized Christmas light show.  His most recent display was likely visible from the International Space Station. In addition to an infatuation with Christmas light displays, he helped a Boy Scout troop built catapults for the annual Punkin Chunkin competition until lawyers ruined it for all of us.

Building Environmentally Responsive Implants with Gscript

Saturday, 1430-1830 in Icon C

Dan Borges

Alex Levinson Senior Security Engineer, Uber

Attendees to this workshop will experience a step by step walk through in setting up a Gscript build environment (which will include the Golang programing language as a requirement, along with the required libraries). Subsequently, attendees will obtain a basic overview of the Gscript capabilities in using conditional logic to navigate within, and deploy persistence mechanisms upon, target hosts.

Upon completion, each attendee will depart with a laptop (whichever one they brought _)containing a full Gscript build & testing environment, and at least 1 custom Gscript of their own design and purpose.

Prerequisites:
1. A general understanding of what an implant is, and how to use one.
2. Experience with Javascript
3. Experience with Metasploit and or meterpreter is a plus
4. Experience with the Golang programing language is also a plus

Materials: A laptop with an ethernet port

Max students: 66

Registration: -CLASS FULL- https://www.eventbrite.com/e/building-environmentally-responsive-implants-with-gscript-icon-c-tickets-47194616368
(Opens July 8, 2018 at 15:00 PDT)

Dan Borges
Dan Borges is an information security professional with over 15 years in computer science. Dan participates in a number of cyber security competitions each year, from being on the National CCDC Red Team, to leading a Blue Team in Pros Versus Joes, and helping run the Collegiate Penetration Testing Competition (CPTC). He has been publishing a blog on infosec education for more than 10 years.

Alex Levinson
Alex Levinson is a Senior Security Engineer at Uber with experience in red teaming, software engineering, and incident response. Outside of Uber, he is a core member of the red team for the National Collegiate Cyber Defense Competition (CCDC), as well as the Competition Director for the Collegiate Penetration Testing Competition (CPTC). Previously, Alex worked as a Senior Consultant and Development Manager at Lares Consulting.

Cloud Security Suite—One stop tool for AWS, GCP & Azure Security Audit

Saturday 08/11/18 from 1200-1350 at Table Two
Defense, Cloud professionals

Jayesh Singh Chauhan

Nowadays, cloud infrastructure is pretty much the de-facto service used by large/small companies. Most of the organisations have partially or entirely moved to cloud. With more and more companies moving to cloud, the security of cloud becomes a major concern. While AWS, GCP & Azure provide you protection with traditional security methodologies and have a neat structure for authorisation/configuration, their security is as robust as the person in-charge of creating/assigning these configuration policies. We all know, human error is inevitable and any such human mistake could lead to catastrophic damage to the environment.

Knowing this, audit of cloud infrastructure becomes a hectic task! There are a few open source tools which help in cloud auditing but none of them have an exhaustive checklist. Also, collecting, setting up all the tools and looking at different result sets is a painful task. Moreover, while maintaining big infrastructures, system audit of server instances is a major task as well.

CS Suite is a one stop tool for auditing the security posture of the AWS/GCP/Azure infrastructures and does OS audits as well. CS Suite leverages current open source tools capabilities and has custom checks added into one tool to rule them all.

https://github.com/SecurityFTW/cs-suite

Jayesh Singh Chauhan
Jayesh Singh Chauhan is a security professional with 7 years of experience in the security space. In past, he has been part of security teams of PayPal, PwC and currently works as the senior security engineer for Sprinklr. He has authored CS-Suite, OWASP Skanda, RFID_Cloner and CSRF PoC generator and has presented in BlackHat Asia, BlackHat EU, hackmiami, c0c0n, GES and Ground Zero Summit. He is the project leader for OWASP Skanda and leads the NULL Bangalore chapter.

Compression Oracle Attacks on VPN Networks

Saturday at 11:00 in Track 2
45 minutes | Demo, Tool

Nafeez Security Researcher

Security researchers have done a good amount of practical attacks in the past using chosen plain-text attacks on compressed traffic to steal sensitive data. In spite of how popular CRIME and BREACH were, little was talked about how this class of attacks was relevant to VPN networks. Compression oracle attacks are not limited to just TLS protected data. In this talk, we try these attacks on browser requests and responses which usually tunnel their HTTP traffic through VPNs. We also show a case study with a well-known VPN server and their plethora of clients. We then go into practical defenses and how mitigations in HTTP/2's HPACK and other mitigation techniques are the way forward rather than claiming 'Thou shall not compress traffic at all.' One of the things that we would like to showcase is how impedance mismatches in these different layers of technologies affect security and how they don't play well together.

Nafeez
Ahamed Nafeez has a varied offensive security background with some emphasis on browsers, web services, and cryptography. He believes defending is much harder than attacking most of the time and appreciates the variables and challenges defenders have. These days he is interested in writing secure frameworks, automating attacks and more or less trying to learn to write good code.

He has spoken at a few security conferences in the past around web apps, browsers and security analysis of javascript. He tweets at @skeptic_fx and builds his side project assetwatch.io in free time, an automated asset discovery/monitoring service.

Decentralized Hacker Net

Saturday, 1000-1400 in Icon F

Eijah Founder, Promether

As hackers, sometimes we need to send data without anybody knowing anything. We don't want anybody to know what we're sending, so we use encryption. That's the easy part. We also don't want anybody to know that we're sending any data. That's the hard part. The observation of our presence on the network could be enough to get us in trouble. And that's just not acceptable. We need to figure out a way to hide in plain sight.

Creating an environment where data can be sent securely and our presence on the network is hidden, is not an easy thing to do. We can't rely on centralized technologies, which means we need to build a decentralized network. The network should be adaptive and flexible enough to send any type of data to any number of users. But how do we inject anonymity into a network while still supporting the verification of identity between parties? Can we establish trust without having to trust?

This workshop takes you through the process of creating a decentralized network that allows you to circumvent detection by governments and corporations. You'll be able to securely communicate and share data while masking your online identity. You'll create an adaptive, node-based infrastructure where data is shared via Distributed Hash Tables (DHT) backed by real-time asymmetric Elliptic-curve cryptography (ECC). If you've ever wanted to punch a hole through a great (or not-so-great) firewall, this workshop is for you.

Please note that this is a medium-level, technical workshop and requires that attendees have prior experience in at least one programming language, preferably C or C++. Bring your laptop, a USB flash drive, and your favorite C/C++ 11 compiler (>= gcc/g++ 4.9.2 or msvc 2015).

Prerequisites: Previous experience in at least one programming language is required. Previous experience with C/C++ and cryptography is helpful, but not required.

Materials: Laptop with Windows, Linux, or OSX. USB flash drive for saving their progress.

Max students: 84

Registration: -CLASS FULL- https://www.eventbrite.com/e/decentralized-hacker-net-icon-f-tickets-47194682566
(Opens July 8, 2018 at 15:00 PDT)

Eijah
Eijah is the founder of Promether and has 20+ years of software development and security experience. He is also the creator of Demonsaw, an encrypted communications platform that allows you to chat, message, and transfer files without fear of data collection or surveillance. Before that Eijah was a Lead Programmer at Rockstar Games where he created games like Grand Theft Auto V. He has been a faculty member at multiple colleges, has spoken about security and development at DEFCON and other security conferences, and holds a master's degree in Computer Science. Eijah is an active member of the hacking community and is an avid proponent of Internet freedom.

Detecting Blue Team Research Through Targeted Ads

Saturday at 13:30 in Track 2
20 minutes |

0x200b Hacker

When my implant gets discovered how will I know? Did the implant stop responding for some benign reason or is the IR team responding? With any luck they'll upload the sample somewhere public so I can find it, but what if I can find out if they start looking for specific bread crumbles in public data sources? At some point without any internal data all blue teams turn to OSINT which puts their searches within view of the advertising industry. In this talk I will detail how I was able to use online advertising to detect when a blue team is hot on my trail.

0x200b
I'm just a Security researcher who's always using tools in unintended ways. I'm a defender by trade, I work on understating the adversary then designing the mitigations based on what I've learned. Currently I work at the intersection of healthcare and the cloud, designing systems that make it harder for the adversary to operate.

Digital Leviathan: a comprehensive list of Nation-State Big Brothers (from huge to little ones

Saturday at 14:00 in Track 2
20 minutes |

Eduardo Izycki Hacker

Rodrigo Colli Hacker

In his notorious book Leviathan, the XVII century English philosopher Thomas Hobbes stated that: we should give our obedience to an unaccountable sovereign otherwise what awaits us is a state of nature that closely resembles civil war—a situation of universal insecurity. It looks like a lot of current political leaders have red and found the teachings of Hobbes applicable to modern day online life.

We witness the rise of the Digital Leviathan. The same apps and applications that people use to connect, express opinions and dissatisfaction are used by governments (even democratic ones) to perform surveillance and censorship.

This talk will focus on evidence of Nation-State spying, performing surveillance, and censorship. The aim is to present a systematical approach of data regarding cyber attacks against political targets (NGO/political groups/media outlets/opposition), acquisition and/or use of spywares from private vendors, requested content/metadata from social media/content providers, and blocking of websites/censorship reported by multiple sources.

The findings of the research imply that:
- 25 nations that have already used cyber offensive capabilities against political targets.
- 60 nations acquired/developed spyware.
- 117 nations requested content/metadata from social media/content providers.
- 21 countries perform some level of censorship to online content.

Eduardo Izycki
Eduardo Izycki and Rodrigo Colli are both independent researchers with experience on information security and incident response. They worked in private-public task force for threat and risk assessment to major events in Brazil during the Confederations Cup 2013, World Cup 2014 and Olympic Games 2016.

Rodrigo Colli

EAPHammer

Saturday 08/11/18 from 1400-1550 at Table One
Offensive security professionals, red teamers, penetration testers, researchers.

Gabriel Ryan

EAPHammer is a toolkit for performing targeted evil twin attacks against WPA2-Enterprise networks. It is designed to be used in full scope wireless assessments and red team engagements. As such, focus is placed on providing an easy-to-use interface that can be leveraged to execute powerful wireless attacks with minimal manual configuration. To illustrate how fast this tool is, here's an example of how to setup and execute a credential stealing evil twin attack against a WPA2-EAP network in just two commands:

# generate certificates
./eaphammer --cert-wizard

# launch attack
./eaphammer -i wlan0 --channel 4 --auth wpa --essid CorpWifi --creds

EAPHammer’s userbase has doubled since its debut in early 2017, and the project has matured substantially to meet this demand. It is now the first rogue AP attack tool to offer out-of-the-box support for attacks against 802.11n/ac. Most of the added complexity associated with these protocols is managed automatically by EAPHammer.

We’ve also added some cool feature like Hashcat support, Karma, and SSID cloaking, as well as an extended UI and config management system for advanced users who require granular control over their rogue access points.

To check out the codebase, head to https://github.com/s0lst1c3/eaphammer

Gabriel Ryan
Gabriel Ryan is a penetration tester and researcher with a passion for wireless and infrastructure testing. He currently serves a co-founder and managing security consultant for Digital Silence, a Denver-based consulting firm that specializes in impact driven testing and red team engagements. Prior to joining Digital Silence, Gabriel worked in penetration tester for security services firm Gotham Digital Science as well as OGSystems, a Virginia-based geospatial intelligence contractor. On the side, he serves as a member of the BSides Las Vegas senior staff, coordinating wireless security for the event. In his spare time, he enjoys writing music and riding motorcycles.

EFF Fireside Hax (AKA Ask the EFF)

Saturday at 20:00 in Roman Chillout
Fireside Hax | Audience Participation

Kurt Opsahl Deputy Executive Director & General Counsel, Electronic Frontier Foundation

Nate Cardozo EFF Senior Staff Attorney

Jamie Lee Williams EFF Staff Attorney

Andrés Arrieta Technology Products Manager

Katiza Rodriguez International Rights Director

Nathan 'nash' Sheard Grassroots Advocacy Organizer

Relax and enjoy a Fireside Hax chat while you get the latest information about how the law is racing to catch up with technological change from staffers at the Electronic Frontier Foundation, the nation's premiere digital civil liberties group fighting for freedom and privacy in the computer age. This Fireside Hax discussion will include updates on current EFF issues such as the government's effort to undermine encryption (and add backdoors), the fight for network neutrality, discussion of our technology projects to spread encryption across the Web and emails, updates on cases and legislation affecting security research, and much more. Half the session will be given over to question-and-answer, so it's your chance to ask EFF questions about the law and technology issues that are important to you.

Kurt Opsahl
Kurt Opsahl is the Deputy Executive Director and General Counsel of the Electronic Frontier Foundation. In addition to representing clients on civil liberties, free speech and privacy law, Opsahl counsels on EFF projects and initiatives. Opsahl is the lead attorney on the Coders' Rights Project. Before joining EFF, Opsahl worked at Perkins Coie, where he represented technology clients with respect to intellectual property, privacy, defamation, and other online liability matters, including working on Kelly v. Arribasoft, MGM v. Grokster and CoStar v. LoopNet. For his work responding to government subpoenas, Opsahl is proud to have been called a "rabid dog" by the Department of Justice. Prior to Perkins, Opsahl was a research fellow to Professor Pamela Samuelson at the U.C. Berkeley School of Information Management & Systems. Opsahl received his law degree from Boalt Hall, and undergraduate degree from U.C. Santa Cruz. Opsahl co-authored "Electronic Media and Privacy Law Handbook." In 2007, Opsahl was named as one of the "Attorneys of the Year" by California Lawyer magazine for his work on the O'Grady v. Superior Court appeal. In 2014, Opsahl was elected to the USENIX Board of Directors.

@kurtopsahl

Nate Cardozo
Nate Cardozo is a Senior Staff Attorney on the Electronic Frontier Foundation's digital civil liberties team. In addition to his focus on free speech and privacy litigation, Nate works on EFF's Who Has Your Back? report and Coders' Rights Project. Nate has projects involving cryptography and the law, automotive privacy, government transparency, hardware hacking rights, anonymous speech, electronic privacy law reform, Freedom of Information Act litigation, and resisting the expansion of the surveillance state. A 2009-2010 EFF Open Government Legal Fellow, Nate spent two years in private practice before returning to his senses and to EFF in 2012. Nate has a B.A. in Anthropology and Politics from U.C. Santa Cruz and a J.D. from U.C. Hastings where he has taught first-year legal writing and moot court. He brews his own beer, has been to India four times, and watches too much Bollywood.

Jamie Lee Williams
Jamie Williams is a staff attorney at the Electronic Frontier Foundation, where she is part of EFF's civil liberties team. Jamie focuses on the First and Fourth Amendment implications of new technologies, and is part of EFF's Coder's Rights Project, which protects programmers and developers engaged in cutting-edge exploration of technology. Jamie joined EFF in 2014. Prior to joining EFF, Jamie clerked for Judge Saundra Brown Armstrong in the Northern District of California, and practiced at Paul Hastings LLP, as an associate in the firms' litigation department. Jamie was also a law clerk at the Alameda County Public Defender. Jamie has a J.D. from the University of California, Berkeley School of Law (Boalt Hall) and a B.A. in journalism from the University of Wisconsin, Madison.

Andrés Arrieta
Andrés Arrieta is the Technology Projects Manager for the Electronic Frontier Foundation. A Telecom and Electronics Engineer, he previously worked for Mobile Operators managing and developing projects from the Radio and Core networks to IT systems like Spotify Premium for Movistar. Seeing the state of privacy in the digital world from previous experiences, he joins the EFF to help develop tools that address these issues.

Katiza Rodriguez
Katitza Rodriguez is EFF's international rights director. She concentrates on comparative policy of international privacy issues, with special emphasis on law enforcement, government surveillance, and cross border data flows. Her work in EFF's International Program also focuses on cybersecurity at the intersection of human rights. Katitza also manages EFF's growing Latin American programs. She was an advisor to the UN Internet Governance Forum (2009-2010). Before joining EFF, Katitza was director of the international privacy program at the Electronic Privacy Information Center in Washington D.C., where amongst other things, she worked on The Privacy and Human Rights Report,an international survey of privacy law and developments. Katitza is well known to many in global civil society and in international policy venues for her work at the U.N. Internet Governance Forum and her pivotal role in the creation and ongoing success of the Civil Society Information Society Advisory Council at the Organisation for Economic Co-operation and Development, for which she served as the civil society liaison while at EPIC from 2008 to March 2010. Katitza holds a Bachelor of Law degree from the University of Lima, Peru. Katitza's twitter handle is @txitua.

Nathan 'nash' Sheard
Nathan 'nash' Sheard is EFF's Grassroots Advocacy Organizer. nash works directly with community members and organizations to take advantage of the full range of tools provided by access to tech, while engaging in empowering action toward the maintenance of digital privacy and information security.

Exploiting Active Directory Administrator Insecurities

Saturday at 11:00 in Track 1
45 minutes | Demo

Sean Metcalf CTO, Trimarc

Defenders have been slowly adapting to the new reality: Any organization is a target. They bought boxes that blink and software that floods the SOC with alerts. None of this matters as much as how administration is performed: Pop an admin, own the system. Admins are being dragged into a new paradigm where they have to more securely administer the environment. What does this mean for the pentester or Red Teamer?

Admins are gradually using better methods like two-factor and more secure administrative channels. Security is improving at many organizations, often quite rapidly. If we can quickly identify the way that administration is being performed, we can better highlight the flaws in the admin process.

This talk explores some common methods Active Directory administrators (and others) use to protect their admin credentials and the flaws with these approaches. New recon methods will be provided on how to identify if the org uses an AD Red Forest (aka Admin Forest) and what that means for one hired to test the organization's defenses, as well as how to successfully avoid the Red Forest and still be successful on an engagement.

Some of the areas explored in this talk:

• Current methods organizations use to administer Active Directory and the weaknesses around them.
• Using RODCs in the environment in ways the organization didn't plan for (including persistence).
• Exploiting access to agents typically installed on Domain Controllers and other highly privileged systems to run/install code when that's not their typical purpose.
• Discovering and exploiting an AD forest that leverages an AD Admin Forest (aka Red Forest) without touching the Admin Forest.

If you are wondering how to pentest/red team against organizations that are improving their defenses, this talk is for you. If you are a blue team looking for inspiration on effective defenses, this talk is also for you to gain better insight into how you can be attacked.

Sean Metcalf
Sean Metcalf is founder and principal consultant at Trimarc (www.TrimarcSecurity.com) a consulting company which focuses on improving enterprise Active Directory security. He is one of about 100 people in the world who holds the Microsoft Certified Master Directory Services (MCM) certification, is a former Microsoft MVP, and has presented on Active Directory attack and defense at Black Hat, BSides, DEF CON, DerbyCon, BlueHat, & Shakacon security conferences. He currently provides security consulting services to customers and regularly posts interesting Active Directory security information on his blog, ADSecurity.org.

Fire & Ice: Making and Breaking macOS Firewalls

Saturday at 14:30 in Track 3
20 minutes | Demo, Tool, Exploit

Patrick Wardle Chief Research Officer, Digita Security

In the ever raging battle between malicious code and anti-malware tools, firewalls play an essential role. Many a malware has been generically thwarted thanks to the watchful eye of these products.

However on macOS, firewalls are rather poorly understood. Apple's documentation surrounding it's network filter interfaces is rather lacking and all commercial macOS firewalls are closed source.

This talk aims to take a peek behind the proverbial curtain revealing how to both create and 'destroy' macOS firewalls.

In this talk, we'll first dive into what it takes to create an effective firewall for macOS. Yes we'll discuss core concepts such as kernel-level socket filtering—but also how to communicate with user-mode components, install privileged code in a secure manner, and simple ways to implement self-defense mechanisms (including protecting the UI from synthetic events).

Of course any security tool, including firewalls, can be broken. After looking at various macOS malware specimens that proactively attempt to detect such firewalls, we'll don our 'gray' (black?) hats to discuss various attacks against these products. And while some attacks are well known, others are currently undisclosed and can generically bypass even today's most vigilant Mac firewalls.

But all is not lost. By proactively discussing such attacks, combined with our newly-found understandings of firewall internals, we can improve the existing status quo, advancing firewall development. With a little luck, such advancements may foil, or at least complicate the lives of tomorrow's sophisticated Mac malware!

Patrick Wardle
Patrick Wardle is the Chief Research Officer at Digita Security and founder of Objective-See. Having worked at NASA and the NSA, as well as presented at countless security conferences, he is intimately familiar with aliens, spies, and talking nerdy. Patrick is passionate about all things related to macOS security and thus spends his days finding Apple 0days, analyzing macOS malware and writing free open-source security tools to protect Mac users.

@patrickwardle

firstorder

Saturday 08/11/18 from 1000-1150 at Table Three
Offense

Utku Sen

Gozde Sinturk

Perimeter defenses are holding an important role in computer security. However, when we check the method of APT groups, a single spear-phishing usually enough to gain a foothold on the network. Therefore, red teams are mostly focused on "assume breach" type of scenarios. In these scenarios, testers need to use a post-exploitation framework. Besides that, testers also need to hide the server-agent communication from NIDS (Network Intrusion Detection Systems). firstorder is designed to evade Empire's C2-Agent communication from anomaly-based intrusion detection systems. It takes a traffic capture file (pcap) of the network and tries to identify normal traffic profile. According to results, it creates an Empire HTTP listener with appropriate options.

Utku Sen
Utku Sen is a security researcher who is mostly focused on following areas: application security, network security, tool development. He presented his tool, Leviathan Framework in Black Hat USA Arsenal and DEF CON Demo Labs in 2017. He also nominated for Pwnie Awards on "Best Backdoor" category in 2016.". He currently works in Tear Security.

Gozde Sinturk
Gozde Sinturk is Security Researcher and Python Developer who involved in projects related to machine learning, natural language processing, and big data. She is developing security tools in her current position. She currently works in Tear Security.

Fuzzing with AFL (American Fuzzy Lop)

Saturday, 1000-1400 in Icon B

Jakub Botwicz Primary Security Engineer, Samsun Poland R&D Center

Wojciech Rauner Security Engineer, Samsung Research

This workshop will give participants information how to use afl (American fuzzy lop) to identify vulnerabilities in different applications and modules. afl is a security-oriented fuzzer, that allows to efficiently and automatically test software components allowing to find interesting security issues. It is one of leading tools and essential component in the toolbox of security researcher and hacker (penetration tester). List of afl trophies (issues found using afl) can be read at: http://lcamtuf.coredump.cx/afl/ Participants will have possibility to learn how afl works and how to use it successfully based on real life cases - vulnerabilities found by trainers in different open source components. During the training multiple cases and tips will be presented (see detailed outline for more complete list).

Prerequisites: None

Materials: To participate in the hands-on sections, attendees need to bring a laptop with minimum 2 GB RAM which can run a virtual machine or a Docker container. Virtual machine and Docker container with all necessary tools will be provided before the workshop.

Max students: 30

Registration: -CLASS FULL- https://www.eventbrite.com/e/fuzzing-with-afl-american-fuzzy-lop-icon-b-tickets-47194653479
(Opens July 8, 2018 at 15:00 PDT)

Jakub Botwicz
Jakub works as Primary Security Engineer in Samsung Poland R&D Center leading a team of security researchers. He has more than 15 years of experience in information security and previously worked e.g. in: one of world leading payment card service providers, Big4 consulting company and vendor of network encryption devices. Jakub holds PhD degree of Warsaw University of Technology and security community certificates including: GWAPT, CISSP, ECSA. Currently he works providing security assessments (static and dynamic analysis) of different mobile and IoT components. afl helped him find numerous vulnerabilities, also in open source components.

Wojciech Rauner
Wojciech has background as a full-stack developer, currently works as a Security Engineer for Samsung Research Poland. His current area of research is IoT and mobile devices. Likes to talk about cryptography and higher level languages. Loves to take things apart, build new things (because old ones got irreversibly broken in the process) and make stuff work (again). Plays in CTF Samsung R&D PL team (crypto/net/programming).

GreyNoise

Saturday 08/11/18 from 1200-1350 at Table Three
Defenders, blue teamers, SOC and network analysts

Andrew Morris

GreyNoise is a system that collects all of the background noise of the Internet. Using a large network of geographically and logically dispersed passive collector nodes, GreyNoise collects, labels, and analyzes all of the omnidirectional, indiscriminate Internet-wide scan and attack traffic. GreyNoise data can be used to filter pointless alerts in the SOC, identify compromised devices, pinpoint targeted reconnaissance, track emerging threats, and quantify vulnerability weaponization timelines.

https://greynoise.io/

Andrew Morris
Andrew Morris is the founder of GreyNoise Intelligence, a DC-based cyber security company, and likely holds the world record for amount of time spent staring at Internet-wide scan traffic. Prior to founding GreyNoise, Andrew worked as a researcher, red team operator, and consultant for several large cyber security firms including Endgame, NCC group, and KCG. Outside of work, Andrew enjoys playing fingerstyle acoustic guitar and tries to figure out what his dreams mean.

Hacking PLCs and Causing Havoc on Critical Infrastructures

Saturday at 11:00 in 101 Track, Flamingo
45 minutes | Demo, Exploit

Thiago Alves Ph.D. Student and Graduate Research Assistant at the University of Alabama in Huntsville

Programmable Logic Controllers (PLCs) are devices used on a variety of industrial plants, from small factories to critical infrastructures like nuclear power plants, dams and wastewater systems. Although PLCs were made robust to sustain tough environments, little care was taken to raise defenses against potential cyber threats. As a consequence, threats started pouring in and causing havoc. During this presentation I will talk about the architecture of a PLC and how it can be p0wned. There will be some live demonstration attacks against 3 different brands of PLCs (if the demo demons allow it, if not I will just show a video). Additionally, I will demonstrate two vulnerabilities I recently discovered, affecting the Rockwell MicroLogix 1400 series and the Schneider Modicon M221 controllers.

Thiago Alves
Thiago Alves received his B.S. degree in electrical engineering from the"Pontifícia Universidade Católica" (PUC) in 2013. In 2014 he created OpenPLC, the world's first open source industrial controller. OpenPLC is being used as a valuable tool for control system research and education. The OpenPLC project has contributions from several universities and private companies, such as Johns Hopkins and FreeWave Technologies. In 2017 Thiago won first place in CSAW, the world's largest student-run cybersecurity competition, with his innovative embedded security solution for OpenPLC. Currently Thiago is a Ph.D. student at the University of Alabama in Huntsville. His research interests include cybersecurity for SCADA systems, industrial controllers and embedded systems.

Halcyon IDE

Saturday 08/11/18 from 1000-1150 at Table Six
Offense, Defense, AppSec, Network Security, Nmap Scanners & Developers

Sanoop Thomas

Halcyon IDE lets you quickly and easily develop Nmap scripts for performing advanced scans on applications and infrastructures with a wide range capabilities from recon to exploitation. It is the first IDE released exclusively for Nmap script development. Halcyon IDE is free and open source project (always will be) released under MIT license to provide an easier development interface for rapidly growing information security community around the world. The project was initially started as an evening free time "coffee shop" project and has taken a serious step for its developer/contributors to spend dedicated time for its improvements very actively. More information and source code: https://halcyon-ide.org

https://halcyon-ide.org

Sanoop Thomas
Sanoop Thomas (@s4n7h0) is a seasoned security professional with diverse background in consulting, teaching, research and product-based industries with a passion to solve complex security problems. Today, Sanoop works as information security specialist focusing on application security and secure coding. His field of interest includes reverse engineering, malware analysis, application security and automating security pentest/analysis methodologies. He is moderating null open community chapter in Singapore and organised over 60 events & workshops to spread security awareness across country. Sanoop is also the author of Halcyon IDE (https://halcyon-ide.org) an IDE that is focused to develop Nmap scripts. He has spoken at security conferences like Nullcon, OWASP India, HITBGSEC, Rootcon, and Blackhat Arsenal.

Having fun with IoT: Reverse Engineering and Hacking of Xiaomi IoT Devices

Saturday at 14:00 in 101 Track, Flamingo
45 minutes | Demo, Tool, Exploit

Dennis Giese Hacker

While most IoT accessory manufacturers have a narrow area of focus, Xiaomi, an Asian based vendor, controls a vast IoT ecosystem, including smart lightbulbs, sensors, cameras, vacuum cleaners, network speakers, electric scooters and even washing machines. In addition, Xiaomi also manufactures smartphones. Their products are sold not only in Asia, but also in Europe and North America. The company claims to have the biggest IoT platform worldwide.

In my talk, I will give a brief overview of the most common, Wi-Fi based, Xiaomi IoT devices. Their devices may have a deep integration in the daily life (like vacuum cleaners, smart toilet seats, cameras, sensors, lights).

I will focus on the features, computational power, sensors, security and ability to root the devices. Let’s explore how you can have fun with the devices or use them for something useful, like mapping Wi-Fi signal strength while vacuuming your house. I will also cover some interesting things I discovered while reverse engineering Xiaomi's devices and discuss which protections were deployed by the developers (and which not).

Be prepared to see the guts of many of these devices. We will exploit them and use them to exploit other devices.

Dennis Giese
Dennis is a grad student at TU Darmstadt and a researcher at Northeastern University. He was a member of one european ISP's CERT for several years.

While being interested in physical security and lockpicking, he enjoys applied research and reverse engineering malware and all kind of devices.

His latest victim is the Xiaomi IoT cloud. Hehas presented at the Chaos Communication Congress and the REcon BRX.

HealthyPi—Connected Health

Saturday 08/11/18 from 1400-1550 at Table Four
Hardware and biohacking

Ashwin K Whitchurch

We (at ProtoCentral) developed the HealthyPi HAT for the Raspberry Pi as a way of opening up the healthcare and open source medical to anyone. The HealthyPi is made of the same "medical-grade" components found in regular vital sign monitors, for a fraction of the cost of such system. This is our way of democratizing medical hardware to develop new areas of research.

Our objective when we began developing the HealthyPi was to make a simple vital sign monitoring system which is simple, affordable, open-source (important !) and accessible. HealthyPI is completely open-source and is our way of "hacking" patient monitoring systems by getting data that you need, in the way that you need and extending on that without getting involved in sticky proprietary NDAs and such.

*Demo will allow people to come, check out and play with (and possibly hack) the HealthyPi device while getting their vital signs monitored.*

https://github.com/Protocentral/protocentral-healthypi-v3

Ashwin K Whitchurch
Ashwin K Whitchurch is the CEO of ProtoCentral (Circuitects Electronics Solutions Pvt Ltd) based out of Bangalore in India. The company makes, sells and supprts open source hardware products, most of them for healthcare and medical applications. Ashwin has published research papers, book chapters and reviews in well-known international journals and conferences. ProtoCentral (and Ashwin) has been present in many hardware gatherings including Maker Faire ( New York & Rome), Hackaday Superconference, OSHWA Summit and has given talks on his projects with open source hardware.

Honeycomb—An extensible honeypot framework

Saturday 08/11/18 from 1600-1750 at Table Three
Incident Responders, Security Researchers, Developers

Omer Cohen

Imri Goldberg

We present Honeycomb—A repository of honeypot services and integrations for the information security community. Our vision: Honeycomb will be the pip or apt-get for honeypots.

While working hard to create various honeypots for several high profile vulnerabilities, we realized we were repeating some of the underlying work that’s involved in creating a honeypot—a useful honeypot is easy to deploy, configure and collects reports. We have these capabilities in Cymmetria’s commercial deception product but we wanted to open source this functionality to the community so everyone could benefit from it.

Eventually came the idea for honeycomb—an extensible platform for writing honeypots which comes with a repository of useful honeypots which makes it super easy to create new honeypots. Honeycomb and the honeypot repository together form a powerful tool for security professionals looking to gain threat intelligence on the latest threats.

We are currently in the process of finalizing the release of the project and working on releasing additional plugins. Join us to learn how to utilize existing honeycomb capabilities as well as writing honeypot services and integrations on your own!

https://github.com/Cymmetria/honeycomb

Omer Cohen
As an experienced Incident Response investigator and team leader, Omer has a wealth of knowledge and experience in the areas of cyber security, security research, software development and system administration, as well as network architecture and design. Omer has delivered and implemented numerous projects involving cutting edge technologies for multiple security related applications in addition to providing accurate and appropriate information security consulting and incident response services to Fortune 500 companies and other leading organization. Omer currently manages Customer Success in EMEA and APAC at Demisto, the leading Security Orchestration, Automation and Response (SOAR) solution provider.

Imri Goldberg
An experienced technical entrepreneur, Imri has significant experience in development, architecture and security. Before joining Cymmetria as VP R&D, Imri was the founder & CTO of Desti, a travel startup that was acquired by Nokia-HERE in 2014. Today Imri serves as the CTO of Cymmetria, heading innovation and research and working on product and architecture. Cymmetria is the leading Cyber Deception vendor with its main product MazeRunner® used by Fortune 500 companies in multiple verticals including finance, insurance, health, government, retail, etc.

House of Roman—a "leakless" heap fengshui to achieve RCE on PIE Binaries

Saturday at 13:30 in 101 Track, Flamingo
20 minutes | Demo, Exploit

Sanat Sharma Hacker

Regarding ptmalloc2, many heap exploitation techniques have been invented in the recent years, well documented on the famous how2heap repository, or as writeups of famous CTF challenges (like House of Orange). However, most of them require atleast a libc/heap leak , or fail in non-PIE binaries. My new technique titled House of Roman leverages a single bug to gain shell leaklessly on a PIE enabled Binary. I shall showcase the ease of aligning the heap to perform this attack, thus demonstrating its versatility.

Since this a 20 mins talk, attendees should be aware of basic heap exploitation techniques, like fastbin attacks and unsorted bin attacks, and have a general idea of how the ptmalloc2 algorithm works. As a bonus, I also discuss how to land a fastbin chunk in memory regions with no size alignment (like __free_hook ).

Sanat Sharma
Sanat (@romanking98) is a 19 y o Junior Security Engineer at GoRoot GmbH in Berlin, Germany. He regularly plays CTFs with "dcua" , globally ranked in the world top 10 teams on ctftime.org , qualified for multiple prestigious onsite finals, including an invitation for DEF CON China offline CTF.

@romanking98

In Soviet Russia Smartcard Hacks You

Saturday at 13:00 in Track 1
20 minutes | Demo, Tool, Exploit

Eric Sesterhenn Principal Security Consultant at X41, D-Sec GmbH

The classic spy movie hacking sequence: The spy inserts a magic smartcard provided by the agency technicians into the enemy's computer, ...the screen unlocks... What we all laughed about is possible!

Smartcards are secure and trustworthy. This is the idea smartcard driver developers have in mind when developing drivers and smartcard software. The work presented in this talk not only challenges, but crushes this assumption by attacking smartcard drivers using malicious smartcards.

A fuzzing framework for *nix and Windows is presented along with some interesting bugs found by auditing and fuzzing smartcard drivers and middleware. Among them classic stack and heap buffer overflows, double frees, but also a replay attack against smartcard authentication.

Since smartcards are used in the authentication process, a lot of vulnerabilities can be triggered by an unauthenticated user, in code running with high privileges. During the authors research, bugs were discovered in OpenSC (EPass, PIV, OpenPGP, CAC, Cryptoflex,...), YubiKey drivers, pam_p11, pam_pkc11, Apple smartcardservices...

Eric Sesterhenn
Eric Sesterhenn is working as an IT Security consultant for more than 15 years, working mostly in the areas of source code auditing and penetration testing. His experience in the field includes:

• Identified vulnerabilities in various software projects including the Linux kernel, X.org and multiple IoT Operating Systems
• Speaker at nullcon 2018, Internet of Teens (Issues in IoT Operating Systems)
• Speaker at 30C3 about fingerprinting Java web-applications (lightning talk).
• Part of the winning team of the Deutsche Post Security Cup 2013.

Infecting The Embedded Supply Chain

Saturday at 13:30 in Track 3
45 minutes | Demo, Exploit

Zach Security Researcher at Somerset Recon

Alex Security Researcher at Somerset Recon

With a surge in the production of internet of things (IoT) devices, embedded development tools are becoming commonplace and the software they run on is often trusted to run in escalated modes. However, some of the embedded development tools on the market contain serious vulnerabilities that put users at risk. In this talk we discuss the various attack vectors that these embedded development tools expose users to, and why users should not blindly trust their tools. This talk will detail a variety reverse engineering, fuzzing, exploit development and protocol analysis techniques that we used to analyze and exploit the security of a common embedded debugger.

Zach
Zach is a security researcher with Somerset Recon, a security consulting firm in San Diego. In this role he focuses on reverse engineering and web application penetration testing. In his free time Zach loves reading and long walks through the PE file format. Prior to working at Somerset Recon, Zach was a goat farmer in Maryland.

Alex
Alex is a security researcher with Somerset Recon, a security consulting firm in San Diego. In this role he focuses on hardware security and reverse engineering.

Inside the Fake Science Factory

Saturday at 16:00 in Track 3
45 minutes |

Dr Cindy Poppins - Computer Scientist (AKA Svea Eckert)

Dr Dade Murphy - Reformed Hacker (AKA Suggy)

Professor Dr Edgar Munchhausen – Struwwelpeter Fellow (AKA Till Krause)

Fake News has got a sidekick and it's called Fake Science. This talk presents the findings and methodology from a team of investigative journalists, hackers and data scientists who delved into the parallel universe of fraudulent pseudo-academic conferences and journals; Fake science factories, twilight companies whose sole purpose is to give studies an air of scientific credibility while cashing in on millions of dollars in the process. Until recently, these fake science factories have remained relatively under the radar, with few outside of academia aware of their presence; but the highly profitable industry is growing significantly and with it, so are the implications. To the public, fake science is indistinguishable from legitimate science, which is facing similar accusations itself. Our findings highlight the prevalence of the pseudo-academic conferences, journals and publications and the damage they can and are doing to society.

Svea Eckert
Svea is a freelance journalist for Germany’s main public service broadcaster “Das Erste” (ARD). She is researching and reporting investigative issues with main focus on new technology, computer and network security, digital economics and data protection. Svea’s academic alter ego is Dr Cindy Poppins, a well-known computer scientist from the University of Applied Sciences of Lower Saxony at Wiepenkathen, Germany. Dr Poppin’s main focus lies on novel solutions for the analysis of agents. She recently discovered COP, an algorithm which improves compact technology and suffix trees, winning her the best presentation award at an international conference.

@sveckert

Chris "Suggy" Sumner
Suggy is the lead researcher and co-founder of the not-for-profit Online Privacy Foundation, who contribute to the field of psychological research in online contexts. He has authored papers and spoken on this topic at DEF CON, other noteworthy conferences and a fake conference. For the past five years, Suggy has served as a member of the DEF CON CFP review board. Suggy’s academic alter ego is Dr Dade Murphy, a reformed hacker whose eagerly anticipated work on polymorphic machine learning defences for Gibson mainframe computers was recently accepted at an international cyber security conference.

@5uggy

Till Krause
Till is an editor and investigative reporter at Süddeutsche Zeitung Magazine, the supplement of Germany’s major broadsheet newspaper. Ever since he studied Electronic Communication Arts as a Fulbright Scholar in the Bay Area in 2005, he is interested in all things tech, writing about surveillance, data protection and cybercrime. Till’s academic alter ego is Professor Dr. Edgar Munchhausen, a Struwwelpeter Fellow for Applied Sciences at various universities in Europe and Asia and a renowned researcher who has published his research in countless peer-reviewed journals. He holds a PhD from the University of Wiepenkathen and is a laureate of the Horst Schimanski Award and CEO of IOIR, the Institute of International Research.

ioc2rpz

Saturday 08/11/18 from 1400-1550 at Table Three
Defence/Network security

Vadim Pavlov

DNS is the control plane of the Internet. Usually DNS is used for good but:

• It can be used to track users locations and their behaviour;
  
• Malware uses DNS to command and control, exfiltrate data or redirect traffic;
  
• According with 2016 Cisco annual security report, 91.3% of malware use DNS;
  
• Advertisements companies usually use separate and obscure domains to show ads;
  
• Free DNS services (e.g. 1.1.1.1, 8.8.8.8, 9.9.9.9 etc) can help you to address some concerns but you can not define your own protection settings or ad filters.

ioc2rpz is a custom DNS server which automatically converts indicators (e.g. malicious FQDNs, IPs) from various sources into RPZ feeds and automatically maintains/updates them. The feeds can be distributed to any open source and/or commercial DNS servers which support RPZ, e.g. ISC Bind, PowerDNS. You can run your own DNS server with RPZ filtering on a router, desktop, server and even Arduino. System memory is the only limitation.

With ioc2rpz you can define your own feeds, actions and prevent undesired communications.

https://github.com/Homas/ioc2rpz

Vadim Pavlov
Vadim Pavlov is passionate about traveling, learning foreign and programming languages, writing scripts/software, integrating solutions, interacting with colleagues and customers to solve complex problems. As a truly lazy person Vadim wants to automate all routine.

Vadim has 15+ years of IT experience and last 5 years Vadim spent at Infoblox and became an expert in DNS and DNS Security: did researches, wrote articles, created custom DNS servers, Infoblox's DNS Data Exfiltration(Infiltration) Demo and Security Assessments portals, created integrations with security solutions. He achieved a masters degree with honors in Computer Science (Software Development) from Russia.

It WISN't me, attacking industrial wireless mesh networks

Saturday at 10:00 in Track 1
45 minutes | Demo

Erwin Paternotte Lead security consultant at Nixu

Mattijs van Ommeren principal security consultant at Nixu

Wireless sensor networks are commonly thought of as IoT devices communicating using familiar short-range wireless protocols like Zigbee, MiWi, Thread and OpenWSN. A lesser known fact is that about a decade ago, two industrial wireless protocols (WirelessHART and ISA100.11a) have been designed for industrial applications, which are based on the common IEEE 802.15.4 RF standard. These Wireless Industrial Sensor Networks (WISN) are used in process field device networks to monitor temperature, pressure, levels, flow or vibrations. The petrochemical industry uses WISN in oil and gas fields and plants around the world.

Both IEC ratified standards have been commonly praised by the ICS industry for their security features, including strong encryption on multiple layers within the protocol stack, resistance to RF interference, and replay protection. While the standards in general look safe on paper, there are potential interesting attack vectors that require verification. However, security research so far has not yielded any significant results beyond basic attack vectors. Often these attacks have only been theorized, and not (publically) demonstrated. In addition, vendor implementations have not been thoroughly tested for security by independent third parties, due to protocol complexity and the lack of proper (hardware/software) tools. We strongly believe in Wright's principle,"Security does not improve until practical tools for exploration of the attack surface are made available."

Erwin Paternotte
Erwin works as a lead security consultant at Nixu Benelux. He has 15 years experience conducting penetration tests and security assessments on a wide variety of systems and technology. In the recent years his focus is shifting towards more advanced tests like red teaming, embedded systems, ICS/SCADA, and telco systems. Within Nixu he is also the practice lead for penetration and security testing.

Mattijs van Ommeren
Mattijs leads the Red Teaming and Hardware Testing team at Nixu Benelux. He has spent most of his career as an information security consultant, both on the offensive as well as the defensive side. Mattijs has a special interest in process automation and industrial systems. Over the years he has discovered numerous vulnerabilities in RTUs, process controllers, industrial firewalls and other equipment. Industrial sensor networks currently have most of his focus, as this is still mainly unexplored terrain.

Jailbreaking the 3DS through 7 years of hardening

Saturday at 11:00 in Track 3
45 minutes | Demo, Exploit

smea Hacker

The 3DS was one of Nintendo's first serious attempts at security, featuring a cool microkernel based OS and actual exploit mitigations. That didn't stop it from getting hacked pretty hard, making it possible for people to write their own homebrew software for the console. But Nintendo isn't one to back off from a fight and, as a result, has put significant effort into not only fixing vulnerabilities but also introducing new security features targeted specifically at killing exploit techniques used by hackers. This talk will describe hacking the console through all these defensive features by walking through a 0-day exploit chain that takes us all the way from zero access to a full system jailbreak.

smea
smea got his start making video games for closed consoles like the Nintendo DS using whatever hacks were available at the time. At some point consoles started getting actual security features and he transitioned from simply making homebrew software to making the jailbreaks that let people run it. He's best known for his work on the Nintendo 3DS and Wii U but has also done exploitation work against high profile web browsers and virtualization stacks.

@smealum, https://github.com/smealum

Joe Grand's Hardware Hacking Basics

Saturday, 1000-1400 in Icon A

Joe Grand Grand Idea Studio

Interested in hardware hacking, but don't know where to start? This workshop covers the basic skills you'll need for hacking modern embedded systems, including soldering/desoldering, circuit board modification, signal monitoring/analysis, and memory extraction. It is a subset of Joe Grand's Hands-on Hardware Hacking training class that he has been teaching since 2005.

Prerequisites: None. No prior electronics experience necessary.

Materials: Attendees must bring their own laptop (Windows, macOS, or Linux) with the following software pre-installed:

- Saleae Logic, https://www.saleae.com/downloads
- FTDI Virtual COM Port (VCP) drivers, http://www.ftdichip.com/Drivers/VCP.htm
- PuTTY (or other suitable terminal program), https://www.chiark.greenend.org.uk/~sgtatham/putty/
- libmpsse, https://github.com/l29ah/libmpsse

All other hardware and tools will be provided.

Max students: 24

Registration: -CLASS FULL- https://www.eventbrite.com/e/joe-grands-hardware-hacking-basics-icon-a-tickets-47194166021
(Opens July 8, 2018 at 15:00 PDT)

Joe Grand
Joe Grand (@joegrand), also known as Kingpin, is a computer engineer, hardware hacker, former DEFCON badge designer, teacher, advisor, runner, daddy, honorary doctor, TV host, member of legendary hacker group L0pht Heavy Industries, and the proprietor of Grand Idea Studio (grandideastudio.com). He has been creating, exploring, and manipulating electronic systems since the 1980s.

Lateral Movement 101: 2018 Update

Saturday, 1430-1830 in Icon D

Walter Cuestas Team Lead, Open-Sec

Mauricio Velazco Threat Management Team Lead

During a targeted penetration test or red team engagement, consultants will have clear engagement goals and targets such as a particular database or access to specific blueprints within the environment. During the engagement, obtaining shells on servers & workstations as standalone devices will not provide access to the target data. The pentesters will need to move from one host to another in order perform reconnaissance and eventually, get to the target. This workshop aims to provide the necessary background knowledge to understand and execute lateral movement techniques on both MS Windows and Linux. More than just showing which tools and parameters to use like Youtube video would, this workshop will dive deep and describe with detail, the specific services of each OS and how they can be abused to achieve lateral movement. This knowledge will allow the students to learn the actual techniques and not just a bunch of tools.

Prerequisites: Knowledge and experience with Microsoft Windows and Linux at network and admin level.

Materials: To participate in the hands-on sections, attendees need to bring a laptop with 2 GB RAM that must be dedicated to a virtual machine running lastest version of Kali Linux (installed and updated before the workshop). Both VirtualBox and VMware player will be okay.

Max students: 33

Registration: -CLASS FULL- https://www.eventbrite.com/e/lateral-movement-101-2018-update-icon-d-tickets-47194431816
(Opens July 8, 2018 at 15:00 PDT)

Walter Cuestas
Walter (@wcu35745) leads the team of pentesters at Open-Sec (Peruvian company dedicated solely to provide pentesting services) since 2006. His work is based on developing attack vectors and his main interest is in the development of scripts for pentesting. He has participated as speaker in events such as LimaHack, Campus Party Quito, CSI Pereira, events of OWASP Latam and as trainer at Ekoparty. He has also published articles in trade magazines such as Hakin9, PenTest Magazine and Hack-in-Sight. During 2016, he was part of the team of instructors approved by the US Northern Command (US Army) for training in cybersecurity (hacking techniques and breach of security controls). Currently holds OSCP certification.

Mauricio Velazco
Mauricio (@mvelazco) is a security geek and python scripter with more than 9 years of experience in computer security developing offensive evaluations and implementing solutions in Latin America and North America. He currently leads the Threat Management team at a financial services organization in New York performing tasks such as Penetration Testing, Incident Response, Vulnerability Management, Application Security, Threat Intelligence, etc. He holds certifications like OSCP and OSCE. Mauricio has presented at conferences like Derbycon and BSides.

LHT (Lossy Hash Table)

Saturday 08/11/18 from 1400-1550 at Table Six
Offense

Steve Thomas

Cracks passwords or keys from a small key space near instantly. A small key space being a few trillion (40+ bits). It costs about 3 bytes/key and usually <100ms. The largest known deployment (made by a different less efficient program) is 160 TB. It is assumed that people are running similar ones to attack brain wallets.

https://tobtu.com/lhtcalc.php

Steve Thomas
Steve specializes in crypto and password research. Steve was one of the panelists for the Password Hash Completion. "I do stuff... sometimes." Like PAKE to HSM or finding bugs in Signal Protocol, CryptoCat, Adobe ColdFusion 9's password encryption key generator, and password hashing functions (MySQL323 meet in the middle attack, XSHA1 [Blizzard's old hash function], etc).

Local Sheriff

Saturday 08/11/18 from 1000-1150 at Table Five
Target audience would be AppSec, Code Assesments, and privacy researchers.

Konark Modi

Think of Local sheriff as a reconnaissance tool in your browser for gathering information about what companies know about you. While you as a user normally browse the internet it works in the background and helps you identify what sensitive information(PII—Name, Date Of Birth, Email, Passwords, Passport number, Auth tokens.) are being shared/leaked to which all third-parties and by which all websites.

The issues that Local Sheriff helps identify:

• What sensitive information with is being shared this which parties?
• What companies are behind these third parties?
• What can they doing with this information? EG: de-anonymize users on the internet, create shadow profiles.

Local Sheriff can also be used by organizations to audit:

• Which all the third-parties that are being used on their websites.
• The third-parties on the websites are implemented in a way that respect user’s privacy and sensitive data is not being leaked to them.

Local Sheriff is a web-extension that can used with Chrome, Opera, Firefox.

https://github.com/cliqz-oss/local-sheriff

Konark Modi
Konark works as a Tech lead with Cliqz GmbH developing privacy-focused search engine and browser. He works on projects ranging across Privacy by design, Anonymous Data collection like Human Web, Anti-Tracking etc.

Prior to Cliqz, Konark was working with one of the largest e-commerce website in India(Makemytrip.com) in data platform and security team, solving interesting challenges related to DWH, BI and data security.

His recent personal projects, in an endeavor to help organizations fix vulnerabilities have spanned across browsers, health trackers, Government services, travel mobile apps etc.

Konark has been a speaker and presenter at numerous international conferences.

Blog: https://medium.com/@konarkmodi

Looking for the perfect signature: an automatic YARA rules generation algorithm in the AI-era

Saturday at 13:00 in Track 3
20 minutes | Demo, Tool

Andrea Marcelli PhD Student and Security Researcher. Politecnico di Torino

Given the high pace at which new malware variants are generated, antivirus programs struggle to keep their signatures up-to-date, and AV scanners suffer from a considerable quantity of false negatives. The generation of effective signatures against new malware variants, while avoiding false positive detections, is a highly desirable but challenging task, typically requiring a substantial portion of human expert’s time. Artificial intelligence techniques can be applied to solve the malware signature generation problem.

The ultimate goal is to develop an algorithm able to automatically create a generalized family signature, eventually reducing threat exposure and increasing the quality of the detection. The proposed technique automatically generates an optimal signature to identify a malware family with very high precision and good recall using heuristics, evolutionary and linear programming algorithms.

In this talk I will present YaYaGen (Yet Another YARA Rule Generator), a tool to automatically generate Android malware signatures. Performances have been evaluated on a massive dataset of millions of applications available in the Koodous project, showing that in a few minutes the algorithm can generate precise ruleset able to catch 0-day malware, better than human generated ones.

Andrea Marcelli
Andrea Marcelli is a PhD Student and Security Researcher at Hispasec Sistemas. He received his M.Sc. degree in Computer Engineering from Politecnico of Torino, Italy, in 2015 and he is currently a third year doctoral student in Computer and Control Engineering at the same institute. His research interests include malware analysis, semi-supervised modeling, machine learning and optimization problems, with main applications in computer security. Since the end of 2016 he has been part of the security research team at Hispasec Sistemas, working on the Koodous project, where he develops new AI-based tools to automate large scale Android malware analysis, including malware clustering, network graph analytics and automatic YARA signatures generation.

@_S0nn1_, https://jimmy-sonny.github.io/

One Step Ahead of Cheaters -- Instrumenting Android Emulators

Saturday at 13:00 in 101 Track, Flamingo
20 minutes | Demo, Tool

Nevermoe (@n3v3rm03) Security Engineer, DeNA Co., Ltd.

Commercial Android emulators such as NOX, BlueStacks and Leidian are very popular at the moment and most games can run on these emulators fast and soundly. The bad news for game vendors is that these emulators are usually shipped with root permission in the first place. On the other hand, cheating tools developers are happy because they can easily distribute their tools to abusers without requiring the abusers to have a physical rooted device, nor do they need to perform laborious tuning for different Android OS / firmware version. However, luckily for game vendors, commercial Android emulators usually use an x86/ARM mixed-mode emulation for speed-up. As a result, a standard native hooking/DBI framework won't work on this kind of platform. This drawback could discourage the cheating developers.

In this talk, I will introduce a native hooking framework on such a kind of mixed-mode emulators. The talk will include the process start routine of both command-line applications and Android JNI applications as well as how these routines differ on an emulator. The different emulation strategies adopted by different emulators and runtime environments (Dalvik/ART) will also be discussed. Based on these knowledge, I will explain why the existing hooking/DBI frameworks do not work on these emulators and how to make one that works.

Lastly, I will present a demo of using this hooking framework to cheat a game on emulator. With this demo, I will discuss how the dark market of mobile game cheating may develop in the foreseeable future.

Nevermoe (@n3v3rm03)
Nevermoe (@n3v3rm03) is a security engineer in DeNA Co., Ltd. His main focuses are web security, game hacking and reverse engineering. He loves writing tools for game hacking / analyzing and publishing them on https://github.com/nevermoe.

Orthrus

Saturday 08/11/18 from 1000-1150 at Table Four
InfoSec

Nick Sayer

Orthrus is a small appliance that allows the user to create a cryptographically secured USB volume from two microSD cards. The data on the two cards is encrypted with AES-256 XEX mode, and all of the key material used to derive the volume key is spread between the two cards. There are no passwords to manage. If you have both cards, you have everything. If you have only one, you have half the data encrypted with a key you cannot reconstruct. This allows for “two-man control” over a dataset. Orthrus itself has no keys of its own and a volume created or written with one Orthrus can be used with any other (or on any other thing that implements the Orthrus open specification). Orthrus is open source hardware and firmware.

https://hackaday.io/project/20772-orthrus

Nick Sayer
Nick Sayer has been a software developer for most of his life and has spent the last ten years specializing in his day job on security and cryptography. He recently rediscovered the hardware hobby he abandoned in his teens and has a store on Tindie full of his creations, all of which are open.

Outsmarting the Smart City

Saturday at 16:00 in 101 Track, Flamingo
45 minutes | Demo, Exploit

Daniel "unicornFurnace" Crowley Research Baron, IBM X-Force Red

Mauro Paredes Hacker

Jen "savagejen" Savage Hacker

The term"smart city" evokes imagery of flying cars, shop windows that double as informational touchscreens, and other retro-futuristic fantasies of what the future may hold. Stepping away from the smart city fantasy, the reality is actually much more mundane. Many of these technologies have already quietly been deployed in cities across the world. In this talk, we examine the security of a cross-section of smart city devices currently in use today to reveal how deeply flawed they are and how the implications of these vulnerabilities could have serious consequences.

In addition to discussing newly discovered pre-auth attacks against multiple smart city devices from different categories of smart city technology, this presentation will discuss methods for how to figure out what smart city tech a given city is using, the privacy implications of smart cities, the implications of successful attacks on smart city tech, and what the future of smart city tech may hold.

Daniel "unicornFurnace" Crowley
Daniel has been working in infosec since 2004, is TIME's 2006 Person of the Year, and brews his own beer. Daniel is the primary author of both the Magical Code Injection Rainbow, a configurable vulnerability testbed, and FeatherDuster, an automated cryptanalysis tool.

@dan_crowley

Mauro Paredes
Mauro has many years of experience performing penetration testing and security assessments for clients in Canada, USA, Germany, Mexico and Venezuela. Mauro has experience across several industries, including finance, telecommunication, e-commerce, technology providers, retail, energy, healthcare, logistics and transportation, government; and education.

Jen "savagejen" Savage
Jennifer Savage has over a decade of experience in tech including penetration testing, vulnerability assessment, vulnerability management, software development, technical management, and consulting services for companies ranging from startups to the Fortune 100.

@savagejen

PA Toolkit—Wireshark plugins for Pentesters

Saturday 08/11/18 from 1600-1750 at Table Six
Defence

Nishant Sharma

Jeswin Mathai

PA Toolkit is a collection of traffic analysis plugins to extend the functionality of Wireshark from a micro-analysis tool and protocol dissector to the macro analyzer and threat hunter. PA Toolkit contains plugins (both dissectors and taps) covering various scenarios for multiple protocols, including:

• WiFi (WiFi network summary, Detecting beacon, deauth floods, Evil twin etc.)
  
• VoIP ( Overview of extensions, servers, Detecting invite flood, message flood, SIP auth bruteforcing, Decrypting encrypted VoIP conversation)
  
• HTTP (Listing all visited websites, downloaded files, streaming files, Detecting HTTP Tunnels)
  
• HTTPS (Listing all websites opened on HTTPS, Detecting self-signed certificates)
  
• ARP (MAC-IP table, Detect MAC spoofing and ARP poisoning)
  
• DNS (Listing DNS servers used and DNS resolution, Detecting DNS Tunnels)
  
  

Nishant Sharma
Nishant Sharma is a Technical Manager at Pentester Academy and Hacker Arsenal where he leads the development of multiple gadgets for WiFi pentesting such as WiMonitor, WiNX, WiMini and course/training content. He has presented/published his work at Blackhat Arsenal, Wireless Village, IoT village and Demo labs (DEFCON). Prior to joining Pentester Academy, he worked as a firmware developer at Mojo Networks where he contributed in developing new features for the enterprise-grade WiFi APs and maintaining the WIPS solution. He has a Master degree in Information Security from IIIT Delhi. He has also published peer-reviewed academic research on HMAC security. His areas of interest include WiFi and IoT security, AD security, forensics and cryptography.

Jeswin Mathai
Jeswin Mathai is a Researcher at Pentester Academy. He has a Bachelor degree from IIIT Bhubaneswar. He was the team lead at InfoSec Society IIIT Bhubaneswar in association with CDAC and ISEA, which performed security auditing of government portals and conducted awareness workshops for government institutions. He was also the part of team Pied Piper who won Smart India Hackathon 2017, a national level competition organized by GoI. His area of interest includes Malware Analysis and Reverse Engineering, Cryptography, WiFi security and Web Application Security.

Playing Malware Injection with Exploit thoughts

Saturday at 14:00 in Track 3
20 minutes | Demo, Tool, Exploit

Sheng-Hao Ma CSIE, NTUST

In the past, when hackers did malicious program code injection, they used to adopt RunPE, AtomBombing, cross-process creation threads, and other approaches. They could forge their own execution program as any critical system service. However with increasing process of anti-virus techniques, these sensitive approaches have been gradually proactively killed. Therefore, hackers began to aim at another place, namely memory-level weakness, due to the breakages of critical system service itself.

This agenda will simply introduce a new memory injection technique that emerged after 2013, PowerLoadEx. Based on this concept, three new injection methods will be disclosed as well. These makes good use of the memory vulnerability in Windows to inject malicious behavior into system critical services. The content will cover Windows reverse analysis, memory weakness analysis, how to use and utilize, and so on. The relevant PoC will be released at the end of the agenda.

Sheng-Hao Ma
Sheng-Hao Ma (aaaddress1) is a core member of CHROOT Security Group and TDOHacker security community in Taiwan, he has over ten years of experience in reverse engineering and machine language, and mastered the intel 8086. He expert in Windows vulnerability, reverse engineering.

Moreover, Sheng-Hao Ma has many papers presented in security conferences such as BlackHat Asia Arsenal, BSidesLV, ICNC, MC2015 and CISC, he was also a speaker at HITCON (Hackers In Taiwan Conference), SITCON (Students In Taiwan Conference), iThome#Chatbot.

@aaaddress1

Privacy Is Equality—And It's Far from Dead

Saturday at 20:00 in Octavius 13
Fireside Hax

Sarah St. Vincent Researcher/Advocate on National Security, Surveillance, and Domestic Law Enforcement, Human Rights Watch

A talk at DEF CON 25 claimed that privacy is "gone and never coming back." This talk offers a different view, inviting the audience to see privacy as fundamentally about equality-something we have never fully had but also should never regard as gone.

The speaker is a human rights lawyer and investigator, and will draw on decades of human rights thinking about state surveillance as well as her 2017 revelations about Defense Department monitoring of "homegrown violent extremists." Adopting a feminist and race-conscious perspective and inviting audience participation, the talk will challenge received wisdom about basic concepts such as privacy, national security, the warrant requirement, and online radicalization. With a view to the future, it will also offer a thought-provoking history of the connections between privacy and equality in the United States-and the ways unchecked surveillance operates to categorize us and reinforce divisions between us.

It is easy to forget that _1984_ was partly a story about poverty and economic inequality. This talk embraces Orwell's insight into the connection between the erosion of privacy and a dangerous loss of equality, and carries it forward.

Sarah St. Vincent
Sarah St. Vincent is a researcher and advocate on national security, surveillance, and domestic law enforcement for the US Program at Human Rights Watch. She has investigated and documented the deliberate concealment of surveillance-based and other evidence from US criminal defendants, the Defense Department's monitoring of "homegrown violent extremists," and the potential use of US intelligence surveillance for anti-drug purposes. Before joining Human Rights Watch, she was a legal fellow on international human rights and surveillance at the Center for Democracy & Technology. She writes regularly about surveillance, privacy, and related issues under US and European Union law and is a member of the New York bar.

@SarahStV_HRW

Project Interceptor: avoiding counter-drone systems with nanodrones

Saturday at 15:00 in 101 Track, Flamingo
45 minutes | Demo, Tool, Audience Participation

David Melendez Cano R&D Embedded Systems Engineer. Albalá Ingenieros S.A.

Antidrone system industries have arised. Due to several, and even classic, vulnerabilities in communication systems now used by drones , anti-drone systems are able to take down those drone by means of well documented attacks.

Drone/antidrone competition has already been set into the scene. This talk provides a new vision about drone protection against anti-drone systems, presenting "The Interceptor Project", a hand-sized nano drone based on single-core tiniest Linux Board: Vocore2.

This Linux board manages a WiFi (side/hidden) bidirectional channel communication that cannot be deauthenticated and it is replay-resistant, keeping all 802.11 hacking capabilities and standard utilities as any other WiFi hacker drone, with only the built-in adapter of the tiny Vocore2. Also, a "just in case", fallback control by SDR is implemented taking advantage of all the goods that SDR radio gives. All embedded into a hand-sized aircraft to make detection and mitigation a real and new pain, with a very low budget: About $70.

David Melendez Cano
David Melendez Cano, Spain, works as R&D software engineer for TV Studio manufacturer company, Albalá Ingenieros S.A. in Madrid. He has won several prices in robotic contests and he has been a speaker at Nuit Du Hack, RootedCON, NoConName, Codemotion, HKOSCON, etc. Author of the book "Hacking con Drones" and robot builder.

@taiksontexas

Reaping and breaking keys at scale: when crypto meets big data

Saturday at 13:00 in Track 2
20 minutes | Demo, Audience Participation, Tool

Yolan Romailler Security Researcher at Kudelski Security

Nils Amiet Security Engineer at Kudelski Security

Public keys are everywhere, after all, they are public. These keys are waiting to be reaped by those who know their real value. Hidden behind this public face lurks some potentially dangerous issues which could lead to a compromise of data and privacy.

Leveraging hundreds of minion devices, we built a public key reaping machine (which we are open sourcing) and operated it on a global scale. Collected keys are tested for vulnerabilities such as the recent ROCA vulnerability or factorization using batch-GCD. We've collected over 300 million keys so far and built a database 4 to 10 times bigger than previous public works.

Performing the initial computation on over 300 million keys took about 10 days on a 280 vCPU cluster. Many optimizations allow our tool to incrementally test new RSA keys for common prime factors against the whole dataset in just a few minutes.

As a result of our research, we could have impersonated hundreds of people by breaking their PGP keys, mimicked thousands of servers thanks to their factored SSH keys and performed MitM attacks on over 200k websites relying on vulnerable X509 certificates.

In the end, we were able to do this in an entirely passive way. Going further is possible, but it would lead us to the dark side. Would big brother hesitate to go there?

Yolan Romailler
Yolan Romailler is a Security Researcher at Kudelski Security, where he delves into (and dwells on) cryptography, crypto code, blockchains and other fun things. He has spoken at Black Hat USA, BSidesLV and DEF CON's Cryptovillage on automation in cryptography, vulnerability research, and presented at FDTC 2017 the first known practical fault attack against EdDSA. Yolan tweets as @anomalroil.

Nils Amiet
Nils Amiet is a Security Engineer at Kudelski Security, where he performs big data analytics, leveraging Spark, Hadoop and Chapel clusters to analyze large datasets. He designed a data pipeline to snapshot the whole IPv4 address space for selected network protocols, allowing automated and reproducible offline data analysis. He also built an automated country security ranking. Nils likes open source software, data analytics, distributed systems and data processing.

Relocation Bonus: Attacking the Windows Loader Makes Analysts Switch Careers

Saturday at 17:00 in Track 2
45 minutes | Demo, Tool

Nick Cano Senior Security Architect @ Cylance

The arbiters of defense wield many static analysis tools; disassemblers, PE viewers, and anti-viruses are among them. When you peer into their minds, these tools reveal their perilous implementations of PE file parsing. They assume PE files come as-is, but the Windows Loader actually applies many mutations (some at the command of the PE itself) before execution ever begins. This talk is about bending that loader to one's whim with the Relocations Table as a command spell. It will demonstrate how the loader can be instrumented into a mutation engine capable of transforming an utterly mangled PE file into a valid executable. This method starts with multiple ASLR Preselection attacks that force binary mapping at a predictable address. It then mangles the PE file, garbling any byte not required prior to relocation. Finally, it embeds a new Relocations Table which, when paired with a preselected base address, causes the loader to reconstruct the PE and execute it with ease. This isn't a packer or a POC, it is a PE rebuilder which generates completely valid, stable, and vastly tool-breaking executables. This talk will show you how this attack twists the protocols of a machine against the controls meant to protect it. It flexes on tools with various look-what-I-can-break demonstrations and, if you write similar tools, it'll make you rethink how you do it.

Nick Cano
Nick is a self-taught software engineer, hacker, and an avid CTFer. He started coding when he was 11 and planted his roots in video game hacking by 14. His game hacking endeavors lead to a profitable business which became the foothold for his career. Nick is the author of"Game Hacking: Developing Autonomous Bots for Online Games," and has spoken about topics such as malware analysis, Windows internals, game hacking, and memory forensics at DEF CON, DerbyCon, HOPE, and other prestigious conferences. Previously a Senior Engineer at Bromium and currently a Senior Architect at Cylance, he's using his Windows internals experience to help make advances with endpoint protection, detection, and response.

https://twitter.com/nickcano93, https://nickcano.com/, https://github.com/nickcano

Reverse Engineering Windows Defender's Emulator

Saturday at 15:00 in Track 2
45 minutes | Demo, Tool

Alexei Bulazel Hacker

Windows Defender Antivirus's mpengine.dll implements the core of Defender's functionality in an enormous ~11 MB, 30,000+ function DLL.

In this presentation, we'll look at Defender's emulator for analysis of potentially malicious Windows binaries on the endpoint. To the best of my knowledge, there has never been a conference talk or publication on reverse engineering any antivirus binary emulator before.

We'll cover a range of topics including emulator internals—machine code to intermediate language translation and execution; memory management; Windows API emulation; NT kernel emulation; file system and registry emulation; integration with Defender's antivirus features; the virtual environment; etc.—building custom tooling for instrumenting the emulator; tricks that binaries can use to evade or subvert analysis; and attack surface within the emulator.

Attendees will leave with an understanding of how modern antivirus software conducts emulation-based dynamic analysis on the endpoint, and how attackers might go about subverting or attacking these systems. I'll publish code for a binary for exploring the emulator from within, patches that I developed for instrumenting Defender built on top of Tavis Ormandy's loadlibrary project, and IDA scripts to help with analyzing mpengine.dll and Defender's "VDLLs"

Alexei Bulazel
Alexei Bulazel (@0xAlexei) is a security researcher at ForAllSecure. He also provides expertise on reverse engineering and cyber policy at River Loop Security. Alexei has previously presented his research at venues such as Black Hat, REcon, and ShmooCon, among many others, and has published scholarly work at USENIX WOOT and ROOTS. Alexei is a proud alumnus of RPISEC.

@0xAlexei

Ridealong Adventures—Critical Issues with Police Body Cameras

Saturday at 12:00 in Track 3
45 minutes | Demo, Tool, Exploit

Josh Mitchell Principal cybersecurity Consultant, Nuix

The police body camera market has been growing in popularity over the last few years. A recent (2016) Johns Hopkins University market survey found 60 different models have been produced specifically for law enforcement use. Rapid adoption is fueling this meteoric increase in availability and utilization. Additionally, device manufactures are attempting to package more and more technology into these devices. This has caused a deficiency in local municipalities' skills and budget to accurately assess the attack surface and exposure to the organization. Furthermore, departmental policies and procedures governing the secure deployment of these devices is largely insufficient.

At DEF CON, we will be introducing tactics, techniques, and procedures to assess the security of these devices. We will cover attacks against the physical devices, RF components, smartphone app's, and desktop software. The capabilities demonstrated and discussed will encompass publicly and privately available technologies. Additionally, the talk will cover multiple products and vendors, shedding light on industry wide issues and trends. Finally, we will be releasing software to detect and track various devices and tie these issues into real world events.

Josh Mitchell
Josh Mitchell (Twitter: @bx_lr) has more than a decade's experience as an information security researcher. He has authored numerous technical documents and presented his findings at conferences, academic discussions, and in the classroom. Josh is an expert at discovering and exploiting vulnerabilities and writing code to protect operating systems and programs. Josh has served in the United States Air Force and held numerous defense contracting roles covering electronic signals intelligence exploitation, electronic warfare, malware analysis, exploit development, and reverse engineering

@bx_lr

Securing Big Data in Hadoop

Saturday, 1430-1830 in Icon F

Miguel Guirao

Big Data have been for quiet a good time the driving force for innovation in many markets around. Data is the current asset that companies from around the world look for to crunch and extract information and knowledge, get new insights in order to create new services and products to deliver to their customers and finally improve their profits.

Because of that, it is imperative to protect such an important asset. In this workshop we will look at Haddoop from the point of view of security. We will learn what the Hadoop ecosystem has to offer us to protect our data, starting with Kerberos, perimeter security with Apache Knox, Configuring authorization with Apache Ranger and enabling encryption of the HDFS (Hadoop File System).

1) Kerberos is used in Hadoop to provide an authentication system for users and other system interacting with the Hadoop cluster and it's services. Strongly authenticating and establishing a user's identity is the basis for secure access in Hadoop. Users need to be able to reliably "identify" themselves and then have that identity propagated throughout the Hadoop cluster. Hadoop uses Kerberos as the basis for strong authentication and identity propagation for both user and services. More info: https://web.mit.edu/kerberos/

2) The Apache Knox Gateway (Knox) is a system to extend the reach of Apache Hadoop services to users outside of a Hadoop cluster without reducing Hadoop Security. Knox also simplifies Hadoop security for users who access the cluster data and execute jobs. The Knox Gateway is designed as a reverse proxy. The Apache Knox Gateway is an Application Gateway for interacting with the REST APIs and UIs of Apache Hadoop deployments. The Knox Gateway provides a single access point for all REST and HTTP interactions with Apache Hadoop clusters. More info: https://knox.apache.org/

3) Apache Ranger is a framework to enable, monitor and manage comprehensive data security across the Hadoop platform. The vision with Ranger is to provide comprehensive security across the Apache Hadoop ecosystem

Prerequisites: In order to get out the most of this workshop, the student needs to be comfortable working in the command line, moving around the filesystem, editing files with vi or nano, visualizing and understanding processes and the top or htop command outputs. If you have been using the UNIX or UNIX-like command line for a time, you should be good and al set.

Materials: Since this is NOT a class of how to setup a Hadoop cluster, but instead on how to secure a Hadoop cluster, it is a must that students taking this workshop come with the Hortonworks Data Platform (HDP) Docker image (https://hortonworks.com/products/sandbox/) already installed! The Docker image image is very big and it will take you a considerable time to download it during the workshop. Warning!! DO NOT download Hortonworks Data Flow (HDF), it is NOT THE SAME!

Please read the Intall Guide for the the type of the HDP and OS you will be using!

The workshop is prepared using Ubuntu Linux 18.04 and Docker!

Max students: 84

Registration: -CLASS FULL- https://www.eventbrite.com/e/securing-big-data-in-hadoop-icon-f-tickets-47194514062
(Opens July 8, 2018 at 15:00 PDT)

Miguel Guirao
Miguel Guirao (aka Chicolinux), as been in the information security industry for around twelve years, he is a freelance consultant at Futura - Open Solutions, where he also has been training professionals about Linux Management, Information Security and Programming. He has been also a professor since 2009 for the Anahuac Mayab University where he teaches at the School of CS Engineering and at the School of Multimedia Design. He teaches Information Security in the Master of Information Technology Management. He is also VicePresident of Security & Internet for the National Chamber of the Electronics, Telecommunications and Information Technology in Mexico, where he helps to create awareness and infosec training in IT companies.

He is a Community Mentor for SANS Institute. He holds a GIAC GCIH Certification from the SANS Institute. Thechnical Reviewer for SANS Securing The Human Project, eForensics Magazine.

Since 2017 he got an interest in Big Data and DevOps, specially from the security perspective, and he currently runs the lab that test and research ways to to protect big data and devops systems, where he and his students have fun protecting and hacking this systems.

This is his second workshop at DEFCON!

Sex Work After SESTA/FOSTA

Saturday at 14:30 in Track 2
20 minutes |

Maggie Mayhem MaggieMayhem.Com

Surveillance had been a fact of life for sex workers wherever they have faced prohibition. Only two elements, communication and association, can differentiate between commercial and personal sex, criminal enforcement of prostitution laws have necessarily meant targeting the speech and affiliation of perceived sex workers. Enforcement of this nature is facilitated by profiling, institutional bias, and broad overreaching policies that fundamentally violate individual human rights. This has included condoms as evidence, non-consensual medical screenings, and targeted harassment of black transgender women as well as license plate recording projects and stings that focus disrupting immigration or migrant workers.

For all of its risks, screening potential clients is safer over email than it is in person during a street based negotiation often in an isolated part of town. SESTA (Stop Enabling Sex Traffickers Act) comes at a time when compelling research demonstrates that Craigslist resulted in a 17% drop in the female homicide rate. SESTA will also put victims at risk by delaying their identification and recovery by eliminating a digital paper trail. Additionally, Section 230 of the Communications Decency Act is a vital protection for a free internet. Subverting SESTA will create greater economic disparity between sex workers and ultimately empower pimps and agencies over independent providers.

Maggie Mayhem
Maggie Mayhem is a sex worker, birth worker, and death worker from San Francisco, CA. She has served on the Board of Directors for the Sex Worker Outreach Project-USA and founded the health, hygiene, and harm reduction project HarmReduxSF. She has been involved in public health since 2003 and is an international advocate for sex worker rights and reproductive justice. She has spoken about sexual biometrics at SxSW; debated pornography at Yale with Gail Dines; shared the history of pre-WWII porn at the University of Toronto; was artist-in-residence at the Museumsquartier in Vienna; talked about developing sex worker centered policy at DymaxiCon in Helsinki; presented her crack pipe distribution project at the Harm Reduction Coalition conference; shared statistics and research on sex workers and violence at the University of Winchester; and examined public mourning in human rights activism at the University of Southampton. Her independent adult website MeetTheMayhems was the recipient of a feminist porn award.

@MsMaggieMayhem // Insta @MaggieMayhem // Web MaggieMayhem.Com //

Sh00t—An open platform for manual security testers & bug hunters

Saturday 08/11/18 from 1400-1550 at Table Two
AppSec, Mobile and Offensive security

Pavan Mohan

An open platform for bug hunters emphasizing on manual security testing.

Sh00t is a dynamic task manager to replace simple text editors or task management tools that are NOT meant for security testing provides checklists for security testing helps in reporting with custom bug templates

Sh00t benefits best for pen testers, bug bounty hunters, security researchers and anybody who love bugs!

Written in Python and powered by Django web framework.

Pavan Mohan
Pavan aka pavanw3b is a Senior Security Engineer at ServiceNow. He is one of the core members of Null security community—Hyderabad chapter. He participates in bug bounty programs in his free time and made it to hall of fames of some companies.

SMBetray—Backdooring and breaking signatures

Saturday at 14:00 in Track 1
45 minutes | Demo, Tool

William Martin Security & Privacy Senior Associate

When it comes to taking advantage of SMB connections, most tools available to penetration testers aim for system enumeration or for performing relay attacks to gain RCE. If signatures are required, or if the victims relayed are not local admins anywhere, that can put a real stint in leveraging SMB to gain any serious footholds in a network. Fortunately, the mentioned attacks are only the tip of the iceberg of the ways to gain RCE with insecure SMB connections – and there’s a new tool to help take full advantage of these opportunities.

William Martin
William Martin is a penetration tester & information security researcher with more than five years of experience in the Information Security Industry. William became an Offensive Security Certified Professional(OSCP) in November of 2015, and is currently a senior associate at RSM US LLP in the Security and Privacy practice with a focus on penetration testing and social engineering.

@quickbreach
www.linkedin.com/in/william-martin-OSCP

Swissduino—Stealthy USB HID Networking & Attack

Saturday 08/11/18 from 1600-1750 at Table Four
Offense

Mike Westmacott

The Swissduino is a set of tools on an Arduino Yun that allow for the upload of binaries to target systems remotely via USB HID Keyboard, and then provide TCP connectivity between the remote attacker system and the target purely through USB HID. The demonstration shows a Metasploit Meterpreter stub being uploaded, and then actively used without triggering anti-virus (Win 7 host…). New for 2018: (In development) Expanded toolset that allows for password extraction from login and automated installation of toolkit in Windows 10 with anti-malware/local firewall, also targeting of Linux.

Github: https://github.com/drwesty/swissduino

Mike Westmacott
Mike works for Thales Cyber & Consulting at the technical end of the cyber security practice and operates broadly on the same basis as an attacker. He has conducted over one hundred penetration tests and audits against a wide variety of systems and targets, combined with activities such as secure code review, reverse engineering and wireless assessment. Mike has worked as a CREST Certified Network Intrusion Analyst and has performed breach assessments in a number of different industry sectors including finance, engineering and government. He has managed and delivered a CVI (Cyber Vulnerability Investigation) for the UK MOD in the first of a series of industry-delivered assessments.

He has provided incident response training at board level in the form of desktop scenarios with red and blue teams engaged in a fictitious cyber-attack. This has proven to be an excellent tool for extracting tactics, forming future strategies, and educating participants.

Mike founded a volunteer group in BCS (The Chartered Institute for IT) to introduce IT practitioners to the information security industry and has presented at a government select committee and taken part in numerous senior panels at industry and government events. He has also written articles for well-known industry publications included ITnow, Computer Weekly, InfoSecurity Magazine.

Prior to working in information security Mike worked as an application support analyst on a financial trading platform and later an enterprise succession planning system. Before this Mike gained his PhD in Computer Vision at the University of Southampton.