'Cyber' Who Done It?! Attribution Analysis Through Arrest History

Jake Kouns CISO, Risk Based Security

There have been over 20,000 data breaches disclosed exposing over 4.8 billion records, with over 4,000 breaches in 2015 alone. It is clear there is no slowdown at all and the state of security is embarrassing. The total cybercrime cost estimates have been astronomical and law enforcement has been struggling to track down even a fraction of the criminals, as usual.

Attribution in computer compromises continues to be a surprisingly complex task that ultimately isn’t definitive in most cases. Rather than focusing on learning from security issues and how companies can avoid these sorts of data breaches in the future, for most media outlets the main topic after a breach continues to be attribution. And if we are honest, the media have painted an "interesting" and varied picture of "hackers" over the years, many of which have caused collective groans or outright rage from the community.

The Arrest Tracker project was started in 2011 as a way to track arrests from all types of "cyber" (drink!) and hacking related incidents. This project aims to track computer intrusion incidents resulting in an arrest, detaining of a person or persons, seizure of goods, or other related activities that are directly linked to computer crimes.

The Arrest Tracker project currently has 936 arrests collected as of 4/23/2016. How does tracking this information help and what does the data tell us? A lot actually! Who is behind these data breaches and what are the demographics such as average age, gender, and nationality? Which day of the week are you most likely to be arrested? How many arrests lead to assisting authorities to arrest others? How many work by themselves versus part of a group? These observations, and a lot more, paint an interesting picture of the computer crime landscape.

Jake Kouns is the CISO for Risk Based Security that provides vulnerability and data breach intelligence. He has presented at many well-known security conferences including DEF CON , Black Hat, DerbyCon, FIRST, CanSecWest, RSA, SOURCE, SyScan and many more. He is the co-author of the book Information Technology Risk Management in Enterprise Environments, Wiley, 2010 and The Chief Information Security Officer, IT Governance, 2011. With all of that said, many people are shocked to find out that he has a CISO title, and many others can’t believe that he has been attending DEF CON since the good old days of Alexis Park!

Twitter: @jkouns
Risk Based Security

Robot Hacks Video Games: How TASBot Exploits Consoles with Custom Controllers

Allan Cecil (dwangoAC) President, North Bay Linux User's Group

TASBot is an augmented Nintendo R.O.B. robot that can play video games without any of the button mashing limitations us humans have. By pretending to be a controller connected to a game console, TASBot triggers glitches and exploits weaknesses to execute arbitrary opcodes and rewrite games. This talk will cover how these exploits were found and will explore the idea that breaking video games using Tool-Assisted emulators can be a fun way to learn the basics of discovering security vulnerabilities. After a brief overview of video game emulators and the tools they offer, I'll show a live demo of how the high accuracy of these emulators makes it possible to create a frame-by-frame sequence of button presses accurate enough to produce the same results even on real hardware. After demonstrating beating a game quickly I'll show how the same tools can be used to find exploitable weaknesses in a game's code that can be used to trigger an Arbitrary Code Execution, ultimately treating the combination of buttons being pressed as opcodes. Using this ability, I'll execute a payload that will connect a console directly to the internet and will allow the audience to interact with it. An overview of some of the details that will be described in the talk can be found in an article I coauthored for the PoC||GTFO journal (Pokemon Plays Twitch, page 6 ).

Allan Cecil (dwangoAC) is the President of the North Bay Linux User's Group. He acts as an ambassador for Tasvideos.org, a website devoted to using emulators to complete video games as quickly as the hardware allows. He participates in Games Done Quick charity speedrunning marathons using TASBot to entertain viewers with never-before-seen glitches in games. By day, he is a senior engineer at Ciena Corporation working on OpenStack Network Functions Virtualization orchestration and Linux packet performance optimization testing.

Twitter: @MrTASBot
Twitch.TV: dwangoac
YouTube: dwangoac

(Ab)using Smart Cities: The Dark Age of Modern Mobility

Matteo Beccaro CTO, Opposing Force
Matteo Collura Electronic Engineering Student, Politecnico di Torino

Since these last few years our world has been getting smarter and smarter. We may ask ourselves: what does smart mean? It is the possibility of building systems which are nodes of a more complex network, digitally connected to the internet and to the final users. Our cities are becoming one of those networks and over time more and more elements are getting connected to such network: from traffic lights to information signs, from traffic and surveillance cameras to transport systems.

This last element, also called as Smart Mobility is the subject of our analysis, divided in three sub-element, each one describing a different method of transport in our city: Private transport: for this method we analyze the smart alternatives aimed to make parking activity easy, hassle free and more convenient Shared transport: we focus our attention on those systems which are sharing transport vehicles. In particular we deal with bike sharing which seems to be the most wide spread system in European cities Public transport: object of our analysis for this section is the bus, metro and tram network The aim of our analysis is understanding the ecosystem which each element belongs to and performing a security evaluation of such system. In this way the most plausible attack and fraud scenarios are pointed out and the presence of proper security measures is checked.

All the details discussed here are collected from a sample city, but the same methodology and concept can be applied to most of the smart cities in the world.

Matteo Beccaro is a security researcher, enrolled in Computer Engineering at Politecnico of Turin. He's co-founder and CTO of Opposing Force s.r.l., the first Italian offensive physical security company. Matteo works and researches on network protocols, NFC and EACS security. He's been selected as speaker at some of most prestigious international conferences like: DEF CON 21, 30th Chaos Communication Congress (30C3), BlackHat USA Arsenal 2014, DEF CON 22 SkyTalks, BlackHat Europe 2014, TetCon 2015, DEF CON 23 e ZeroNights 2015. As Chief Technical Officer of Opposing Force, Matteo works on vulnerability research activities and building physical intrusion.

Twitter: @_bughardy_

Matteo Collura is a student of Electronic Engineering at Politecnico di Torino. He has been studying Wireless networks and in the last few years he focused on NFC and Bluetooth. He presented the results of a progressive work of research at several conferences: DEF CON 21 (Las Vegas, 2013), 30C3 (Hamburg 2013), DEF CON Skytalks (Las Vegas, 2014), BlackHat USA 2014 Arsenal (Las Vegas), DEF CON 23 (Las Vegas, 2015), ZeroNights 2015 (Moscow) . He is going to continue his studies with a MSc in Electronic Engineering , Systems and Controls.

Twitter: @eagle1753

101 Ways to Brick your Hardware

Joe FitzPatrick SecuringHardware.com
Joe Grand (Kingpin) Grand Idea Studio

Spend some time hacking hardware and you'll eventually render a piece of equipment unusable either by accident or intentionally. Between us, we've got decades of bricking experience that we'd like to share. We'll document the most common ways of temporarily or permanently damaging your hardware and ways to recover, if possible. We'll also talk about tips on how to avoid bricking your projects in the first place. If you're getting into hardware hacking and worried about messing something up, our stories will hopefully prevent you from experiencing the same horrors we did. If you're worried about an uprising of intelligent machines, the techniques discussed will help you disable their functionality and keep them down.

Joe FitzPatrick is an Instructor and Researcher at https://SecuringHardware.com. Joe has spent over a decade working on low-level silicon debug, security validation, and hardware penetration testing, and hardware security training. In between training and bricking hardware, Joe is busy developing new course content or working on contributions to the NSA Playset and other misdirected hardware projects.

Twitter: @securelyfitz

Joe Grand also known as Kingpin, is a computer engineer, hardware hacker, former DEF CON badge designer, runner, daddy, honorary doctor, TV host, member of L0pht Heavy Industries, and the proprietor of Grand Idea Studio.

Twitter: @joegrand

411: A framework for managing security alerts

Kai Zhong Application Security Engineer, Etsy
Kenneth Lee Senior Security Engineer, Etsy

Modern web applications generate a ton of logs. Suites like ELK (Elasticsearch, Logstash, Kibana) exist to help manage these logs, and more people are turning to them for their log analysis needs. These logs contain a treasure trove of information regarding bad actors on your site, but surfacing that information in a timely manner can be difficult. When Etsy moved over from Splunk to ELK in mid-2014, we realized that ELK lacked necessary functionality for real-time alerting. We needed a solution that would provide a robust means of querying ELK and enrich the data with additional context. We ended up creating our own framework to give us this functionality. We’ve named this open-source framework 411. We designed 411 as a solution for detecting and alerting on interesting anomalies and security events. The Security team at Etsy was interested in using this functionality to detect everything from XSS to monitoring for potential account compromises. First, we’ll start off with a discussion of what you should be logging into Elasticsearch. This is important to help you create useful, actionable alerts in 411. We’ll note a number of configuration tips and tricks to help you get the most out of your ELK cluster. From there, we’ll dive into 411’s features and how it allows the Etsy security team to work effectively. We’ll conclude with two demos of 411 in action. This presentation will show you several examples of useful searches you can build in 411 and how this data can be manipulated to generate clear, actionable alerts. We’ll demonstrate the built-in workflow for responding to alerts and how 411 allows you to pull up additional context as you work on an alert. Additionally, while much of our discussion will be centered around ELK, 411 can in fact be used with a variety of data sources (Several of these sources are built into 411). Whether you’re a newbie looking to learn more or a security veteran with an established system, 411 will help change the way you handle security alerts.

Kai is a security engineer at Etsy. At work, he fiddles around with security features, works on 411 and responds to the occasional bug bounty report. He went to NYU-Poly and got a degree in Computer Science, with a MS in Computer Security. In his free time, he enjoys reverse engineering, CTFs board games, starting yet another project that he’ll never finish and learning all the things.

Twitter: @sixhundredns

Kenneth Lee is a senior product security engineer at Etsy.com, working on everything from managing the bug bounty program to shattering the site with new vulnerabilities. Previously, Kenneth worked at FactSet Research Systems preventing The Hackers from stealing financial data. He went to Columbia and got an MS in computer science focusing on computer security. Between sweet hacks, Kenneth enjoys drinking tea and force feeding Etsy's operations team with Japanese chocolates.

Twitter: @kennysan

A Journey Through Exploit Mitigation Techniques in iOS

Max Bazaliy Staff Engineer, Lookout

Over the past year, Apple has consistently added features to prevent exploitation of the iOS kernel. These features, while largely misunderstood, provide a path for understanding of the iOS security model going forward. This talk will examine the history of iOS’s exploit mitigations from iOS 8 to iOS 9.3 in order to teach important features of the architecture. This talk will cover various enhancements that stop attackers from dynamically modifying the functionality of system services, but also resulted in the defeat of all known exploitation through function hooking. Additionally, we will explore how the ability to use PLT interception and the use of direct memory overwrite are no longer options for exploit writers because of recent changes. Finally, we will cover the code-signing mechanism in depth, userland and kernel implementations and possible ways to bypass code-sign enforcement.

Max Bazaliy is a security researcher at Lookout. He has over 9 years of experience in the security research space. Max has experience in native code obfuscation, malware detection and iOS exploitation. Before joining Lookout Max was working in malware research and software protection areas, most recently at Bluebox Security. Currently he is focused on mobile security research, XNU and LLVM internals. Max holds a Master's degree in Computer Science.

Twitter: @mbazaliy

A Monitor Darkly: Reversing and Exploiting Ubiquitous On-Screen-Display Controllers in Modern Monitors

Ang Cui PHD, CEO & Chief Scientist, Red Balloon Security
Jatin Kataria Principal Research Scientist, Red Balloon Security
Francois Charbonneau Research Scientist, Red Balloon Security

There are multiple x86 processors in your monitor! OSD, or on-screen-display controllers are ubiquitous components in nearly all modern monitors. OSDs are typically used to generate simple menus on the monitor, allowing the user to change settings like brightness, contrast and input source. However, OSDs are effectively independent general-purpose computers that can: read the content of the screen, change arbitrary pixel values, and execute arbitrary code supplied through numerous control channels. We demonstrate multiple methods of loading and executing arbitrary code in a modern monitor and discuss the security implication of this novel attack vector.

We also present a thorough analysis of an OSD system used in common Dell monitors and discuss attack scenarios ranging from active screen content manipulation and screen content snooping to active data exfiltration using Funtenna-like techniques. We demonstrate a multi-stage monitor implant capable of loading arbitrary code and data encoded in specially crafted images and documents through active monitor snooping. This code infiltration technique can be implemented through a single pixel, or through subtle variations of a large number of pixels. We discuss a step-by-step walk-through of our hardware and software reverse-analysis process of the Dell monitor. We present three demonstrations of monitoring exploitation to show active screen snooping, active screen content manipulation and covert data exfiltration using Funtenna.

Lastly, we discuss realistic attack delivery mechanisms, show a prototype implementation of our attack using the USB Armory and outline potential attack mitigation options. We will release sample code related to this attack prior to the presentation date.

Dr. Ang Cui is the Founder and Chief Scientist of Red Balloon Security. Dr. Cui received his PhD from Columbia University in 2015. His doctoral dissertation, titled "Embedded System Security: A Software-based Approach", focused exclusively on scientific inquiries concerning the exploitation and defense embedded systems. Ang has focused on developing new technologies to defend embedded systems against exploitation. During the course of his research, he has uncovered a number of serious vulnerabilities within ubiquitous embedded devices like Cisco routers, HP printers and Cisco IP phones. Dr. Cui is also the author of FRAK and the inventor of Software Symbiote technology. Ang has received various awards on his work on reverse engineering commercial devices and is also the recipient of the Symantec Graduate Fellowship and was selected as a DARPA Riser in 2015.

Jatin Kataria is a Principal Research Scientist at Red Balloon Security. His research focus is on the defense and exploitation of embedded devices. Jatin earned his master’s degree from Columbia University and a bachelor’s degree from Delhi College of Engineering. Previously, he has worked as a System Software Developer at NVIDIA and as an Associate Software Engineer at Mcafee.

Francois Charbonneau is a embedded security researcher who spent the better part of his career working for the Canadian government until he got lost and wondered into New York City. He now works as a research scientist for Red Balloon Security where he lives a happy life, trying to make the world a more secure place, one embedded device at a time.

Abusing Bleeding Edge Web Standards for AppSec Glory

Bryant Zadegan Application Security Advisor & Mentor, Mach37
Ryan Lester CEO & Chief Software Architect, Cyph

Through cooperation between browser vendors and standards bodies in the recent past, numerous standards have been created to enforce stronger client-side control for web applications. As web appsec practitioners continue to shift from mitigating vulnerabilities to implementing proactive controls, each new standard adds another layer of defense for attack patterns previously accepted as risks. With the most basic controls complete, attention is shifting toward mitigating more complex threats. As a result of the drive to control for these threats client-side, standards such as SubResource Integrity (SRI), Content Security Policy (CSP), and HTTP Public Key Pinning (HPKP) carry larger implementation risks than others such as HTTP Strict Transport Security (HSTS). Builders supporting legacy applications actively make trade-offs between implementing the latest standards versus accepting risks simply because of the increased risks newer web standards pose. In this talk, we'll strictly explore the risks posed by SRI, CSP, and HPKP; demonstrate effective mitigation strategies and compromises which may make these standards more accessible to builders and defenders supporting legacy applications; as well as examine emergent properties of standards such as HPKP to cover previously unforeseen scenarios. As a bonus for the breakers, we'll explore and demonstrate exploitations of the emergent risks in these more volatile standards, to include multiple vulnerabilities uncovered quite literally during our research for this talk (which will hopefully be mitigated by d-day).

Bryant Zadegan is an application security advisor and mentor at Mach37, a security accelerator focused on pouring substantial dollars into new security technologies. When not driving developers to embrace AppSec in continuous integration, Bryant punches holes in Amazon, Google, Reddit, etc. On days when he'd rather not touch computers, he's usually nowhere to be found near DC.

Twitter: @eganist
Keybase.io/bryant

Ryan Lester is the CEO and chief software architect for Cyph, a web-based one-click end-to-end-encrypted communications service funded in part by Mach37, Virginia's Center for Innovative Technology, and the Goel Fund. Since departing SpaceX, Ryan has dedicated the better part of a year and a half to the vision of accessible encrypted communication. Unsurprisingly, when he isn't working on building the logic for Cyph, he's usually looking for ways to break it.

Twitter: @theryanlester

Advanced Blind SQL Injection Exploitation

David Caissy Web App Penetration Tester, Albero Solutions Inc.

SQL Injection (SQLi) vulnerabilities are the most common injection flaws found in web applications today, ranking number one in the OWASP Top 10 most critical web application security risks. When an attacker is able to find and exploit such a vulnerability, the end result is often disastrous: complete database downloaded, application backdoor created or even remote code execution. Suffice to say that penetration testers need to find these vulnerabilities before the bad guys do.

But vulnerability scanners and automated exploitation tools like sqlmap can only do so much when it comes to finding and exploiting SQLi vulnerabilities. While they do a good job for regular or error-based SQLi vulnerabilities, their success rate lowers drastically when blind SQLi is encountered, especially when time-based attacks are required. And if you need to be quiet on the network, most tools are just insanely noisy…

This course is designed to help penetration testers who have been using these tools to get to the next level, where finding and exploiting SQLi is no longer easy. When only a browser and notepad are available to you or when being quiet is critical, you will be glad you know this stuff.

1. SQL crash course for hackers (15 min)
2. Error-based SQL Injection (1h 15min)
   • Bypassing login (demo)
   • UNION exploitation techniques (exercise)
3. Blind SQL Injection (2h 30min)
   • Splitting and Balancing
   • Boolean exploitation techniques (exercise)
   • Time-based exploitation techniques (exercise)

Bonus exercise: Exploiting error-based SQLi and blind SQLi using sqlmap

David Caissy, M. Sc., OSCP, GWAPT, GPEN, GSEC, CISSP, CEH is a web application penetration tester with in-depth developer and IT Security background spanning over 16 years. He has extensive experience in conducting vulnerability assessments and penetration tests as well as providing training globally, amongst numerous other teaching engagements. He has worked for a central bank, the Department of National Defense, various government agencies and private companies. David has been teaching web application security in colleges, conferences and for many government agencies over the last 15 years.

Max Class Size: 55
Prerequisites for students: This course is for penetration testers who have used sqlmap and other automated tools before, but now want to go to the next level. Basic knowledge of the SQL language is required as well as a basic understanding of error-based SQL injection techniques.
Materials or Equipment students will need to bring to participate: Participants need to bring a laptop with VMWare Workstation/Player/Fusion or VirtualBox pre-installed. I will give them a virtual machine containing a vulnerable web application where they will be able to do the exercises.

All Your Solar Panels are Belong to Me

Fred Bret-Mounet Hacker

I got myself a new toy: A solar array... With it, a little device by a top tier manufacturer that manages its performance and reports SLAs to the cloud. After spending a little time describing why it tickled me pink, I'll walk you through my research and yes, root is involved! Armed with the results of this pen test, we will cover the vendor's reaction to the bee sting: ostrich strategy, denial, panic, shooting the messenger and more. Finally, not because I know you get it, but because the rest of the world doesn't, we'll cover the actual threats associated with something bound to become part of our critical infrastructure. Yes, in this Shodan world, one could turn off a 1.3MW solar array but is that as valuable as using that device to infiltrate a celebrity's home network?

Fred Bret-Mounet's descent into the underworld of security began as a pen tester at @stake. Now, he leads a dual life--info sec leader by day, rogue hacker by night. His life in the shadows and endless curiosity has led to surprising home automation hacks, playing with Particle Photons and trying to emulate Charlie & Chris' car hacking on his I3.

Twitter: @fbret

An Introduction to Pinworm: Man in the Middle for your Metadata

bigezy Hacker
saci Hacker

What is the root cause of memory and network traffic bloat? Our current research using tools we previously released Badger at Black Hat in 2014 and the Kobra released at BsidesLV 2015 shows a 40 percent increase in outside unique IP traffic destinations and a 400 percent increase in data transmitted towards these destinations. But through the course of the research we found currently used IRP monitoring tools were lacking to help produce enough information to forensically investigate the exfiltration of user metadata. Pinworm is a sniffer that shows all created IRPs created in the kernel in I/O devices. The IRPs are correlated with the processes that created them and the called driver stack. With network traffic data we are off to the races. Using pinworm which we released this week, we will show forensic case studies from cradle to grave of what happens when you do things online in social media sites.

Like all of our previously released tools, Pinworm is a framework including server side code you can use to collect and display user metadata inline in browser frames. Does this metadata collection happen in the browser, in userland, or in the kernel? Come to our talk and find out. We will demonstrate the collection of user metadata and collecting this information in a live browser session. Then we will show you how to intercept your personal data before it leaves your computer keeping your privacy, well, private. BYOTFH (Bring your own tin foil hat).

bigezy has spent his career defending critical infrastructure hacking it from the inside to keep things from blowing up. Bigezy got his black badge from DEF CON in 2003. Bigezy currently works as a cyber security researcher at a place where these things are done. During the last 25 years, Bigezy has worked at fortune 500 companies in the electric sector, financial sector, and telecom. He has spoke at numerous conferences worldwide including bsidesLV and the DEF CON Crypto and Privacy village last year. Bigezy is also the president of Hackito Ergo Sum in Paris France. @bigezy_ When you are a one legged boogeyman slash system internals hacker, every kick is a flying kick.

Twitter: @bigezy

saci takes pride in his disdain for hypocrisy. We are sure you have seen him around in the usual places, and maybe you think you know who he is. But, you will never quite know who he is until you come to the talk.

Twitter: @itsasstime

Analyzing Internet Attacks with Honeypots

Ioannis Koniaris Security Engineer

In the field of computer security, honeypots are systems aimed at deceiving malicious users or software that launch attacks against the servers and network infrastructure of various organizations. They can be deployed as protection mechanisms for an organization’s real systems, or as research units to study and analyze the methods employed by human hackers or malware. In this workshop we will outline the operation of two research honeypots, by manual deployment and testing in real time. A honeypot system will undertake the role of a web trap for attackers who target the SSH service in order to gain illegal server access. Another one will undertake the role of a malware collector, usually deployed by malware analysts and anti-virus companies to gather and securely store malicious binary samples. We will also talk about post-capturing activities and further analysis techniques. As an example, we will see how to index all the captured information in a search engine like Elasticsearch and then utilize ElastAlert, an easy to use framework to setup meaningful alerting. Lastly, visualization tools will be presented for the aforementioned systems, plus a honeypot bundle Linux distribution that contains pre-configured versions of the above tools and much more related utilities, which can make the deployment of honeypots in small or large networks an easy task.

Ioannis is an Information Security engineer and researcher, working to protect company assets, data and operations. His general interests are programming, security, development operations (DevOps) and cloud computing while his academic interests include honeypots, honeyclients, botnet tracking, malware analysis, intrusion detection and security visualization. Ioannis has released a number of utilities to aid information security professionals using honeypots. Some of them are Kippo-Graph, Honeyd-Viz and HoneyDrive; a self-contained honeypot bundle Linux distribution. These tools are used by numerous university researchers, various CERT teams worldwide and have also been included in the “Proactive detection of security incidents II – Honeypots” report by ENISA (European Union Agency for Network and Information Security).

Max Class Size: 55
Prerequisites for students: Setup of VirtualBox for their OS
Materials or Equipment students will need to bring to participate: Only their laptops.

Addroid-InsecureBank

Dinesh Shetty

This is a major update to one of my previous projects - "InsecureBank". This vulnerable Android application is named "InsecureBankv2" and is made for security enthusiasts and developers to learn the Android insecurities by testing this vulnerable application. Its back-end server component is written in python. The client component i.e. the Android InsecureBank.apk can be downloaded along with the source.

Dinesh leads the Mobile Security Testing Center of Excellence at Security Innovation. He has performed innumerable penetration tests on Web, Mobile and VoIP technologies - however his core area of expertise is Mobile and Embedded application pentesting and exploitation. He is an accomplished author and speaker, and his research has been published in multiple security zines and sites like Packet Storm, Exploit-DB, PenTest Magazine, SecurityXploded, ClubHACK Magazine, and Exploit-Id amongst others

Anti-Forensics AF

int0x80 (of Dual Core), Hacker

This presentation is the screaming goat anti-forensics version of those ‘Stupid Pet Tricks’ segments on late night US talk shows. Nothing ground-breaking here, but we'll cover new (possibly) and trolly (definitely) techniques that forensic investigators haven't considered or encountered. Intended targets cover a variety of OS platforms.

int0x80 is the rapper in Dual Core. Drink all the booze, hack all the things!

Twitter: @dualcoremusic
DualCoreMusic on Facebook

Applied Physical Attacks on Embedded Systems, Introductory Version

Joe FitzPatrick Instructor & Researcher, SecuringHardware

This workshop introduces several different relatively accessible interfaces on embedded systems. Attendees will get hands-on experience with UART, SPI, and JTAG interfaces on a MIPS-based wifi router. After a brief architectural overview of each interface, hands-on labs will guide through the process understanding, observing, interacting with, and exploiting the interface to potentially access a root shell on the target.

Joe (@securelyfitz) is an Instructor and Researcher at https://SecuringHardware.com. Joe has spent over a decade working on low-level silicon debug, security validation, and penetration testing of CPUS, SOCs, and microcontrollers. He has spend the past 5 years developing and leading hardware security related training, instructing hundreds of security researchers, pen testers, hardware validators worldwide. When not teaching Applied Physical Attacks on x86 or Embedded Systems, Joe is busy developing new course content or working on contributions to the NSA Playset and other misdirected hardware projects, which he regularly presents at all sorts of fun conferences.

Max Class Size: 48
Prerequisites for students: No hardware or electrical background is required. Computer architecture knowledge, Linux command-line familiarity, and low-level programming experience helpful but not required.
Materials or Equipment students will need to bring to participate: All equipment, including laptops, will be provided for use in the class. Students will be provided with a lab manual that includes an equipment list of all materials used for the class.

Ask the EFF

Kurt Opsahl Deputy Executive Director, General Counsel, EFF
Nate Cardozo Senior Staff Attorney, EFF
Andrew Crocker Staff attorney, EFF
Dr. Jeremy Giliula Staff Technologist, EFF
Eva Galperin GlobalPolicy Analyst, EFF
Katitza Rodriguez International rights director, EFF

Get the latest information about how the law is racing to catch up with technological change from staffers at the Electronic Frontier Foundation, the nation’s premiere digital civil liberties group fighting for freedom and privacy in the computer age. This session will include updates on current EFF issues such as surveillance online, encryption (and backdoors), and fighting efforts to use intellectual property claims to shut down free speech and halt innovation, discussion of our technology project to protect privacy and speech online, updates on cases and legislation affecting security research, and much more. Half the session will be given over to question-and-answer, so it's your chance to ask EFF questions about the law and technology issues that are important to you.

KURT OPSAHL is the Deputy Executive Director and General Counsel of the Electronic Frontier Foundation. In addition to representing clients on civil liberties, free speech and privacy law, Opsahl counsels on EFF projects and initiatives. Opsahl is the lead attorney on the Coders' Rights Project. Before joining EFF, Opsahl worked at Perkins Coie, where he represented technology clients with respect to intellectual property, privacy, defamation, and other online liability matters, including working on Kelly v. Arribasoft, MGM v. Grokster and CoStar v. LoopNet. For his work responding to government subpoenas, Opsahl is proud to have been called a "rabid dog" by the Department of Justice. Prior to Perkins, Opsahl was a research fellow to Professor Pamela Samuelson at the U.C. Berkeley School of Information Management & Systems. Opsahl received his law degree from Boalt Hall, and undergraduate degree from U.C. Santa Cruz. Opsahl co-authored "Electronic Media and Privacy Law Handbook." In 2007, Opsahl was named as one of the "Attorneys of the Year" by California Lawyer magazine for his work on the O'Grady v. Superior Court appeal. In 2014, Opsahl was elected to the USENIX Board of Directors.

NATE CARDOZO is a Senior Staff Attorney on the Electronic Frontier Foundation’s digital civil liberties team. In addition to his focus on free speech and privacy litigation, Nate works on EFF's Who Has Your Back? report and Coders' Rights Project. Nate has projects involving cryptography and the law, automotive privacy, government transparency, hardware hacking rights, anonymous speech, electronic privacy law reform, Freedom of Information Act litigation, and resisting the expansion of the surveillance state. A 2009-2010 EFF Open Government Legal Fellow, Nate spent two years in private practice before returning to his senses and to EFF in 2012. Nate has a B.A. in Anthropology and Politics from U.C. Santa Cruz and a J.D. from U.C. Hastings where he has taught first-year legal writing and moot court. He brews his own beer, has been to India four times, and watches too much Bollywood.

ANDREW CROCKER is a staff attorney on the Electronic Frontier Foundation’s civil liberties team. He focuses on EFF’s national security and privacy docket, as well as the Coders' Rights Project. While in law school, Andrew worked at the Berkman Center for Internet and Society, the American Civil Liberties Union’s Speech, Privacy, and Technology Project, and the Center for Democracy and Technology. He received his undergraduate and law degrees from Harvard University and an M.F.A. in creative writing from New York University. His interests include Boggle and donuts.

DR. JEREMY GILIULA is a Staff Technologist at the Electronic Frontier Foundation where he focuses on a wide variety of tech policy topics including net neutrality, big data, mobile privacy, and privacy issues associated with drones and autonomous vehicles. At a young age Jeremy was sidetracked from his ultimate goal of protecting digital civil liberties by the allure of building and programming robots. He went to Caltech for undergrad, where he spent four years participating in the DARPA Grand Challenge, a competition to create a vehicle capable of traversing the desert autonomously. He then got his PhD in computer science from Stanford University, where his research focused on the design and analysis of algorithms for guaranteeing the safety of systems that employ machine learning and other AI techniques in an online fashion.

EVA GALPERIN is EFFs Global Policy Analyst, and has been instrumental in highlighting government malware designed to spy upon activists around the world. A lifelong geek, Eva misspent her youth working as a Systems Administrator all over Silicon Valley. Since then, she has seen the error of her ways and earned degrees in Political Science and International Relations from SFSU. She comes to EFF from the US-China Policy Institute, where she researched Chinese energy policy, helped to organize conferences, and attempted to make use of her rudimentary Mandarin skills.

KATITZA RODRIGUEZ is EFF's international rights director. She concentrates on comparative policy of international privacy issues, with special emphasis on law enforcement, government surveillance, and cross border data flows. Her work in EFF's International Program also focuses on cybersecurity at the intersection of human rights. Katitza also manages EFF's growing Latin American programs. She is an advisor to the UN Internet Governance Forum (2009-2010), and a member of the Advisory Board of Privacy International. Before joining EFF, Katitza was director of the international privacy program at the Electronic Privacy Information Center in Washington D.C., where amongst other things, she worked on The Privacy and Human Rights Report, an international survey of privacy law and developments. Katitza is well known to many in global civil society and in international policy venues for her work at the U.N. Internet Governance Forum and her pivotal role in the creation and ongoing success of the Civil Society Information Society Advisory Council at the Organisation for Economic Co-operation and Development, for which she served as the civil society liaison while at EPIC from 2008 to March 2010. Katitza holds a Bachelor of Law degree from the University of Lima, Peru. Katitza's twitter handle is @txitua.

Attacking BaseStations - an Odyssey through a Telco's Network

Henrik Schmidt, IT Security Researcher, ERNW GmbH
Brian Butterly T Security Researcher, ERNW GmbH

As introduced in our former series of talks ‘LTE vs. Darwin‘ there are quite a few of holes in the LTE specs. Now, having our own Macro BaseStation (an eNodeB) on the desk, we will demonstrate practical approaches to and attacks on real life devices. More and more devices are using mobile radio networks such as GSM, UMTS and LTE and there has already been quite a bit of research on (in)securities on the radio part, but only few people have had a look behind the scenes. Luckily, we had the chance to have just this look and now we would like to raise the curtain for the community. Initially we will quickly cover our complete odyssey from starting up an eNodeB for the first time, checking out the available interfaces and emulating the core network through to starting attacks. In the main part of the talk we will give a rather practical insight into the (in-)security features of basestations. We will start with valid backend connections and how these connections can be abused to reconfigure both a single eNodeB and a complete subnet on a telco network. We will then continue with the ‘official’ maintenance approach with the vendor's tools and webinterfaces giving an attacker both local and remote access to the device. All in all the talk will cover general and specific vulnerabilities in both basestations and the backend network.

Hendrik Schmidt and Brian Butterly are seasoned security researchers with vast experiences in large and complex enterprise networks. Over the years they focused on evaluating and reviewing all kinds of network protocols and applications. They love to play with packets and use them for their own purposes. In this context they learned how to play around with telecommunication networks, wrote protocol fuzzers and spoofers for testing their implementation and security architecture. Both are pentesters and consultants at the German based ERNW GmbH and will happily share their knowledge with the audience.

Attacking Network Infrastructure to Generate a 4 Tb/s DDoS for $5

Luke Young Information Security Engineer, Hydrant Labs LLC

As bandwidth, computing power, and software advancements have improved over the years, we've begun to see larger and larger DDoS attacks against organizations. Often times these attacks employ techniques such as DNS Amplification to take advantage of servers with very large uplinks. This talk explores a similar technique targeting commonly used throughput testing software typically running on very large uplinks. We will explore the process of attacking this software, eventually compromising it and gaining root access. Then we'll explore some of these servers in the real world determining the size of their uplinks and calculating the total available bandwidth at our fingertips all from a $5 VPS. We will finish up the presentation with a live demo exploiting an instance and launching a DoS.

Luke Young is a security researcher from the frozen plains of Minnesota who has spent his last three summers escaping to the much warmer Bay Area as a security intern for various tech companies, most recently as part of the Uber product security team. He presented at DEF CON 23 on the topic of exploiting bitflips in memory and has investigated a variety of well-known products and network protocols resulting in numerous CVE assignments and recognition in security Hall of Fames. He is currently attempting to balance earning his undergraduate degree with maintaining his position as one of the top 10 researchers on Bugcrowd.

Auditing 6LoWPAN Networks using Standard Penetration Testing Tools

Jonathan-Christofer Demay Airbus Defence and Space
Adam Reziouk
Arnaud Lebrun

The Internet of Things is expected to be involved in the near future in all major aspects of our modern society. On that front, we argue that 6LoWPAN is a protocol that will be a dominant player as it is the only IoT-capable protocol that brings a full IP stack to the smallest devices. As evidence of this, we can highlight the fact that even the latest ZigBee Smart Energy standard is based on ZigBee IP which itself relies on 6LoWPAN, a competitor of the initial ZigBee protocol. Efficient IP-based penetration testing tools have been available to security auditors for years now. However, it is not that easy to use them in the context of a 6LoWPAN network since you need to be able to join it first. In fact, the difficult part is to associate with the underlying IEEE 802.15.4 infrastructure.

Indeed, this standard already has two iterations since its release in 2003 and it provides with several possibilities regarding network topology, data transfer model and security suite. Unfortunately, there is no off-the-shelf component that provides, out of the box, with such a wide range of capabilities. Worst still, some of them deviate from the standard and can only communicate with components from the same manufacturer. In this paper, we present the ARSEN project: Advanced Routing for 6LoWPAN and Ethernet Networks. It provides security auditors with two new tools.

First, a radio scanner capable of identifying IEEE 802.15.4 infrastructures and for each one of them their specificities, including several deviations from the standard that we encountered in actual security audits.

Secondly, a border router capable of routing IPv6 datagrams between Ethernet and 6LoWPAN networks while adapting to the specificities identified by the scanner. As a result, the combination of both effectively allows security auditors to use available IP-based penetration testing tools on different 6LoWPAN networks.

Jonathan-Christofer Demay, PhD is the current penetration testing team leader at AIRBUS Defence and Space. As a former academic researcher, he has been working on IDS bypassing, intrusion detection and general network security. Now a consultant for various key industries and government bodies, he is working on incident response, penetration testing and social engineering.

Adam Reziouk is an electronics and automation engineer currently working on wireless communications and industrial network security at AIRBUS Defence and Space. He holds a master's degree in electrical and electronic engineering and has been conducting vulnerability research activities on programmable logic controllers, connected devices and smart grids.

Arnaud Lebrun is a command and control engineer currently working at AIRBUS Defence and Space. He is focusing on security issues for several projects in the aerospace industry and related areas such as radioactive waste disposal facilities or large telescopes. He also supports the penetration testing team for perimeters that include ICS infrastructures or embedded electronics.

Automated Penetration Tooklit (APT2)

Adam Compton

Nearly every penetration test begins the same way; run a NMAP scan, review the results, choose interesting services to enumerate and attack, and perform post-exploitation activities. What was once a fairly time consuming manual process, is now automated!

Automated Penetration Testing Toolkit (APT2) is an extendable modular framework designed to automate common tasks performed during penetration testing. APT2 can chain data gathered from different modules together to build dynamic attack paths. Starting with a NMAP scan of the target environment, discovered ports and services become triggers for the various modules which in turn can fire additional triggers. Have FTP, Telnet, or SSH? APT2 will attempt common authentication. Have SMB? APT2 determines what OS and looks for shares and other information. Modules include everything from enumeration, scanning, brute forcing, and even integration with Metasploit. Come check out how APT2 will save you time on every engagement.

Adam Compton has been a programmer, researcher, professional pentester, and farmer. Adam has over 15 years of programming, network security, incident response, security assessment, and penetration testing experience. Throughout Adam's career, he has worked for both federal and international government agencies as well as within various aspects of the private sector.

Backdooring the Frontdoor

Jmaxxz Hacker

As our homes become smarter and more connected we come up with new ways of reasoning about our privacy and security. Vendors promise security, but provide little technical information to back up their claims. Further complicating the matter, many of these devices are closed systems which can be difficult to assess. This talk will explore the validity of claims made by one smart lock manufacturer about the security of their product. The entire solution will be deconstructed and examined all the way from web services to the lock itself. By exploiting multiple vulnerabilities Jmaxxz will demonstrate not only how to backdoor a front door, but also how to utilize these same techniques to protect your privacy.

Jmaxxz works as a software engineer for a Fortune 100 company, and is a security researcher for pleasure. His FlashHacker program was featured in Lifehacker's most popular free downloads of 2010. More recently he has contributed to the node_pcap project which allows interfacing with libpcap from node. His other interests include lock picking and taking things apart.

Twitter: @jmaxxz

Beyond the MCSE: Red Teaming Active Directory

Sean Metcalf Founder & Security Principal, Trimarc

Active Directory (AD) is leveraged by 95% of the Fortune 1000 companies for its directory, authentication, and management capabilities, so why do red teams barely scratch the surface when it comes to leveraging the data it contains? This talk skips over the standard intro to Active Directory fluff and dives right into the compelling offensive information useful to a Red Teamer, such as quickly identifying target systems and accounts. AD can yield a wealth of information if you know the right questions to ask. This presentation ventures into areas many didn't know existed and leverages capability to quietly identify interesting accounts & systems, identify organizations the target company does business with regularly, build target lists without making a sound, abuse misconfigurations/existing trusts, and quickly discover the most interesting shares and their location. PowerShell examples and AD defense evasion techniques are provided throughout the talk.

Let's go beyond the MCSE and take a different perspective on the standard AD recon and attack tactics.

Sean Metcalf is founder and principal security consultant at Trimarc (www.TrimarcSecurity.com), an information security consulting firm focused on improving enterprise security. He is one of about 100 people in the world who holds the Microsoft Certified Master Directory Services (MCM) certification, is a Microsoft MVP, and has presented on Active Directory attack and defense at BSides, Shakacon, Black Hat, DEF CON , and DerbyCon security conferences. Sean has provided Active Directory and security expertise to government, corporate, and educational entities since Active Directory was released. He currently provides security consulting services to customers and regularly posts interesting Active Directory security information on his blog, ADSecurity.org.

Twitter: @PyroTek3

Blockfighting with a Hooker -- BlockfFghter2!

K2 Director, IOACTIVE

What's your style of hooking? My hooking Style? It's like hooking without hookers.

The use cases for hooking code execution are abundant and this topic is very expansive. EhTracing (pronounced ATracing) is technique that allows monitoring/altering of code execution at a high rate with several distinct advantages.

• Full context (registers, stack & system state) hooking can be logged without needing to know a function prototype and changes to execution flow can be made as desired.
• Traditional detours like hooking requires a length disassembly engine than direct binary .text segment modifications to insert an intended hook (no changes to binary needed with EhTrace).
• Block/Branch stepping enables a simplification of analysis code (does not need to do a full procedure/function graph recognition/traversal). This will feature focus on the use of VEH and the DR7 backdoor in x64 Windows.

  In a nutshell, EhTrace enables very good performance, in proc debugging and a dead simple RoP hook primitive. Some neat graphics and visualizations will be made some of the early examples up at https://github.com/K2/EhTrace
  
  This novel implementation for hookers establishes a model for small purpose built block-fighting primitives to be used in order to analyze & do battle, code vs. code.
  
  As a special bonus "round 3 FIGHT!" we will see a hypervisor DoS that will cause a total lockup for most hypervisors (100%+ utilization per CORE). This goes to show that emulating or even adapting a hypervisor to a full CPU feature set is exceedingly hard and it’s unlikely that a sandbox/hypervisor/emulator will be a comprehensive solution to evade detection from adversarial code for some time.
  
  Let’s have some fun blockfighting with some loose boxed hookers!

  K2 likes to poke around at security cyber stuff, writing tools and exploits to get an understanding of what’s easy, hard and fun/profit! He’s written and contributed to books, papers and spent time at security conferences over the years.
  
  K2 currently works with IOActive and enjoys a diverse and challenging role analyzing some of the most complex software systems around.
  
  ktwo
  Twitter @IOACTIVE
  github.com/K2
  github.com/ShaneK2

Boscloner - All in One RFID Cloning Toolkit

Phillip Bosco

The Boscloner is an All in One RFID Cloning Toolkit designed to make RFID badge cloning during a penetration testing engagement trivial, accessible, and lightning fast. The Boscloner’s core functionality set revolves around its ability to capture RFID badges from three feet away, automatically clone the captured badge (in seconds!), and allow the penetration tester to reach into a pocket and pull out a cloned and fully functioning badge providing instantaneous access to a restricted area. Access granted!

With its open source nature, high accessibility, and focus on furthering the security industry through community collaboration, the Boscloner has become the new golden standard for RFID penetration testing engagements.

Phillip Bosco possesses over 10 years of experience information security via both commercial and government positions. While currently employed as a Senior Security Consultant for Rapid7, Phillip’s previous employment includes the United States Marine Corps as a Cyber Marine and CSC as a penetration tester. Phillip is active in research, focusing primarily on social engineering and physical security. During his research into home security systems, he discovered a flaw that allows malicious individuals to break into a house without triggering an alarm and the attack works against multiple vendors. His discovery has captured the media’s attention by such publications as Wired Magazine, Washington Times, NetworkWorld, ArsTechnica, ZDNet, CSO Online, InfoSecurity Magazine, The Verge, and more. Phillip is scheduled to complete his Master’s Degree in Information Security Engineering from SANS Institute by the Fall of 2016. Phillip holds the following information security credentials: OSCP, OSWP, CISSP, GSEC (Gold), GCIA (Gold), GPEN, GWAPT, GCIH, CEH, ECSA, CNDA, A+, Network+, Security+

Brainwashing Embedded Systems

Craig Young Security Researcher, Tripwire

Learning the secret incantations to make embedded systems carry out your will is not as hard as one might think. In the world of IoT, the hardened system is rare and most times a firmware image is more than enough to find and exploit weakness. This session explains in detail a process for going from zero-knowledge to zero-day on real-world devices without breaking a sweat. Attendees to this tutorial session will learn the ropes of firmware dissection, app decompilation, and manual fuzz testing in a hands-on hack lab. Participants will be provided with a customized Kali Linux virtual appliance and given access to several consumer devices for analysis. These techniques have been successfully employed by the author to identify over 100 CVEs on embedded/IoT devices as well as to win the 0-day and CTF tracks in the DEF CON 22 SOHOpelessly Broken router hacking competition.

Craig Young is a computer security researcher with Tripwire's Vulnerability and Exposures Research Team (VERT). He has identified and responsibly disclosed dozens of vulnerabilities in products from Google, Amazon, IBM, NETGEAR, Adobe, HP, Apple, and others. His research has resulted in numerous CVE assignments and repeated recognition in the Google Application Security Hall of Fame. Craig's presentations on Google authentication weaknesses have led to considerable security improvements for all Google users. Craig won in track 0 and track 1 of the first ever SOHOpelessly Broken contest at DEF CON 22 by demonstrating 10 0-day flaws in SOHO wireless routers. His research into iOS WiFi problems more recently exposed CVE-2015-3728 that could allow devices to inadvertently connect to malicious hot spots. Craig has more recently turned his attention to a different part of the wireless spectrum with research into home automation products as well as RFID/NFC technology.

Max Class Size: 55
Prerequisites for students: Basic *nix knowledge; comfort with a shell; understanding of HTTP
Materials or Equipment students will need to bring to participate: If you need to collect a fee for materials, list them in your application, you will need to provide a list so attendees can purchase materials themselves in advance.

Nothing is required but in order to make the most out of the workshop, students will want to have a laptop with an 802.11 adapter and virtualization software capable of running an x86_64 virtual machine from an OVA/OVF (e.g. VirtualBox or VMWare). Virtual machine files will be made available on USB so an open USB port is preferred.

Breaking the Internet of Vibrating Things : What We Learned Reverse Engineering Bluetooth- and Internet-Enabled Adult Toys

follower Hacker
goldfisk Hacker

The Internet of Things is filled with vulnerabilities, would you expect the Internet of Vibrating Things to be any different? As teledildonics come into the mainstream, human sexual pleasure has become connected with the concerns of privacy and security already familiar to those who previously only wanted to turn on their lights, rather than their lover. Do you care if someone else knows if you or your lover is wearing a remote control vibrator? Do you care if the manufacturer is tracking your activity, sexual health and to whom you give control? How do you really know who is making you squirm with pleasure? And what happens when your government decides your sex toy is an aid to political dissidents? Because there’s nothing more sexy than reverse engineering we looked into one product (the We-Vibe 4 Plus from the innocuously named "Standard Innovation Corporation") to get answers for you.

Attend our talk to learn the unexpected political and legal implications of internet connected sex toys and, perhaps more importantly, how you can explore and gain more control over the intimate devices in your life. Learn the reverse engineering approach we took--suitable for both first timers and the more experienced--to analyze a product that integrates a Bluetooth LE/Smart wireless hardware device, mobile app and server-side functionality. More parts means more attack surfaces! Alongside the talk, we are releasing the "Weevil" suite of tools to enable you to simulate and control We-Vibe compatible vibrators. We invite you to bring your knowledge of mobile app exploits, wireless communication hijacking (you already hacked your electronic skateboard last year, right?) and back-end server vulnerabilities to the party. It’s time for you to get to play with your toys more privately and creatively than before.

Please note: This talk contains content related to human sexuality but does not contain sexually explicit material. The presenters endorse the DEF CON Code of Conduct and human decency in relation to matters of consent--attendees are welcome in the audience if they do the same. Keep the good vibes. :)

follower talks with computers and humans. Six years after first speaking at DEF CON about vulnerabilities in the Internet of Things, the fad hasn’t blown over so is back doing it again. An interest in code and hardware has lead to Arduino networking and USB projects and teaching others how to get started with Arduino. Tim O'Reilly once called follower a ‘troublemaker’ for his Google Maps reverse engineering.

Twitter: @rancidbacon

goldfisk spins fire by night and catches up with computer science lectures, also by night. And wishes headphone cables would stop getting caught on stuff. An interest in reverse engineering can be blamed on a childhood playing with electronics and re-implementing browser games in Scratch.

Twitter: @g0ldfisk

BSODomizer HD: A Mischievous FPGA and HDMI Platform for the (M)asses

Joe Grand (Kingpin) Grand Idea Studio
Zoz Hacker

At DEF CON 16 in 2008, we released the original BSODomizer (www.bsodomizer.com), an open source VGA pranking tool and introductory hacking platform for the multicore Propeller micro-controller. Hours of productivity were replaced with rage and frustration as unwitting computer users were confronted with fake Blue Screens of Death and revolting ASCII art. But, the world has changed. The machines have risen in capability. HDMI is the graphical transmission protocol of choice and hacking with micro-controllers is standard issue. The as-seen-on-HDTV duo of Joe Grand and Zoz return with the next generation of mischievous hardware, a device that supplants or captures any inline HDMI signal in a discreet, pentest-worthy package. BSODomizer HD is an FPGA-based system that not only improves on the graphics interception and triggering features of its predecessor, but can now capture screenshots of a target system and also provides a fully open design that you can use for your own experiments into the mystical world of massive, customizable arrays of digital logic. We'll guide you through the process of going from lamer zero to hacker hero with FPGAs, while savagely fucking with a few unfortunate friends along the way!

Joe Grand, also known as Kingpin, is a computer engineer, hardware hacker, former DEF CON badge designer, runner, daddy, honorary doctor, TV host, member of L0pht Heavy Industries, and the proprietor of Grand Idea Studio.

Twitter: @joegrand

Zoz is a robotics engineer, prankster, and renaissance hacker. Other than BSODs, things he enjoys faking include meteorite impacts, crop circles, and alien crash landings.

BurpSmartBuster

Patrick Mathieu

Bruteforcing non-indexed data is often use to discover hidden files and directories which can lead to information disclosure or even a system compromise when a backup file is found. This bruteforce technique is still useful today, but the tools are lacking the application context and aren't using any smart behaviour to reduce the bruteforce scanning time or even be stealthier. BurpSmartBuster, a Burp Suite Plugin offers to use the application context and add the smart into the Buster!

This presentation will reveal this new open-source plugin and will show practical case of how you can use this new tool to accelerate your Web pentest to find hidden treasures! The following will be covered:

- How to add context to a web bruteforce tool
- How we can be stealthier
- How to limit the number of requests: Focus only on what is the most critical
- Show how simple the code is and how you can help to make it even better

Patrick Mathieu is cofounder of Hackfest.ca the largest security event in Eastern Canada and has been involved in computer security for more than 10 years in the hacking community around Quebec, Canada for more than 20 years starting when he found text about hacking in the last online BBS. He is currently employed as Senior Security Consultant where he’s specialised in application security for both offence and defence currently assign to multiple webapp pentests and trainings. Patrick holds a Bachelor and College degree in computer science.

Bypassing Captive Portals and Limited Networks

Grant Bugher Perimeter Grid

Common hotspot software like Chilispot and Sputnik allow anyone to set up a restricted WiFi router or Ethernet network with a captive portal, asking for money, advertising, or personal information in exchange for access to the Internet. In this talk I take a look at how these and similar restrictive networks work, how they identify and restrict users, and how with a little preparation we can reach the Internet regardless of what barriers they throw up.

Grant Bugher has been hacking and coding since the early 90's and working professionally in information security for the last 12 years. He is currently a security engineer for a cloud service provider, and has previously been an architect, program manager and software engineer on a variety of online services, developer tools and platforms. Grant is a prior speaker at BlackHat and DEF CON and a regular DEF CON attendee since DEF CON 16. Most of his research and work is on cloud computing and storage platforms, application security, and detecting & investigating attacks against web-scale applications.

Twitter: @fishsupreme.
perimetergrid.com

C/C++ Boot Camp for Hackers

Eijah Founder, demonsaw

The C/C++ programming language is one of the most important programming languages ever created. Ever since Dennis Ritchie invented the language and Bjarne Stroustrup added object-oriented capabilities to it, C/C++ has been the standard by which all other languages are judged. C/C++ is considered the lingua franca of UNIX, Linux, BSD, and Windows as well as many software toolsets including GNU, Aircrack-ng, and the GCC compiler. And not only that, but C/C++ has influenced many other languages including C#, Java, Perl, PHP, and Python.

As hackers, we sometimes have to write code. And while there are more modern and higher-level languages available, C/C++ still plays a strong and prominent role in the hacking world due to its close ties to Linux and BSD. Whether we're writing shell scripts, python programs, PHP websites, contributing to a FOSS project, reverse engineering a binary, or rebuilding/patching the OS kernel; having a familiarity with C/C++ gives us a tremendous advantage and adds a powerful tool to our hacker arsenal.

This workshop is a C/C++ boot camp for hackers. It's an intense hands-on experience designed to get you up-to-speed with the most important parts of the C/C++ programming language using the GCC/G++ compiler. You'll learn about variables, functions, pointers, operators, classes, libraries, threads, templates, data structures, algorithms, exception handling, memory management, and design patterns. Whether you're a professional programmer, find yourself a little rusty and simply want a refresher course, or even if you'd never programmed in C/C++ before; this workshop is for you.

Please note that this is an intermediate-level, technical workshop and requires that attendees have prior experience in at least one programming language. Bring your laptop, a USB flash drive, and your favorite C/C++ 11 compiler (>= gcc/g++ 4.7 or msvc 2013).

Eijah is the founder of demonsaw, a secure and anonymous information sharing program. For the last 5 years he was also a Senior Programmer at Rockstar Games where he worked on Grand Theft Auto V for PS3, Xbox 360, PS4, Xbox One, and PC. Eijah has over 15 years of software development and IT Security experience. His career has covered a broad range of Internet and mid-range technologies, core security, and system architecture. Eijah has been a faculty member at multiple colleges, has spoken about security and development at DEF CON and Hack Miami conferences, and holds a master’s degree in Computer Science. Eijah is an active member of the hacking community and is an avid proponent of Internet freedom.

Max Class Size: 55
Prerequisites for students: Previous experience in at least one programming language is required, although it doesn't have to be in C/C++.
Materials or Equipment students will need to bring to participate: Laptop with Windows, Linux, or OSX. USB flash drive for saving their progress.

CAN i haz car secret plz?

Javier Vazquez Vidal Hardware Security Specialist at Code White Gmbh
Ferdinand Noelscher Information Security Specialist at Code White Gmbh

The CAN bus is really mainstream, and every now and then there are new tools coming out to deal with it. Everyone wants to control vehicles and already knows that you can make the horn honk by replaying that frame you captured. But is this all that there is on this topic? Reversing OEM and third party tools, capturing firmware update files on the fly, and hijacking Security Sessions on a bus are just a few examples of things that can be done as well. For this and more, we will introduce to you the CanBadger! It's not just a logger, neither an injector. It's a reversing tool for vehicles that allows you to interact in realtime with individual components, scan a bus using several protocols (yup, UDS is not the only one) and perform a series of tests that no other tool offers. The CanBadger is where the real fun begins when dealing with a vehicle, and you can build it under $60USD! If you are already done with replaying frames on the CAN bus and want to learn how that fancy chip-tuning tool deals with your car, or simply want to get Security Access to your vehicle without caring about the security key or algorithm, we are waiting for you!

Javier Vazquez Vidal is passionate about technology and specializes in hardware and embedded systems security. He studied Electromechanics and Telecommunications, developing a passion for electronics and technology since his youth. He has been part of several projects that involved well-known hardware, but his first public work was presented at DEF CON 21, the ECU tool. He developed the CHT, a tool to take over the CAN network, and had some fun with the ‘paella country’ smart meters. He is currently working as a Product Security Engineer at Code White GmbH, and has worked at companies such as Tesla, Daimler, Airbus Military and Visteon.

Ferdinand Noelscher is an information security researcher from Germany. He has been working in Information Security for several years now. Ferdinand is very passionate about Offensive Security research and has been working on numerous embedded security projects, and some lasers too. Furthermore, he gave a training together with Javier at hardwear.io. He is currently a Security Researcher at Code White.

Can You Trust Autonomous Vehicles: Contactless Attacks against Sensors of Self-driving Vehicle

Jianhao Liu Director of ADLAB, Qihoo 360
Chen Yan PhD student, Zhejiang University
Wenyuan Xu Professor, Electrical Engineering, Zhejiang University

To improve road safety and driving experiences, autonomous vehicles have emerged recently, and they can sense their surroundings and navigate without human inputs. Although promising and proving safety features, the trustworthiness of these cars has to be examined before they can be widely adopted on the road. Unlike traditional network security, autonomous vehicles rely heavily on their sensory ability of their surroundings to make driving decision, which opens a new security risk. Thus, in this talk we examine the security of the sensors of autonomous vehicles, and investigate the trustworthiness of the 'eyes' of the cars. In this talk, we investigate sensors whose measurements are used to guide driving, i.e., millimeter-wave radars, ultrasonic sensors, forward-looking cameras. In particular, we present contactless attacks on these sensors and show our results collected both in the lab and outdoors on a Tesla Model S automobile. We show that using off-the-shelf hardware, we are able to perform jamming and spoofing attacks, which caused the Tesla's blindness and malfunction, all of which could potentially lead to crashes and greatly impair the safety of self-driving cars. To alleviate the issues, at the end of the talk we propose software and hardware countermeasures that will improve sensor resilience against these attacks.

Jianhao Liu is the director of ADLAB at Qihoo 360. He specializes in the security of Internet of Things and Internet of Vehicles. He has reported a security vulnerability of Tesla Model S, led a security research on the remote control of a BYD car, and participated in the drafting of security standards among the automobile society. Being a security expert employed by various information security organizations and companies, he is well experienced in security service, security evaluation, and penetration test.

Chen Yan is a PhD student at Zhejiang University in the Ubiquitous System Security Laboratory. His research focuses on the security and privacy of wireless communication and embedded systems, including automobile, analog sensors, and IoT devices.

Wenyuan Xu is a professor in the College of Electrical Engineering at Zhejiang University and an associate professor in the Department of Computer Science and Engineering at University of South Carolina. She received her Ph.D. degree in Electrical and Computer Engineering from Rutgers University in 2007. Her research interests include wireless security, network security, and IoT security. She is among the first to discover vulnerabilities of tire pressure monitor systems in modern automobiles and automatic meter reading systems. Dr. Xu received the NSF Career Award in 2009. She has served on the technical program committees for several IEEE/ACM conferences on wireless networking and security, and she is an associated editor of EURASIP Journal on Information Security.

CANSPY: a Framework for Auditing CAN Devices

Jonathan-Christofer Demay Airbus Defence and Space
Arnaud Lebrun Airbus Defence and Space

In the past few years, several tools have been released allowing hobbyists to connect to CAN buses found in cars. This is welcomed as the CAN protocol is becoming the backbone for embedded computers found in smartcars. Its use is now even spreading outside the car through the OBD-II connector: usage-based policies from insurance companies, air-pollution control from law enforcement or engine diagnostics from smartphones for instance. Nonetheless, these tools will do no more than what professional tools from automobile manufacturers can do. In fact, they will do less as they do not have knowledge of upper-layer protocols. Security auditors are used to deal with this kind of situation: they reverse-engineer protocols before implementing them on top of their tool of choice. However, to be efficient at this, they need more than just being able to listen to or interact with what they are auditing. Precisely, they need to be able to intercept communications and block them, forward them or modify them on the fly. This is why, for example, a framework such as Burp Suite is popular when it comes to auditing web applications. In this paper, we present CANSPY, a framework giving security auditors such capabilities when auditing CAN devices. Not only can it block, forward or modify CAN frames on the fly, it can do so autonomously with a set of rules or interactively using Ethernet and a packet manipulation framework such as Scapy.

It is also worth noting that it was designed to be cheap and easy to build as it is mostly made of inexpensive COTS. Last but not least, we demonstrate its versatility by turning around a security issue usually considered when it comes to cars: instead of auditing an electronic control unit (ECU) through the OBD-II connector, we are going to partially emulate ECUs in order to audit a device that connects to this very connector.

Jonathan-Christofer Demay, PhD is the current penetration testing team leader at AIRBUS Defence and Space. As a former academic researcher, he has been working on IDS bypassing, intrusion detection and general network security. Now a consultant for various key industries and government bodies, he is working on incident response, penetration testing and social engineering.

Arnaud Lebrun is a command and control engineer currently working at AIRBUS Defence and Space. He is focusing on security issues for several projects in the aerospace industry and related areas such as radioactive waste disposal facilities or large telescopes. He also supports the penetration testing team for perimeters that include ICS infrastructures or embedded electronics.

Car Hacking Workshop

Robert Leale President, CanBusHack

KC Johnson Security Researcher

Introduction to connecting to Vehicle Networks. In the workshop we'll connect and send data to vehicle simulators and use scripts to fuzz messages. We will learn about vehicle systems and how they are connected.

Robert Leale is the President of CanBusHack a company specializing in vehicle network reverse engineering. He currently runs the DEF CON Car Hacking Village and is the trainer for Black Hat's Car Hacking Hands-On.

Hey, KC Johnson is really good at car hacking, no really! I saw him hack a car so that it's blinkers turned on. True Story. He can also connect things to cars, like, really fast. Also, he is like totally good at volleyball. OMG.

Max Class Size: 50
Prerequisites for students: None
Materials or Equipment students will need to bring to participate: A laptop with Windows

Cheap Tools for Hacking Heavy Trucks

Six_Volts Research Mercenary
Haystack Vehicle Data Ninja

There has been much buzz about car hacking, but what about the larger heavy-duty brother, the big rig? Heavy trucks are increasingly networked, connected and susceptible to attack. Networks inside trucks frequently use Internet connected devices even on safety-critical networks where access to brakes and engine control is possible. Unfortunately, tools for doing analysis on heavy trucks are expensive and proprietary. Six_Volts and Haystack have put together a set of tools that include open hardware and software to make analyzing these beasts easier and more affordable.

Six_Volts is a "research mercenary" and has worked on High Performance Computing, embedded systems, vehicle networking and forensics, electronics prototyping and design, among other things. He's crashed cars for science, done digital forensics on a tangled mess of wires that used to be a semi truck, built HPC clusters out of old (and new) hardware, designed tools to extract data from vehicle EDRs, and in his spare time trains teams of students to defend enterprise networks.

Twitter: @Six_Volts

Haystack Haystack was a computer science student researching process control security, when one day he was recruited by a nefarious mechanical engineering professor hell-bent on dominating the field of accident reconstruction. After a series of dangerous training missions to various accident sites and junkyards, Haystack can now cut electronic control modules from wrecked trucks with surgical precision and extract crash data from them that was previously thought to be unrecoverable.

Cloakify Exfiltration Toolset

TryCatchHCF

The Cloakify Toolset is a data exfiltration tool that uses text-based steganography to hide data in plain sight, evade DLP/MLS devices, perform social engineering of SecOps analysts, and evade AV detection. Very simple tools, powerful concept, proven in real-world ops. Too many secure enclaves rely solely on the combination of AV + Automated Data Inspection + Analyst Review to prevent data exfiltration. This toolset easily defeats them all.

TryCatchHCF is the Principal InfoSec Engineer & Lead Pentester at LifeLock. He has 25+ years of security- and software engineering experience, mostly in US gov't/DoD sectors, and served as an Intelligence Analyst and Counterintelligence Specialist in the United States Marine Corps. He hacked into his first systems in 1981 and wrote his first malware the following year, all while nearly being eaten by a grue. More recently he took 1st place in the 2013 Lockheed Martin Cyber Challenge. Education includes a bachelors degree in Cognitive Science, a masters degree in Information Assurance, and the collective hivemind of the global hacking community.

Compelled Decryption - State of the Art in Doctrinal Perversions

Ladar LevisonFounder, Lavabit, LLC.

Get mirandized for an encrypted world. This talk will cover the legal doctrines and statues our government is perverting to compel individuals into decrypting their data, or conscript technology companies into subverting the security of their own products. We’ll survey the arguments being advanced by prosecutors, the resulting case law, and the ethical dilemmas facing technology companies. The session will cover the rights and civil liberties we’ve already lost, and review the current threats to our collective freedoms. We’ll cover what an individual needs to know if they want to avoid compelled decryption, and keep their data private. We’ll also discuss strategies that third parties (friends, f/oss developers, and technology companies) can use to resist conscription and build trust through transparency. Because knowing your rights, is only half the battle

Ladar Levison serves as the founder, president, and chief executive of Lavabit, where he has worked the past 12 years. Founded in 2004 (and originally called Nerdshack), Lavabit was created because Mr. Levison believes that privacy is a fundamental, necessary right for a functioning, free and fair democratic society. Presently, Mr. Levison is focused on Lavabit's Dark Mail Initiative, which aims to make end-to-end email encryption automatic and ubiquitous, while continuing to vigorously advocate for the privacy and free speech rights of all. Mr. Levison’s involvement in the internet can be traced to the early days of the world wide web, when he built his first website, in the early nineties for the fledgling Mosiac web browser (from the National Center for Supercomputing Applications).

Prior, Mr. Levison operated a dialup bulletin board service, and worked as a computer technician assembling custom computer systems. With more than 10 years of experience as an independent consultant, Mr. Levison has brought to bear his skills as a project manager, business analyst, systems engineer, software developer, database administrator, systems administrator, and information security specialist.

Mr. Levison’s career has involved working with several dozen multinational companies in the financial, consumer electronics, and retail sectors. The websites Mr. Levison built have drawn millions of visitors, and the software he's written has touched, albeit behind the scenes, the lives of millions more. Over the years, Mr. Levison has written and published numerous technical specifications and authored several editorial pieces. Mr. Levison frequently speaks at a variety of conferences, has appeared as an expert on numerous network television shows, and appeared in several documentaries; including the Oscar winning film, /Citizenfour/.

Mr. Levison has also been involved with several popular free open source software projects. Mr. Levison holds fifteen certifications, with the vast majority from Microsoft and International Business Machines. Mr. Levison received his Bachelor of Arts and Bachelor of Science degrees from Southern Methodist University, where he studied finance, English, political science and computer science. Additionally, Mr. Levison spent a year studying international relations at Georgetown University. A native of San Francisco, California, he currently resides in Dallas, Texas where he lives with his best friend, and principal cheerleader, Princess, the Italian Greyhound he rescued in 2010.

Twitter: @kingladar
Facebook
Darkmail
Lavabit

CrackMapExec

Marcello Salvati

CrackMapExec is your one-stop-shop for pentesting Windows/Active Directory environments!

Written in Python and fully concurrent, it allows you to enumerate logged on users, spider SMB shares, execute psexec style attacks, auto-inject Mimikatz/Shellcode/DLL's into memory using Powershell, dump the NTDS.dit and much much more!

Equipment Requirements (Network Needs, Displays, etc): Internet connection is preferred but not necessary. 1 Display to clone laptop screen.

Marcello Salvati is a full-time pentester/security consultant at Coalfire Labs who has a passion for creating tools and eating Sushi in his free time. He is an active contributor to multiple open-source projects/tools such as Responder, Impacket, Kali Nethunter, the Veil Framework and has also created and been actively maintaining multiple open-source projects.

Crypto: State of the Law

Nate Cardozo Senior Staff Attorney, Electronic Frontier Foundation

Strong end-to-end encryption is legal in the United States today, thanks to our victory in what’s come to be known as the Crypto Wars of the 1990s. But in the wake of Paris and San Bernardino, there is increasing pressure from law enforcement and policy makers, both here and abroad, to mandate so-called backdoors in encryption products. In this presentation, I will discuss in brief the history of the first Crypto Wars, and the state of the law coming into 2016. I will then discuss what happened in the fight between Apple and the FBI in San Bernardino and the current proposals to weaken or ban encryption, covering proposed and recently enacted laws in New York, California, Australia, India, and the UK. Finally, I will discuss possible realistic outcomes to the Second Crypto Wars, and give my predictions on what the State of the Law will be at the end of 2016.

Nate Cardozo is a Senior Staff Attorney on the Electronic Frontier Foundation’s digital civil liberties team. In addition to his focus on free speech and privacy litigation, Nate works on EFF’s cryptography policy and the Coders’ Rights Project. Nate has projects involving export controls on software, state-sponsored malware, automotive privacy, government transparency, hardware hacking rights, anonymous speech, electronic privacy law reform, Freedom of Information Act litigation, and resisting the expansion of the surveillance state. A 2009-2010 EFF Open Government Legal Fellow, Nate has a B.A. in Anthropology and Politics from U.C. Santa Cruz and a J.D. from U.C. Hastings.

Twitter: @ncardozo

CuckooDroid 2.0

Idan Revivo

To combat the growing problem of Android malware, we present a new solution based on the popular open source framework Cuckoo Sandbox to automate the malware investigation process. Our extension enables the use of Cuckoo's features to analyze Android malware and provides new functionality for dynamic and static analysis. Our framework is an all in one solution for malware analysis on Android. It is extensible and modular, allowing the use of new, as well as existing, tools for custom analysis.

Idan Revivo is a Mobile Security Technology/Team Leader at IBM-Trusteer focusing on mobile malware, previously a mobile malware researcher at Checkpoint's malware research team. He has presented at numerous security conferences. He specializes in Android internals and sandboxing techniques. This includes automated static and dynamic malware analysis. He has a diverse security background, which includes vulnerability analysis and electronic warfare providing him with a broad and unique perspective on the cyber arena. Idan holds a bachelor's degree in Software Engineering, specializing in Mobile Systems.

Cunning with CNG: Soliciting Secrets from Schannel

Jake Kambic Hacker

Secure Channel (Schannel) is Microsoft's standard SSL/TLS Library underpinning services like RDP, Outlook, Internet Explorer, Windows Update, SQL Server, LDAPS, Skype and many third party applications. Schannel has been the subject of scrutiny in the past several years from an external perspective due to reported vulnerabilities, including a RCE.

What about the internals? How does Schannel guard its secrets? This talk looks at how Schannel leverages Microsoft's CryptoAPI-NG (CNG) to cache the master keys, session keys, private and ephemeral keys, and session tickets used in TLS/SSL connections. It discusses the underlying data structures, and how to extract both the keys and other useful information that provides forensic context about connection. This information is then leveraged to decrypt session that use ephemeral cipher suites, which don't rely on the private key for decryption. Information in the cache lives for at least 10 hours by default on modern configurations, storing up to 20,000 entries for client and server each. This makes it forensically relevant in cases where other evidence of connection may have dissipated.

Jake Kambic is a DFIR researcher and network penetration tester

Twitter: @TinRabbit

Cyber Deception: Hunting advanced attacks with MazeRunner

Dean Sysman CTO and co-founder @ Cymmetria

Detecting advanced threats is now under the assumption of impossibility or unlikeliness. One of the main waves in cyber security promising to enable that ability is cyber deception, a field that has garnered much attention and investments in the last couple of years. Based on the same concepts as honeypots, but on a different technology, cyber deception promises to create decoys and other assets to make attackers expose themselves and allow it's users to not only detect them, but collect forensics that can be used for immediate mitigation.

During this workshop, attendees will learn about MazeRunner, Cymmetria's cyber deception solution which is being released for the first time as the first cyber deception free general use tool. Along with it they will be able to set up deception across environments that will be composed of decoys - real virtual machines that can be linux/windows systems. Configure these machines with different network protocols and content to make them look like anything to deceive a hacker, and lastly creating the connections and credentials to these configurations to deploy to the endpoints, thereby creating a complete layer of deception to lead an attacker. Next we will show how to use the alerts and forensics gathered in order to enable automatic mitigation of threats and enrich your threat intel efforts.

Dean Sysman is CTO and co-founder of Cymmetria, an Israeli cyber deception start-up. A unit 8200 veteran, Dean started his military intelligence career first as a low-level security researcher, later on promoted to the rank of Captain to lead high level security research, earning multiple awards for his service. Already when he was 15, he won first place in the prestigious Robotics Olympiad, and by the age of 19 earned his B.Sc. in computer sciences. Before joining Cymmetria, Dean was involved in the development of cross platform translation compiler for embedded processors.

Max Class Size: 55
Prerequisites for students: None
Materials or Equipment students will need to bring to participate: Laptop with these software requirements: web browser, Metasploit framework is optional.

Cyber Grand Shellphish

Yan Shoshitaishvili PhD Student, UC Santa Barbara
Antonio Bianchi UC Santa Barbara
Kevin Borgolte UC Santa Barbara
Jacopo Corbetta UC Santa Barbara
Francesco Disperati UC Santa Barbara
Andrew Dutcher UC Santa Barbara
Giovanni Vigna UC Santa Barbarae
Aravind Machiry UC Santa Barbara
Chris Salls UC Santa Barbara
Nick Stephens UC Santa Barbara
Fish Wang UC Santa Barbara
John Grosen UC Santa Barbara

Last year, DARPA ran the qualifying event for the Cyber Grand Challenge to usher in the era of automated hacking. Shellphish, a rag-tag team of disorganized hackers mostly from UC Santa Barbara, decided to join the competition about ten minutes before the signups closed.

Characteristically, we proceeded to put everything off until the last minute, and spent 3 sleepless weeks preparing our Cyber Reasoning System for the contest. Our efforts paid off and, as we talked about last DEF CON , against all expectations, we qualified and became one of the 7 finalist teams. The finals of the CGC will be held the day before DEF CON.

If we win, this talk will be about how we won, or, in the overwhelmingly likely scenario of something going horribly wrong, this talk will be about butterflies.

In all seriousness, we've spent the last year working hard on building a really kickass Cyber Reasoning System, and there are tons of interesting aspects of it that we will talk about. Much of the process of building the CRS involved inventing new approaches to automated program analysis, exploitation, and patching. We'll talk about those, and try to convey how hackers new to the field can make their own innovations.

Other aspects of the CRS involved extreme amounts of engineering efforts to make sure that the system optimally used its computing power and was properly fault-tolerant. We'll talk about how automated hacking systems should be built to best handle this. Critically, our CRS needed to be able to adapt to the strategies of the systems fielded by the other competitors. We'll talk about the AI that we built to strategize throughout the game and decide what actions should be taken.

At the end of this talk, you will know how to go about building your own autonomous hacking system! Or you might know a lot about butterflies.

Shellphish is a mysterious hacking collective famous for being great partiers and questionable hackers. The secret identities of the Shellphish CGC team are those of researchers in the security lab of UC Santa Barbara. When they're not CTFing or surfing, they're doing hard-hitting security research. Their works have been published in numerous academic venues and featured in many conferences. In 2015, they unleashed angr, the next (current?) generation of binary analysis, and have been working hard on it ever since!

DARPA Cyber Grand Challenge Award Ceremony

Mike Walker DARPA Program Manager
Dr. Arati Prabhakar DARPA Director

On Friday morning, August 5th, DARPA will announce the prize winners and recognize the parties responsible for building and competing in the Cyber Grand Challenge (CGC), the world's first all-machine hacking tournament, which was completed August 4th. Seven high performance computers will have completed an all-machine Capture the Flag contest, reverse engineering unknown binary software, authoring new IDS signatures, probing the security of opponent software, and re-mixing defended services with machine-generated patches and defenses. Come hear about what transpired at CGC, and learn which team will be taking home the $2M grand prize, as well as the $1M second place and $750K third place prizes

Mike Walker is the DARPA program manager for the Cyber Grand Challenge. His research interests include machine reasoning about software in situ and the automation of application security lifecycles. Prior to joining DARPA, Mr. Walker worked in industry as a security software developer, Red Team analyst, enterprise security architect and research lab leader. As part of the Computer Science Corporation ‘Strikeforce’ Red Team, Mr. Walker helped develop the HEAT Vulnerability Scanner and performed Red Team engagements. Serving as a principal at the Intrepidus Group, Mr. Walker worked on Red Teams that tested America's financial and energy infrastructure for security weaknesses. Also, on the DARPA SAFER Red Team, Mr. Walker discovered flaws in prototype communications technologies. Mr. Walker has participated in various roles in numerous applied computer security competitions. He contributed challenges to DEF CON Capture the Flag (CTF) and competed on and led CTF teams at the highest levels of international competition. Mr. Walker was formerly a mentor of the Computer Security Competition Club at Thomas Jefferson High School for Science and Technology (TJHSST).

Arati Prabhakar, Ph.D., is director of the Defense Advanced Research Projects Agency (DARPA). Serving in this position since July 2012, she has focused the agency's efforts on rethinking complex military systems in fundamental ways; harnessing the information explosion to address national security challenges; and planting new seeds of technological surprise in fields as diverse as mathematics, synthetic biology, and neurotechnology.

Dr. Prabhakar has spent her career investing in world-class engineers and scientists to create new technologies and businesses. Her first service to national security started in 1986 when she joined DARPA as a program manager. She initiated and managed programs in advanced semiconductor technology and flexible manufacturing, as well as demonstration projects to insert new semiconductor technologies into military systems. As the founding director of DARPA's Microelectronics Technology Office, she led a team of program managers whose efforts spanned these areas, as well as optoelectronics, infrared imaging and nanoelectronics.

In 1993, President William Clinton appointed Dr. Prabhakar director of the National Institute of Standards and Technology, where she led the 3,000-person organization in its work with companies across multiple industries.

Dr. Prabhakar moved to Silicon Valley in 1997, first as chief technology officer and senior vice president at Raychem, and later vice president and then president of Interval Research. From 2001 to 2011, she was a partner with U.S. Venture Partners, an early-stage venture capital firm. Dr. Prabhakar identified and served as a director for startup companies with the promise of significant growth. She worked with entrepreneurs focused on energy and efficiency technologies, consumer electronics components, and semiconductor process and design technologies.

Dr. Prabhakar received her Doctor of Philosophy in applied physics and Master of Science in electrical engineering from the California Institute of Technology. She received her Bachelor of Science in electrical engineering from Texas Tech University. She began her career as a Congressional Fellow at the Office of Technology Assessment.

Dr. Prabhakar has served in recent years on the National Academies' Science Technology and Economic Policy Board, the College of Engineering Advisory Board at the University of California, Berkeley, and the red team of DARPA's Defense Sciences Research Council. In addition, she chaired the Efficiency and Renewables Advisory Committee for the U.S. Department of Energy. Dr. Prabhakar is a Fellow of the Institute of Electrical and Electronics Engineers, a Member of the National Academy of Engineering, a Texas Tech Distinguished Engineer, and a Caltech Distinguished Alumna.

Twitter: @DARPA,
#DARPACGC
Facebook

DataSploit

Shubham Mittal

-Performs automated OSINT on a domain / email / username / phone and find out relevant information from different sources.
-Useful for Pen-testers, Cyber Investigators, Product companies, etc.
-Correlates and collaborate the results, show them in a consolidated manner.
-Tries to find out credentials, api-keys, tokens, subdomains, domain history, legacy portals, etc. related to the target.
-Available as single consolidating tool as well as standalone scripts.
-Available in both web GUI and Console.

Shubham is an active Information Security researcher with 4 years of experience in offensive and defensive security, with interests in defensive security and OSINT. He has given training, conducted numerous workshops and delivered talks at local security chapters and multiple conferences, including Nullcon 2016, Blackhat Asia 2016, Null Delhi and Bangalore chapters, IETF, etc. In his free time, he loves to craft open source tools in python, and if the weather is nice, he loves to ride his bike. Twitter handle: @upgoingst

Deep look at back end systems of the future of credit card fraud

Weston Hecker

Taking a deeper look at the future of credit card fraud platforms including custom built carder site for sale of live skimmed data, Designing a "Blockchain" style deliver systems for live credit card data to Cash out devices. building a banking and credit processor back end from scratch. The DMVPN network design of the Carder site back end building "Lacara" and automating credit card cash out runs the devices behind the attack.

Weston Hecker 11 years pen-testing, Security Research, Programming. Speaker at Defcon 22, 23 and 24 Las Vegas, HOPE 11, TakedownCON 2016,B-sides Boston, Blackhat 2016, Enterprise Connect 2016, ISC2, SC Congress Toronto. worked on several opensource tools. Including Skimbad Anti-CC-Fraud Platform,Opencodec, Hacker tools such as "CompanyBAN" a AD automated company wide lock out tool. Several SDR tools, Reversing Engineering of Malware. Telephone DDOS tools. Open-CV. Hardware includes ATM Shimmers Anti-Skimmers, Gaspump (Anti)Skimmers and OldyellerUSB./p>

DEF CON 101 Panel

Mike Petruzzi (wiseacre)
Ryan Clark (LosT)
CrYpT
HighWiz
Jay
Nikita Kronenberg

DEF CON has changed for the better since the days at the Alexis Park. It has evolved from a few speaking tracks to an event that still offers the speakers, but also Villages, where you can get hands-on experience and Demo Labs where you can see tools in action. Of course, there is still the Entertainment and Contest Area, as well as Capture The Flag. There is so much more to DEF CON than there was in the past and it is our goal to help you get the best experience possible. In addition to introducing each of the different aspects and areas of DEF CON, we have a panel of speakers that will talk about how they came to be part of DEF CON and their personal experiences over the years. Oh yeah, there is the time honored "Name the Noob", lots of laughs and maybe even some prizes. Plus, stay for the after party. Seriously, there is an after party. How awesome is that?

Mike Petruzzi (wiseacre) started at DEF CON participating in the Capture the Flag contest. Determined to do better the next year, he participated again. This time the format was 36 hours straight. He realized he was missing out on everything else that was happening at DEF CON. From then on he made a point to participate in as much as he could. Of course, within the limits of social anxiety so, if it allowed participation as a wallflower, he was in! Now, he wants to make sure everyone else gets to know as much as possible about this year's conference. In his private life, Mike hacks managers and is happy anyone listens to him at all. Mike would like to thank Highwiz for everything.

Ryan "LosT" Clarke has been involved with DEF CON for 16 years. In addition to his role on the CFP board, LosT serve's as DEF CON's official Cryptographer and Puzzle Master. He is best known for his early LosT @ CON Mystery Challanges designed to force creative thinking, and also introduced him to his amazing wife! Now he is responsible for designing the badges and lanyards for DEF CON, in addition to torturing a subculture of enthusiastic crypto fans with his ever-so-subtle clues and red herring rabbit holes in his yearly Badge challenge. LosT enjoys learning as much as he can about as much as he can. He can usually be found around CON in the 1o57 room, mostly encouraging and sometimes distracting a ragged band of sleep-deprived attendees who are racing to complete the challenge.

CrYpT first attended DEF CON at DC10 as CrAzE, where he made the common mistake of staying on the sidelines and not actively participating in all DEF CON had to offer. The experience was tough for him and he did not return for many years. He tried again at DC17, but this time he made the decision to start putting himself out there. After a marked improvement in the quality of his experience, he was determined to make each year better than the last. At DC20 he received the handle CrYpT from Y3t1 and met some people who would remain his closest friends to this day (looking at you Clutch). Now he leads the awesome, hard-working Inhuman Registration team in their quest to badge all the people. He's a member of the CFP Review Board and Security Tribe. In an effort to help welcome all the new faces at DEF CON, he is returning for his second year to the DC 101 panel. He encourages people to reach out and ask questions so they can get the most bang for their badge.

Born of glitter and moon beams, HighWiz is the things that dreams are made of and nightmares long to be... Years ago, with the help of some very awesome people* he set about to create an event that would give the n00bs of Def Con a place to feel welcomed and further their own pursuit of knowledge. For years he has held onto the simple tenet that "You get out of Def Con what you put into it". Sometimes HighWiz can be a bit much to swallow and hard to take. HighWiz is a member of the CFP Review Board and Security Tribe.

*Some (but not all) of the people HighWiz would like to thank for helping to make 101 into what it is today : Runnerup, Wiseacre, Nikita, Roamer, Lockheed, Pyr0, Zac, V3rtgio, 1o57, Neil, Beaker, AlxRogan, Jenn, Zant, GM1, Clutch, TheDarkTangent, Siviak, Ripshy, Valkyrie, Xodia, Flipper and all the members of Security Tribe. After taking a year off from the 101 Panel, HighWiz is honored to once again be participating in it, as it marks its eighth year.

Jay Korpi is not of the traditional hacker world; CrYpT invited him to DEF CON 6 years ago, and as a surgical first assist, he decided it was not of any interest to him. CrYpT insisted every year until finally three years ago CrYpT told him "there are people there smarter than you..." Jay couldn't believe it and had to see it for himself. His first year, it was obvious there were MANY people smarter than he was. Once he met some amazing people who were both inviting and generous, Jay vowed to get involved with DEF CON somehow so he could provide the same experience to others. He found his opportunity last year when he joined the Inhuman Registration team and was invited to share his experiences on the DC 101 panel. He attributes these opportunities to his willingness to put himself out there and meet as many people as possible from his very first CON.

Nikita Kronenberg Nikita works to ensure DEF CON runs as smoothly as one can expect from a hacker conference. In addition to planning a vast array of details prior to DEF CON and thwarting issues while onsite, she also serves as the Director of Call For Papers and Workshops. In this role she systematically processes hundreds of submissions, organizes the CFP Board, and manages the entire CFP process from beginning to end. While no one relishes the job of rejecting submissions, Nikita strives to make the experience more positive with personal feedback and alternative speaking opportunities. Once talks have been selected, she weaves the final list into a comprehensive four day schedule over multiple speaking tracks. She serves as a primary point-of-contact for speakers leading up to DEF CON and acts as a liaison between speakers, press, and social media content organizers. Beyond the CFP, Nikita also works full-time on various behind-the-scenes administration and project management for DEF CON. As a DEF CON goon for the past 13 years, her superpowers involve putting out fires before they spark and juggling a multitude of tasks while balancing on an over-inflated ball. - rkut nefr ldbj gtjd bjws oayh qtmf york uykr fqwx awtr kumf giwk nxtw -

Twitter: @Niki7a

DEF CON Wireless Collection Service (DCWCS)

darkmatter

Lots of information is encoded on electromagnetic radiation, especially WiFi. The aim of this project is to listen to the WiFi bands (2.4gHz/5gHz) and see if we pick up anything interesting during DEF CON. This presentation will discuss the hardware decisions, what software is used and how to build and configure your own WiFi monitoring devices so you too can begin passive mass surveillance using WiFi. And yes, we are listening.

darkmatter is a hardware and software hacker. His skills include generating electron-hole pairs, reverse engineering, web stuff, rainbow team 4, and wifi. He thinks he's a computer scientist.

Developing Managed Code Rootkits for the Java Runtime Environment

Benjamin Holland ISU Team, DARPA's Space/Time Analysis for Cybersecurity (STAC)

Managed Code Rootkits (MCRs) are terrifying post-exploitation attacks that open the doors for cementing and expanding a foothold in a target network. While the concept isn't new, practical tools for developing MCRs don't currently exist. Erez Metula released ReFrameworker in 2010 with the ability to inject attack modules into the C# runtime, paving the way for MCRs, but the tool requires the attacker to have knowledge of intermediate languages, does not support other runtimes, and is no longer maintained. Worse yet, the ‘write once, run anywhere’ motto of managed languages is violated when dealing with runtime libraries, forcing the attacker to write new exploits for each target platform.

This talk debuts a free and open source tool called JReFrameworker aimed at solving the aforementioned challenges of developing attack code for the Java runtime while lowering the bar so that anyone with rudimentary knowledge of Java can develop a managed code rootkit. With Java being StackOverflow's most popular server side language of 2015 the Java runtime environment is a prime target for exploitation. JReFrameworker is an Eclipse plugin that allows an attacker to write simple Java source to develop, debug, and automatically modify the runtime. Best of all, working at the intended abstraction level of source code allows the attacker to ‘write once, exploit anywhere’. When the messy details of developing attack code are removed from the picture the attacker can let his creativity flow to develop some truly evil attacks, which is just what this talk aims to explore.

Ben Holland is a PhD student at Iowa State University with experience working on two high profile DARPA projects. He has extensive experience writing program analyzers to detect novel and sophisticated malware in Android applications and served on the ISU team as a key analyst for DARPA's Automated Program Analysis for Cybersecurity (APAC) program. He's lectured on security topics for university courses in program analysis and operating system principles. Ben has given multiple talks at professional clubs as well as security and academic conferences. His past work experience has been in research at Iowa State University, mission assurance at MITRE, government systems at Rockwell Collins, and systems engineering at Wabtec Railway Electronics. Ben holds a M.S. degree in Computer Engineering and Information Assurance, a B.S. in Computer Engineering, and a B.S. in Computer Science. Currently he serves on the ISU team for DARPA's Space/Time Analysis for Cybersecurity (STAC) program.

Twitter: @daedared
ben-holland.com

Direct Memory Attack the Kernel

Ulf Frisk Penetration Tester

Inexpensive universal DMA attacking is the new reality of today! In this talk I will explore and demonstrate how it is possible to take total control of operating system kernels by DMA code injection. Once control of the kernel has been gained I will execute code and dump gigabytes of memory in seconds. Full disk encryption will be defeated, authentication will be bypassed and shells will be spawned. This will all be made possible using a $100 piece of hardware together with the easy to use modular PCILeech toolkit - which will be published as open source after this talk.

Ulf Frisk is a penetration tester working in the Swedish financial sector. Ulf focuses mainly on online banking security solutions, penetration testing and it-security audits during daytime and low-level coding during nighttime. Ulf has been working professionally with security since 2011 and has a dark past as a developer.

Twitter: @UlfFrisk

GitHub: github.com/ufrisk

Dirt Simple Comms v2 (DSC2)

Tyler Oderkirk
Scott Carlson

Secure decentralized wireless text messaging using the Raspberry Pi Zero and LoRA modulation in the 900MHz band.

Tyler Oderkirk Fullstack Computer Security Engineer

Scott Calrson Systems Engineer (Mechatronics)

Disable Single Step Debug with Xmode Code

Ke Sun
Ya Ou

Single step execution is a very important debug function in modern computer programming for effective and efficient trouble shooting. How to stop single step is also a critical research topic from anti-debug perspective. During the research of xmode code obfuscation (code with runtime 32bit/64bit mode switch), we found a very interesting point that WinDbg is not able to properly carry out single step command under certain situation. We wonder what's the reason behind it, is it a WinDbg bug or due to something else? We made in-depth investigation to answer these questions.

This open-source project will demonstrate how to disable single step debugging in WinDbg with xmode code. We will also reveal the details of this issue from system perspective.

Ke Sun is an independent security researcher. He focused on malware analysis, and reverse engineering. Dr. Sun graduated from UCLA.

Ya Ou is an independent security researcher. His work has been focusing on new exploit development, malware analysis, and reverse engineering.

Discovering and Triangulating Rogue Cell Towers

JusticeBeaver (Eric Escobar) Security Engineer, Barracuda Networks Inc

The number of IMSI-catchers (rogue cell towers) has been steadily increasing in use by hackers and governments around the world. Rogue cell towers, which can be as small as your home router, pose a large security risk to anyone with a phone. If in range, your phone will automatically connect to the rogue tower with no indication to you that anything has happened. At that point, your information passes through the rogue tower and can leak sensitive information about you and your device. Currently, there are no easy ways to protect your phone from connecting to a rogue tower (aside from some Android apps which are phone specific and require root access). In this talk I'll demonstrate how you can create a rogue cell tower detector using generic hardware available from Amazon. The detector can identify rogue towers and triangulate their location. The demonstration uses a software defined radio (SDR) to fingerprint each cell tower and determine the signal strength of each tower relative to the detector. With a handful of these detectors working together, you can identify when a rogue cell tower enters your airspace, as well as identify the signal strength relative to each detector. This makes it possible to triangulate the source of the new rogue cell tower.

JusticeBeaver (Eric Escobar) is a Security Engineer at Barracuda Networks. His interests are broad and generally include putting computers in places you wouldn't expect. From chicken coops to rockets and even bee hives. Before being called to the dark side, Eric procured a Bachelor's and Master's degree in Civil Engineering. He now enjoys all things wireless, from WiFi, to SDR, and Ham Radio. Last year his team placed 1st in DEF CON 23's Wireless CTF.

DIY Nukeproofing: A New Dig at 'Datamining'

3AlarmLampScooter Hacker

Does the thought of nuclear war wiping out your data keep you up at night? Don't trust third party data centers? Few grand burning a hole in your pocket and looking for a new Sunday project to keep you occupied through the fall? If you answered yes to at least two out of three of these questions, then 3AlarmLampscooter's talk on extreme pervasive communications is for you! You'll learn everything from calculating radiation half layer values to approximating soil stability involved in excavating your personal apocalypse-proof underground data fortress.

3AlarmLampScooter is an enigmatic armored mammal of the genus homo sapiens sapiens sapiens troglodyte found in caves and tunnels across the southeastern United States. As moderator of the subreddit /r/Neutron, 3AlarmLampscooter's enunciation espouses pervasive communication via excavation to protect from radiation and conflagration. When above-ground, 3AlarmLampscooter is a vocal transhumanism advocate developing 3D printed construction materials.

Reddit: /u/3AlarmLampScooter

DNS Analyse

John Heise

Want to know who was patient zero from that recent phishing campaign? Or what about what’s going through that ssh tunnel? DNS is an integral part of all internet traffic both benign and malicious, despite this it can be ignored as a part of network monitoring in favor of more active protocols such as HTTP. This is a major mistake as a large amount of intelligence can be gathered from this single source, dns traffic can easily be used to determine information about hosts and users on a network and an essential tool for defending a network.

Utilizing packet sniffing libraries, open source queueing and storage projects a flexible monitoring system can be assembled relatively easily. With this tool in hand and some simple RPZ’s a security engineer can have more impact than most network analysis and prevention products on the market.

This presentation will cover a walk through of a design for dns monitoring system, then how that system can be used to watch for malware traffic, exfiltrating data on dns, and peering into ssh tunneled traffic, and finally how this system can be used to feed RPZ as a defensive mechanism.

John Heise has done operations work from many year prior to joining the LinkedIn Security team. Jon has also been involved in organizing Hack Fortress since its inception in 2010.

Drones Hijacking - multi-dimensional attack vectors and countermeasures

Aaron Luo Security Expert, Trend Micro

Drone related applications have sprung up in the recent years, and the drone security has also became a hot topic in the security industry. This talk will introduce some general security issues of the drones, including vulnerabilities existing in the radio signals, WiFi, Chipset, FPV system, GPS, App, and SDK. The most famous and popular drone product will be used to demonstrate the security vulnerabilities of each aspects, and recommendation of enforcements. The talk will also demo how to take control of the drone through the vulnerabilities.

The topic of hacking by faking the GPS signals has been shared before in Black Hat and DEF CON in the past, this talk will extend this topic to the drone security. we will demo the real-time hijacking program that we created for various drone, this program can take full control of the Drone’s maneuver by simply keyboard input. In addition, we will also introduce how to detect the fake GPS signals.

An open source tool supporting u-box GPS modules and SDR to detect fake GPS signals will be shared and published in the GitHub.

Aaron Luo is the cyber threat expert from Trend Micro Core Technology Group. Prior to joining Trend Micro, Aaron worked as a security consultant in the government cybercrime investigation department focusing on malware analysis, network forensics and protocol analysis.

He has started his security research since 2005 and is active in the information security communities in Taiwan. He was the founder of PHATE hacker group, and a core member of ZUSO Security. Now he is a member of CHROOT/HITCON security research group and is interested in reverse engineering, developing security attack/defense tools (such as Firewall, HIPS system, protocol analysis, RAT, shellcode, vulnerability scanner), network forensics, RF, IoT, and penetration testing.

Aaron has several research papers published in HITCON and SYSCAN360 such as "The Concept of Game Hacking & Bypassing Game Protection (Hackshield)" in HITCON (Hacks in Taiwan Conference) 2009 when he was just eighteen years old. Until today, he is still the youngest speaker ever in HITCON, and "Smashing iOS Apps For Fun And Profit" was also published in the 1st SYSCAN360 (2012).

Embedded system design: from electronics to microkernel development

Rodrigo Maximiano Antunes de Almeida Professor, Federal University of Itajubá

The workshop consists of a introduction on the embedded systems design. We'll start building a simple electronic embedded system design. This will be used as the target platform. Later I pretend to talk about the low level side of C language as bit fields arrays and bitwise operations, pointers to fixed memory addresses/registers, how to access the microcontroler peripherals etc. These will be the base to develop a full embedded microkernel using ISO-C without the standard libraries. They will have a better understanding on the electronics-programming relationship and how these questions can impact on the kernel development. Aside they`ll get a deep knowledge in the kernel basic functions (processes scheduling, i/o drivers controller etc).

Rodrigo is a professor at Federal University of Itajubá. He has 9 years working with embedded systems, developing projects both in home and electro-medical appliances. He actually teaches classes on electronics, microcontrollerers and embedded operational systems to electronic engineering students. His researches include topics on hardware development, RTOS security and embedded systems usability. Rodrigo has presented on DEF CON, ESC and BSides conferences, mostly talking about embedded development and related security issues.

Max Class Size: 40 Prerequisites for students:Basic/Intermediate C programming knowledge Materials or Equipment students will need to bring to participate: Just laptops. The electronic material will be provided by me to everyone.

Emo-Tool/OldYeller/Ransomware-Simulator

Weston Hecker

Emo and Old Yeller are tools that make your computer Immune to 26 different variants of Ransomware including SAMSAM Locky Cryptowall and Cryptolocker. these tools use sandbox evasion methods built into the malware against its self "Emo makes malware kill itself Oldyeller makes you crash your own system upon infection."

11 years pen-testing, Security Research, Programming. Speaker at Defcon 22, 23 and 24 Las Vegas, HOPE 11, TakedownCON 2016,B-sides Boston, Blackhat 2016, Enterprise Connect 2016, ISC2, SC Congress Toronto. worked on several opensource tools. Including Skimbad Anti-CC-Fraud Platform,Opencodec, Hacker tools such as "CompanyBAN" a AD automated company wide lock out tool. Several SDR tools, Reversing Engineering of Malware. Telephone DDOS tools. Open-CV. Hardware includes ATM Shimmers Anti-Skimmers, Gaspump (Anti)Skimmers and OldyellerUSB.

Escaping The Sandbox By Not Breaking It

Marco Grassi KEENLAB of Tencent
Qidan He KEENLAB of Tencent

The main topic of this technical talk will be "sandboxes" and how to escape them. One of the main component of the modern operating systems security is their sandbox implementation. Android for example in recent versions added SELinux to their existing sandbox mechanism, to add an additional layer of security. As well OS X recently added System Integrity Protection as a ‘system level’ sandbox, in addition to the regular sandbox which is ‘per-process’.

All modern OS focus on defense in depth, so an attacker and a defender must know these mechanisms, to bypass them or make them more secure. We will focus on Android and iOS/OSX to show the audience the implementations of the sandbox in these operating systems, the attack surface from within interesting sandboxes, like the browser, or applications sandbox.

Then we will discuss how to attack them and escape from our restricted context to compromise further the system, showcasing vulnerabilities. We think that comparing Android with iOS/OSX can be very interesting since their implementation is different, but the goal for attackers and defenders is the same, so having knowledge of different sandboxes is very insightful to highlight the limitations of a particular implementation. The sandboxes some years ago were related mainly to our desktop, mobile phone or tablet. But if we look now at the technology trend, with Automotive and IOT, we can understand that sandboxes will be crucial in all those technologies, since they will run on mainstream operating system when they will become more popular.

Marco Grassi is currently a Senior Security Researcher of the KEEN Lab of Tencent (previously known as KEEN Team). He was one of the main contributors at Pwn2Own 2016 for the Safari target with sandbox escape to root. He is a member of the team who won the title of ‘Master Of Pwn’ at Pwn2Own 2016. Formerly he was a member of NowSecure R&D Team, where he researched solutions for mobile security products and performed reverse engineering, pentesting and vulnerability research in mobile OS applications and devices. When he’s not poking around mobile devices, he enjoys developing embedded and electronic systems. He has spoken at several international security conferences such as ZeroNights, Black Hat, Codegate, HITB and cansecwest.

Twitter: @marcograss

Qidan He (a.k.a Edward Flanker) is a security researcher focusing on mobile security at KeenLab of Tencent (former known as Keen Team). His major experience includes Android/iOS/OSX security and program analysis. He has reported several vulnerabilities in Android system core components, which were confirmed and credited in multiple advisories. He has also found multiple vulnerabilities in OSX kernel, which are awaiting patch and credit. He is the winner of Pwn2Own 2016 OSX Category and member of Master of Pwn Champion team. He has spoken at conferences like Blackhat, CanSecWest, HITCON and QCON.

Twitter: @flanker_hqd

Esoteric Exfiltration

WIlla Cassandra Riggins(abyssknight) Penetration Tester, Veracode

When the machines rise up and take away our freedom to communicate we're going to need a way out. Exfiltration of data across trust boundaries will be our only means of communication. How do we do that when the infrastructure we built to defend ourselves is the very boundary we must defeat? We use the same pathways we used to, but bend the rules to meet our needs. Whether its breaking protocol, attaching payloads, or pirating the airwaves we'll find a way. We'll cover using a custom server application to accept 'benign' traffic, using social and file sharing to hide messages, as well as demo some long range mesh RF hardware you can drop at a target for maximum covert ops.

Willa Cassandra Riggins is a penetration tester at Veracode, and was previously part of the Lockheed Martin CIS Red Team. She started her career as a developer and pivoted into security to help fight the pandemic that is developer apathy. Her background spans the software development lifecycle, but her heart is in root shells and crown jewels. She can be found making things at FamiLAB in Orlando, hacking at the local DC407 meet-ups, staffing the socials at BSides Orlando, and marketing all the things at OWASP Orlando.

Twitter: @willasaywhat
dcg

Examining the Internet's pollution

Karyn Benson Graduate Student

Network telescopes are collections of unused but BGP-announced IP addresses. They collect the pollution of the Internet: scanning, misconfigurations, backscatter from DoS attacks, bugs, etc. For example, several historical studies used network telescopes to examine worm outbreaks.

In this talk I will discuss phenomena that have recently induced many sources to send traffic to network telescopes. By examining this pollution we find a wealth of security-related data. Specifically, I'll touch on scanning trends, DoS attacks that leverage open DNS resolvers to overwhelm authoritative name servers, BitTorrent index poisoning attacks (which targeted torrents with China in their name), a byte order bug in Qihoo 360 (while updating, this security software sent acknowledgements to wrong IP addresses... for 5 years), and the consequence of an error in Sality's distributed hash table.

Karyn recently defended her PhD in computer science. Prior to starting graduate school she wrote intrusion detection software for the US Army. When not looking at packets, Karb eats tacos, runs marathons, and collects state quarters.

Exploit Development for Beginners

Sam Bowne Professor, City College San Francisco

Dylan James Smith

This workshop helps participants move beyond using attacks others have developed to understanding how programs work at the binary level and how to exploit their weaknesses. With these techniques, you can find new vulnerabilities and write proof-of-concept attack code, compete in cyber competitions, or earn bug bounties.

All materials, projects, and challenges are freely available at samsclass.info.

Sam Bowne has been teaching computer networking and security classes at City College San Francisco since 2000. He has given talks and hands-on trainings at DEF CON, HOPE, B-Sides SF, B-Sides LV, and many other cons. He has a PhD and a CISSP and a lot of T-shirts.

Dylan James Smith assisted Sam Bowne with hands-on workshops last year at DEF CON and B-Sides LV. He's a Mac guru and skilled at fixing PC's, Linux problems, and network problems too.

Max Class Size: 55
Prerequisites for students: Familiarity with C, Python, and assembly code is helpful but not required.
Materials or Equipment students will need to bring to participate: Participants need a computer with Kali Linux running, either in a virtual machine or locally. I will have a few loaner computers for students who don't have a usable computer.

Exploiting and Attacking Seismological Networks... Remotely

Bertin Bervis Bonilla Founder, NETDB.IO
James Jara Founder & CTO, NETDB.IO

In this presentation we are going to explain and demonstrate step by step in a real attack scenario how a remote attacker could elevate privileges in order to take control remotely in a production seismological network located at 183mts under the sea. We found several seismographs in production connected to the public internet providing graphs and data to anyone who connects to the embed web server running at port 80. The seismographs provide real time data based in the perturbations from earth and surroundings, we consider this as a critical infrastructure and is clear the lack of protection and implementation by the technicians in charge.

We are going to present 3 ways to exploit the seismograph which is segmented in 3 parts: Modem (GSM, Wi-Fi, Satellite, GPS,Com serial) {web server running at port 80 , ssh daemon} Sensor (Device collecting the data from ground or ocean bottom) Battery (1 year lifetime) Apollo server (MAIN acquisition core server) These vulnerabilities affect the Modem which is directly connected to the sensor , a remote connection to the modem it's all that you need to compromise the whole seismograph network. After got the root shell our goal is execute a post exploitation attack , This specific attack corrupts/modifies the whole seismological research data of a country/ area in real time. We are going to propose recommendations and best practices based on how to deploy a seismological network in order to avoid this nasty attacks.

Bertin Bervis Bonilla is a security researcher focused in offensive security, reverse engineering and network attacks and defense, Bertin has been speaker in several security conferences in his country and latin america such OWASP Latin Tour , DragonJAR conference and EKOPARTY, He is the founder of NetDB - The Network Database project , a computer fingerprint/certificate driven search engine. Formerly is a network engineer working for a five letters us networking company in San Jose Costa Rica.

Twitter: @bertinjoseb

James Jara is the founder and CTO of NETDB.IO , a search engine of internet of things focused in info-security research. He likes Bitcoin Industry, Open Source and framework development and gave various presentations on security conferences like EkoParty. Interested machine learning for mobile, Internet of Things (IoT) devices and industrial systems used in critical infrastructure networks. Sport-coder!

Feds and 0Days: From Before Heartbleed to After FBI-Apple

Jay Healey Senior Research Scholar, Columbia University

Does the FBI have to tell Apple of the vuln it used to break their iPhone? How many 0days every year go into the NSA arsenal -- dozens, hundreds or thousands? Are there any grown-ups in Washington DC watching over FBI or NSA as they decide what vulns to disclose to vendors and which to keep to themselves? These are all key questions which have dominated so much of 2016, yet there's been relatively little reliable information for us to go on, to learn what the Feds are up to and whether it passes any definition of reasonableness.

Based on open-source research and interviews with many of the principal participants, this talk starts with the pre-history starting in the 1990s before examining the current process and players (as it turns out, NSA prefers to discover their own vulns, CIA prefers to buy). The current process is run from the White House with "a bias to disclose" driven by a decision by the President (in because of the Snowden revelations). The entire process was made public when NSA was forced to deny media reports that it had prior knowledge of Heartbleed.

Jason Healy is a Senior Research Scholar at Columbia University's School for International and Public Affairs. During his time in the White House, he coordinated efforts to secure the Internet and US critical infrastructure. He started his career as a US Air Force intelligence officer where he helped create the first joint cyber command, in 1998 and is a Senior Fellow at the Atlantic Council.

Twitter: @Jason_Healey

Forcing a Targeted LTE Cellphone into an Unsafe Network

Haoqi Shan Hardware/Wireless security researcher, Qihoo 360
Wanqiao Zhang Communication security researcher, Qihoo 360

LTE is a more advanced mobile network but not absolutely secure. Recently there already some papers those exposed the vulnerabilities of LTE network. In this presentation, we will introduce one method which jointly exploits the vulnerabilities in tracking area update procedure, attach procedure, and RRC redirection procedure, and finally can force a targeted LTE cellphone to downgrade into a malicious GSM network, then consequently can eavesdrop its data traffic or even voice call. This attack is not a simple DoS attack. It can select the targeted cellphone by filtering the IMSI number (IMSI catcher function), so it will not influence the other cellphones and keep them still in the real network. Further more, it can force the cellphone into the malicious network that we setup (a fake network) or we assign (operator’s network), therefore the cellphone has no chance to choose other secure network. This is the danger point of this attack.

Haiqi Shan, currently a wireless/hardware security researcher in Unicorn Team. He focuses on GSM system, router/switcher hacking etc. Other research interests include reverse engineering on embedded devices such as femto-cell base station. He has gave presentations about GSM devices hacking and wireless hacking suit on DEF CON, Cansecwest, Syscan

Wanqiao Zhang, is a communication security researcher, from Unicorn Team of Qihoo 360 China. She received her master degree in electronic information engineering form Nanjing University of Aeronautics and Astronautics in 2015. Fascinated by the world of wireless security, she is currently focus on the security research of the GPS system and the cellular network

Frontrunning the Frontrunners

Dr. Paul VixieCEO and Co-founder, Farsight Security, Inc.

-While some domainers allegedly brainstorm ideas for new domains to register while taking a shower, the more successful domain portfolio managers, working at scale, are believed to be ‘data driven.’ DNS queries are a material source of intelligence about domainer opportunities and operations, and also help us to understand the operational constraints around potentially combating domainers, should we want to do so. In this presentation co-authored with Farsight Security Scientist Dr. Joe St Sauver, Farsight Security CEO Dr. Paul Vixie will scrutinize failed DNS queries (‘NXDOMAINs’), looking for the same ‘opportunities’ that a domainer or typo squatter would (although we will not be acting on that data by actually registering domains).

Dr. Vixie will discuss two primary types of behavior: 1) Volumetrically-driven typo-squatting, which Dr. Vixie will measure by computing the volume of NXDOMAINs seen by domain during a 24 hour period, and the time between popular typos appearing in NXDOMAINs and those same domains being registered and actually used, and 2) Domainers programmatically exploring permutations of domains around high value domains, probing for available domains and automatically registering the most promising probed domains discovered to still be available. Both of these hypothesized behaviors should be externally observable and thus able to be confirmed by watching a real-time stream of NXDOMAIN errors, and a real-time stream of newly observed, actually-registered domains, as available from the Security Information Exchange.

Dr. Paul Vixie will experimentally confirm these hypothesized relationships and describe examples of (1) the most commonly observed types of typographical errors, (2) the brands apparently most-targeted for squatting, (3) the distribution of delays from NXDOMAIN detection to observed domain use, (4) the potential relationship between NXDOMAIN volume thresholds and TLD cost. Dr. Vixie will also explain how this information illuminates opportunities for tackling these types of domain name abuse. Time will be reserved for Q&A.

Dr. Paul Vixie is the CEO and Co-founder of Farsight Security. He previously served as President, Chairman and Founder of Internet Systems Consortium (ISC), as President of MAPS, PAIX and MIBH, as CTO of Abovenet/MFN, and on the boards of several for-profit and non-profit companies. He served on the ARIN Board of Trustees from 2005 to 2013, as ARIN Chairman in 2008 and 2009, and was a founding member of ICANN Root Server System Advisory Committee (RSSAC) and ICANN Security and Stability Advisory Committee (SSAC). He operated the ISC's F-Root name server for many years, and is a member of Cogent's C-Root team. He is a sysadmin for Op-Sec-Trust. Dr. Vixie has been contributing to Internet protocols and UNIX systems as a protocol designer and software architect since 1980. He wrote Cron (for BSD and Linux), and is considered the primary author and technical architect of BIND 4.9 and BIND 8, and he hired many of the people who wrote BIND 9. He has authored or co-authored a dozen or so RFCs, mostly on DNS and related topics, and of Sendmail: Theory and Practice (Digital Press, 1994). His technical contributions include DNS Response Rate Limiting (RRL), DNS Response Policy Zones (RPZ), and Network Telemetry Capture (NCAP). He earned his Ph.D. from Keio University for work related to DNS and DNSSEC, and was named to the Internet Hall of Fame in 2014.

Twitter: @paulvixie
LinkedIn

Fuzzing Android Devices

Anto Joseph Security Engineer, Intel

Droid-FF is the very first Android fuzzing framework which helps researchers find memory corruption bugs written in c /c ++ . In this workshop , all you need to start fuzzing mobile devices is presented as a VM which is ready to go and easy to work with. You will get hands on experience fuzzing real devices and finding bugs and tracing them back to source and triage them for exploitability.

Anto Joseph is a Security Engineer for Intel. He is enthusiastic about MobileSecurity and IOT .He is very passionate about research and is currently researching on Mobile Malware . He has developed custom tools and fuzzers for helping in PT's and Vulnerability Research .He has been speaker / trainer in various security conferences including BruCon, HackInParis, HITB Amsterdam , NullCon , GroundZero , c0c0n , XorConf etc and has good expertise in Practical Security.

Max Class Size: 55
Prerequisites for students: Familiar with Android / IOS eco-system
Materials or Equipment students will need to bring to participate: Good enough laptop to host two virtual machines in virtualbox.

Game over, man! – Reversing Video Games to Create an Unbeatable AI Player

Dan ‘AltF4’ Petro Security Associate, Bishop Fox

"Super Smash Bros: Melee." - Furrowed brows, pain in your thumbs, trash talk your Mom would blush to hear. That sweet rush of power you once knew as you beat all the kids on your block will be but a distant memory as SmashBot challenges you to a duel for your pride — live on stage. SmashBot is the Artificial Intelligence I created that plays the cult classic video game Smash Bros optimally. It can't be bargained with. It can't be reasoned with. It doesn't feel pity, remorse, or fear. This final boss won't stop until all your lives are gone.

What started as a fun coding project in response to a simple dare grew into an obsession that encompassed the wombo-combo of hacking disciplines including binary reverse engineering, AI research, and programming. When not used to create a killer doomsday machine, these same skills translate to hacking Internet of Things (IoT) devices, developing shellcode, and more. Forget about Internet ending zero-day releases and new exploit kits. Come on down and get wrecked at a beloved old video game. Line up and take your turn trying to beat the AI yourself, live on the projectors for everyone to see. When you lose though, don't run home and go crying to yo Momma.

Dan Petro is a Security Associate at Bishop Fox, a security consulting firm providing services to the Fortune 500, global financial institutions, and high-tech startups. In this role, he focuses on application and network penetration testing. He has presented at numerous conferences, including Black Hat USA, DEF CON , HOPE, BSides, and ToorCon. He has also been a featured guest speaker at Arizona State University, South Mountain Community College, and the Dark Reading University series. Dan has been quoted in various industry and mainstream publications such as Business Insider, Wired, The Guardian, and Mashable among others. He is widely known for the tools he has created: the Chromecast-hacking device, the RickMote ContRoller, and Untwister, a tool used for breaking pseudorandom number generators. He also organizes Root the Box, a capture the flag security competition. Additionally, Dan often appears on local and national news to discuss topical security issues. Dan holds a Master’s Degree in Computer Science from Arizona State University and doesn’t regret it.

Graylog

Lennart Koopman

Graylog is a free and open source log management tool, aiming to be an affordable alternative to many expensive commercial solutions.

Lennart Koopman is founder and original developer of Graylog. Before that he was a software architect a XING in Germany.

Guaranteed Security

Vivek Notani PhD Student University of Verona

Dr. Roberto Giacobazzi Senior Professor, University of Verona

Can you guarantee that the software you created does not contain any runtime errors or data races and would not be susceptible to buffer overflow or floating point errors? Can you create a program that can take any arbitrary program as an input and certify it as free from such errors or alert you of possible avenues of errors? Is such a thing even possible? Turns out, yes you can, or at least after this training you will be able to.

Recent advances in the field of formal program analysis have led to development of theories and tools that can, given a program as input, either guarantee absence of certain types of errors or raise alarms to alert of possible weaknesses in the given program. Sounds like black magic? The goal of this training is to de-mystify the science behind automated program analysis and build a solid foundation for attendees to start building their own tools that can automatically analyze and certify code correctness.

The workshop will cover the challenges in automated program analysis, what is possible and what is not possible, and why. We will focus on using Abstract Interpretation, a widely used formal framework, for describing sound by construction program analysis algorithms as approximations of semantics of the language. Finally, in the hands-on session, we will build our own code analyzer for a simple language that can analyze any program written in that language and issue certificates of correctness.

Vivek Notani is a PhD student at University of Verona, under Dr. Roberto Giacobazzi. Previously, Vivek used to work as a research scholar at University of Louisiana at Lafayette (USA) focusing on dynamic methods of malware analysis and machine learning applications to malware analysis and reverse engineering. His research at UL Lafayette led to the creation of Virusbattle, an automated malware analysis system that harvests intelligence from large malware repositories which was presented at BlackHat last year. VirusBattle has since been commercialized by Cythereal LLC. USA. Early on in his career, Vivek used to work in humanoid robotics and helped create Acyut, series of India's first indigenously developed humanoid robot which created a world record in humanoid weightlifting at FIRA-2010.

Roberto Giacobazzi is a senior professor of computer science at University of Verona and the Scientific Leader of the SPY-Lab. He received his Ph.D. in Computer Science in 1993 from the University of Pisa. From 1993 to 1995 he had a Post Doctoral Research position at Laboratoire d'Informatique (LIX), Ecole Polytechnique (Paris) in the equipe Cousot, the creator of the theory of Abstract Interpretation. His research interests include abstract interpretation, static program analysis, semantics of programming languages, program verification, abstract model-checking, program transformation and optimization, digital asset protection, code obfuscation, software watermarking and lattice theory. He is author of more than 100 publications in international journals and conferences and he is involved in national (italian) and international (european) research projects in the field of static program analysis. His main current research interest is in formal methods for systematic design of domains and transfer functions or abstract interpretation, with application in security, digital asset protection, code obfuscation, watermarking, malware analysis, semantics, program analysis, and abstract model-checking. In the past, he gave a declarative semantics for Prolog control features and he studied new methodologies to design static program analyzers and optimization techniques for logic and constraint-based languages by abstract interpretation. In lattice theory he contributed to understanding of the structure of the lattice of closure operators and complete congruence relations on complete lattices. He is in the Steering Committee of the Static Analysis Symposium and of the ACM Conference on Principles of Programming Languages, POPL. Dr. Giacobazzi's research in abstract interpretation led to the creation of Julia in 2006, which has since been acquired by the Corvallis Group,a leading firm in software development and assurance in the banking market.

Max Class Size: 55
Prerequisites for students:

• Programming background in C++
• Understanding of Software development and testing methods
• Basic understanding of these theories will be helpful but is not required: static analysis, dynamic analysis, lattice theory, FixPoint Theory and, abstract interpretation.

Materials or Equipment students will need to bring to participate: Laptop with Linux. Instructors will be using Ubuntu.
Please install IKOS library. Download from:
https://ti.arc.nasa.gov/opensource/ikos/
Installation instructions available here:
https://ti.arc.nasa.gov/m/opensource/downloads/ikos/INSTALL_linux.pdf

Guaranteed Security

Vivek Notani PhD Student University of Verona

Dr. Roberto Giacobazzi Senior Professor, University of Verona

Can you guarantee that the software you created does not contain any runtime errors or data races and would not be susceptible to buffer overflow or floating point errors? Can you create a program that can take any arbitrary program as an input and certify it as free from such errors or alert you of possible avenues of errors? Is such a thing even possible? Turns out, yes you can, or at least after this training you will be able to.

Recent advances in the field of formal program analysis have led to development of theories and tools that can, given a program as input, either guarantee absence of certain types of errors or raise alarms to alert of possible weaknesses in the given program. Sounds like black magic? The goal of this training is to de-mystify the science behind automated program analysis and build a solid foundation for attendees to start building their own tools that can automatically analyze and certify code correctness.

The workshop will cover the challenges in automated program analysis, what is possible and what is not possible, and why. We will focus on using Abstract Interpretation, a widely used formal framework, for describing sound by construction program analysis algorithms as approximations of semantics of the language. Finally, in the hands-on session, we will build our own code analyzer for a simple language that can analyze any program written in that language and issue certificates of correctness.

Vivek Notani is a PhD student at University of Verona, under Dr. Roberto Giacobazzi. Previously, Vivek used to work as a research scholar at University of Louisiana at Lafayette (USA) focusing on dynamic methods of malware analysis and machine learning applications to malware analysis and reverse engineering. His research at UL Lafayette led to the creation of Virusbattle, an automated malware analysis system that harvests intelligence from large malware repositories which was presented at BlackHat last year. VirusBattle has since been commercialized by Cythereal LLC. USA. Early on in his career, Vivek used to work in humanoid robotics and helped create Acyut, series of India's first indigenously developed humanoid robot which created a world record in humanoid weightlifting at FIRA-2010.

Roberto Giacobazzi is a senior professor of computer science at University of Verona and the Scientific Leader of the SPY-Lab. He received his Ph.D. in Computer Science in 1993 from the University of Pisa. From 1993 to 1995 he had a Post Doctoral Research position at Laboratoire d'Informatique (LIX), Ecole Polytechnique (Paris) in the equipe Cousot, the creator of the theory of Abstract Interpretation. His research interests include abstract interpretation, static program analysis, semantics of programming languages, program verification, abstract model-checking, program transformation and optimization, digital asset protection, code obfuscation, software watermarking and lattice theory. He is author of more than 100 publications in international journals and conferences and he is involved in national (italian) and international (european) research projects in the field of static program analysis. His main current research interest is in formal methods for systematic design of domains and transfer functions or abstract interpretation, with application in security, digital asset protection, code obfuscation, watermarking, malware analysis, semantics, program analysis, and abstract model-checking. In the past, he gave a declarative semantics for Prolog control features and he studied new methodologies to design static program analyzers and optimization techniques for logic and constraint-based languages by abstract interpretation. In lattice theory he contributed to understanding of the structure of the lattice of closure operators and complete congruence relations on complete lattices. He is in the Steering Committee of the Static Analysis Symposium and of the ACM Conference on Principles of Programming Languages, POPL. Dr. Giacobazzi's research in abstract interpretation led to the creation of Julia in 2006, which has since been acquired by the Corvallis Group,a leading firm in software development and assurance in the banking market.

Max Class Size: 55
Prerequisites for students:

• Programming background in C++
• Understanding of Software development and testing methods
• Basic understanding of these theories will be helpful but is not required: static analysis, dynamic analysis, lattice theory, FixPoint Theory and, abstract interpretation.

Materials or Equipment students will need to bring to participate: Laptop with Linux. Instructors will be using Ubuntu.
Please install IKOS library. Download from:
https://ti.arc.nasa.gov/opensource/ikos/
Installation instructions available here:
https://ti.arc.nasa.gov/m/opensource/downloads/ikos/INSTALL_linux.pdf

Hacker Fundamentals and Cutting Through Abstraction

LosT

Continuing the series of hacker foundational skills,  YbfG jvyy nqqerff shaqnzragny fxvyyf gung rirel unpxre fubhyq xabj.  Whfg sbe sha jr jvyy nyfb tb sebz gur guerr onfvp ybtvp tngrf gb n shapgvbany cebprffbe juvyr enpvat n pybpx.  Qb lbh xabj ubj n cebprffbe ernyyl jbexf?  Jul qb lbh pner?  Pbzr svaq bhg.  Bu, naq pelcgb.

Ryan "1o57" Clarke self-identifies as a hacker. Formerly a member of the Advanced Programs Group (APG) at Intel, he continues to do 'security stuff' for other companies and groups.  Professionally LosT's history includes working for various groups and companies, as well as for the University of Advancing Technology where he set up the robotics and embedded systems degree program.  He has consulted for the Department of Energy, Fortune 50 companies, and multiple domestic and international organizations.  For DEFCON he has created the Hardware Hacking Village, the LosT@Defcon Mystery Challenge, and conference badges, cryptography, and puzzles. As DEFCON’s official cryptographer and puzzle master, his activities have included aspects of network intrusion and security, social engineering, RED and BLUE team testing, mathematics, linguistics, physical security, and various other security and hacker related skillsets.  1o57's academic background and and interests include computational mathematics, linguistics, cryptography, electrical engineering, computer systems engineering and computer science-y stuff.

Hacker-Machine Interface - State of the Union for SCADA HMI Vulnerabilities

Brian Gorenc Senior Manager, Trend Micro Zero Day Initiative
Fritz Sands Security Researcher, Trend Micro Zero Day Initiative

Over the last year, synchronized and coordinated attacks against critical infrastructure have taken center stage. Remote cyber intrusions at three Ukrainian regional electric power distribution companies in December 2015 left approximately 225,000 customers without power. Malware, like BlackEnergy, is being specially developed to target supervisory control and data acquisition (SCADA) systems. Specifically, adversaries are focusing their efforts on obtaining access to the human-machine interface (HMI) solutions that act as the main hub for managing the operation of the control system. Vulnerabilities in these SCADA HMI solutions are, and will continue to be, highly valuable as we usher in this new era of software exploitation. This talk covers an in-depth analysis performed on a corpus of 200+ confirmed SCADA HMI vulnerabilities. It details out the popular vulnerability types discovered in HMI solutions developed by the biggest SCADA vendors, including Schneider Electric, Siemens, General Electric, and Advantech. It studies the weaknesses in the technologies used to develop HMI solutions and describes how critical vulnerabilities manifest in the underlying code. The talk will compare the time-to-patch performance of various SCADA vendors along with a comparison of the SCADA industry to the rest of the software industry. Finally, using the data presented, additional guidance will be provided to SCADA researchers along with a prediction on what we expect next in attacks that leverage SCADA HMI vulnerabilities.

Brian Gorenc is the senior manager of Vulnerability Research with Trend Micro. In this role, Gorenc leads the Zero Day Initiative (ZDI) program, which represents the world’s largest vendor-agnostic bug bounty program. His focus includes analyzing and performing root-cause analysis on hundreds of zero-day vulnerabilities submitted by ZDI researchers from around the world. The ZDI works to expose and remediate weaknesses in the world’s most popular software. Brian is also responsible for organizing the ever-popular Pwn2Own hacking competitions.

Twitter: @thezdi, @maliciousinput

Fritz Sands is a security researcher with Trend Micro's Zero Day Initiative. In this role, he analyzes and performs root-cause analysis on vulnerabilities submitted to the ZDI program, which is the world's largest vendor-agnostic bug bounty program. Fritz also focuses on writing tools to perform static and dynamic analysis for discovering vulnerabilities. Prior to joining the ZDI in 2014, Sands was in Microsoft's Trustworthy Computing and Secure Windows Initiative operations where he audited Windows code and developed dynamic analysis tools, and before that he was a system developer for multiple iterations of Microsoft Windows.

Twitter: @FritzSands
www.zerodayinitiative.com

Hacking Hotel Keys and Point of Sale Systems: Attacking Systems Using Magnetic Secure Transmission

Weston Hecker Senior Security Engineer & Pentester, Rapid7

Take a look at weaknesses in Point of sale systems and the foundation of hotel key data and the Property management systems that manage the keys. Using a modified MST injection method Weston will demonstrate several attacks on POS and Hotel keys including brute forcing other guest’s keys from your card information as a start point. And methods of injecting keystrokes into POS systems just as if you had a keyboard plugged into the system. This includes injecting keystrokes to open cash drawer and abusing Magstripe based rewards programs that are used a variety of environments from retail down to rewards programs in Slot Machines.

11 Years Pen-testing, 12 years’ security research and programming experience. Working for a security Company in the Midwest Weston has recently Spoken at DEF CON 22 & 23, Black Hat USA 2016, Enterprise Connect 2016 ISC2-Security Congress, SC-Congress Toronto, HOPE11, BSIDES Boston and over 50 other speaking engagements from telecom Regional events to University’s on security subject matter. Working with A Major University's research project with Department of Homeland Security on 911 emergency systems and attack mitigation. Attended school in Minneapolis Minnesota. Computer Science and Geophysics. Found several vulnerabilities’ in very popular software and firmware. Including Microsoft, Qualcomm, Samsung, HTC, Verizon.

Hacking Network Protocols using Kali

Thomas Wilhelm Associate Professor, NSACAE University

Todd KendallSecurity Consultant

There are a lot of hacking tutorials on how to compromise servers, but what about network devices?

In this workshop, we will demonstrate how to conduct penetration tests against a number of different network protocols, specifically those at layer 2 and 3 of the OSI model, in order to assess and circumvent the security of an organization. Participants will be able to watch a demonstration on how to leverage insecurities in different protocols, and replicate the attacks themselves in a lab environment at the workshop. In addition, we will discuss what steps network engineers can do to limit the insecurities.

This workshop will contain network devices in which participants will be able to connect to and perform the demonstrated attacks. Participation will be reduced since network equipment resources are limited, unless additional lab equipment can be procured.

Thomas Wilhelm has been an associate professor at an NSACAE university, who has taught information assurance for many years at both the masters and undergraduate level. He has been a penetration tester and team lead for fortune 100 companies, and spent the last 20+ years involved in information security.

Thomas has written and authored numerous articles and books over the years on hacking; the latest is titled “Professional Penetration Testing (vol 2),” published by Syngress, which has been printed in multiple languages. Thomas holds two masters degrees (MSCS, MSM) and maintains the following certifications: ISSMP, CISSP, CCNP Security, SCSECA, SCNA, SCSA, IEM, IAM

Todd Kendall is a security consultant with extensive experience in both the commercial and government security world. Todd is currently responsible for performing vulnerability assessments on operational networks to Fortune 100 companies, and has been heavily involved in incident response and management for finance, healthcare, and utility industries. Todd has expe

Max Class Size: 32
Prerequisites for students: It is required for students to understand the OSI model and specifics of well-known network protocols, particularly those found at layer 2 and layer 3 of the OSI model.
Materials or Equipment students will need to bring to participate: Participants should have a laptop that contains an up to date Kali Linux image. In addition, if they want to participate in actual network protocol attacks, they should bring CAT5 cables for connectivity. This class will not spend time getting students online - participants should already be familiar with configuring static IP addresses and/or DHCP for their systems. Because participants will be able to connect to a lab environment with active exploits, it is suggested that students use a computer system that can be easily re-imaged at the end of the workshop.

Hacking Next-Gen ATM's From Capture to Cashout

Weston Hecker Senior Security Engineer & Pentester, Rapid7

MV (Chip & Pin) card ATM's are taking over the industry with the deadlines passed and approaching the industry rushes ATM's to the market. Are they more secure and hack proof? Over the past year I have worked at understanding and breaking the new methods that ATM manufactures have implemented on production ‘Next Generation’ Secure ATM systems. This includes bypassing Anti-skimming/Anti-Shimming methods introduced to the latest generation ATM's. along with NFC long range attack that allows real-time card communication over 400 miles away. This talk will demonstrate how a $2000-dollar investment criminals can do unattended ‘cash outs’ touching also on failures of the past with EMV implementations and how credit card data of the future will most likely be sold with the new EMV data having such a short life span.

With a rise of the machines theme demonstration of ‘La-Cara’ and automated Cash out machine that works on Current EMV and NFC ATM's it is an entire fascia Placed on the machine to hide the auto PIN keyboard and flash-able EMV card system that is silently withdrawing money from harvested card data. This demonstration of the system can cash out around $20,000/$50,000 in 15 min.

11 Years Pen-testing, 12 years’ security research and programming experience. Working for a security Company in the Midwest Weston has recently Spoken at DEF CON 22 & 23, Black Hat USA 2016, Enterprise Connect 2016 ISC2-Security Congress, SC-Congress Toronto, HOPE11, BSIDES Boston and over 50 other speaking engagements from telecom Regional events to University’s on security subject matter. Working with A Major University's research project with Department of Homeland Security on 911 emergency systems and attack mitigation. Attended school in Minneapolis Minnesota. Computer Science and Geophysics. Found several vulnerabilities’ in very popular software and firmware. Including Microsoft, Qualcomm, Samsung, HTC, Verizon.

Hands-on Cryptography with Python

Sam Bowne Professor, City College San Francisco

Dylan James Smith

Learn essential concepts of cryptography as it is used on the modern Internet, including hashing, symmetric encryption, and asymmetric encryption. Then perform hands-on projects calculating hashes and encrypting secrets with RSA and AES, and compete to solve challenges including cracking Windows and Linux password hashes, short and poorly-chosen RSA public keys, and poorly-chosen AES keys.

All materials, projects, and challenges are freely available at samsclass.info.

Sam Bowne has been teaching computer networking and security classes at City College San Francisco since 2000. He has given talks and hands-on trainings at DEF CON, HOPE, B-Sides SF, B-Sides LV, and many other cons. He has a PhD and a CISSP and a lot of T-shirts.

Dylan James Smith assisted Sam Bowne with hands-on workshops last year at DEF CON and B-Sides LV. He's a Mac guru and skilled at fixing PC's, Linux problems, and network problems too.

Max Class Size: 55
Prerequisites for students: None
Materials or Equipment students will need to bring to participate: Students need to bring a computer that can run Python; any version of Mac, Windows, or Linux will be fine. I will have a few loaner computers for students who don't have a usable computer.

Help, I've got ANTs!!!

Tamas Szakaly Lead Security Researcher, PR-Audit Ltd., Hungary

As stated in my bio, besides computer security I also love fligh simulators and mountain biking. Last year I gave a talk about hacking a flight simulator (among other games), it was only fitting to research something related to my other hobby too. Old day's bike speedometers have evolved quite a bit, and nowadays a lot of bikers (swimmers, runners, ers) do their sport with tiny computers attached to them. These computers do much more than measuring speed: they have GPS, they can store your activities, can be your training buddy, and they can communicate with various sensors (cadence, power meter, heart rate monitors, you name it), mobile phones, each other, and with PCs. One of the communication protocols used by these devices is ANT. Never heard of it? Not surprising, it is not very well known despite being utilized by a lot of gadgets including, but not limited to sport watches, mobile phones, weight scales, some medical devices, and even bicycle lights and radars. When I bought my first bike computer I rationalized it with thoughts like ‘this will help me navigate on the mountain’, or ‘I can track how much I've developed’, but deep down I knew the real reason was my curiosity about this lesser known, lesser researched protocol.

One of my favorite kind of weaknesses are the ones caused by questionable design decisions, and can be spotted without actual hands-on experience with the product itself, just by reading the documentation. Well this is exactly what happened here, I had some attack vectors ready and waiting well before I received the actual device. To top it all, I've also found some implementation bugs after getting my hands on various Garmin devices.

After a brief introduction to the ANT, ANT+ and ANT-FS protocols, I'll explain and demo both the implementation and the protocol weaknesses and reach the already suspected conclusion that ANT and the devices that use it are absolutely insecure: anybody can access your information, turn off your bike light, or even replace the firmware on your sport watch over the air.

Tamas is the lead IT security researcher at PR-Audit Ltd., a company focusing mainly on penetration testing and SIEM software developing. Previously he participated in a cooperation between ELTE Department of Meteorology and the Paks Nuclear Power Plant Ltd. which goal was to develop TREX, a toxic waste emission simulator using CUDA. The scene from RoboCop where the kid defeats the evil robot with just a laptop and a serial cable made a huge impression on him, and after seeing the movie, his path was set: he was bound to be a hacker. His first experiences in this field involved poking around various copy protection schemes, and for this day his favorite areas of expertise are the ones that require some mangling of binary files. Besides computer security he also loves mountain biking and flight simulators.

Twitter: @sghctoma
Facebook: sghctoma

Hiding Wookiees in HTTP - HTTP smuggling is a thing we should know better and care about

regilero DevOp, Makina Corpus

HTTP is everywhere, everybody wants to write an HTTP server. So I wrote mine :-) But mine not fast, and come with an HTTP client which sends very bad HTTP queries. My tool is a stress tester for HTTP servers and proxies, and I wrote it because I found flaws in all HTTP agents that I have checked in the last year i.e. nodejs, golang, Apache httpd, FreeBSD http, Nginx, Varnish and even Haproxy. This presentation will try to explain how flaws in HTTP parsers can be exploited for bad things; we'll play with HTTP to inject unexpected content in the user browser, or perform actions in his name.

If you know nothing about HTTP it should be understandable, but you'll have to trust me blindly at the end. If you think you know HTTP, you have no reason to avoid this talk. Then, the short part, I will show you this new Open Source stress tool that I wrote and hope that you will remember it when you'll write your own HTTP parser for you new f** language.

regilero is a DevOp, and this started far before this term. Twenty years in open Source as web developer, sysadmin, web security training, database performance, tuning, audits. Took some time to be on the apache top responder in Stack Overflow, some stuff on SaltStack, made two daughters also. HTTP was the missing piece, like everyone he use it every day, but never took the time to really test the HTTP tools. Last year he started checking... and found some interesting issues.

Twitter: @regilero
Stack Overflow

Honey Onions: Exposing Snooping Tor HSDir Relays

Guevara Noubir Professor, College of Computer and Information Science, Northeastern University
Amirali Sanatinia PhD candidate, College of Computer and Information Science, Northeastern University

Tor is a widely used anonymity network that protects users' privacy and and identity from corporations, agencies and governments. However, Tor remains a practical system with a variety of limitations, some of which were indeed exploited in the recent past. In particular, Tor's security relies on the fact that a substantial number of its nodes do not misbehave.

Previous work showed the existence of malicious participating Tor relays. For example, there are some Exit nodes that actively interfere with users' traffic and carry out man-in-the-middle attacks. In this work we expose another category of misbehaving Tor relays (HSDirs), that are integral to the functioning of the hidden services and the dark web. The HSDirs act as the DNS directory for the dark web. Because of their nature, detecting their malicious intent and behavior is much harder. We introduce, the concept of honey onions (honions), a framework to detect misbehaving Tor relays with HSDir capability. By setting up and deploying a large scale honion over Tor for more than 72 days, we are able to obtain lower bounds on misbehavior among HSDirs.

We propose algorithms to both estimate the number of snooping HSDirs and identify them, using optimization and feasibility techniques. Our experimental results indicate that during the period of our work at least 110 such nodes were snooping information about hidden services they host. We reveal that more than half of them were hosted on cloud infrastructure and delayed the use of the learned information to prevent easy traceback. Furthermore, we provide the geolocation map of the identified snooping Tor HSDirs

Guevera Noubir holds a PhD in Computer Science from EPFL and is currently a Professor at Northeastern University. His research focuses on privacy, and security. He is a recipient of the National Science Foundation CAREER Award (2005). He led the winning team of the 2013 DARPA Spectrum Cooperative Challenge. Dr. Noubir held visiting research positions at Eurecom, MIT, and UNL. He served as program co-chair of several conferences in his areas of expertise such as the ACM Conference on Security and Privacy in Wireless and Mobile Networks, and IEEE Conference on Communications and Network Security. He serves on the editorial board of the ACM Transaction on Information and Systems Security, and IEEE Transaction on Mobile Computing.

Amirali Sanatinia is a Computer Science PhD candidate at Northeastern advised by Professor Guevara Noubir, and holds a Bachelors degree in CS from St Andrews University. His research focuses on cyber security and privacy, and was covered by venues such as MIT Technology Review and ACM Tech News. He is also the OWASP Boston NEU Student chapter founder and leader

HoneyPy and HoneyDB

Phillip Maddux

HoneyPy is an extensible low to medium interaction honeypot written in Python. It can be used as research or production honeypot and can easily be integrated with other tools for alerting and analysis (e.g. Slack, Twitter, Splunk, Elastic Search, etc).

HoneyDB is a web site that collects data from HoneyPy sensors on the Internet and publishes this data in an easy to consume format via APIs.

Phillip Maddux recently joined Signal Sciences as a Senior Solutions Engineer where his goal is to help organizations protect their web applications by enabling visibility into web application attacks and anomalies. Prior to Signal Sciences he focused on application security in the financial services industry. In his spare time he enjoys coding and experimenting with various open source security tools.

How to Design Distributed Systems Resilient Despite Malicious Participants

Radia Perlman EMC Fellow

Often distributed systems are considered robust if one of the components halts. But a failure mode that is often neglected is when a component continues to operate, but incorrectly. This can happen due to malicious intentional compromise, or simple hardware faults, misconfiguration, or bugs. Unfortunately, there is no single add-on to designs that will fix this case. This talk presents three very different systems and how they each handle resilience despite malicious participants. The problems, and the solutions, are very different. The important message of this talk is that there is no one solution, and that this case must be considered in designs.

Radia Perlman is a Fellow at EMC. She has made many contributions to the fields of network routing and security protocols including robust and scalable network routing, spanning tree bridging, storage systems with assured delete, and distributed computation resilient to malicious participants. She wrote the textbook Interconnections , and cowrote the textbook Network Security. She holds over 100 issued patents. She has received numerous awards including lifetime achievement awards from ACM's SIGCOMM and Usenix, election to National Academy of Engineering, induction into the Internet Hall of Fame, and induction into the Inventor Hall of Fame. She has a PhD from MIT.

How to Do it Wrong: Smartphone Antivirus and Security Applications Under Fire

Stephan Huber Fraunhofer SIT
Siegfried Rasthofer Fraunhofer SIT & TU Darmstadt

-Today’s evil often comes in the form of ransomware, keyloggers, or spyware, against which AntiVirus applications are usually an end user’s only means of protection. But current security apps not only scan for malware, they also aid end users by detecting malicious URLs, scams or phishing attacks.

Generally, security apps appear so self-evidently useful that institutions such as online-banking providers even require users to install anti-virus programs. In this talk, however, we show that the installation of security applications, at least in the context of smartphones, can sometimes open the phone to a number of attack vectors, making the system more instead of less vulnerable to attacks.

In a recent research we conducted on Android security apps from renowned vendors such as Kaspersky, McAfee, Androhelm, Eset, Malwarebytes or Avira. When conducting a study of the apps’ security features (Antivirus and Privacy Protection, Device Protection, Secure Web Browsing, etc.) it came as a shock to us that every inspected application contained critical vulnerabilities, and that in the end no single of the promoted security features proved to be sufficiently secure. In a simple case, we would have been able to harm the app vendor’s business model by upgrading a trial version into a premium one at no charge.

In other instances, attackers would be able to harm the end user by completely disabling the malware-scanning engine remotely. Or how about accessing confidential data by exploiting broken SSL communication, broken self-developed "advanced" crypto implementations or through SQL-injections?

Yes, we can. On top, we were able to bypass the secure browsing protection and abuse it for code execution. The most alarming findings, however, were security applications that we were able to actually turn into a remote access trojan (RAT) or into ransomware. In light of all those findings, one must seriously question whether the advice to install a security app onto one’s smartphone is a wise one. In this talk, we will not only explain our findings in detail but also propose possible security fixes.

Stephan Huber is a security researcher at the testlab mobile security group at the Fraunhofer Institute for Secure Information Technology (SIT). His main focus is Android application security testing and developing new static and dynamic analysis techniques for app security evaluation. He found different vulnerabilities in well-known Android applications and the AOSP. In his spare time he enjoys teaching students in Android hacking.

Siegfried Rasthofer is a fourth year PhD student at the TU Darmstadt (Germany) and Fraunhofer SIT and his main research focus is on applied software security on Android applications. He developed different tools that combine static and dynamic code analysis for security purposes. He likes to break Android applications and found various AOSP exploits. Most of his research is published at top tier academic conferences and very recently he started publishing at industry conferences like BlackHat, VirusBulletin or AVAR.

How to get good seats in the security theater? Hacking boarding passes for fun and profit.

Przemek Jaroszewski CERT Polska/NASK

While traveling through airports, we usually don't give a second thought about why our boarding passes are scanned at various places. After all, it's all for the sake of passengers' security. Or is it? The fact that boarding pass security is broken has been proven many times by researchers who easily crafted their passes, effectively bypassing not just ‘passenger only’ screening, but also no-fly lists. Since then, not only security problems have not been solved, but boarding passes have become almost entirely bar-coded. And they are increasingly often checked by machines rather than humans. Effectively, we're dealing with simple unencrypted strings of characters containing all the information needed to decide on our eligibility for fast lane access, duty-free shopping, and more...

With a set of easily available tools, boarding pass hacking is easier than ever, and the checks are mostly a security theater. In my talk, I will discuss in depth how the boarding pass information is created, encoded and validated. I will demonstrate how easy it is to craft own boarding pass that works perfectly at most checkpoints (and explain why it doesn't work at other ones).

I will also discuss IATA recommendations, security measures implemented in boarding passes (such as digital signatures) and their (in)effectiveness, as well as responses I got from different institutions involved in handling boarding passes. There will be some fun, as well as some serious questions that I don't necessarily have good answers to.

Przemek Jaroszewski is a member of CERT Polska (part of Research and Academic Computer Network in Poland) since 2001, where his current position is the head of incident response. He started his education as a programmer at Warsaw University of Technology, to eventually get his master's degree in Social Psychology from University of Social Sciences and Humanities in Warsaw. A frequent flyer in both professional and private lives, and a big aviation enthusiast - using every opportunity to learn about everything from inner workings of airports, airlines, ATC etc. to life-hacking of loyalty programs.

How to Make Your Own DEF CON Black Badge

Mickey Shkatov (@Laplinker) Intel Advanced Threat Research
Michael Leibowitz (@r00tkillah) Senior Trouble Maker
Joe FitzPatrick (@securelyfitz) Instructor & Researcher, SecuringHardware.com
Dean Pierce (@deanpierce) Security Researcher, Intel
Jesse Michael (@jessemichael) Security Researcher, Intel
Kenny McElroy (@octosavvi) Hacker

Yes, we did, we made our own DEF CON black badges. Why? Because we didn't want to wait in line ever again-- Not really. We are a bunch of hackers that always look for a challenge, and what better challenge is there than to try and reverse engineer from scratch three DEF CON black badges? In this talk we will go through the 2 year long process of making the DC14, DC22 and DC23 Black badges which include amazing hacking techniques like social engineering, patience, reverse engineering, EAGLE trickery, head to desk banging and hoping it is passable to a goon and not shameful to DT, 1057, and Joe.

Speaker Name Mickey (@laplinker) is a security researcher and a member of the Advanced Threat Research team. His areas of expertise include vulnerability research, hardware and firmware security, and embedded device security. Mickey has presented some of his past research at DEF CON , Black Hat, BruCON, Bsides PDX, PacSec, and HES.

Twitter: @laplinker

Michael has done hard-time in real-time. An old-school computer engineer by education, he spends his days championing product security for a large semiconductor company. Previously, he developed and tested embedded hardware and software, dicked around with strap-on boot roms, mobile apps, office suites, and written some secure software. On nights and weekends he hacks on electronics, writes DEF CON CFPs, and contributes to the NSA Playset.

Twitter: @rootkillah

Joe FitzPatrick is an Instructor and Researcher at https://SecuringHardware.com. Joe has spent over a decade working on low-level silicon debug, security validation, and hardware penetration testing, and hardware security training. In between training and bricking hardware, Joe is busy developing new course content or working on contributions to the NSA Playset and other misdirected hardware projects

Twitter: @sefcurelyfitz

Dean Pierce is a computer security researcher from Portland, Oregon. Dean has 15 years of experience in the field, with former DEF CON talks on breaking WiFi, WiMAX, and GSM networks. Author of many silly tools, creator of many silly websites. Security researcher by night, and security researcher that gets paid by day, Dean is currently doing tool development and attack modeling on Intel Corporation’s internal penetration testing team.

Twitter: @deanpierce

Jesse Michael spends his time annoying Mickey and finding low-level hardware security vulnerabilities in modern computing platforms.

Twitter: @jessemichael Kenny McElroy is a Security Researcher, Lock picker, Tinkerer, Embedded hacker, Jam Skater, SMT solderer, SDR twiddler, Space Geek and Bluewire Artist.

Twitter: @octosavvi

How to Overthrow a Government

Chris Rock Founder and CEO, Kustodian

Direct from the mind of the guy who bought you the "I will kill you" presentation at DEF CON 23, is another mind bending, entertaining talk. This time it’s bigger and badder than before.

Are you sick and tired of your government? Can’t wait another 4 years for an election? Or do you want to be like the CIA and overthrow a government overseas for profit or fun? If you answered yes to one or more of these questions than this talk is for you! Why not create your own cyber mercenary unit and invoke a regime change to get the government you want installed? After all, if you want the job done right, sometimes you have to do it yourself.

Find out how over the last 60 years, governments and resource companies have been directly involved in architecting regime changes around world using clandestine mercenaries to ensure deniability. This has been achieved by destabilizing the ruling government, providing military equipment, assassinations, financing, training rebel groups and using government agencies like the CIA, Mossad and MI-5 or using foreign private mercenaries such as Executive Order and Sandline. Working with Simon Mann an elite ex SAS soldier turned coup architect who overthrew governments in Africa, Chris Rock will show you how mercenary coup tactics directly applied to digital mercenaries to cause regime changes as the next generation of "Cyber Dogs of War".

Chris will walk you through a cyber regime change from start to finish on a real country and show you how to architect a coup achieving the same result as a traditional mercenary operation without any blood spilt. This will include taking ownership of all facets of government including finance, telecommunications, transportation, commercial companies and critical infrastructure such a power, water and oil. You will learn:
• Traditional military mercenary coup tactics used by the infamous 32 Battalion in Africa, Executive Order and Sandline that can be directly applied to a cyber mercenary regime change.
• How to architect a cyber coup using advisor’s, hackers and the general populace, using misinformation, professional agitators, false information and financing.
• How to gather intelligence to analyze a government’s systemic weaknesses on financial, societal values and political climates that is leader or country specific to structure your attack.
• How to identify and prioritize government resources, infrastructure and commercial companies and how to use these compromised assets to stage the coup.
• Combine physical and digital techniques and have the best of both worlds to own a countries infrastructure.
• Hot to manipulate the media using propaganda targeting journalists flawed multiple "source" rules for a story.
• The Grand finale of a cyber regime change on a real country from beginning to end using the above techniques with operational footage. Come to this talk and find out how you too can be your own dictator, benevolent or merciless that part is up to you.

Chris Rock presented "I will kill you" at DEF CON 23 has been active in the security industry for the last 20 years and is the founder and CEO of Kustodian, a specialized security company that specializes in Security Operations Centres, Penetration testing and independent research. Kustodian is an Australian, Middle East and Hong Kong registered company that has been operational for over 10 years. Chris has also spent 12 years in the banking sector and provides security services around the world for small, medium and large companies. Chris Rock also created SIEMonster, an open source, scalable, free Security Incident and Event Management (SIEM) as a commercial alternative to Splunk, ArcSight and AlienVault. SIEMonster can be run on Amazon AWS or Virtual machines and details can be found on www.siemonster.com

Twitter: @_kustodian_
Facebook

How to Remmote Control an Airliner: SecurityFLawsin Avionics

Sebastian Westerhold KF5OBS

This talk is exposing critical flaws in navigational aides, secondary surveillance radar, the Traffic Collision Avoidance System (TCAS) and other aviation related systems. The audience will gain insight into the inner workings of these systems and how these systems can be exploited. Several practical demonstrations on portable avionics will show just how easy it is to execute these exploits in real life.

Sebastian Westerhold, better known under his FCC assigned radio call-sign KF5OBS, is a well known electrical engineer with a general interest in security analysis and penetration testing. As a teenager, he has been writing articles for the leading German electronics Magazine FUNKAMATEUR and the leading European magazine Elektor. Today, his blog and YouTube channel attract electronics enthusiasts from all over the world.

Hunting Malware at Scale with osquery

Sereyvathana Ty Security Engineer, Facebook

Nick Anderson Security Engineer, Facebook

Javier Marcos de Prado Security Engineer, Uber

Teddy Reed Security Engineer, Facebook

Matt Moran Security Engineer Facebook

This workshop is an introduction to osquery, an open source SQL-powered operating system for instrumentation and analytics. osquery is developed and used by Facebook to proactively hunt for abnormalities. Since osquery allows us to easily ask questions about our infrastructure, it provides powerful capabilities, such as finding malware persistence techniques and scanning IOCs across our fleets of machines. This workshop is a very hands-on training and we expect participants to be comfortable with CLI. The workshop is broken into three components:

Part I - hunting malware with osquery (1.5 hours) The first section of the workshop will make use of the interactive osquery command line tool (osqueryi) to hunt for characteristics of malware residing on a local system. The goal of this section is to get students familiar with writing SQL statements and to understand how osquery makes use of core tables to abstract operating system artifacts.

Part II - osquery at scale (1.5 hours): The second part of the workshop will focus on automation and deployment of osquery at a larger scale. You will learn how to write “query packs” which are utilized to collect and analyze the results from various endpoints in an enterprise. We will demonstrate this concept with the use of virtual machines, however the methodologies can be extrapolated to larger enterprises.

Part III - osquery development (optional - 0.5 to 1 hours): The last part of the workshop focuses on osquery development. We will walk you through some of the core components of osquery so you can have a deeper understand of this application. The goal being to give the student sufficient information to hack on the osquery project. This segment is largely optional and designed for people who want to get familiar with how osquery works under the hood.

Who should attend?

This workshop is designed for information security professionals who defend small to large scale enterprise networks.

What you need to know?

• Linux/MAC operating systems and CLI environments
• Comfortable writing and operating in SQLite
• Knowledge of ELK stack or splunk deployment/functionality is helpful
• Some programming experience is helpful

What do you need to bring?

• General knowledge of malware TTP is helpful
• A laptop capable of running two virtual machines (2 cores +, 8GB RAM, and 40GB Free disk space)
• Pre-installed VMWare client

Sereyvathana Ty is a member of Detection Infrastructure at Facebook working on network security monitoring instrumentations. Before joining Facebook, he was a malware researcher for Palo Alto Networks where he was researching new techniques for detecting malware and developing mitigation strategies for WildFire, a malware analysis platform. He enjoys malware analysis, and he has a strong passion for developing security applications using machine learning techniques.

Javier Marcos Javier Marcos is a Security Engineer at Uber with experience working on both offensive and defensive teams. He is currently a member of Uber's Platform Security team and he created the Facebook CTF platform.

Nick Anderson is a Security Engineer at Facebook working in the Detection Infrastructure team on the osquery project. He came to Facebook after working at Sandia National Labratories as a Cybersecurity Engineer and enjoys malware analysis and reverse engineering in his free time.

Teddy Reed is a Security Engineer at Facebook developing production security tools. He is very passionate about trustworthy, safe, and secure code development. He loves open source and collaborative engineering when scale, resiliency, and performance enable defensive and protective software design. Teddy has published at security conferences on trusted computing, hardware trusted systems, UAVs, competition game theory, and other security-related research.

Matt Moran is a security engineer at Facebook working on building and improving network security monitoring tools. In the past, Matt worked as a system administrator deploying and maintaining scalable services for both Facebook and Yahoo. Matt has a bachelor’s degree in Information Technology from Mount Saint Mary college in New York.

Max Class Size: 55
Prerequisites for students: None
Materials or Equipment students will need to bring to participate: A laptop capable of running two virtual machines (2 cores +, 8GB RAM, and 40GB Free disk space). Pre-installed VMWare client.

I Fight For The Users, Episode I - Attacks Against Top Consumer Products

Zack Fasel Managing Partner, Urbane
Erin Jacobs Managing Partner, Urbane

This is not just another "I found a problem in a single IOT device" talk. Focusing on attacking three major consumer product lines that have grown rapidly in the past years, Zack and Erin will review flaws they’ve discovered and weaponized against home Windows installs, DIY security solutions, personal fitness tracking devices, and digital notification devices. We’ll review the security of these popular products and services in a ‘consumer reports’ style walkthrough, the attack methods against the 21 devices reviewed, release some tools for the lulz, and highlight the threats facing similar products. It's time to Fight for the Users. END OF LINE.

Zack Fasel and Erin Jacobs are Partners at Urbane Security, a solutions-focused vendor-neutral information security services firm focusing on providing innovative defense, sophisticated offense and refined compliance services.

Heading up Urbane's Research and Security Services divisions, Zack brings his years of diverse internal and external experience to drive Urbane's technical solutions to organizations top pain points. His previous research and presentations at conferences have spread across numerous domains including Windows authentication flaws, femtocells, open source defensive security solutions, cloud security, and unique network and application attack vectors. When not selling out, he can be found lost in the untz unce wubs, dabbling in instagram food photography, or eating scotch and drinking gummy bears (that's right, right?). More information on Zack can be found by searching for "zfasel" and on Urbane Security at UrbaneSecurity.com.

Leading the charge of Urbane’s Compliance and Enterprise Risk Management divisions, Erin brings her years of executive level experience coupled with deep and diverse technical knowledge to help organizations accurate prioritize and address the security and compliance risks they face. Her prior talks and research have spread across numerous domains, including technical solutions for compliance requirements, OSX reversing, diversity in tech, and IOT. More information on Erin can be found by following @SecBarbie on twitter.

Twitter: @UrbaneSec @zfasel @SecBarbie

I've got 99 Problems, but Little Snitch ain't one

Patrick Wardle Director of Research, Synack

Security products should make our computers more secure, not less. Little Snitch is the de facto personal firewall for OS X that aims to secure a Mac by blocking unauthorized network traffic. Unfortunately bypassing this firewall's network monitoring mechanisms is trivial...and worse yet, the firewall's kernel core was found to contain an exploitable ring-0 heap-overflow. #fail Though briefly touching on generic firewall bypass techniques, this talk will largely focus on the kernel-mode vulnerability. Specifically, I’ll discuss bypassing OS X specific anti-debugging mechanisms employed by the product, reverse-engineering the firewall's I/O Kit kernel interfaces and 'authentication' mechanisms, and the discovery of the exploitable heap-overflow.

Finally, methods of exploitation will be briefly discussed, including how an Apple kernel-fix made this previously un-exploitable bug, exploitable on OS X 10.11

So if you simply want to see yet another 'security' product fall, or more generically, learn methods of OS X kernel extension reversing in a practical manner, then this talk is for you :)

Patrick Wardle is the Director of Research at Synack, where he leads cyber R&D efforts. Having worked at NASA, the NSA, and Vulnerability Research Labs (VRL), he is intimately familiar with aliens, spies, and talking nerdy. Currently, Patrick’s focus is on automated vulnerability discovery, and the emerging threats of OS X and mobile malware. In his personal time, Patrick collects OS X malware and writes free OS X security tools. Both can be found on his website; www.Objective-See.com

Twitter: @patrickwardle