A Journey Into Hexagon: Dissecting a Qualcomm Baseband

Thursday at 13:00 in 101 Track, Flamingo
45 minutes |

Seamus Burke Hacker

Mobile phones are quite complicated and feature multiple embedded processors handling wifi, cellular connectivity, bluetooth, and other signal processing in addition to the application processor. Have you ever been curious about how your phone actually makes calls and texts on a low level? Or maybe you want to learn more about the internals of the baseband but have no clue where to start. We will dive into the internals of a qualcomm baseband, tracing it's evolution over the years until its current state. We will discuss the custom, in-house DSP architecture they now run on, and the proprietary RTOS running on it. We will also cover the architecture of the cellular stack, likely places vulnerabilities lie, and exploit mitigations in place. Finally we will cover debugging possibilities, and how to get started analyzing the baseband firmware—how to differentiate between RTOS and cellular functions, how to find C std library functions, and more.

Seamus Burke
Seamus Burke is an undergraduate student at UMBC pursing a degree in CS, he has been working in the security field field since he was 16 and has held a variety of positions from SOC analyst to malware analyst, to vulnerability researcher. Currently his research focus is on cellular baseband and kernel rootkits. When he's not staring at IDA, he likes to spend his time wrenching on cars and racing.

@AlternateAdmin

Advanced Wireless Attacks Against Enterprise Networks

Thursday, 1430-1830 in Icon C

Gabriel Ryan Co-Founder & Principle Security Consultant, Digital Silence

Justin Whitehead CEO & Co-Founder, Digital Silence

This workshop will instruct attendees on how to carry out sophisticated wireless attacks against corporate infrastructure. Attendees will learn how to attack and gain access to WPA2-Enterprise networks, bypass network access controls, and perform replay attacks to gain administrative control over an Active Directory environment. External wireless adapters and additional required equipment will be provided to all workshop attendees, and material learned in the lectures will be practiced within a realistic lab environment.

Areas of focus include:

* Wireless reconnaissance and target identification within a red team environment
* Attacking and gaining entry to WPA2-EAP wireless networks
* LLMNR/NBT-NS Poisoning
* Firewall and NAC Evasion Using Indirect Wireless Pivots
* MITM and SMB Relay Attacks
* Downgrading modern SSL/TLS implementations using partial HSTS bypasses

Prerequisites: None

Materials: Students will need to bring a laptop with at least 8 gigs of RAM, a 64-bit operating system, at least 100 gigs of hard drive space (external drives are fine), and at least one free USB port. Students will also be required to download and install a virtual lab environment prior to participating in the workshop. Everything else will be provided by the instructor team.

Max students: 66

Registration: -CLASS FULL- https://www.eventbrite.com/e/advanced-wireless-attacks-against-enterprise-networks-icon-c-tickets-47086648433
(Opens July 8, 2018 at 15:00 PDT)

Gabriel Ryan
Gabriel Ryan is a penetration tester and researcher with a passion for wireless and infrastructure testing. He currently serves a co-founder and principle security consultant for Digital Silence, a Denver based consulting firm that specializes in impact driven penetration testing and red team engagements.

Prior to joining Digital Silence, Gabriel worked as a penetration tester and researcher for Gotham Digital Silence, contributing heavily to their wireless security practice and regularly performing large scale infrastructure assessments and red teams for Fortune 500 companies. Some of Gabriel's most recent work includes the development of EAPHammer, an 802.11ac focused tool for breaching WPA2-EAP networks. On the side, he serves as a member of the BSides Las Vegas senior staff, coordinating wireless security for the event. In his spare time, he enjoys producing music, exploring the outdoors, and riding motorcycles.

Justin Whitehead
Justin is an Army infantry veteran with over a decade of service. After retiring from the military, he went on to have a successful 7 year career in computer forensics and incident response. In 2015, he became a penetration tester at One World Labs, working under renowned security researcher Chris Roberts. He now serves as CEO and Co-Founder of Digital Silence, bringing a unique attention to detail and blend of blue and red team experience to the company. When he's not focused on his role as a security professional, Justin happily pursues his hobby of synchronized figure skating.

Building Autonomous AppSec Test Pipelines with the Robot Framework

Thursday, 1000-1400 in Icon E

Abhay Bhargav CTO, we45

Sharath Kumar Ramadas Senior Solutions Engineer, we45

It is common knowledge that automating security testing, especially for rapid-release applications is an essential requirement from multiple perspectives. One perspective is that of security testing in a Continuous Delivery Pipeline (as part of CI/CD) and the other is the perspective of a Penetration Tester. In a CI/CD Pipeline, one would like security tests to be triggered in an automated manner. These tests should provide information related to application vulnerabilities to engineering teams, early in the SDL (Software Development Lifecycle), preferably before these apps are deployed to production. From the perspective of the Pentester, there is the obvious shortage of time and resources. Pentesters spend a lot of time repeating standard manual processes, thereby losing out on time to perform more deep, insightful analysis of the target application to uncover serious security flaws. Targeted Automation, can be very useful for a Pentester as well.

Prerequisites: Basic Knowledge of Application Security Testing Techniques

Materials: Laptop with Virtualbox loaded - VM will be provided

Max students: 33

Registration: -CLASS FULL- https://www.eventbrite.com/e/building-autonomous-appsec-test-pipelines-with-the-robot-framework-icon-e-tickets-47086284344
(Opens July 8, 2018 at 15:00 PDT)

Abhay Bhargav
Abhay Bhargav is the CTO of we45, a focused Application Security company. Abhay is the author of two international publications. "Secure Java for Web Application Development" and "PCI Compliance: A Definitive Guide". Abhay is a builder and breaker of applications, and has authored multiple applications in Django and NodeJS. He is the Chief Architect of "Orchestron", a leading Application Vulnerability Correlation and Orchestration Framework. He is a passionate Pythonista and loves the idea of automation in security. This passion prompted him to author the world's first hands-on Security in DevOps training that has been delivered in multiple locations, and recently as a highly successful training programs at the OWASP AppSecUSA 2016, OWASP AppSec EU and USA 2017. Abhay recently delivered a workshop on SecDevOps at DEFCON 25. In addition , Abhay speaks regularly at industry events including OWASP, ISACA, Oracle OpenWorld, JavaOne, and others.

Sharath Kumar Ramadas
Sharath is a Senior Solutions Engineer at we45. As part of his role, Sharath has architected and developed multiple solutions around security engineering, including an Application Vulnerability Correlation tool called Orchestron. As part of his experience with Application Security, Sharath has developed integrations for multiple security products including DAST, SAST, SCA and Cloud environments, In addition, Sharath has extensive experience with Cloud Deployments and Container Native Deployments. As part of his role in a security organization, Sharath has led teams that have created intentionally vulnerable apps for CTF competitions both inside and outside the organization.

Building the Hacker Tracker

Thursday at 15:00 in 101 Track, Flamingo
20 minutes |

Whitney Champion Senior Systems Engineer

Seth Law Application Security Consultant, Redpoint Security

In 2012, back when DEF CON still fit in the Riviera (RIP), I recognized a gap to fill. I wanted to create a mobile version of the paper DEF CON booklet that everyone could use at the con.

I was unable to attend the conference that year. I was 8 months pregnant with my first child, and because I couldn't be there in person, I spent a lot of time wishing I was.

So I built it. I spent countless hours pouring my heart into what became the Hacker Tracker, shiny graphics and all, and was committing code up until the minute I went into labor.

Fast forward a few years: Seth was frustrated with the lack of a mobile app for iOS while attending DEF CON. Subsequently, he found the Android version of Hacker Tracker and reached out to me about creating an iOS version. I was thrilled that someone wanted to join me and help grow the project. Not long after that, I recruited Chris to work on the app as well.

Now, 6 years since its inception, a small team supports the app development across iOS and Android and the apps are being used by half a dozen different conferences, representing several thousand users.

From nothing to something, we've experienced quite a bit in 6 years. Join us as we share our moments of joy, fear, and panic,"things not to do", and more.

Whitney Champion
Whitney is a systems architect in South Carolina. She has held several roles throughout her career- security engineer, systems engineer, mobile developer, cloud architect, consulting architect, to name a few. In the last 15 years, she has worked on operations teams, support teams, development teams, and consulting teams, in both the private and public sector, supporting anywhere from a handful of users to hundreds of thousands. No matter the role, security has always been an area of passion and focus.

@shortxstack

Seth Law
Seth is an independent security consultant with Redpoint Security in Salt Lake City, where he performs security research and consulting for a various clients. He spends the majority of his time thinking up ways to exploit and secure applications, but has been known to pull out an IDE as the need arises. Over the course of his career, Seth has honed application security skills using offensive and defensive techniques, including tool development and research. He has an (un)healthy obsession with all things security related and regularly heads down the rabbit hole to research the latest vulnerability or possible exposures. Seth can regularly be found at developer meetups and security get-togethers, whether speaking or learning.

@sethlaw

DEF CON 101 Panel

Thursday at 15:30 in 101 Track, Flamingo
105 minutes | Audience Participation

HighWiz Founder, DC 101

Nikita Director of Content & Coordination, DEF CON

Roamer CFP Vocal Antagonizer

Chris "Suggy" Sumner Co-Founder, Online Privacy Foundation

Jericho "Squirrel"

Wiseacre Former Doer Of Things

Shaggy The Mountain

Ten years ago, DEF CON 101 was founded by HighWiz as a way to introduce n00bs to DEF CON. The idea was to help attendees get the best experience out of DEF CON (and also tell them how to survive the weekend!). The DEF CON 101 panel has been a way for people who have participated in making DEF CON what it is today to share those experiences and, hopefully, inspire attendees to expand their horizons. DEF CON offers so much more than just talks and the DEF CON 101 panel is the perfect place to learn about all things DEF CON so you, dear reader, can get the best experience possible. The panel will end with the time honored tradition of "Name the n00b" where lucky attendees will be brought up on stage to introduce themselves to you and earn the coveted 101 n00b handle. Don't worry if you don't make it on to the stage, there will be plenty of other prizes for you to enjoy!

HighWiz
HighWiz is born of glitter and moon beams and he has all the right moves. He is the things that sweet dreams are made of and nightmares long to be... Years ago, with the help of some very awesome people*, he set about to create an event that would give the n00bs of DEF CON a place to feel welcomed and further their own pursuit of knowledge. For years he has held onto the simple tenet that "You get out of DEF CON what you put into it". HighWiz is the fabled Man on the Mountain whom people seek to gain a taste of his forbidden knowledge. He is a rare sighting at DEF CON only to be glimpsed by those lucky few. HighWiz is a member of the DEF CON CFP Review Board and Security Tribe.

*Some (but not all) of the people HighWiz would like to thank for helping to make 101 into what it is today : Runnerup, Wiseacre, Nikita, Roamer, Shaggy, Lockheed, Pyr0, Zac, V3rtgio, 1o57, Neil, Sethalump, AlxRogan, Jenn, Zant, MalwareUnicorn, Clutch, TheDarkTangent, Siviak, Ripshy, Valkyrie, Xodia, Flipper and all the members of Security Tribe.

@highwiz

Nikita
For over 15 years, Nikita has worked to ensure DEF CON runs as smoothly as one can expect from a hacker conference. In addition to planning a vast array of details prior to DEF CON and thwarting issues while onsite, she also serves as the Director of Content for the CFP Review Board.

@niki7a

Roamer
Appearing in a cloud of (cigarette) smoke, Roamer is a man full of whiskey and ideas. He has appeared at DEF CON since before (almost) the beginning. He is a renown author, speaker, pontificator and is famous for giving the most entertaining Worldwide Wardrive talk. He is also the Grand Vizier of All Things Vendor—you are welcome. When Roamer speaks, people listen. And often fall in love.

Chris "Suggy" Sumner
Chris "Suggy" Sumner is the polite one. He is a co-founder of the not-for-profit Online Privacy Foundation, who contribute to the field of online behavioural research. Suggy is also the CFP review board's undisputed fence sitting champion.

@5uggy

Jericho
Since 1992, Jericho has been poking about the hacker/security scene. His experience has allowed him to develop (and deliver—often in the form of rants) a great perspective on many topics, mostly security related. He has been a speaker at security conferences worldwide, primarily for the free travel to exotic locales. A founding member of Attrition.org, he was also the content manager for the Open Source Vulnerability Database (OSVDB) and an officer in the Open Security Foundation (OSF). He is a champion of security industry integrity and small misunderstood creatures. He epitomizes the saying, "Why be a pessimist? It won't work, anyway."

@attritionorg

Wiseacre
Wiseacre was introduced to DEF CON by Roamer. Though he appeared at his first DEF CON because of the Capture the Flag contest, Roamer and HighWiz showed him how to make DEF CON so much more than simply attending the talks. From then on he made a point to participate in as much as he could. Of course, this was all within the limits of social anxiety so, if it allowed participation as a wallflower, he was in! Now, he wants to make sure everyone else gets to know as much as possible about this year's conference. In his private life, Mike hacks managers and is happy anyone listens to him at all.

wiseacre_mike

Shaggy
Shaggy has the Voice of Barry White, the brains of Albert Einstein and the soul of Bea Arthur. He has a few philosophies on life: He believes that while the righteous keep moving forward, those with clean hands become stronger and stronger . That the field of battle between God and Satan is the human soul. It is in the soul that the battle rages every moment of life. He also believes that one should Start by doing what's necessary; then do what's possible; and suddenly you are doing the impossible. Because You learn to speak by speaking, to study by studying, to run by running, to work by working, and just so, you learn to love by loving. All those who think to learn in any other way deceive themselves.

Finding Needles in Haystacks

Thursday, 1000-1400 in Icon D

Louis Nyffenegger Security Engineer, Pentester Lab

Luke Jahnke Security Researcher, Elttam

With more and more teams moving to Agile, security engineers need to be ready to find bugs by just looking at a diff in Stash or Github. This workshop will give you the basics to get started and know what to look for. Based on 3 exercises in 3 different languages (PHP, Golang and Ruby), we will cover simple to more advanced issues and show you where to look and what you can find. After this workshop, you will be ready to start doing code review for fun or as a way to get further as part of a post-exploitation.

Prerequisites: The students should be able to use a text editor and navigate source code. Basic knowledge of Git, PHP, Ruby and Go will definitely help but is not mandatory.

Materials: A laptop with 4Gb of RAM. Internet access during the class.

Max students: 33

Registration: -CLASS FULL- https://www.eventbrite.com/e/finding-needles-in-haystacks-icon-d-tickets-47086263281
(Opens July 8, 2018 at 15:00 PDT)

Louis Nyffenegger
Louis Nyffenegger is a security engineer and entrepreneur based in Melbourne, Australia. He performs pentest, architecture and code review on a daily basis. Louis is the founder of PentesterLab, a learning platform for web penetration testing.

Luke Jahnke
Luke Jahnke is a Security Researcher at Elttam. He has extensive experience performing security assessments and running training. He enjoys working on interest vulnerabilities and runs the biennial BitcoinCTF competition.

Forensic Investigation for the Non-Forensic Investigator

Thursday, 1430-1830 in Icon A

Gary Bates Technology Director

This workshop will provide a foundation to attendees on the basics of performing a forensic investigation on a corporate or SOHO network. The course will primarily discuss forensics on a Windows system and network, but, Linux and Mac systems will be briefly discusses during the workshop where applicable. Attendees will learn techniques on how to properly collect possible evidentiary data, how to store the collected data, how to analyze the information and evaluate the data. Topics that will be covered include: - Pre-incident.. Setting up your forensic analysis toolkit. - First contact with an incident. What should you do and not do. - Collecting volatile data. Tools and techniques - Collecting and storing non-volatile data. - Utilizing open source software to analyze the data - Making a determination and writing the report based on the analyzed data. - What to do with the collected and analyzed information. This workshop is intended to provide a basic overview of how to properly collect and handle data in a corporate or enterprise network. The course will cover several tools and provide labs for the students to complete to familiarize themselves with how the tools work and the proper procedures to use. However, this class will not make a deep dive into any of the tools. Nor is this class intended for the professional forensic investigator.

Prerequisites: Students need to have a knowledgeable background in IT Administration, basic knowledge of file structures and how the Windows OS works. Students should be knowledgeable in utilizing VirtualBox and how to setup VMs and attach virtual hard drives.

Materials: Students will need to bring a laptop capable of running no more than 3 VMs. The latest version of VirtualBox should be installed.

Max students: 24

Registration: -CLASS FULL- https://www.eventbrite.com/e/forensic-investigation-for-the-non-forensic-investigator-icon-a-tickets-47086683538
(Opens July 8, 2018 at 15:00 PDT)

Gary Bates
Gary works as the Technology Director for a medium size city in Texas. This job requires him to wear many hats to include performing forensic analysis on enterprise systems. In addition, he has helped the City's police department with several criminal cases that involved the collection of network and stored data from systems under investigation. Additionally, he teaches information security classes at the local junior college to include a forensic investigation course for IT security students. Besides 15 years of experience in the IT field, he has a BS in Network Administration and a Masters in Information Security Assurance. He, also, holds several industry certifications to include a Certified Ethical Forensic Investigator Certification. Since he is easily distracted and always curious, he has a wide-range of interest and off-hour projects that run the gambit from in-depth study about cyber security to data analysis programming to electronic projects that use the Raspberry Pi and Arduino chips.

Fuzzing FTW

Thursday, 1430-1830 in Icon D

Bryce Kunz President, Stage 2 Security

Kevin Lustic Information Security Researcher

Join us in this hands-on introduction to fuzzing workshop, where we will explore how common fuzzing tools (e.g. AFL, libFuzzer, BooFuzz, etc..) are used to discover previously unknown bugs within applications.

We will first cover a general process to follow when fuzzing a targeted application and then provide hands-on labs where students will be able to apply this fuzzing process to quickly discover bugs within applications.

Several different fuzzing techniques will be covered including fuzzing file inputs via blind mutations (e.g. radamsa), fuzzing specific functions within an application via in-process evolutionary fuzzing (e.g. libFuzzer), compile-time instrumentation based fuzzing (e.g. AFL), and fuzzing of network services via generation based fuzzing (e.g. BooFuzz aka Sulley).

Prerequisites: Students need to be comfortable in Kali Linux which includes navigating the OS via the terminal. An understanding of basic networking concepts (i.e TCP/IP) and the HTTP protocol is highly recommended. Some knowledge of the Python scripting language is highly recommended.R26

Materials:

• A laptop with the ability to copy a Virtual Machine (VM) off a USB drive and run the VM within VMware Workstation / Fusion or VirtualBox.
• Students are required to bring their own laptops
• A minimum of 8 GB RAM installed
• At least 60 GB HD free
• USB 2 or higher support
• VMware Workstation / Fusion / VirtualBox installed
  • Tested on Windows 10 with VMware Workstation or VirtualBox.
  • Tested on macOS High Sierra with VMware Fusion or VirtualBox.

Max students: 33

Registration: -CLASS FULL- https://www.eventbrite.com/e/fuzzing-ftw-icon-d-tickets-47086572205
(Opens July 8, 2018 at 15:00 PDT)

Bryce Kunz
Bryce Kunz (@TweekFawkes) craves righteous red team hacks. Currently, the President of Stage 2 Security. Previously he supported the NSA (network exploitation & vulnerability research), Adobe (built red teaming program for cloud services), and DHS (incident response). Bryce holds numerous certifications (e.g. OSCP, etc...), and has spoken at various security conferences (i.e. BlackHat, DerbyCon, etc...).

Kevin Lustic
Kevin Lustic is an InfoSec researcher located just outside Salt Lake City, Utah. He is currently a red-teamer for Adobe in Lehi, performing offensive security testing against the various Adobe Digital Experience solutions. Prior to joining Adobe, Kevin spent five years in the Intelligence Community as a global network vulnerability analyst, cryptanalyst, and developer in various positions. He earned his Bachelor's degree in Mathematics from Ohio University, then his Master's degree in Cyberspace Operations from the Air Force Institute of Technology under a full NSF-funded CyberCorps scholarship.

Guided Tour to IEEE 802.15.4 and BLE Exploitation

Thursday, 1000-1400 in Icon A

Arun Mane Principle Researcher, SecureLayer7

Rushikesh D. Nandedkar Security Analyst

The workshop aims at delivering hands on experience to pentest 802.15.4 and BLE commercial devices. By design and purpose, IoT was meant to serve the whims of human, taking human laziness to next level. Hence in this due effort, there was least || no attention paid towards the state of security of IoT. However, this doesn't mean, the motives of users are deterred to use insecure IoT devices/setups.

Due to high demand for automation in M2M communication, the IoT concept took a position in the industrial sector for better and fast work ignoring security aspect. Absence of this aspect in the production is making all IoT communications and wireless communications vulnerable largely.

On the other hand, BLE devices have been used everywhere. They are being used in home automation, healthcare, SensorTags and Bluetooth Password Manager etc. As a matter of fact, these BLE devices are equally vulnerable as that of IEEE 802.15.4 based devices. The impact is huge as these technologies are used in industrial applications like water dams and other ICS systems.

Prebuilt VM with lab manuals will be provided to attendees. The workshop is structured for beginner to intermediate level attendees who do not have any experience in IoT wireless communication.

Prerequisites:
1. Basic knowledge of web and mobile security
2. Basic knowledge of Linux OS
3. Basic knowledge of programming (C, python) would be a plus

Materials:
1. Laptop with at least 50 GB free space
2. 8+ GB minimum RAM (4+GB for the VM)
3. External USB access
4. Administrative privileges on the system
5. Virtualization software - VirtualBox 5.X (including Virtualbox extension pack)/VMware player/VMware workstation/VMware Fusion
6. Linux machines should have exfat-utils and exfat-fuse installed (ex: sudo apt-get install exfat-utils exfat-fuse).
7. Virtualization (Vx-t) option enabled in the BIOS settings for virtualbox to work
8. Latest OS on the host machines (For ex. Windows 7 is known to cause issues)

Max students: 24

Registration: -CLASS FULL- https://www.eventbrite.com/e/guided-tour-to-ieee-802154-and-ble-exploitation-icon-a-tickets-47085983444
(Opens July 8, 2018 at 15:00 PDT)

Arun Mane
Arun: is a Hardware, IOT and ICS Security Researcher. His areas of interest are Hardware Security, SCADA, Fault Injection, RF protocols and Firmware Reverse Engineering. He also has experience in performing Security Audits for both Government and private clients. He has presented a talk at the nullcon 2016,2017,2018 Goa, GNUnify 2017, Defcamp 2017,BsidesDelhi 2017, c0c0n x 2017,EFY 2018,X33fcon2018 Also Trainer for Practical Industrial Control Systems (ICS) hacking training, delivered in X33fcon2018 and was co-Trainer for Practical IoT hacking which was delivered in HITB 2017, HIP 2017, BlackHat Asia 2018 and private clients in London, Australia, Sweden, Netherlands etc. He is an active member of null - The open Security community and G4H community.

Rushikesh D. Nandedkar
Rushikesh: is a security analyst. Having more than six years of experience under his belt, his assignments have always been pointed towards reducing the state of insecurity for information. His research papers were accepted at NCACNS 2013, nullcon 2014, HITCON 2014, Defcamp 2014, BruCON 2015, DEFCON 24, BruCON 2016, x33fcon 2017, c0c0n-x 2017, BruCON 2017, BSides Delhi 2017, nullcon 2018, HITB Amsterdam 2018 and x33fcon 2018, as well he is a co-author of an intelligent evil twin tool "DECEPTICON". Being an avid CTF player, for him solace is messing up with packets, frames and shell codes.

Introduction to Cryptographic Attacks

Thursday, 1430-1830 in Icon B

Matt Cheung

Using cryptography is often a subtle practice and mistakes can result in significant vulnerabilities. This workshop will cover many of these vulnerabilities which have shown up in the real world. This will be a hands-on workshop where you will implement the attacks after each one is explained. I will provide a VM with Python dependencies and skeleton code included so you can focus on implementing the attack. A good way to determine if this workshop is for you is to look at the challenges at cryptopals.com and see if those look interesting, but you could use in person help understanding the attacks. While not a strict subset of those challenges, there is significant overlap.

Prerequisites: Students should have experience with Python development and comfortable with mathematics such as modular arithmetic.

Materials: A laptop with VMWare or VirtualBox installed and capable of running a VM.

Max students: 30

Registration: -CLASS FULL- https://www.eventbrite.com/e/introduction-to-cryptographic-attacks-icon-b-tickets-47086369599
(Opens July 8, 2018 at 15:00 PDT)

Matt Cheung
Matt Cheung started developing his interest in cryptography during an internship in 2011. He worked on implementation of a secure multi-party protocol by adding elliptic curve support to an existing secure text pattern matching protocol. Implementation weaknesses were not a priority and this concerned Matt. This concern prompted him to learn about cryptographic attacks from Dan Boneh's crypto 1 course offered on Coursera and the Matasano/cryptopals challenges. From this experience he has given talks and workshops at the Boston Application Security Conference and the DEF CON Crypto and Privacy Village.

Packet Mining for Privacy Leakage

Thursday, 1000-1400 in Icon F

Dave Porcello Founder, Pwnie Express

Sean Gallagher IT & National Security Editor, Ars Technica

Join the packet hunters behind NPR's Project Eavesdrop for an interactive, hands-on workshop where we'll hunt for juicy bits of personal & corporate data on the wire. Using Wireshark, ngrep, tcpflow, xplico and other Linux packet digging tools, you'll learn how to extract PII from a packet capture or live stream, including passwords, emails, photos/images, cookies, session IDs, credit card numbers, SSNs, GPS coordinates, mobile device details, cell carrier info, vulnerable client software, weak SSL sessions, and much more. Useful for detecting privacy/data leakage, passive pentesting, & network forensics, these techniques expose what an intermediary can discern about an individual or organization through passive monitoring of network traffic.

Prerequisites: Students must be comfortable with Linux command line & Wireshark.

Materials: Students wishing to participate in the exercises should bring a laptop running Kali Linux (or a Kali virtual machine).

Max students: 84

Registration: -CLASS FULL- https://www.eventbrite.com/e/packet-mining-for-privacy-leakage-icon-f-tickets-47086301395
(Opens July 8, 2018 at 15:00 PDT)

Dave Porcello
Dave Porcello is the Founder of Pwnie Express and creator of the original Pwn Plug, Power Pwn, and other covert pentesting gadgets featured on NPR, Wired, Ars Technica, Slashdot, and "Mr. Robot". Dave is currently a freelance pentester, packet hunter, researcher, & adjunct professor at Norwich University.

Sean Gallagher
Sean Gallagher is Ars Technica's IT and National Security Editor. He evaluates security tools and conducts privacy and security testing for Ars' Technology Lab.

Pentesting ICS 101

Thursday, 1000-1400 in Icon B

Alexandrine Torrents Security Consultant, Wavestone

Arnaud SOULLIÉ Manager, Wavestone

Many people talk about ICS & SCADA security nowadays, but only a few people actually have the opportunity to get their hands dirty and understand how these systems work. Have you ever wanted to know how to make a train derail, or stop a production line? Well, this workshop is made for you! The goal of this workshop is to give you the knowledge required to start attacking SCADA networks and PLCs, and give you hands-on experience on real devices by hacking our model train! In this workshop, we will cover the main components and the commonly associated security flaws of industrial control systems, aka SCADA systems. We will then focus on their key assets, Programmable Logic Controllers (PLCs), and discover how they work, how they communicate, how they can be programmed to learn the methods and tools you can use to p*wn them. Then we will move on to real-world by attacking real PLCs from two major manufacturers on a dedicated setup featuring robot arms and a model train! Let's capture the flag!

Prerequisites: A knowledge of penetration testing is a plus, but we try to make it work for newbies as well.

Materials: A computer with 4gb of RAM, 30GB disk space and Virtualbox. We will provide 2 Virtual Machines for attendees.

Max students: 30

Registration: -CLASS FULL- https://www.eventbrite.com/e/pentesting-ics-101-icon-b-tickets-47086318446
(Opens July 8, 2018 at 15:00 PDT)

Alexandrine Torrents
Alexandrine Torrents is a cybersecurity consultant at Wavestone, a French consulting company. She is specialized in penetration testing, and performed several security assessment on ICS. She worked on a few ICS models to demonstrate attacks on PLCs and she developed a particular tool to request Siemens PLCs. Moreover, she is also working at securing ICS, in the scope of the French military law, enforcing companies offering a vital service to the nation to comply to security rules.

Arnaud SOULLIÉ
Arnaud Soullié is a manager at Wavestone, performing security audits and leading R&D projects. He has a specific interest in Active Directory security as well as ICS, two subjects that tend to collide nowadays. He teaches ICS security and pentests workshops at security conferences (BlackHat Europe 2014, BSides Las Vegas 2015/2016, Brucon 2015/2017, DEFCON 24) as well as full trainings (Hack In Paris 2015).

Playing with RFID

Thursday, 1430-1830 in Icon E

Vinnie Vanhoecke Penetration Tester, Ernst & Young Belgium

Lorenzo Bernardi Cyber Security Consultant, Ernst & Young Belgium

This is a workshop about Radio-frequency Identification (RFID), including a basic introduction and a set of practical hands-on challenges. We will start with explaining the theory behind RFID, including the different types and protocols (e.g. HID, Mifare, �) and how to perform an RFID assessment. Afterwards, the participants can take on several challenges (of increasing difficulty) with RFID readers that we will provide. Our objective is to make this workshop fun and accessible to a wide audience.

Prerequisites: Basic Linux knowledge

Materials: Laptop (preferably Linux based OS)

Max students: 33

Registration: -CLASS FULL- https://www.eventbrite.com/e/playing-with-rfid-icon-e-tickets-47086519046
(Opens July 8, 2018 at 15:00 PDT)

Vinnie Vanhoecke
Vinnie is a penetration tester of web application & mobile application working for EY. During college he wrote a thesis about RFID and now he using his experience to provide a RFID workshop and make people aware of the vulnerabilities within RFID. In his spare time he strengthen his IT security skills by playing CTF's, reading blogs, going to conferences and develop a variety of side projects.

Lorenzo Bernardi
Lorenzo is a cyber security consultant at EY. He mainly focusses on penetration testing and red team exercises. Because of the different physical intrusion he had to perform in the scope of the red teaming activities, he extended his wireless knowledge to the RFID field, where he gained experience over the years. In his spare time Lorenzo likes to learn new topics related to cyber security. He has basic knowledge of wireless signal hacking, in addition of RFID.

Pwning "the toughest target": the exploit chain of winning the largest bug bounty in the history of ASR program

Thursday at 11:00 in 101 Track, Flamingo
45 minutes |

Guang Gong Alpha Team at Qihoo 360

Wenlin Yang Alpha Team at Qihoo 360

Jianjun Dai Security researcher of Qihoo360 Alpha Team

In recent years, Google has made many great efforts in exploit mitigation and attack surface reduction to strengthen the security of android system. It is becoming more and more difficult to remotely compromise Android phones especially Google’s Pixel phone.

The Pixel phone is protected by many layers of security. It was the only device that was not pwned in the 2017 Mobile Pwn2Own competition. But our team discovered a remote exploit chain—the first of its kind since the Android Security Rewards (ASR) program expansion, which could compromise The Pixel phone remotely. The exploit chain was reported to Android security team directly. They took it seriously and patched it quickly. Because of the severity and our detailed report, we were awarded the highest reward ($112,500) in the history of the ASR program.

In this talk we will detail how we used the exploit chain to inject arbitrary code into system_server process and get system user permissions. The exploit chain includes two bugs, CVE-2017-5116 and CVE-2017-14904. CVE-2017-5116 is a V8 engine bug related with Webassembly and SharedArrayBuffer. It is used to get remote code execution in sandboxed Chrome render process. CVE-2017-14904 is a bug in Android's libgralloc module that is used to escape from the sandbox. The way we used for sandbox escaping is very interesting, rarely talked about before. All details of vulnerabilities and mitigation bypassing techniques will be given in this talk.

Guang Gong
Guang Gong (@oldfresher) is a senior security researcher of Qihoo360 and the team leader of 360 Alpha Team. His research interests included Windows rootkits, virtualization and cloud computing. He currently focuses on mobile security, especially on hunting and exploiting Android's vulnerabilities. He has spoken at several security conferences such as Black Hat, CanSecWest, PHDays, SyScan360, MOSEC, PacSec and so on. He is the winner of Mobile Pwn2Own 2015(the target: Nexus 6), Pwn0Rama 2016 (the category of mobile devices), Pwn2Own 2016 (the target: Chrome), PwnFest 2016(the target: Pixel XL), Mobile Pwn2Own 2017(the target: Galaxy S8).

@oldfresher

Wenlin Yang
Wenlin Yang is a junior researcher of Qihoo 360 and the team member of 360 Alpha Team. He currently focuses on Android's vulnerabilities. He has submitted multiple bugs to Google and several other vendors in China and received some acknowledgments.

Jianjun Dai
Jianjun Dai (@Jioun_dai) is a security researcher of Qihoo360 Alpha Team, he focus on Android system security research, vulnerability hunting and exploiting development. Previously, he is a security developer, major work include network protocol analysis, vulnerability detection, botnet and backdoor detection, sandbox technology research and development, etc. He have been in Android vulnerability research for more than two years, he found lots of vulnerabilities in AOSP, and won the Bug Bounty. He is a speaker at the CanSecWest conference.

Ring 0/-2 Rootkits: bypassing defenses

Thursday at 12:00 in 101 Track, Flamingo
45 minutes |

Alexandre Borges Malware and Security Researcher at Blackstorm Security

Advanced malware such as TDL4, Rovnix, Gapz, Omasco, Mebromi and others have exposed in recent years various techniques used to circumvent the usual defenses and have shown how much companies are not prepared to deal with these sophisticated threats.

Although the industry has implemented new protections such as Virtualized Based Security, Windows SMM Security Mitigation Table (WSMT), Kernel Code Signing, HVCI, ELAM, Secure Boot, Boot Guard, BIOS Guard, and many others, it is still unknown the professionals of the architecture of these protections, what are the components attacked by these contemporary malwares in the context of BIOS / UEFI and what are the tricks used by them. Precisely because of the lack of adequate understanding, most machines (BIOS / UEFI + operating system) remain vulnerable in the same way as a few years ago.

In addition, there are a growing number of malwares that have used kernel drivers to circumvent limitations and protections in order to gain full access to the operating system and data. Exactly for these reasons, it is necessary to understand the way that malwares act as device drivers and what are the mechanisms used by these threats to infect an operating system.

The purpose of this presentation is to show clearly and without too much details that often hinders understanding, how these threats act, which components are attacked, what are the techniques used by these advanced malware to subvert the system and how existing protections work .

Alexandre Borges
Alexandre has been working as Malware and Security researcher at Blackstorm Security, where he is daily involved with malware analysis cases, forensic and fraud investigations, reverse engineering and exploit development projects. In the past, Alexandre worked as instructor at Sun Microsystems for ten years and Symantec for six years.

Nowadays, he is reviewer of"The Journal of Digital Forensics, Security and Law", referee on "Digital Investigation—The International Journal of Digital Forensics & Incident Response" and member of the Digital Law and Compliance Committee at OAB/SP.

Slides and articles written by Alexandre are available on: http://www.blackstormsecurity.com/bs/en/en_articles.html

@ale_sp_brazil, http://www.linkedin.com/in/aleborges, http://www.blackstormsecurity.com

The Truth is in the Network: Reverse Engineering Application-Layer Protocols Via PCAP

Thursday, 1430-1830 in Icon F

David Pearson Principal Threat Researcher, Awake Security

Reverse engineering has become an increasingly important element of network security. The ability to break a system down in order to understand its base components and how they interact is critical to understanding not just how the system works, but the ways it can leave your network vulnerable. This is especially true at the application level, where insecure or poorly managed applications can leak sensitive data. In this hands-on workshop, attendees will learn how to reverse engineer real application-layer protocols. During our time together, we'll start at the surface and do a deep technical dive into the network traffic of a common remote access application. Along the way, we'll:

1. Introduce protocol reverse engineering and explain its importance
2. Learn how to discover structured data
3. Determine if data is encoded or encrypted
4. Understand how various protocols interact
5. Uncover secondary communications and information leaks in a hands-on fashion

All materials and content are freely available at https://dl.awakesecurity.com/defcon/nw_re_tools/resources.html and will remain so.

Prerequisites: Familiarity with a network packet capture and analysis tool -such as Wireshark - will provide a solid foundation on which to build. In addition, a basic understanding of lua scripts will be beneficial.

Materials: Students will need a laptop with Wireshark installed and access to the Internet. An IDE of choice is also recommended.

Max students: 84

Registration: -CLASS FULL- https://www.eventbrite.com/e/the-truth-is-in-the-network-reverse-engineering-application-layer-protocols-via-pcap-icon-f-tickets-47086494974
(Opens July 8, 2018 at 15:00 PDT)

David Pearson
Having used Wireshark ever since it was Ethereal, David has been analyzing network traffic for well over a decade. He has spent the majority of his professional career understanding how networks and applications work, currently as Principal Threat Researcher for Awake Security. David holds computer security degrees from the Rochester Institute of Technology (BS) and Carnegie Mellon University (MS).

ThinSIM-based Attacks on Mobile Money Systems

Thursday at 10:00 in 101 Track, Flamingo
45 minutes | Demo, Exploit

Rowan Phipps Undergraduate researcher, University of Washington

Phone-based mobile money is becoming the dominant paradigm for financial services in the developing world processing more than a billion dollars per day for over 690 million users. For example, mPesa has an annual cash flow of over thirty billion USD, equivalent to nearly half of Kenya's GDP. Numerous other products exist inside of nearly every other market, including GCash in the Philippines and easyPaisa in Pakistan. As a part of this growth, competitors have appeared who leverage ThinSIMS, small SIM card add ons, to provide alternative mobile money implementations without operating their own mobile networks. However, the security implications of ThinSIMs are not well understood.

This talk dives into decade old telecom standards to explore how ThinSIMs work and what attackers of mobile money systems can do when they control the interface between the SIM card and the phone. We will also demo two proof of concept exploits that use ThinSIMs to steal money from mobile money platforms and detail the difficulties of defense.

Rowan Phipps
Rowan is an undergraduate at the University of Washington where he studies Computer Science. He's a member of Batman's Kitchen and has participated in CTF and CCDC competitions. Last summer he worked in the Digital Financial Services Research Group looking into the security of mobile money. In his spare time he likes to dabble with hardware design.

@RowanPhipps

WAGGING THE TAIL—COVERT PASSIVE SURVEILLANCE AND HOW TO MAKE THEIR LIFE DIFFICULT

Thursday at 14:00 in 101 Track, Flamingo
45 minutes |

Si Independent Security Consultant

Agent X Hacker

In this modern digital age of technically competent adversaries we forget that there may still be a need to conduct old school physical surveillance against a target. Many organisations utilise surveillance teams and these may be in-house in the case of government agencies or third-party teams contracted for a specific task and their targets range from suspected terrorists to people accused of bogus insurance claims.

Whilst most people think that they may never be placed under surveillance some professions increase this probability. For example, if you are a member of the press with sources that you only meet face to face you could be a target especially if the source is a whistleblower or has information that their employer would rather they didn't give to you. Would it seem far-fetched to think that a hacker, security researcher or a member of the EFF could be placed under surveillance? Maybe even some current and former DEF CON speakers and attendees?

These teams are not the lone Private Investigator sat in their car at the bottom of your street but are highly trained individuals whose job is to remain undetected. Their mission is to observe and identify interactions and document everything they see. They aim to be "The Grey Man", that person, when asked to describe, you are unable to. Their techniques have changed very little over decades because they work.

This talk will focus on mobile and foot surveillance techniques used by surveillance teams. It will also include tips on identifying if you are under surveillance and how to make their life difficult.

Si
Si previously served 22 years in the British Army and is now an independent security consultant with over 25 years of combined experience in various security fields. He always tries to follow the mantra "security must make sense".

@SecuritySense

Agent X
Agent X is a hacker, interested in offensive security, espionage, and operational security. He's been a DEF CON goon for the last twenty years and spent a majority of that time as head of speaker operations. A loud-mouth, he's spoken at DEF CON, Notacon, Shmoocon, Hackcon, Pumpcon, and Hushcon. He travels internationally more than most but not as much as he'd like. He lives in a van down by the river.

Where's My Browser? Learn Hacking iOS and Android WebViews

Thursday, 1000-1400 in Icon C

David Turco Senior Security Consultant, Context Information Security

Jon Overgaard Christiansen Principal Security Consultant, Context Information Security

WebViews allow developers to embed HTML pages into mobile applications and their use is widespread, from merely displaying a simple help page to wrapping an entire website inside a mobile app. Developers now "control the browser" and things can go very wrong: a cross site scripting vulnerability can be catastrophic for a mobile application and result in the exfiltration of user's data stored on the device or in someone listening to user conversations. The "Where's My Browser?" vulnerable-by-design mobile applications for Android and iOS have been written by the presenter as a teaching tool for hacking WebViews. The workshop covers the attack surface of Android and iOS WebViews and presents techniques and tools for identifying and exploiting those vulnerabilities. Attendees will practice their skills against the "Where's My Browser?" mobile apps. The source code of the applications will help students in recognizing common coding mistakes.

Prerequisites: The workshop is aimed at an audience with an intermediate skill level. It is expected a basic knowledge of mobile and web application security testing (can you tell the difference between XSS and CSRF?) and a basic understanding of JavaScript and common programming concepts.

Materials: The best setup to cover all exercises is a Mac OS X laptop with Android Studio, Apple Xcode and Google Chrome installed. All exercises can be done using the Android and iOS simulators. A physical mobile device is not necessary. Alternatively a Linux or Windows laptop with Android Studio and Google Chrome installed plus an iPhone (preferably jailbroken) are sufficient. An Apple ID is required to deploy the iOS application to a physical device.

Max students: 66

Registration: -CLASS FULL- https://www.eventbrite.com/e/wheres-my-browser-learn-hacking-ios-and-android-webviews-icon-c-tickets-47086190062
(Opens July 8, 2018 at 15:00 PDT)

David Turco
David (endless) works as a Senior Security Consultant at Context Information Security. He started his professional career as a Linux administrator and then moved to information security about 5 years ago. He has a wide skill set but has developed a specific interest in web and mobile technologies. In the past he provided training on a variety of topics, including advanced web application training to developers and pentesters. Recently he's done some research work on XSLT injection attacks. He also developed BHFS, a write-only filesystem based on PGP.

Personal site: https://www.authenticationfailure.com/

Jon Overgaard Christiansen
Jon is a Principal Security Consultant at Context Information Security. After working as an enterprise dev for a few years he moved into security, spending the last 7 years breaking code instead of writing it. Mobile security has been a key topic for him since back when there was still something called the Windows Phone and he has delivered training on this topic, and others like web app hacking and scripting attacks, over the last 5 years. Most of his time these days are spent on random red teams or reverse engineer mobile applications, but other interests do include the writing of rootkits and remote access tools... just for fun... as well as the occasional dabble in game design!