Index of DEF CON 25 Activities


Venue Maps
Locations Legends and Info
Schedule   - Thursday  - Friday  - Saturday  - Sunday
Speaker List
Talk Title List
Talk Descriptions
DEF CON News
DEF CON 25 FAQ
DEF CON FAQ
Links to DEF CON 25 related pages


Venue Maps




Locations Legends and Info



BHV = Bio Hacking Village
     Promenade Level - Pisa room

CHV = Car Hacking Village
     Pool Level - Main Contest Area - down the esclators from Promenade South

CPV = Crypto Privacy Village
     Promenade Level - Florentine BR III

DC = DEF CON
     Emperor's Level - Track 1/101
     Emperor's Level - Track 2
     Promenade South - Track 3
     Promenade South - Track 4

DL = DemoLabs
     Promenade Level - Roman BR I & II

HHV = Hardware Hacking Village
     Pool Level - Main Contest Area - down the esclators from Promenade South

ICS = ICS Village (Industrial Control Systems)
     Pool Level - Main Contest Area - down the esclators from Promenade South

IOT = IOT Village (InternetOfThings)
     Pool Level - Main Contest Area - down the esclators from Promenade South

RCV = Reconnaissance Village
     Promenade Level - Palermo

SEV = Social Engineering
     Emperor's Level - Emperors Ballroom II

SKY = Skytalks
     Promenade Level - Verona/Tuin/Trevi

VMHV = Voting Machine Hacking Village
     Promenade Level - Roman 1

PHV, PHW = Wall of Sheep / Packet Hacking Village and Workshops
     Promenade Level - Neopolitan Ballroom & Milano VIII ( right behind the Vender Area )

WS = Workshops
     Octavius BR 1 = Promenade South
     Octavius BR 2 = Promenade South
     Octavius BR 3 = Promenade South
     Octavius BR 4 = Promenade South
     Octavius BR 5 = Promenade South

WV = Wireless Village
     Promenade Level - Florentine BR I & II

Talk/Event Schedule


 

Thursday


This Schedule is tentative and may be changed at any time. Check at an Info Booth for the latest.

 

Thursday - 10:00


Return to Index  -  Locations Legend
DC - Track 1 - There's no place like 127.0.0.1 - Achieving reliable DNS rebinding in modern browsers - Luke Young
DC - Track 2 - Where are the SDN Security Talks? - Jon Medina
WS - Octavius 1 - (10:30-14:30) - A B C of Hunting - Julian Dana
WS - Octavius 4 - (10:30-14:30) - Attacking Active Directory and Advanced Methods of Defense - Adam Steed, Andrew Allen
WS - Octavius 5 - (10:30-14:30) - Building Application Security Automation with Python - Abhay Bhargav
WS - Octavius 6 - (10:30-14:30) - Introduction to Cryptographic Attacks - Matt Cheung
WS - Octavius 7 - (10:30-14:30) - Build your stack with Scapy, for fun and profit - stryngs, Jack64, zero-x

 

Thursday - 11:00


Return to Index  -  Locations Legend
DC - Track 1 - From Box to Backdoor: Using Old School Tools and Techniques to Discover Backdoors in Modern Devices - Patrick DeSantis
DC - Track 2 - Opt Out or Deauth Trying !- Anti-Tracking Bots Radios and Keystroke Injection - Weston Hecker
WS - Octavius 1 - cont...(10:30-14:30) - A B C of Hunting - Julian Dana
WS - Octavius 4 - cont...(10:30-14:30) - Attacking Active Directory and Advanced Methods of Defense - Adam Steed, Andrew Allen
WS - Octavius 5 - cont...(10:30-14:30) - Building Application Security Automation with Python - Abhay Bhargav
WS - Octavius 6 - cont...(10:30-14:30) - Introduction to Cryptographic Attacks - Matt Cheung
WS - Octavius 7 - cont...(10:30-14:30) - Build your stack with Scapy, for fun and profit - stryngs, Jack64, zero-x

 

Thursday - 12:00


Return to Index  -  Locations Legend
BillW - Office 4A on Promenade Level - Friends of Bill W -
DC - Track 1 - Porosity: A Decompiler For Blockchain-Based Smart Contracts Bytecode - Matt Suiche
DC - Track 2 - Jailbreaking Apple Watch - Max Bazaliy
WS - Octavius 1 - cont...(10:30-14:30) - A B C of Hunting - Julian Dana
WS - Octavius 4 - cont...(10:30-14:30) - Attacking Active Directory and Advanced Methods of Defense - Adam Steed, Andrew Allen
WS - Octavius 5 - cont...(10:30-14:30) - Building Application Security Automation with Python - Abhay Bhargav
WS - Octavius 6 - cont...(10:30-14:30) - Introduction to Cryptographic Attacks - Matt Cheung
WS - Octavius 7 - cont...(10:30-14:30) - Build your stack with Scapy, for fun and profit - stryngs, Jack64, zero-x

 

Thursday - 13:00


Return to Index  -  Locations Legend
DC - Track 1 - Amateur Digital Archeology - Matt 'openfly' Joyce
DC - Track 2 - Wiping out CSRF - Joe Rozner
WS - Octavius 1 - cont...(10:30-14:30) - A B C of Hunting - Julian Dana
WS - Octavius 4 - cont...(10:30-14:30) - Attacking Active Directory and Advanced Methods of Defense - Adam Steed, Andrew Allen
WS - Octavius 5 - cont...(10:30-14:30) - Building Application Security Automation with Python - Abhay Bhargav
WS - Octavius 6 - cont...(10:30-14:30) - Introduction to Cryptographic Attacks - Matt Cheung
WS - Octavius 7 - cont...(10:30-14:30) - Build your stack with Scapy, for fun and profit - stryngs, Jack64, zero-x

 

Thursday - 14:00


Return to Index  -  Locations Legend
DC - Track 1 - Hacking the Cloud - Gerald Steere, Sean Metcalf
DC - Track 2 - See no evil, hear no evil: Hacking invisibly and silently with light and sound - Matt Wixey
WS - Octavius 1 - cont...(10:30-14:30) - A B C of Hunting - Julian Dana
WS - Octavius 1 - (14:30-18:30) - Malware Triage: Malscripts Are The New Exploit Kit - Sergei Frankoff, Sean Wilson
WS - Octavius 4 - cont...(10:30-14:30) - Attacking Active Directory and Advanced Methods of Defense - Adam Steed, Andrew Allen
WS - Octavius 4 - (14:30-18:30) - Brainwashing Embedded Systems - Craig Young, Lane Thames, Jiva
WS - Octavius 5 - cont...(10:30-14:30) - Building Application Security Automation with Python - Abhay Bhargav
WS - Octavius 5 - (14:30-18:30) - Attacking and Defending 802.11ac Networks - Vivek Ramachandran, Thomas d'Otreppe
WS - Octavius 6 - cont...(10:30-14:30) - Introduction to Cryptographic Attacks - Matt Cheung
WS - Octavius 6 - (14:30-18:30) - Introduction to Practical Network Signature Development for Open Source IDS - Jack Mott, Jason Williams
WS - Octavius 7 - cont...(10:30-14:30) - Build your stack with Scapy, for fun and profit - stryngs, Jack64, zero-x
WS - Octavius 7 - (14:30-18:30) - SDR Crash Course: Hacking your way to fun and profit - Neel Pandeya, Nate Temple

 

Thursday - 15:00


Return to Index  -  Locations Legend
DC - Track 1 - Inside the "Meet Desai" Attack: Defending Distributed Targets from Distributed Attacks - CINCVolFLT (Trey Forgety)
DC - Track 2 - Real-time RFID Cloning in the Field - Dennis Maldonado
DC - Track 2 - (15:20-15:40) - Exploiting 0ld Mag-stripe information with New technology - Salvador Mendoza
WS - Octavius 1 - cont...(14:30-18:30) - Malware Triage: Malscripts Are The New Exploit Kit - Sergei Frankoff, Sean Wilson
WS - Octavius 4 - cont...(14:30-18:30) - Brainwashing Embedded Systems - Craig Young, Lane Thames, Jiva
WS - Octavius 5 - cont...(14:30-18:30) - Attacking and Defending 802.11ac Networks - Vivek Ramachandran, Thomas d'Otreppe
WS - Octavius 6 - cont...(14:30-18:30) - Introduction to Practical Network Signature Development for Open Source IDS - Jack Mott, Jason Williams
WS - Octavius 7 - cont...(14:30-18:30) - SDR Crash Course: Hacking your way to fun and profit - Neel Pandeya, Nate Temple

 

Thursday - 16:00


Return to Index  -  Locations Legend
DC - Track 1 - DEF CON 101 Panel - HighWiz, Malware Unicorn, Niki7a, Roamer, Wiseacre, Shaggy
DC - Track 2 - The Last CTF Talk You'll Ever Need: AMA with 20 years of DEF CON Capture-the-Flag organizers - Vulc@n, Hawaii John, Chris Eagle, Invisigoth, Caezar, Myles
Night Life - Sunset Park Pavilion F - DEFCON Toxic BBQ -
WS - Octavius 1 - cont...(14:30-18:30) - Malware Triage: Malscripts Are The New Exploit Kit - Sergei Frankoff, Sean Wilson
WS - Octavius 4 - cont...(14:30-18:30) - Brainwashing Embedded Systems - Craig Young, Lane Thames, Jiva
WS - Octavius 5 - cont...(14:30-18:30) - Attacking and Defending 802.11ac Networks - Vivek Ramachandran, Thomas d'Otreppe
WS - Octavius 6 - cont...(14:30-18:30) - Introduction to Practical Network Signature Development for Open Source IDS - Jack Mott, Jason Williams
WS - Octavius 7 - cont...(14:30-18:30) - SDR Crash Course: Hacking your way to fun and profit - Neel Pandeya, Nate Temple

 

Thursday - 17:00


Return to Index  -  Locations Legend
BillW - Office 4A on Promenade Level - Friends of Bill W -
DC - Track 1 - cont...(16:00-17:45) - DEF CON 101 Panel - HighWiz, Malware Unicorn, Niki7a, Roamer, Wiseacre, Shaggy
DC - Track 2 - cont...(16:00-17:45) - The Last CTF Talk You'll Ever Need: AMA with 20 years of DEF CON Capture-the-Flag organizers - Vulc@n, Hawaii John, Chris Eagle, Invisigoth, Caezar, Myles
Night Life - Sunset Park Pavilion F - cont...(16:00-22:00) - DEFCON Toxic BBQ -
WS - Octavius 1 - cont...(14:30-18:30) - Malware Triage: Malscripts Are The New Exploit Kit - Sergei Frankoff, Sean Wilson
WS - Octavius 4 - cont...(14:30-18:30) - Brainwashing Embedded Systems - Craig Young, Lane Thames, Jiva
WS - Octavius 5 - cont...(14:30-18:30) - Attacking and Defending 802.11ac Networks - Vivek Ramachandran, Thomas d'Otreppe
WS - Octavius 6 - cont...(14:30-18:30) - Introduction to Practical Network Signature Development for Open Source IDS - Jack Mott, Jason Williams
WS - Octavius 7 - cont...(14:30-18:30) - SDR Crash Course: Hacking your way to fun and profit - Neel Pandeya, Nate Temple

 

Thursday - 18:00


Return to Index  -  Locations Legend
Night Life - Sunset Park Pavilion F - cont...(16:00-22:00) - DEFCON Toxic BBQ -
Night Life - Track 4 - (18:30-20:30) - n00b Party hosted by Duo Security. - Duo Security
WS - Octavius 1 - cont...(14:30-18:30) - Malware Triage: Malscripts Are The New Exploit Kit - Sergei Frankoff, Sean Wilson
WS - Octavius 4 - cont...(14:30-18:30) - Brainwashing Embedded Systems - Craig Young, Lane Thames, Jiva
WS - Octavius 5 - cont...(14:30-18:30) - Attacking and Defending 802.11ac Networks - Vivek Ramachandran, Thomas d'Otreppe
WS - Octavius 6 - cont...(14:30-18:30) - Introduction to Practical Network Signature Development for Open Source IDS - Jack Mott, Jason Williams
WS - Octavius 7 - cont...(14:30-18:30) - SDR Crash Course: Hacking your way to fun and profit - Neel Pandeya, Nate Temple

 

Thursday - 19:00


Return to Index  -  Locations Legend
Night Life - Sunset Park Pavilion F - cont...(16:00-22:00) - DEFCON Toxic BBQ -
Night Life - Track 4 - cont...(18:30-20:30) - n00b Party hosted by Duo Security. - Duo Security

 

Thursday - 20:00


Return to Index  -  Locations Legend
Night Life - Sunset Park Pavilion F - cont...(16:00-22:00) - DEFCON Toxic BBQ -
Night Life - Track 3 - (20:30-24:00) - DEF CON Movie Night -
Night Life - Track 4 - cont...(18:30-20:30) - n00b Party hosted by Duo Security. - Duo Security

 

Thursday - 21:00


Return to Index  -  Locations Legend
Night Life - Sunset Park Pavilion F - cont...(16:00-22:00) - DEFCON Toxic BBQ -
Night Life - Track 1 - Official DEF CON Welcome Party -
Night Life - Track 1 & Chillout lounges - Official Entertainment: DJDEAD -
Night Life - Track 3 - cont...(20:30-24:00) - DEF CON Movie Night

 

Thursday - 22:00


Return to Index  -  Locations Legend
Night Life - Track 1 - cont...(21:00-27:00) - Official DEF CON Welcome Party
Night Life - Track 1 & Chillout lounges - Official Entertainment: SKITTISH AND BUS -
Night Life - Track 3 - cont...(20:30-24:00) - DEF CON Movie Night

 

Thursday - 23:00


Return to Index  -  Locations Legend
Night Life - Track 1 - cont...(21:00-27:00) - Official DEF CON Welcome Party
Night Life - Track 1 & Chillout lounges - Official Entertainment: ACID T -
Night Life - Track 3 - cont...(20:30-24:00) - DEF CON Movie Night

 

Thursday - 24:00


Return to Index  -  Locations Legend
Night Life - Track 1 - cont...(21:00-27:00) - Official DEF CON Welcome Party
Night Life - Track 1 & Chillout lounges - Official Entertainment: REID SPEED -

 

Thursday - 25:00


Return to Index  -  Locations Legend
Night Life - Track 1 - cont...(21:00-27:00) - Official DEF CON Welcome Party
Night Life - Track 1 & Chillout lounges - Official Entertainment: NINJULA -

 

Thursday - 26:00


Return to Index  -  Locations Legend
Night Life - Track 1 - cont...(21:00-27:00) - Official DEF CON Welcome Party
Night Life - Track 1 & Chillout lounges - Official Entertainment: SCOTCH AND BUBBLES -

 

Friday


This Schedule is tentative and may be changed at any time. Check at an Info Booth for the latest.

 

Friday - 09:00


Return to Index  -  Locations Legend
SKY - Verona/Tuin/Trevi - Promenade Level - (09:30-09:59) - One-click Browser Defense - Brandon Dixon

 

Friday - 10:00


Return to Index  -  Locations Legend
BHV - Pisa Room - Biohacking: The Moral Imperative to Build a Better You - Tim Cannon
BHV - Pisa Room - (10:30-10:59) - The Patient as CEO - Robin Farmanfarmaian
CHV - Village Talks Outside Contest Area, Pool Level - Attacking Wireless Interfaces in Vehicles - Justin Montalbano__Bryan Gillispie
CPV - Florentine Ballroom 4 - (10:30-11:00) - Hacking on Multiparty Computation - Matt Cheung
DC - Track 1 - macOS/iOS Kernel Debugging and Heap Feng Shui - Min(Spark) Zheng, Xiangyu Liu
DC - Track 1 - (10:20-10:40) - Offensive Malware Analysis: Dissecting OSX/FruitFly via a Custom C&C Server - Patrick Wardle
DC - Track 2 - Welcome to DEF CON 25 - The Dark Tangent
DC - Track 2 - (10:20-10:40) - Hacking travel routers like it's 1999 - Mikhail Sosonkin
DC - Track 3 - The Brain's Last Stand - Garry Kasparov
DC - Track 4 - Secret Tools: Learning about Government Surveillance Software You Can't Ever See - Peyton "Foofus" Engel
DC - Track 4 - (10:20-11:35) - Panel: Meet The Feds - Andrea Matwyshyn, Terrell McSweeny, Dr. Suzanne Schwartz, Leonard Bailey, Lisa Wiswell
ICS - ICS-Village - (10:30-10:45) - Welcome to the ICS Village - Larry Vandenaweele
IOT - Main Contest Area - Inside the Alaris Infusion Pump, not too much medication por favor! - Dan Regalado @Danuxx
PHV - Milano VIII - Promenade Level - How Hackers Changed The Security Industry - Chris Wysopal
SKY - Verona/Tuin/Trevi - Promenade Level - Financial Crime 2.0 - Marcelo Mansur
VMHV - Roman 1, Promenade Level - Verified Voting - Barbara Simons, David Jefferson
WS - Octavius 1 - (10:30-14:30) - Linux Lockdown: ModSecurity and AppArmor - Jay Beale
WS - Octavius 4 - (10:30-14:30) - Scanning the Airwaves: building a cheap trunked radio/pager scanning system - Richard Henderson, Bryan Passifiume
WS - Octavius 5 - (10:30-14:30) - Introduction to x86 disassembly - DazzleCatDuo
WS - Octavius 6 - (10:30-14:30) - Mobile App Attack 2.0 - Sneha Rajguru
WS - Octavius 7 - (10:30-14:30) - Applied Physical Attacks on Embedded Systems, Introductory Version - Joe FitzPatrick, Syler Clayton, Chris Castellano

 

Friday - 11:00


Return to Index  -  Locations Legend
BHV - Pisa Room - Psychoactive Chemicals in Combat - Amanda Plimpton/Evan Anderson
BHV - Pisa Room - (11:30-11:59) - My dog is a hacker and will steal your data! - Rafael Fontes Souza
CPV - Florentine Ballroom 3 - (11:30-12:00) - WS: Mansion Apartment Shack House: How To Explain Crypto To Practically Anyone - Tarah Wheeler
CPV - Florentine Ballroom 4 - SHA-3 vs the world - David Wong
DC - Track 1 - Rage Against the Weaponized AI Propaganda Machine - Suggy (AKA Chris Sumner)
DC - Track 2 - Weaponizing the BBC Micro:Bit - Damien "virtualabs" Cauquil
DC - Track 3 - Hacking Smart Contracts - Konstantinos Karagiannis
DC - Track 4 - cont...(10:20-11:35) - Panel: Meet The Feds - Andrea Matwyshyn, Terrell McSweeny, Dr. Suzanne Schwartz, Leonard Bailey, Lisa Wiswell
HHV - Main Contest Area, Pool Level - Workshop: Component Desoldering and Recovery -
ICS - Calibria - Fun with Modbus function code 90. - Arnaud Soullie
ICS - ICS-Village - (11:30-11:59) - Introduction to the ICS Wall - Tom Van Norman
PHV - Milano VIII - Promenade Level - When the Current Ransomware and Payload of the Day (CRAP of the day) Hits the Fan: Breaking the Bad News - Catherine J. Ullman, Chris Roberts
PHW - Neopolitan BR IV - Promenade Level - An Intro to Hunting with Splunk - Splunk
SKY - Verona/Tuin/Trevi - Promenade Level - Neutrality? We don't need no stinkin' Neutrality - Munin
VMHV - Roman 1, Promenade Level - Introduction into hacking the equipment in the village. - Sandy Clark, Harri Hurst, Matt Blaze
WV - Florentine BR I & II - Promenade Level - (11:30-11:55) - Automating Physical Home Security Through Hacking - Eric Escobar
WS - Octavius 1 - cont...(10:30-14:30) - Linux Lockdown: ModSecurity and AppArmor - Jay Beale
WS - Octavius 4 - cont...(10:30-14:30) - Scanning the Airwaves: building a cheap trunked radio/pager scanning system - Richard Henderson, Bryan Passifiume
WS - Octavius 5 - cont...(10:30-14:30) - Introduction to x86 disassembly - DazzleCatDuo
WS - Octavius 6 - cont...(10:30-14:30) - Mobile App Attack 2.0 - Sneha Rajguru
WS - Octavius 7 - cont...(10:30-14:30) - Applied Physical Attacks on Embedded Systems, Introductory Version - Joe FitzPatrick, Syler Clayton, Chris Castellano

 

Friday - 12:00


Return to Index  -  Locations Legend
BHV - Pisa Room - The Bitcoin DNA Challenge - Keoni Gandall
BillW - Office 4A on Promenade Level - Friends of Bill W -
CHV - Village Talks Outside Contest Area, Pool Level - Autosar SecOC – Secure On-Board Comms - Jeff Quesnelle
CPV - Florentine Ballroom 3 - WS: Breaking the Uber Badge Ciphers - Kevin Hulin
CPV - Florentine Ballroom 4 - Alice and Bob are Slightly Less Confused - David Huerta
DC - Track 1 - CITL and the Digital Standard - A Year Later - Sarah Zatko
DC - Track 2 - Open Source Safe Cracking Robots - Combinations Under 1 Hour! (Is it bait? Damn straight it is.) - Nathan Seidle
DC - Track 3 - A New Era of SSRF - Exploiting URL Parser in Trending Programming Languages! - Orange Tsai
DC - Track 4 - Hacking Democracy: A Socratic Dialogue - Mr. Sean Kanuck
PHV - Milano VIII - Promenade Level - Iron Sights for Your Data - Leah Figueroa
PHW - Neopolitan BR IV - Promenade Level - cont...(11:00-12:30) - An Intro to Hunting with Splunk - Splunk
SKY - Verona/Tuin/Trevi - Promenade Level - Gun control - You can’t put the Genie back into its bottle - Michael E. Taylor, Attorney at Law
VMHV - Roman 1, Promenade Level - Session on legal considerations of hacking election machines. - Joseph Hall, Candice Hoke
WV - Florentine BR I & II - Promenade Level - Hacking Some More of The Wireless World - Balint Seeber
WS - Octavius 1 - cont...(10:30-14:30) - Linux Lockdown: ModSecurity and AppArmor - Jay Beale
WS - Octavius 4 - cont...(10:30-14:30) - Scanning the Airwaves: building a cheap trunked radio/pager scanning system - Richard Henderson, Bryan Passifiume
WS - Octavius 5 - cont...(10:30-14:30) - Introduction to x86 disassembly - DazzleCatDuo
WS - Octavius 6 - cont...(10:30-14:30) - Mobile App Attack 2.0 - Sneha Rajguru
WS - Octavius 7 - cont...(10:30-14:30) - Applied Physical Attacks on Embedded Systems, Introductory Version - Joe FitzPatrick, Syler Clayton, Chris Castellano

 

Friday - 13:00


Return to Index  -  Locations Legend
BHV - Pisa Room - Tales from a healthcare hacker - Kevin Sacco
BHV - Pisa Room - (13:30-13:59) - Implants: Show and Tell - c00p3r
CHV - Village Talks Outside Contest Area, Pool Level - (13:30-14:30) - Grand Theft Radio (Stopping SDR Relay Attacks on PKES) - Weston Hecker
CPV - Florentine Ballroom 3 - WS: FeatherDuster and Cryptanalib workshop - Daniel Crowley
CPV - Florentine Ballroom 4 - Protecting Users' Privacy in a Location-Critical Enterprise: The Challenges of 9-1-1 Location - Trey Forgety
DC - Track 1 - Controlling IoT devices with crafted radio signals - Caleb Madrigal
DC - Track 2 - Teaching Old Shellcode New Tricks - Josh Pitts
DC - Track 3 - Starting the Avalanche: Application DoS In Microservice Architectures - Scott Behrens, Jeremy Heffner
DC - Track 4 - Next-Generation Tor Onion Services - Roger Dingledine
HHV - Main Contest Area, Pool Level - Robo-Sumo -
ICS - Calibria - What's the DFIRence for ICS? - Chris Sistrunk
IOT - Main Contest Area - Hide Yo Keys, Hide Yo Car - Remotely Exploiting Connected Vehicle APIs and Apps - Aaron Guzman @scriptingxss
PHV - Milano VIII - Promenade Level - CVE IDs and How to Get Them - Daniel Adinolfi, Anthony Singleton
PHW - Neopolitan BR IV - Promenade Level - Reverse Engineering Malware 101 - Malware Unicorn
SKY - Verona/Tuin/Trevi - Promenade Level - From OPSUCK to OPSEXY: An OPSEC Primer - H0m3l3ss, Steve Pordon, and minion
VMHV - Roman 1, Promenade Level - Brief history of election machine hacking and lessons learned so far and why it is hard to tell the difference between incompetence and malice. - Harri Hurst
WV - Florentine BR I & II - Promenade Level - cont...(12:00-13:25) - Hacking Some More of The Wireless World - Balint Seeber
WV - Florentine BR I & II - Promenade Level - (13:30-13:55) - Wireless Threat Modeling and Monitoring - WiNT - BASIM ALTINOK
WS - Octavius 1 - cont...(10:30-14:30) - Linux Lockdown: ModSecurity and AppArmor - Jay Beale
WS - Octavius 4 - cont...(10:30-14:30) - Scanning the Airwaves: building a cheap trunked radio/pager scanning system - Richard Henderson, Bryan Passifiume
WS - Octavius 5 - cont...(10:30-14:30) - Introduction to x86 disassembly - DazzleCatDuo
WS - Octavius 6 - cont...(10:30-14:30) - Mobile App Attack 2.0 - Sneha Rajguru
WS - Octavius 7 - cont...(10:30-14:30) - Applied Physical Attacks on Embedded Systems, Introductory Version - Joe FitzPatrick, Syler Clayton, Chris Castellano

 

Friday - 14:00


Return to Index  -  Locations Legend
BHV - Pisa Room - Sensory Augmentation 101 - Trevor Goodman
BHV - Pisa Room - (14:30-14:59) - Health as a service... - Julian Dana
CHV - Village Talks Outside Contest Area, Pool Level - cont...(13:30-14:30) - Grand Theft Radio (Stopping SDR Relay Attacks on PKES) - Weston Hecker
CHV - Village Talks Outside Contest Area, Pool Level - (14:30-15:30) - Abusing Smart Cars with QR codes - Vlad Gostomelsky
CPV - Florentine Ballroom 4 - Breaking TLS: A Year in Incremental Privacy Improvements - Andrew Brandt
DC - Track 1 - Using GPS Spoofing to control time - David "Karit" Robinson
DC - Track 2 - Death By 1000 Installers; on macOS, it's all broken! - Patrick Wardle
DC - Track 3 - Breaking the x86 Instruction Set - Christopher Domas
DC - Track 4 - How we created the first SHA-1 collision and what it means for hash security - Elie Bursztein
HHV - Main Contest Area, Pool Level - cont...(13:00-15:00) - Robo-Sumo -
ICS - Octavius 6 - (14:30-18:30) - Industrial Control System Security 101 and 201- SOLD OUT - Matthew E. Luallen, Nadav Erez
IOT - Main Contest Area - (14:40-15:30) - Pwning the Industrial IoT: RCEs and backdoors are around! - Vladimir Dashchenko @raka_baraka & Sergey Temnikov
PHV - Milano VIII - Promenade Level - You're Going to Connect to the Wrong Domain - Sam Erb
PHV - Milano VIII - Promenade Level - (14:40-14:59) - XSS FTW - What Can Really Be Done With Cross-Site Scripting - Brute Logic
PHW - Neopolitan BR IV - Promenade Level - cont...(13:00-14:30) - Reverse Engineering Malware 101 - Malware Unicorn
RCV - Palermo room, Promenade level - (14:20-14:55) - It’s Going To Get Worse Before It Gets Better - The Future of Recon Data Mining - Shane McDougal
RCV - Palermo room, Promenade level - (14:55-15:40) - An Introduction to Graph Theory for OSINT - Andrew Hay
SKY - Verona/Tuin/Trevi - Promenade Level - Advanced DNS Exfil - Nolan and Cory
VMHV - Roman 1, Promenade Level - What are the national security implications of cyber attacks on our voting systems? What are the motivations of our adversaries, and how should the U.S. respond to the threat? - General Douglas Lute
WS - Octavius 1 - cont...(10:30-14:30) - Linux Lockdown: ModSecurity and AppArmor - Jay Beale
WS - Octavius 1 - (14:30-18:30) - Penetration Testing in Hostile Environments: Client & Tester Security - Wesley McGrew, Brad Pierce
WS - Octavius 4 - cont...(10:30-14:30) - Scanning the Airwaves: building a cheap trunked radio/pager scanning system - Richard Henderson, Bryan Passifiume
WS - Octavius 4 - (14:30-18:30) - Windows - The Undiscovered country - Chuck Easttom
WS - Octavius 5 - cont...(10:30-14:30) - Introduction to x86 disassembly - DazzleCatDuo
WS - Octavius 5 - (14:30-18:30) - Subverting Privacy Exploitation Using HTTP - Eijah
WS - Octavius 6 - cont...(10:30-14:30) - Mobile App Attack 2.0 - Sneha Rajguru
WS - Octavius 6 - (14:30-18:30) - Industrial Control System Security 101 and 201 - Matthew E. Luallen, Nadav Erez
WS - Octavius 7 - cont...(10:30-14:30) - Applied Physical Attacks on Embedded Systems, Introductory Version - Joe FitzPatrick, Syler Clayton, Chris Castellano
WS - Octavius 7 - (14:30-18:30) - Advanced Wireless Attacks Against Enterprise Networks - Gabriel Ryan

 

Friday - 15:00


Return to Index  -  Locations Legend
BHV - Pisa Room - Computational Chemistry on a Budget - Mr. Br!ml3y
BHV - Pisa Room - (15:30-15:59) - Trigraph: An Ethereum-based Teleradiology Application - Ryan Schmoll and Peter Hefley
CHV - Village Talks Outside Contest Area, Pool Level - cont...(14:30-15:30) - Abusing Smart Cars with QR codes - Vlad Gostomelsky
CPV - Florentine Ballroom 3 - WS: NoiseSocket: Extending Noise to Make Every TCP Connection Secure - Dmitry Dain, Alexey Ermishkin
CPV - Florentine Ballroom 4 - A New Political Era: Time to start wearing tin-foil hats following the 2016 elections? - Joel Wallenstrom, Robby Mook
DC - Track 1 - Assembly Language is Too High Level - XlogicX
DC - Track 2 - Phone system testing and other fun tricks - "Snide" Owen
DC - Track 3 - Dark Data - Svea Eckert, Andreas Dewes
DC - Track 4 - Abusing Certificate Transparency Logs - Hanno Böck
ICS - Calibria - (15:30-15:59) - How to create dark buildings with light speed. - Thomas Brandstetter
ICS - Octavius 6 - cont...(14:30-18:30) - Industrial Control System Security 101 and 201- SOLD OUT - Matthew E. Luallen, Nadav Erez
IOT - Main Contest Area - cont...(14:40-15:30) - Pwning the Industrial IoT: RCEs and backdoors are around! - Vladimir Dashchenko @raka_baraka & Sergey Temnikov
Night Life - The Nobu Hotel in Caesars Palace - Women, Wisdom & Wine - IOActive
PHV - Milano VIII - Promenade Level - IP Spoofing - Marek Majkowski
PHW - Neopolitan BR IV - Promenade Level - Serious Intro to Python for Admins - Davin Potts
RCV - Palermo room, Promenade level - cont...(14:55-15:40) - An Introduction to Graph Theory for OSINT - Andrew Hay
RCV - Palermo room, Promenade level - (15:40-16:25) - Into the Bird’s Nest: A Comprehensive Look at Twitter as a Research Tool - Tracy Z. Maleeff
SKY - Verona/Tuin/Trevi - Promenade Level - Death Numbers in Surgical room, Attacking Anesthesia Equipment. - Michael Hudson
VMHV - Roman 1, Promenade Level - Common misconceptions and false parallels about voting technology. We can do online banking and use ATMs, why can’t we vote on touch screens or online? - Joseph Hall
WV - Florentine BR I & II - Promenade Level - Deceptacon: Wi-Fi Deception in under $5 - Vivek Ramachandran and Nishant Sharma and Ashish Bangale
WS - Octavius 1 - cont...(14:30-18:30) - Penetration Testing in Hostile Environments: Client & Tester Security - Wesley McGrew, Brad Pierce
WS - Octavius 4 - cont...(14:30-18:30) - Windows - The Undiscovered country - Chuck Easttom
WS - Octavius 5 - cont...(14:30-18:30) - Subverting Privacy Exploitation Using HTTP - Eijah
WS - Octavius 6 - cont...(14:30-18:30) - Industrial Control System Security 101 and 201 - Matthew E. Luallen, Nadav Erez
WS - Octavius 7 - cont...(14:30-18:30) - Advanced Wireless Attacks Against Enterprise Networks - Gabriel Ryan

 

Friday - 16:00


Return to Index  -  Locations Legend
BHV - Pisa Room - Blockchain's Role in the Disruption of the Medical Industry - John Bass
BHV - Pisa Room - (16:30-16:59) - Neurogenic Peptides: Smart Drugs 4-Minute Mile - Gingerbread
CHV - Village Talks Outside Contest Area, Pool Level - DefCon Unofficial Badges Panel - #BadgeLife Badge Makers
CPV - Florentine Ballroom 3 - Underhanded Crypto Announcement
CPV - Florentine Ballroom 4 - Security Analysis of the Telegram IM - Tomas Susanka
CPV - Florentine Ballroom 4 - (16:30-17:30) - Cryptanalysis in the Time of Ransomware - Mark Mager
DC - Track 1 - Radio Exploitation 101: Characterizing, Contextualizing, and Applying Wireless Attack Methods - Matt Knight, Marc Newlin
DC - Track 2 - The Adventures of AV and the Leaky Sandbox - Itzik Kotler, Amit Klein
DC - Track 3 - An ACE Up the Sleeve: Designing Active Directory DACL Backdoors - Andy Robbins, Will Schroeder
DC - Track 4 - "Tick, Tick, Tick. Boom! You're Dead." — Tech & the FTC - Whitney Merrill, Terrell McSweeny
HHV - Main Contest Area, Pool Level - Workshop: Component Desoldering and Recovery -
ICS - Octavius 6 - cont...(14:30-18:30) - Industrial Control System Security 101 and 201- SOLD OUT - Matthew E. Luallen, Nadav Erez
IOT - Main Contest Area - IoT - the gift that keeps on giving - Alex "Jay" Balan @Jaymzu
Night Life - The Nobu Hotel in Caesars Palace - cont...(15:00-17:00) - Women, Wisdom & Wine - IOActive
PHV - Milano VIII - Promenade Level - Layer 8 and Why People are the Most Important Security Tool - Damon Small
PHW - Neopolitan BR IV - Promenade Level - cont...(15:00-16:30) - Serious Intro to Python for Admins - Davin Potts
RCV - Palermo room, Promenade level - cont...(15:40-16:25) - Into the Bird’s Nest: A Comprehensive Look at Twitter as a Research Tool - Tracy Z. Maleeff
RCV - Palermo room, Promenade level - (16:25-16:45) - Up close and personal - Keeping an eye on mobile applications - Mikhail Sosonkin
SEV - Emperors BR II - Thematic Social Engineering - Robert Wood
SEV - Emperors BR II - (16:55-17:25) - Beyond Phishing - Building and Sustaining a Corporate SE Program - Fahey Owens
SKY - Verona/Tuin/Trevi - Promenade Level - All The Sales President's Men - Patrick McNeil
VMHV - Roman 1, Promenade Level - How did we get here: A history of voting technology, hanging chads, and the Help America Vote Act. This segment will feature a punch card machine and demo what can go wrong with it. - Matt Blaze
WV - Florentine BR I & II - Promenade Level - Designing an Automatic Gain Control - Robert Ghilduta
WS - Octavius 1 - cont...(14:30-18:30) - Penetration Testing in Hostile Environments: Client & Tester Security - Wesley McGrew, Brad Pierce
WS - Octavius 4 - cont...(14:30-18:30) - Windows - The Undiscovered country - Chuck Easttom
WS - Octavius 5 - cont...(14:30-18:30) - Subverting Privacy Exploitation Using HTTP - Eijah
WS - Octavius 6 - cont...(14:30-18:30) - Industrial Control System Security 101 and 201 - Matthew E. Luallen, Nadav Erez
WS - Octavius 7 - cont...(14:30-18:30) - Advanced Wireless Attacks Against Enterprise Networks - Gabriel Ryan

 

Friday - 17:00


Return to Index  -  Locations Legend
BHV - Pisa Room - Creating Human 2.0: Three Case Studies from the Edges of Brain Rewiring Science - David Bach
BHV - Pisa Room - (17:30-17:59) - Human-Human Interface - Charles Tritt
BillW - Office 4A on Promenade Level - Friends of Bill W -
CHV - Village Talks Outside Contest Area, Pool Level - Turbo Talks – Getting Started With CarHacking, k-Line Hacking - Jerry Gamblin
CPV - Florentine Ballroom 3 - WS: Supersingular Isogeny Diffie-Hellman - Deirdre Connolly
CPV - Florentine Ballroom 4 - cont...(16:30-17:30) - Cryptanalysis in the Time of Ransomware - Mark Mager
CPV - Florentine Ballroom 4 - (17:30-18:30) - Unfairplay (NOT RECORDED) - [anonymous panel]
DC - Track 1 - Cisco Catalyst Exploitation - Artem Kondratenko
DC - Track 2 - Panel: DEF CON Groups - Jeff Moss (Dark Tangent), Waz, Brent White (B1TKILL3R), Jayson E. Street, Grifter, Jun Li, S0ups, Major Malfunction
DC - Track 3 - MEATPISTOL, A Modular Malware Implant Framework - FuzzyNop (Josh Schwartz), ceyx (John Cramb)
DC - Track 4 - The Internet Already Knows I'm Pregnant - Cooper Quintin, Kashmir Hill
ICS - Octavius 6 - cont...(14:30-18:30) - Industrial Control System Security 101 and 201- SOLD OUT - Matthew E. Luallen, Nadav Erez
IOT - Main Contest Area - (17:40-18:30) - 101 hardware hacking workshop - Ken Munro @TheKenMunroShow
PHV - Milano VIII - Promenade Level - AWS Persistence and Lateral Movement Techniques - Peter Ewane
PHW - Neopolitan BR IV - Promenade Level - Jailing Programs with Linux Containers - Jay Beale
RCV - Palermo room, Promenade level - Using phonetic algorithms to increase your search space and detect misspellings. - Alex Kahan
RCV - Palermo room, Promenade level - (17:25-17:59) - Attack Surface Discovery with Intrigue - Jcran
SEV - Emperors BR II - cont...(16:55-17:25) - Beyond Phishing - Building and Sustaining a Corporate SE Program - Fahey Owens
SEV - Emperors BR II - (17:30-18:20) - SE vs Predator: Using Social Engineering in ways I never thought… - Chris Hadnagy
SKY - Verona/Tuin/Trevi - Promenade Level - Child Abuse Material, Current Issues Trends & Technologies - @h0tdish and @mickmoran
VMHV - Roman 1, Promenade Level - Panel: Securing the Election Office: A Local Response to a Global Threat - Erik Kamerling, Tim Blute, Noah Praetz
WV - Florentine BR I & II - Promenade Level - Failsafe: Yet Another SimplySafe Attack Vector - Nick 'r@ndom' Delewski
WS - Octavius 1 - cont...(14:30-18:30) - Penetration Testing in Hostile Environments: Client & Tester Security - Wesley McGrew, Brad Pierce
WS - Octavius 4 - cont...(14:30-18:30) - Windows - The Undiscovered country - Chuck Easttom
WS - Octavius 5 - cont...(14:30-18:30) - Subverting Privacy Exploitation Using HTTP - Eijah
WS - Octavius 6 - cont...(14:30-18:30) - Industrial Control System Security 101 and 201 - Matthew E. Luallen, Nadav Erez
WS - Octavius 7 - cont...(14:30-18:30) - Advanced Wireless Attacks Against Enterprise Networks - Gabriel Ryan

 

Friday - 18:00


Return to Index  -  Locations Legend
BHV - Pisa Room - tDCS workshop - Darren and Jen
CPV - Florentine Ballroom 4 - cont...(17:30-18:30) - Unfairplay (NOT RECORDED) - [anonymous panel]
ICS - Octavius 6 - cont...(14:30-18:30) - Industrial Control System Security 101 and 201- SOLD OUT - Matthew E. Luallen, Nadav Erez
IOT - Main Contest Area - cont...(17:40-18:30) - 101 hardware hacking workshop - Ken Munro @TheKenMunroShow
Night Life - Chillout Lounge, Roman 3, Promenade Level - "DCG" Mixer -
Night Life - Lobby Bar - DEFCON 25 Meetup for /r/Defcon -
PHV - Milano VIII - Promenade Level - Threat Intel for All: There's More to Your Data Than Meets the Eye - Cheryl Biswas
PHW - Neopolitan BR IV - Promenade Level - cont...(17:00-18:30) - Jailing Programs with Linux Containers - Jay Beale
RCV - Palermo room, Promenade level - Skip tracing for fun and profit - Rhett Greenhagen
SEV - Emperors BR II - cont...(17:30-18:20) - SE vs Predator: Using Social Engineering in ways I never thought… - Chris Hadnagy
SEV - Emperors BR II - (18:25-19:15) - Hackers gonna hack - But do they know why? - Helen Thackray
SKY - Verona/Tuin/Trevi - Promenade Level - Hacking the Law: A Call for Action – Bug Bounties Legal Terms as a Case Study - Amit Elazari
WV - Florentine BR I & II - Promenade Level - Reverse Engineering DSSS Extended Cut - Michael Ossmann
WS - Octavius 1 - cont...(14:30-18:30) - Penetration Testing in Hostile Environments: Client & Tester Security - Wesley McGrew, Brad Pierce
WS - Octavius 4 - cont...(14:30-18:30) - Windows - The Undiscovered country - Chuck Easttom
WS - Octavius 5 - cont...(14:30-18:30) - Subverting Privacy Exploitation Using HTTP - Eijah
WS - Octavius 6 - cont...(14:30-18:30) - Industrial Control System Security 101 and 201 - Matthew E. Luallen, Nadav Erez
WS - Octavius 7 - cont...(14:30-18:30) - Advanced Wireless Attacks Against Enterprise Networks - Gabriel Ryan

 

Friday - 19:00


Return to Index  -  Locations Legend
Night Life - Chillout Lounge, Roman 3, Promenade Level - cont...(18:00-20:00) - "DCG" Mixer
PHW - Neopolitan BR IV - Promenade Level - Introducing Mallet: An Intercepting Proxy for Arbitrary Protocols - SensePost
SEV - Emperors BR II - cont...(18:25-19:15) - Hackers gonna hack - But do they know why? - Helen Thackray
SEV - Emperors BR II - (19:15-20:05) - Skills For A Red-Teamer - Brent White & Tim Roberts

 

Friday - 20:00


Return to Index  -  Locations Legend
DC - Capri Room - Hacking Democracy - Mr. Sean Kanuck
DC - Modena - Horror stories of a translator and how a tweet can start a war with less than 140 characters - El Kentaro
DC - Trevi Room - Panel - An Evening with the EFF - Kurt Opsahl, Nate Cardozo, Eva Galperin, Shabid Buttar, Kit Walsh
Night Life - Roman 1, Promenade Level - Hacker Karaoke -
Night Life - Track 2 - Hacker Jeopardy -
Night Life - Track 3 - (20:30-24:00) - DEF CON Movie Night -
Night Life - Track 4 - Whose Slide is it anyway? -
PHW - Neopolitan BR IV - Promenade Level - cont...(19:00-20:30) - Introducing Mallet: An Intercepting Proxy for Arbitrary Protocols - SensePost
SEV - Emperors BR II - cont...(19:15-20:05) - Skills For A Red-Teamer - Brent White & Tim Roberts
SEV - Emperors BR II - Heavy Diving for Credentials: Towards an Anonymous Phishing - Yaiza Rubio & Felix Brezo

 

Friday - 21:00


Return to Index  -  Locations Legend
DC - Capri Room - cont...(20:00-21:59) - Hacking Democracy - Mr. Sean Kanuck
DC - Modena - cont...(20:00-21:59) - Horror stories of a translator and how a tweet can start a war with less than 140 characters - El Kentaro
DC - Trevi Room - cont...(20:00-21:59) - Panel - An Evening with the EFF - Kurt Opsahl, Nate Cardozo, Eva Galperin, Shabid Buttar, Kit Walsh
Night Life - Roman 1, Promenade Level - cont...(20:00-26:00) - Hacker Karaoke
Night Life - Track 1 & Chillout lounges - Official Entertainment: Richard Cheese -
Night Life - Track 2 - cont...(20:00-24:00) - Hacker Jeopardy
Night Life - Track 3 - cont...(20:30-24:00) - DEF CON Movie Night
Night Life - Track 4 - cont...(20:00-24:00) - Whose Slide is it anyway?
SEV - Emperors BR II - cont...(20:10-20:40) - Heavy Diving for Credentials: Towards an Anonymous Phishing - Yaiza Rubio & Felix Brezo

 

Friday - 22:00


Return to Index  -  Locations Legend
Night Life - Modena, Promenade level - Silent Disco : Party like a Hacker -
Night Life - Promenade level, in Skytalks room. - (22:30-27:00) - 303 Party - 303
Night Life - Roman 1, Promenade Level - cont...(20:00-26:00) - Hacker Karaoke
Night Life - Track 1 & Chillout lounges - cont...(21:00-22:30) - Official Entertainment: -
Night Life - Track 1 & Chillout lounges - (22:30-23:00) - Official Entertainment: DUALCORE -
Night Life - Track 3 - cont...(20:30-24:00) - DEF CON Movie Night
Night Life - Track 4 - cont...(20:00-24:00) - Whose Slide is it anyway?
Night Life - Turin, Promenade Level - INFOSEC UNLOCKED - INFOSEC UNLOCKED

 

Friday - 23:00


Return to Index  -  Locations Legend
IOT - Main Contest Area - (23:30-24:20) - IoT Village Keynote - Friends, Not Foes: Rethinking the Researcher-Vendor Relationship - Rick Ramgattie @RRamgattie
Night Life - Modena, Promenade level - cont...(22:00-27:00) - Silent Disco : Party like a Hacker
Night Life - Promenade level, in Skytalks room. - cont...(22:30-27:00) - 303 Party
Night Life - Roman 1, Promenade Level - cont...(20:00-26:00) - Hacker Karaoke
Night Life - Track 1 & Chillout lounges - Official Entertainment: MC FRONTALOT -
Night Life - Track 1 & Chillout lounges - (23:30-24:00) - Official Entertainment: YT CRACKER -
Night Life - Track 3 - cont...(20:30-24:00) - DEF CON Movie Night
Night Life - Track 4 - cont...(20:00-24:00) - Whose Slide is it anyway?
Night Life - Turin, Promenade Level - cont...(22:00-27:00) - INFOSEC UNLOCKED

 

Friday - 24:00


Return to Index  -  Locations Legend
IOT - Main Contest Area - cont...(23:30-24:20) - IoT Village Keynote - Friends, Not Foes: Rethinking the Researcher-Vendor Relationship - Rick Ramgattie @RRamgattie
Night Life - Modena, Promenade level - cont...(22:00-27:00) - Silent Disco : Party like a Hacker
Night Life - Promenade level, in Skytalks room. - cont...(22:30-27:00) - 303 Party
Night Life - Roman 1, Promenade Level - cont...(20:00-26:00) - Hacker Karaoke
Night Life - Track 1 & Chillout lounges - Official Entertainment: REEL BIG FISH -
Night Life - Turin, Promenade Level - cont...(22:00-27:00) - INFOSEC UNLOCKED

 

Friday - 25:00


Return to Index  -  Locations Legend
Night Life - Modena, Promenade level - cont...(22:00-27:00) - Silent Disco : Party like a Hacker
Night Life - Promenade level, in Skytalks room. - cont...(22:30-27:00) - 303 Party
Night Life - Roman 1, Promenade Level - cont...(20:00-26:00) - Hacker Karaoke
Night Life - Track 1 & Chillout lounges - cont...(24:00-25:30) - Official Entertainment:
Night Life - Track 1 & Chillout lounges - (25:30-26:00) - Official Entertainment: KRISZ KLINK -
Night Life - Turin, Promenade Level - cont...(22:00-27:00) - INFOSEC UNLOCKED

 

Friday - 26:00


Return to Index  -  Locations Legend
Night Life - Modena, Promenade level - cont...(22:00-27:00) - Silent Disco : Party like a Hacker
Night Life - Promenade level, in Skytalks room. - cont...(22:30-27:00) - 303 Party
Night Life - Turin, Promenade Level - cont...(22:00-27:00) - INFOSEC UNLOCKED

 

Saturday


This Schedule is tentative and may be changed at any time. Check at an Info Booth for the latest.

 

Saturday - 10:00


Return to Index  -  Locations Legend
BHV - Pisa Room - Total Recall: Implanting Passwords in Cognitive Memory - Tess Schrodinger
BHV - Pisa Room - (10:30-10:59) - Hacking the Second Genetic Code using Information Theory - Travis Lawrence
CPV - Florentine Ballroom 4 - (10:30-11:30) - The Surveillance Capitalism Will Continue Until Morale Improves - J0N J4RV1S
DC - Track 1 - Persisting with Microsoft Office: Abusing Extensibility Options - William Knowles
DC - Track 1 - (10:20-10:40) - Breaking Wind: Adventures in Hacking Wind Farm Control Networks - Jason Staggs
DC - Track 2 - $BIGNUM steps forward, $TRUMPNUM steps back: how can we tell if we're winning? - Cory Doctorow
DC - Track 3 - Get-$pwnd: Attacking Battle-Hardened Windows Server - Lee Holmes
DC - Track 3 - (10:20-10:40) - WSUSpendu: How to hang WSUS clients - Romain Coltel, Yves Le Provost
DC - Track 4 - The spear to break the security wall of S7CommPlus - Cheng, Zhang Yunhai
DC - Track 4 - (10:20-10:40) - (Un)Fucking Forensics: Active/Passive (i.e. Offensive/Defensive) memory hacking/debugging. - K2
DL - Table 1 - Fuzzapi - Abhijeth Dugginapeddi, Lalith Rallabhandi, Srinivas Rao
DL - Table 2 - GibberSense - Ajit Hatti
DL - Table 3 - Android Tamer - Anant Shrivastava
DL - Table 4 - WiFi Cactus - darkmatter
DL - Table 5 - Maltego "Have I been pwned?" - Christian Heinrich
DL - Table 6 - PIV OPACITY - Christopher Williams
ICS - Calibria - (10:30-10:59) - Dissecting industrial wireless implementations. - Blake Johnson
IOT - Main Contest Area - From DVR worms, to fridges, via dildos, the sins of the IoT in 50 minutes - Andrew Tierney @cybergibbons & Ken Munro @TheKenMunroShow
PHV - Milano VIII - Promenade Level - Make Your Own 802.11ac Monitoring Hacker Gadget - Vivek Ramachandran, Thomas d'Otreppe
PHW - Neopolitan BR IV - Promenade Level - The Kali Linux Dojo - Angela Could Have Done Better - Mati Aharoni
RCV - Palermo room, Promenade level - Burner Phone Challenge - Dakota Nelson
SKY - Verona/Tuin/Trevi - Promenade Level - Lessons From An Incident Responder AKA, Stories Of When Shit Goes Sideways - John Ives
WS - Octavius 1 - (10:30-14:30) - Practical BLE Exploitation for Internet of Things - Aditya Gupta, Dinesh Shetty
WS - Octavius 4 - (10:30-14:30) - UAC 0day, all day! - Ruben Boonen
WS - Octavius 5 - (10:30-14:30) - Edge cases in web hacking - John Poulin
WS - Octavius 6 - (10:30-14:30) - Free and Easy DFIR Triage for Everyone: From Collection to Analysis - Alan Orlikoski, Dan M.
WS - Octavius 7 - (10:30-14:30) - Practical Malware Analysis: Hands-On - Sam Bowne, Devin Duffy-Halseth, Dylan James Smith

 

Saturday - 11:00


Return to Index  -  Locations Legend
BHV - Pisa Room - Biohackers Die - Jeffrey Tibbetts
BHV - Pisa Room - (11:30-11:59) - Microscopes are Stupid - Louis Auguste
CHV - Village Talks Outside Contest Area, Pool Level - GPS System Integrity - Vlad Gostomelsky
CPV - Florentine Ballroom 3 - WS: Implementing An Elliptic Curve in Go - George Tankersley
CPV - Florentine Ballroom 4 - cont...(10:30-11:30) - The Surveillance Capitalism Will Continue Until Morale Improves - J0N J4RV1S
CPV - Florentine Ballroom 4 - (11:30-12:00) - Privacy is Not An Add-On: Designing for Privacy from the Ground Up - Alisha Kloc
DC - Track 1 - Microservices and FaaS for Offensive Security - Ryan Baxendale
DC - Track 1 - (11:20-11:40) - Abusing Webhooks for Command and Control - Dimitry Snezhkov
DC - Track 2 - Secure Tokin' and Doobiekeys: How to roll your own counterfeit hardware security devices - Joe FitzPatrick , Michael Leibowitz
DC - Track 3 - If You Give a Mouse a Microchip... It will execute a payload and cheat at your high-stakes video game tournament - skud (Mark Williams), Sky (Rob Stanley)
DC - Track 4 - Evading next-gen AV using artificial intelligence - Hyrum Anderson
DC - Track 4 - (11:20-12:35) - All Your Things Are Belong To Us - Zenofex, 0x00string, CJ_000, Maximus64
DL - Table 1 - cont...(10:00-11:50) - Fuzzapi - Abhijeth Dugginapeddi, Lalith Rallabhandi, Srinivas Rao
DL - Table 2 - cont...(10:00-11:50) - GibberSense - Ajit Hatti
DL - Table 3 - cont...(10:00-11:50) - Android Tamer - Anant Shrivastava
DL - Table 4 - cont...(10:00-11:50) - WiFi Cactus - darkmatter
DL - Table 5 - cont...(10:00-11:50) - Maltego "Have I been pwned?" - Christian Heinrich
DL - Table 6 - cont...(10:00-11:50) - PIV OPACITY - Christopher Williams
HHV - Main Contest Area, Pool Level - Workshop: Component Desoldering and Recovery -
HHV - Village Talks Outside Contest Area, Pool Level - cont...(11:00-12:00) - Ardusploit - Proof of concept for Arduino code injection - Cesare Pizzi
ICS - ICS-Village - (11:30-11:59) - Using Alexa for your Control System environment - Tom Van Norman
PHV - Milano VIII - Promenade Level - The Black Art of Wireless Post-Exploitation: Bypassing Port-Based Access Controls Using Indirect Wireless Pivots - Gabriel Ryan
PHW - Neopolitan BR IV - Promenade Level - cont...(10:00-11:59) - The Kali Linux Dojo - Angela Could Have Done Better - Mati Aharoni
RCV - Palermo room, Promenade level - cont...(10:00-11:59) - Burner Phone Challenge - Dakota Nelson
SKY - Verona/Tuin/Trevi - Promenade Level - Catch me leaking your data... if you can... - Mike Raggo & Chet Hosmer
WV - Florentine BR I & II - Promenade Level - (11:30-12:55) - SIGINT for the Rest of US - Matt Blaze
WS - Octavius 1 - cont...(10:30-14:30) - Practical BLE Exploitation for Internet of Things - Aditya Gupta, Dinesh Shetty
WS - Octavius 4 - cont...(10:30-14:30) - UAC 0day, all day! - Ruben Boonen
WS - Octavius 5 - cont...(10:30-14:30) - Edge cases in web hacking - John Poulin
WS - Octavius 6 - cont...(10:30-14:30) - Free and Easy DFIR Triage for Everyone: From Collection to Analysis - Alan Orlikoski, Dan M.
WS - Octavius 7 - cont...(10:30-14:30) - Practical Malware Analysis: Hands-On - Sam Bowne, Devin Duffy-Halseth, Dylan James Smith

 

Saturday - 12:00


Return to Index  -  Locations Legend
BillW - Office 4A on Promenade Level - Friends of Bill W -
CHV - Village Talks Outside Contest Area, Pool Level - That’s no car. It’s a network! - Mitch Johnson
CPV - Florentine Ballroom 3 - cont...(11:00-12:30) - WS: Implementing An Elliptic Curve in Go - George Tankersley
CPV - Florentine Ballroom 3 - (12:30-13:30) - WS: Secrets Management in the Cloud - Evan Johnson
CPV - Florentine Ballroom 4 - Operational Security Lessons from the Dark Web - Shea Nangle
DC - Track 1 - Driving down the rabbit hole - Mickey Shkatov, Jesse Michael, Oleksandr Bazhaniuk
DC - Track 2 - When Privacy Goes Poof! Why It's Gone and Never Coming Back - Richard Thieme a.k.a. neuralcowboy
DC - Track 3 - DNS - Devious Name Services - Destroying Privacy & Anonymity Without Your Consent - Jim Nitterauer
DC - Track 4 - cont...(11:20-12:35) - All Your Things Are Belong To Us - Zenofex, 0x00string, CJ_000, Maximus64
DL - Table 1 - LAMMA 1.0 - Antriksh Shah, Ajit Hatti
DL - Table 2 - https://crack.sh/ - David Hulton, Ian Foster
DL - Table 3 - GreatFET - Dominic Spill, Michael Ossmann
DL - Table 4 - Ruler - Pivoting Through Exchange - Etienne Stalmans
DL - Table 5 - SamyKam - Salvador Mendoza
DL - Table 6 - Splunking Dark Tools - A Pentesters Guide to Pwnage Visualization - Bryce Kunz @TweekFawkes, Nathan Bates (@Brutes_)
HHV - Village Talks Outside Contest Area, Pool Level - cont...(12:00-13:00) - What is Ground? (Baby don't hurt me) - Gigs Taggart
PHV - Milano VIII - Promenade Level - Fortune 100 InfoSec on a State Government Budget - Eric Capuano
PHW - Neopolitan BR IV - Promenade Level - (12:30-13:59) - Jailing Programs with Linux Containers - Jay Beale
RCV - Palermo room, Promenade level - Domain Discovery: Expanding your scope like a boss - Jason Haddix
SKY - Verona/Tuin/Trevi - Promenade Level - Crossing the Border with a Burner Phone: A Lawyer Explains Legal & Security Issues at the Border - wendy
WV - Florentine BR I & II - Promenade Level - cont...(11:30-12:55) - SIGINT for the Rest of US - Matt Blaze
WS - Octavius 1 - cont...(10:30-14:30) - Practical BLE Exploitation for Internet of Things - Aditya Gupta, Dinesh Shetty
WS - Octavius 4 - cont...(10:30-14:30) - UAC 0day, all day! - Ruben Boonen
WS - Octavius 5 - cont...(10:30-14:30) - Edge cases in web hacking - John Poulin
WS - Octavius 6 - cont...(10:30-14:30) - Free and Easy DFIR Triage for Everyone: From Collection to Analysis - Alan Orlikoski, Dan M.
WS - Octavius 7 - cont...(10:30-14:30) - Practical Malware Analysis: Hands-On - Sam Bowne, Devin Duffy-Halseth, Dylan James Smith

 

Saturday - 13:00


Return to Index  -  Locations Legend
BHV - Pisa Room - DIYBioweapons and Regulation - Meow Ludo Meow Meow
BHV - Pisa Room - (13:30-13:59) - IoT of Dongs - RenderMan
CHV - Village Talks Outside Contest Area, Pool Level - Insecure By Law - Corey Theun
CPV - Florentine Ballroom 3 - cont...(12:30-13:30) - WS: Secrets Management in the Cloud - Evan Johnson
CPV - Florentine Ballroom 4 - The Symantec/Chrome SSL debacle - how to do this better... - Jake Williams
DC - Track 1 - Demystifying Windows Kernel Exploitation by Abusing GDI Objects. - 5A1F (Saif El-Sherei)
DC - Track 2 - Koadic C3 - Windows COM Command & Control Framework - Sean Dillon (zerosum0x0), Zach Harding (Aleph-Naught-)
DC - Track 3 - Twenty Years of MMORPG Hacking: Better Graphics, Same Exploits - Manfred (@_EBFE)
DC - Track 4 - A Picture is Worth a Thousand Words, Literally: Deep Neural Networks for Social Stego - Philip Tully, Michael T. Raggo
DL - Table 1 - cont...(12:00-13:50) - LAMMA 1.0 - Antriksh Shah, Ajit Hatti
DL - Table 2 - cont...(12:00-13:50) - https://crack.sh/ - David Hulton, Ian Foster
DL - Table 3 - cont...(12:00-13:50) - GreatFET - Dominic Spill, Michael Ossmann
DL - Table 4 - cont...(12:00-13:50) - Ruler - Pivoting Through Exchange - Etienne Stalmans
DL - Table 5 - cont...(12:00-13:50) - SamyKam - Salvador Mendoza
DL - Table 6 - cont...(12:00-13:50) - Splunking Dark Tools - A Pentesters Guide to Pwnage Visualization - Bryce Kunz @TweekFawkes, Nathan Bates (@Brutes_)
HHV - Village Talks Outside Contest Area, Pool Level - cont...(13:00-14:00) - Hardware Hacking: Old Sk00l and New Sk00l - hwbxr
IOT - Main Contest Area - The Internet of Vulnerabilities - Deral Heiland @percent_x
PHV - Milano VIII - Promenade Level - YALDA – Large Scale Data Mining for Threat Intelligence - Gita Ziabari
PHW - Neopolitan BR IV - Promenade Level - cont...(12:30-13:59) - Jailing Programs with Linux Containers - Jay Beale
RCV - Palermo room, Promenade level - Recon and bug bounties what a great love story - Abhijeth
RCV - Palermo room, Promenade level - (13:25-13:59) - Using DFIR Orchestration and Automation Tools and Playbooks For OSINT and Recon - Tyler
SKY - Verona/Tuin/Trevi - Promenade Level - Trauma in Healthcare IT: My Differential Diagnosis and Call to Action - Audie
WV - Florentine BR I & II - Promenade Level - POCSAG Amateur Pager Network - Andrew 'r0d3nt' Strutt
WV - Florentine BR I & II - Promenade Level - (13:30-13:55) - Suitcase Repeater Build for UHF - 70cm - Andrew 'r0d3nt' Strutt
WS - Octavius 1 - cont...(10:30-14:30) - Practical BLE Exploitation for Internet of Things - Aditya Gupta, Dinesh Shetty
WS - Octavius 4 - cont...(10:30-14:30) - UAC 0day, all day! - Ruben Boonen
WS - Octavius 5 - cont...(10:30-14:30) - Edge cases in web hacking - John Poulin
WS - Octavius 6 - cont...(10:30-14:30) - Free and Easy DFIR Triage for Everyone: From Collection to Analysis - Alan Orlikoski, Dan M.
WS - Octavius 7 - cont...(10:30-14:30) - Practical Malware Analysis: Hands-On - Sam Bowne, Devin Duffy-Halseth, Dylan James Smith

 

Saturday - 14:00


Return to Index  -  Locations Legend
BHV - Pisa Room - Dangerous Minds Podcast: Live at DCBHV celebrating 100th episode - Awesome Folks from Various BioHacking Podcasts
CPV - Florentine Ballroom 3 - WS: SECURE COMMUNICATIONS IN ANDROID WITH TLS/SSL - Miguel Guirao
CPV - Florentine Ballroom 4 - Have you seen my naked selfies? Neither has my snoopy boyfriend. Privacy within a Relationship - Lauren Rucker
DC - Track 1 - Attacking Autonomic Networks - Omar Eissa
DC - Track 2 - Trojan-tolerant Hardware & Supply Chain Security in Practice - Vasilios Mavroudis, Dan Cvrcek
DC - Track 3 - Linux-Stack Based V2X Framework: All You Need to Hack Connected Vehicles - p3n3troot0r (Duncan Woodbury) , ginsback (Nicholas Haltmeyer)
DC - Track 4 - XenoScan: Scanning Memory Like a Boss - Nick Cano
DL - Table 1 - Mycroft - Joshua Montgomery
DL - Table 2 - bullDozer - Keith Lee
DL - Table 3 - CrackMapExec - Marcello Salvati
DL - Table 4 - Crypt-Keeper - Maurice Carey
DL - Table 5 - Bropy - Matt Domko
DL - Table 6 - Radare2 - Maxime Morin
ICS - Calibria - The gap in ICS Cyber security - Cyber security of Level 1 Field devices. - Joe Weiss
ICS - ICS-Village - (14:30-15:59) - ICS SCADA Forensics workshop/challenge - Joe Stirlandand Kevin Jones
IOT - Main Contest Area - (14:40-15:30) - IIDS: An Intrusion Detection System for IoT - Vivek Ramachandran @securitytube, Nishant Sharma, and Ashish Bhangale
PHV - Milano VIII - Promenade Level - Past, Present and Future of High Speed Packet Filtering on Linux - Gilberto Bertin
PHV - Milano VIII - Promenade Level - (14:40-14:59) - Visual Network and File Forensics - Ankur Tyagi
PHW - Neopolitan BR IV - Promenade Level - (14:30-15:59) - Introduction to 802.11 Packet Dissection - Megumi Takeshita
RCV - Palermo room, Promenade level - Total Recoll: Conducting Investigations without Missing a Thing - Dakota Nelson
RCV - Palermo room, Promenade level - (14:50-15:15) - How to obtain 100 Facebooks accounts per day through internet searches - Guillermo Buendia
SKY - Verona/Tuin/Trevi - Promenade Level - FERPA - Only Your Grades Are Safe; OSINT in Higher Education - Leah Figueroa/ Princess Leah
WS - Octavius 1 - cont...(10:30-14:30) - Practical BLE Exploitation for Internet of Things - Aditya Gupta, Dinesh Shetty
WS - Octavius 1 - (14:30-18:30) - Hacking Network Protocols using Kali - Thomas Wilhelm, John Spearing
WS - Octavius 4 - cont...(10:30-14:30) - UAC 0day, all day! - Ruben Boonen
WS - Octavius 4 - (14:30-18:30) - Principals on Leveraging PowerShell for Red Teams - Carlos Perez
WS - Octavius 5 - cont...(10:30-14:30) - Edge cases in web hacking - John Poulin
WS - Octavius 5 - (14:30-18:30) - Exploitation/Malware Forward Engineering - Sean Dillon, Zachary Harding
WS - Octavius 6 - cont...(10:30-14:30) - Free and Easy DFIR Triage for Everyone: From Collection to Analysis - Alan Orlikoski, Dan M.
WS - Octavius 6 - (14:30-18:30) - Pwning machine learning systems - Clarence Chio, Anto Joseph
WS - Octavius 7 - cont...(10:30-14:30) - Practical Malware Analysis: Hands-On - Sam Bowne, Devin Duffy-Halseth, Dylan James Smith
WS - Octavius 7 - (14:30-18:30) - Harnessing the Power of Docker and Kubernetes to Supercharge Your Hacking Tactics - Anshuman Bhartiya, Anthony Bislew

 

Saturday - 15:00


Return to Index  -  Locations Legend
BHV - Pisa Room - Biotechnology Needs a Security Patch...Badly - Ed You
BHV - Pisa Room - (15:30-15:59) - Standardizing the Secure Deployment of Medical Devices - Chris Frenz
CHV - Village Talks Outside Contest Area, Pool Level - Linux-Stack Based V2X Framework: All You Need to Hack Connected Vehicles - p3n3troot0r
CPV - Florentine Ballroom 3 - cont...(14:00-16:00) - WS: SECURE COMMUNICATIONS IN ANDROID WITH TLS/SSL - Miguel Guirao
CPV - Florentine Ballroom 4 - Yet another password hashing talk - Evgeny Sidorov
CPV - Florentine Ballroom 4 - (15:30-16:00) - Core Illumination: Traffic Analysis in Cyberspace - Kenneth Geers
DC - Capri Room - DC to DEF CON: Q&A with Congressmen James Langevin and Will Hurd - Representative James Langevin , Representative Will Hurd
DC - Track 1 - MS Just Gave the Blue Team Tactical Nukes (And How Red Teams Need To Adapt) - Chris Thompson
DC - Track 2 - Tracking Spies in the Skies - Jason Hernandez, Sam Richards, Jerod MacDonald-Evoy
DC - Track 3 - DOOMed Point of Sale Systems - trixr4skids
DC - Track 4 - Digital Vengeance: Exploiting the Most Notorious C&C Toolkits - Professor Plum
DL - Table 1 - cont...(14:00-15:50) - Mycroft - Joshua Montgomery
DL - Table 2 - cont...(14:00-15:50) - bullDozer - Keith Lee
DL - Table 3 - cont...(14:00-15:50) - CrackMapExec - Marcello Salvati
DL - Table 4 - cont...(14:00-15:50) - Crypt-Keeper - Maurice Carey
DL - Table 5 - cont...(14:00-15:50) - Bropy - Matt Domko
DL - Table 6 - cont...(14:00-15:50) - Radare2 - Maxime Morin
HHV - Village Talks Outside Contest Area, Pool Level - cont...(15:00-16:00) - A Tangle of Plastic Spaghetti: A Look Into the Security of 3D Printers - John Dunlap
ICS - ICS-Village - cont...(14:30-15:59) - ICS SCADA Forensics workshop/challenge - Joe Stirlandand Kevin Jones
IOT - Main Contest Area - cont...(14:40-15:30) - IIDS: An Intrusion Detection System for IoT - Vivek Ramachandran @securitytube, Nishant Sharma, and Ashish Bhangale
PHV - Milano VIII - Promenade Level - Modern Day CovertTCP with a Twist - Mike Raggo, Chet Hosmer
PHW - Neopolitan BR IV - Promenade Level - cont...(14:30-15:59) - Introduction to 802.11 Packet Dissection - Megumi Takeshita
RCV - Palermo room, Promenade level - cont...(14:50-15:15) - How to obtain 100 Facebooks accounts per day through internet searches - Guillermo Buendia
RCV - Palermo room, Promenade level - (15:15-15:59) - OSINT Tactics on Source Code & Developers - Simon Roses
WV - Florentine BR I & II - Promenade Level - Large Scale Wireless Monitoring - KISMET packet sniffer on a multi-radio array - Alexander Zakharov
WS - Octavius 1 - cont...(14:30-18:30) - Hacking Network Protocols using Kali - Thomas Wilhelm, John Spearing
WS - Octavius 4 - cont...(14:30-18:30) - Principals on Leveraging PowerShell for Red Teams - Carlos Perez
WS - Octavius 5 - cont...(14:30-18:30) - Exploitation/Malware Forward Engineering - Sean Dillon, Zachary Harding
WS - Octavius 6 - cont...(14:30-18:30) - Pwning machine learning systems - Clarence Chio, Anto Joseph
WS - Octavius 7 - cont...(14:30-18:30) - Harnessing the Power of Docker and Kubernetes to Supercharge Your Hacking Tactics - Anshuman Bhartiya, Anthony Bislew

 

Saturday - 16:00


Return to Index  -  Locations Legend
BHV - Pisa Room - Reversing Your Own Source Code - Cosmo Mielke
CHV - Village Talks Outside Contest Area, Pool Level - (16:30-17:30) - The Bicho: An Advanced Car Backdoor Maker - Sheila Ayelen Berta
CPV - Florentine Ballroom 4 - rustls: modern, fast, safer TLS - Joseph Birr-Pixton
DC - Capri Room - cont...(15:00-16:59) - DC to DEF CON: Q&A with Congressmen James Langevin and Will Hurd - Representative James Langevin , Representative Will Hurd
DC - Track 1 - Dealing the perfect hand - Shuffling memory blocks on z/OS - Ayoul3
DC - Track 2 - From "One Country - One Floppy" to "Startup Nation" - the story of the early days of the Israeli hacking community, and the journey towards today's vibrant startup scene - Inbar Raz, Eden Shochat
DC - Track 3 - CableTap: Wirelessly Tapping Your Home Network - Marc Newlin, Logan Lamb, Chris Grayson
DC - Track 4 - Game of Drones: Putting the Emerging "Drone Defense" Market to the Test - Francis Brown, David Latimer
DL - Table 1 - Advanced Spectrum Monitoring with ShinySDR - Michael Ossmann, Dominic Spill
DL - Table 2 - DNS-Exfil-Suite - Nolan Berry, Cory Schwartz
DL - Table 3 - CellAnalysis - Pedro Cabrera
DL - Table 4 - Universal Serial aBUSe - Rogan Dawes
DL - Table 5 - EAPHammer - Gabriel Ryan
DL - Table 6/Five - ShinoBOT Family - Sh1n0g1
HHV - Main Contest Area, Pool Level - Workshop: Component Desoldering and Recovery -
ICS - Calibria - Grid insecurity - and how to really fix this shit - Bryson Bort, Atlas
IOT - Main Contest Area - Redesigning PKI for IoT because Crypto is Hard - Brian Knopf @DoYouQA
PHV - Milano VIII - Promenade Level - Fooling the Hound: Deceiving Domain Admin Hunters - Tom Sela
PHW - Neopolitan BR IV - Promenade Level - (16:30-17:59) - Serious Intro to Python for Admins - David Potts
RCV - Palermo room, Promenade level - Intro to OSINT: Zero on the way to Hero - Joe Gray
SEV - Emperors BR II - The Human Factor: Why Are We So Bad at Security and Risk Assessment? - John Nye
SEV - Emperors BR II - (16:55-17:25) - Are you Killing your security program? - Michele Fincher
SKY - Verona/Tuin/Trevi - Promenade Level - Rockin' the (vox)Vote - algorythm
WV - Florentine BR I & II - Promenade Level - WIGLE Like You Mean It - Aardvark and Darkmatter
WS - Octavius 1 - cont...(14:30-18:30) - Hacking Network Protocols using Kali - Thomas Wilhelm, John Spearing
WS - Octavius 4 - cont...(14:30-18:30) - Principals on Leveraging PowerShell for Red Teams - Carlos Perez
WS - Octavius 5 - cont...(14:30-18:30) - Exploitation/Malware Forward Engineering - Sean Dillon, Zachary Harding
WS - Octavius 6 - cont...(14:30-18:30) - Pwning machine learning systems - Clarence Chio, Anto Joseph
WS - Octavius 7 - cont...(14:30-18:30) - Harnessing the Power of Docker and Kubernetes to Supercharge Your Hacking Tactics - Anshuman Bhartiya, Anthony Bislew

 

Saturday - 17:00


Return to Index  -  Locations Legend
BHV - Pisa Room - The Brave New World of Bio-Entrepreneurship - Jun Axup
BHV - Pisa Room - (17:30-17:59) - The collision of prosthetics, robotics and the human interface - Randall Alley
BillW - Office 4A on Promenade Level - Friends of Bill W -
CHV - Village Talks Outside Contest Area, Pool Level - cont...(16:30-17:30) - The Bicho: An Advanced Car Backdoor Maker - Sheila Ayelen Berta
CPV - Florentine Ballroom 4 - Blue Team TLS Hugs - Lee Brotherston
CPV - Florentine Ballroom 4 - (17:30-18:00) - Automated Testing using Crypto Differential Fuzzing (DO NOT RECORD) - Yolan Romailler
DC - Track 1 - Here to stay: Gaining persistency by abusing advanced authentication mechanisms - Marina Simakov, Igal Gofman
DC - Track 2 - Taking Windows 10 Kernel Exploitation to the next level - Leveraging write-what-where vulnerabilities in Creators Update - Morten Schenk
DC - Track 3 - Introducing HUNT: Data Driven Web Hacking & Manual Testing - Jason Haddix
DC - Track 4 - Popping a Smart Gun - Plore
DL - Table 1 - cont...(16:00-17:50) - Advanced Spectrum Monitoring with ShinySDR - Michael Ossmann, Dominic Spill
DL - Table 2 - cont...(16:00-17:50) - DNS-Exfil-Suite - Nolan Berry, Cory Schwartz
DL - Table 3 - cont...(16:00-17:50) - CellAnalysis - Pedro Cabrera
DL - Table 4 - cont...(16:00-17:50) - Universal Serial aBUSe - Rogan Dawes
DL - Table 5 - cont...(16:00-17:50) - EAPHammer - Gabriel Ryan
DL - Table 6/Five - cont...(16:00-17:50) - ShinoBOT Family - Sh1n0g1
IOT - Main Contest Area - (17:40-18:30) - Manufactures Panel - TBA
PHV - Milano VIII - Promenade Level - Hunting Down the Domain Admin and Rob Your Network - Keith Lee and Michael Gianarakis
PHV - Milano VIII - Promenade Level - (17:40-17:59) - Strengthen Your SecOps Team by Leveraging Neurodiversity - Megan Roddie
PHW - Neopolitan BR IV - Promenade Level - cont...(16:30-17:59) - Serious Intro to Python for Admins - David Potts
RCV - Palermo room, Promenade level - cont...(16:00-17:59) - Intro to OSINT: Zero on the way to Hero - Joe Gray
SEV - Emperors BR II - cont...(16:55-17:25) - Are you Killing your security program? - Michele Fincher
SEV - Emperors BR II - (17:30-18:20) - ….Not lose the common touch - Billy Boatright
SKY - Verona/Tuin/Trevi - Promenade Level - Everything you wanted to know about orchestration but were afraid to ask. - redbeard
WV - Florentine BR I & II - Promenade Level - GODUMP-NG packet sniffing the Gotenna - Woody and Tim Kuester
WS - Octavius 1 - cont...(14:30-18:30) - Hacking Network Protocols using Kali - Thomas Wilhelm, John Spearing
WS - Octavius 4 - cont...(14:30-18:30) - Principals on Leveraging PowerShell for Red Teams - Carlos Perez
WS - Octavius 5 - cont...(14:30-18:30) - Exploitation/Malware Forward Engineering - Sean Dillon, Zachary Harding
WS - Octavius 6 - cont...(14:30-18:30) - Pwning machine learning systems - Clarence Chio, Anto Joseph
WS - Octavius 7 - cont...(14:30-18:30) - Harnessing the Power of Docker and Kubernetes to Supercharge Your Hacking Tactics - Anshuman Bhartiya, Anthony Bislew

 

Saturday - 18:00


Return to Index  -  Locations Legend
BHV - Pisa Room - The Rise of Digital Medicine: At-home digital clinical research - Andrea Coravos
BHV - Pisa Room - (18:30-18:30) - Designer Babies - Christian and Erin
IOT - Main Contest Area - cont...(17:40-18:30) - Manufactures Panel - TBA
Night Life - Counsel Boardroom, Promenade Level - Lawyer Meetup -
PHV - Milano VIII - Promenade Level - Passwords on a Phone - Sam Bowne
PHW - Neopolitan BR IV - Promenade Level - (18:15-19:30) - Advanced Implant Detection with Bro & PacketSled - PacketSled
SEV - Emperors BR II - cont...(17:30-18:20) - ….Not lose the common touch - Billy Boatright
SEV - Emperors BR II - (18:25-19:15) - How to protect your banks & enterprises (Talk given by someone who robs banks & enterprises) - Jayson Street
WV - Florentine BR I & II - Promenade Level - A Pineapple, a Turtle, a Bunny, and a Squirrel walk into a bar. - Darren Kitchen and Seb Kinne
WS - Octavius 1 - cont...(14:30-18:30) - Hacking Network Protocols using Kali - Thomas Wilhelm, John Spearing
WS - Octavius 4 - cont...(14:30-18:30) - Principals on Leveraging PowerShell for Red Teams - Carlos Perez
WS - Octavius 5 - cont...(14:30-18:30) - Exploitation/Malware Forward Engineering - Sean Dillon, Zachary Harding
WS - Octavius 6 - cont...(14:30-18:30) - Pwning machine learning systems - Clarence Chio, Anto Joseph
WS - Octavius 7 - cont...(14:30-18:30) - Harnessing the Power of Docker and Kubernetes to Supercharge Your Hacking Tactics - Anshuman Bhartiya, Anthony Bislew

 

Saturday - 19:00


Return to Index  -  Locations Legend
PHW - Neopolitan BR IV - Promenade Level - cont...(18:15-19:30) - Advanced Implant Detection with Bro & PacketSled - PacketSled
SEV - Emperors BR II - cont...(18:25-19:15) - How to protect your banks & enterprises (Talk given by someone who robs banks & enterprises) - Jayson Street
SEV - Emperors BR II - (19:15-20:05) - Change Agents: How to Effectively Influence Intractable Corporate Cultures - Keith Conway

 

Saturday - 20:00


Return to Index  -  Locations Legend
DC - Capri Room - Panel - Meet the Feds (who care about security research) - Allan Friedman, Amélie E. Koran, Leonard Bailey, Nick Leiserson, Kimber Dowsett
DC - Modena Room - D0 No H4RM: A Healthcare Security Conversation - Christian "quaddi" Dameff MD MS, Jeff "r3plicant" Tully MD, Beau Woods, Joshua Corman , Michael C. McNeil, Jay Radcliffe, Suzan
Night Life - Roman 1, Promenade Level - Hacker Karaoke -
Night Life - Track 2 - Hacker Jeopardy -
Night Life - Track 3 - (20:30-24:00) - DEF CON Movie Night -
Night Life - Track 4 - Whose Slide is it anyway? -
SEV - Emperors BR II - cont...(19:15-20:05) - Change Agents: How to Effectively Influence Intractable Corporate Cultures - Keith Conway
SEV - Emperors BR II - Social Engineering with Web Analytics - Tyler Rosonke

 

Saturday - 21:00


Return to Index  -  Locations Legend
DC - Capri Room - cont...(20:00-21:59) - Panel - Meet the Feds (who care about security research) - Allan Friedman, Amélie E. Koran, Leonard Bailey, Nick Leiserson, Kimber Dowsett
DC - Modena Room - cont...(20:00-21:59) - D0 No H4RM: A Healthcare Security Conversation - Christian "quaddi" Dameff MD MS, Jeff "r3plicant" Tully MD, Beau Woods, Joshua Corman , Michael C. McNeil, Jay Radcliffe, Suzan
Night Life - Octavius 3&4 - Blanketfort Con -
Night Life - Octavius 5-8 - GRIMM's AWESOME Arcade Party -
Night Life - Roman 1, Promenade Level - cont...(20:00-26:00) - Hacker Karaoke
Night Life - Track 1 & Chillout lounges - Official Entertainment: MODERNS -
Night Life - Track 2 - cont...(20:00-24:00) - Hacker Jeopardy
Night Life - Track 3 - cont...(20:30-24:00) - DEF CON Movie Night
Night Life - Track 4 - cont...(20:00-24:00) - Whose Slide is it anyway?
SEV - Emperors BR II - cont...(20:10-20:40) - Social Engineering with Web Analytics - Tyler Rosonke

 

Saturday - 22:00


Return to Index  -  Locations Legend
Night Life - Octavius 1&2 - Human Zoo -
Night Life - Octavius 3&4 - cont...(21:00-26:00) - Blanketfort Con -
Night Life - Octavius 5-8 - cont...(21:00-26:00) - GRIMM's AWESOME Arcade Party -
Night Life - Roman 1, Promenade Level - cont...(20:00-26:00) - Hacker Karaoke
Night Life - Track 1 & Chillout lounges - Official Entertainment: JACKALOPE -
Night Life - Track 2 - Drunk Hacker History -
Night Life - Track 3 - cont...(20:30-24:00) - DEF CON Movie Night
Night Life - Track 4 - cont...(20:00-24:00) - Whose Slide is it anyway?

 

Saturday - 23:00


Return to Index  -  Locations Legend
IOT - Main Contest Area - (23:30-24:20) - IoT updates to help protect consumers - Aaron Alva @aalvatar & Mark Eichorn of the FTC
Night Life - Octavius 1&2 - cont...(22:00-26:00) - Human Zoo -
Night Life - Octavius 3&4 - cont...(21:00-26:00) - Blanketfort Con -
Night Life - Octavius 5-8 - cont...(21:00-26:00) - GRIMM's AWESOME Arcade Party -
Night Life - Roman 1, Promenade Level - cont...(20:00-26:00) - Hacker Karaoke
Night Life - Track 1 & Chillout lounges - Official Entertainment: ZEBBLER ENCANTI -
Night Life - Track 1 & Chillout lounges - (23:30-24:00) - Official Entertainment: LEFT/RIGHT -
Night Life - Track 2 - cont...(20:00-24:00) - Drunk Hacker History
Night Life - Track 3 - cont...(20:30-24:00) - DEF CON Movie Night
Night Life - Track 4 - cont...(20:00-24:00) - Whose Slide is it anyway?

 

Saturday - 24:00


Return to Index  -  Locations Legend
IOT - Main Contest Area - cont...(23:30-24:20) - IoT updates to help protect consumers - Aaron Alva @aalvatar & Mark Eichorn of the FTC
Night Life - Octavius 1&2 - cont...(22:00-26:00) - Human Zoo -
Night Life - Octavius 3&4 - cont...(21:00-26:00) - Blanketfort Con -
Night Life - Octavius 5-8 - cont...(21:00-26:00) - GRIMM's AWESOME Arcade Party -
Night Life - Roman 1, Promenade Level - cont...(20:00-26:00) - Hacker Karaoke
Night Life - Track 1 & Chillout lounges - Official Entertainment: KILL THE NOISE -

 

Saturday - 25:00


Return to Index  -  Locations Legend
Night Life - Octavius 1&2 - cont...(22:00-26:00) - Human Zoo -
Night Life - Octavius 3&4 - cont...(21:00-26:00) - Blanketfort Con -
Night Life - Octavius 5-8 - cont...(21:00-26:00) - GRIMM's AWESOME Arcade Party -
Night Life - Roman 1, Promenade Level - cont...(20:00-26:00) - Hacker Karaoke
Night Life - Track 1 & Chillout lounges - (25:30-26:00) - Official Entertainment: CTRL/RSM -

 

Sunday


This Schedule is tentative and may be changed at any time. Check at an Info Booth for the latest.

 

Sunday - 10:00


Return to Index  -  Locations Legend
DC - Track 1 - Unboxing Android: Everything you wanted to know about Android packers - Avi Bashan, Slava Makkaveev
DC - Track 2 - I Know What You Are by the Smell of Your Wifi - Denton Gentry
DC - Track 2 - (10:20-10:40) - PEIMA (Probability Engine to Identify Malicious Activity): Using Power Laws to address Denial of Service Attacks - Redezem
DC - Track 3 - Breaking Bitcoin Hardware Wallets - Josh Datko, Chris Quartier
DC - Track 3 - (10:20-10:40) - BITSInject - Dor Azouri
DC - Track 4 - Untrustworthy Hardware and How to Fix It - 0ctane
DC - Track 4 - (10:20-10:40) - Ghost in the Droid: Possessing Android Applications with ParaSpectre - chaosdata
DL - Table 1 - probespy - stumblebot
DL - Table 2 - Trueseeing: Effective Dataflow Analysis over Dalvik Opcodes - Takahiro Yoshimura (alterakey), Ken-ya Yoshimura (ad3liae)
DL - Table 3 - GoFetch - Tal Maor
DL - Table 4 - Leviathan Framework - Utku Sen, Ozge Barbaros
DL - Table 5 - WIDY 2.0: WIFI 0WNAGE IN UNDER $5 RELOADED - Vivek Ramachandran, Nishant Sharma, Ashish Bhangale
DL - Table 6 - HI-Jack-2Factor - Weston Hecker
IOT - Main Contest Area - Intelligent Misusers: A Case for Adversarial Modelling on IoT Devices - Pishu Mahtani @pishumahtani
RCV - Palermo room, Promenade level - Building Google For Criminal Enterprises - Anthony
RCV - Palermo room, Promenade level - (10:35-11:25) - FERPA: Only Your Grades Are Safe; OSINT In Higher Education - Leah
SKY - Verona/Tuin/Trevi - Promenade Level - HUMSEC (or how I learned to hate my phone) - amarok

 

Sunday - 11:00


Return to Index  -  Locations Legend
BHV - Pisa Room - The Future is Fake Identities - Paul Ashley
BHV - Pisa Room - (11:30-11:59) - Might as well name it Parmigiana, American, Cheddar, and Swiss - Ken Belva
CPV - Florentine Ballroom 3 - WS: Reasoning about Consensus Algorithms - Zaki Manian
CPV - Florentine Ballroom 4 - (11:30-12:00) - Cypherpunks History - Ryan Lackey
DC - Track 1 - Total Recall: Implanting Passwords in Cognitive Memory - Tess Schrodinger
DC - Track 2 - Backdooring the Lottery and Other Security Tales in Gaming over the Past 25 Years - Gus Fritschie, Evan Teitelman
DC - Track 3 - Exploiting Continuous Integration (CI) and Automated Build systems - spaceB0x
DC - Track 4 - 'Ghost Telephonist' Impersonates You Through LTE CSFB - Yuwei Zheng, Lin Huang
DL - Table 1 - cont...(10:00-11:50) - probespy - stumblebot
DL - Table 2 - cont...(10:00-11:50) - Trueseeing: Effective Dataflow Analysis over Dalvik Opcodes - Takahiro Yoshimura (alterakey), Ken-ya Yoshimura (ad3liae)
DL - Table 3 - cont...(10:00-11:50) - GoFetch - Tal Maor
DL - Table 4 - cont...(10:00-11:50) - Leviathan Framework - Utku Sen, Ozge Barbaros
DL - Table 5 - cont...(10:00-11:50) - WIDY 2.0: WIFI 0WNAGE IN UNDER $5 RELOADED - Vivek Ramachandran, Nishant Sharma, Ashish Bhangale
DL - Table 6 - cont...(10:00-11:50) - HI-Jack-2Factor - Weston Hecker
IOT - Main Contest Area - From FAR and NEAR: Exploiting Overflows on Windows 3.x - Jacob Thompson @isesecurity
PHV - Milano VIII - Promenade Level - Demystifying the OPM breach, WTF really happened - Ron Taylor
PHW - Neopolitan BR IV - Promenade Level - An Intro to Hunting with Splunk - Splunk
RCV - Palermo room, Promenade level - cont...(10:35-11:25) - FERPA: Only Your Grades Are Safe; OSINT In Higher Education - Leah
RCV - Palermo room, Promenade level - (11:25-11:55) - Do Tinder Bots Dream of Electric Toys? How Tinder Bots are breaking hearts all over the world, and trashing Tinder’s reputation while they’re at it. - Inbar Raz
SKY - Verona/Tuin/Trevi - Promenade Level - It’s Not Just the Elections! - Malware Utkonos

 

Sunday - 12:00


Return to Index  -  Locations Legend
BHV - Pisa Room - How to use the Scientific Method in Security Research - Jay Radcliffe
BillW - Office 4A on Promenade Level - Friends of Bill W -
CPV - Florentine Ballroom 4 - The Key Management Facility of the Root Zone DNSSEC KSK - Punky Duero
CPV - Florentine Ballroom 4 - (12:30-13:30) - The Policy & Business Case for Privacy By Design - Zerina Curevac
DC - Track 1 - The Black Art of Wireless Post Exploitation - Gabriel "solstice" Ryan
DC - Track 2 - Are all BSDs are created equally? A survey of BSD kernel vulnerabilities. - Ilja van Sprundel
DC - Track 3 - The call is coming from inside the house! Are you ready for the next evolution in DDoS attacks? - Steinthor Bjarnason, Jason Jones
DC - Track 4 - Genetic Diseases to Guide Digital Hacks of the Human Genome: How the Cancer Moonshot Program will Enable Almost Anyone to Crash the Operating System that Runs You or to End Civilization... - John Sotos
DL - Table 1 - WiMonitor - an OpenWRT package for remote WiFi sniffing - Vivek Ramachandran, Nishant Sharma, Ashish Bhangale
DL - Table 2 - Gumbler - Willis Vandevanter
DL - Table 3 - PCILeech - Ulf Frisk
DL - Table 4 - WiFi Cactus - darkmatter
DL - Table 6 - Vapor Trail - Galen Alderson, Larry Pesce
DL - Table 6/Five - ShinoBOT Family - Sh1n0g1
PHV - Milano VIII - Promenade Level - Go Beyond Tabletop Scenarios by Building an Incident Response Simulation Platform - Eric Capuano
PHW - Neopolitan BR IV - Promenade Level - cont...(11:00-12:30) - An Intro to Hunting with Splunk - Splunk
SKY - Verona/Tuin/Trevi - Promenade Level - The Automation and Commoditization of Infosec - Joshua Marpet and Scott Lyons

 

Sunday - 13:00


Return to Index  -  Locations Legend
BHV - Pisa Room - How your doctor might be trying to kill you and how personal genomics can save your life - dlaw and razzies
BHV - Pisa Room - (13:30-13:59) - Neuro Ethics - Dr. Stanislav Naydin and Vlad Gostomelsky
CPV - Florentine Ballroom 4 - cont...(12:30-13:30) - The Policy & Business Case for Privacy By Design - Zerina Curevac
CPV - Florentine Ballroom 4 - (13:30-14:00) - The Why and How for Secure Automatic Patch Management - Scott Arciszewski
DC - Track 1 - Game of Chromes: Owning the Web with Zombie Chrome Extensions - Tomer Cohen
DC - Track 2 - Bypassing Android Password Manager Apps Without Root - Stephan Huber, Siegfried Rasthofer
DC - Track 3 - Malicious CDNs: Identifying Zbot Domains en Masse via SSL Certificates and Bipartite Graphs - Thomas Mathew, Dhia Mahjoub
DC - Track 4 - Revoke-Obfuscation: PowerShell Obfuscation Detection (And Evasion) Using Science - Daniel Bohannon (DBO), Lee Holmes
DL - Table 1 - cont...(12:00-13:50) - WiMonitor - an OpenWRT package for remote WiFi sniffing - Vivek Ramachandran, Nishant Sharma, Ashish Bhangale
DL - Table 2 - cont...(12:00-13:50) - Gumbler - Willis Vandevanter
DL - Table 3 - cont...(12:00-13:50) - PCILeech - Ulf Frisk
DL - Table 4 - cont...(12:00-13:50) - WiFi Cactus - darkmatter
DL - Table 6 - cont...(12:00-13:50) - Vapor Trail - Galen Alderson, Larry Pesce
DL - Table 6/Five - cont...(12:00-13:50) - ShinoBOT Family - Sh1n0g1
PHV - Milano VIII - Promenade Level - Stories from a 15 days SMB Honeypot: Mum, Tons of WannaCry and Evils Attacked Our Home! - Tan Kean Siong
PHW - Neopolitan BR IV - Promenade Level - Introduction to 802.11 Packet Dissection - Megumi Takeshita
SKY - Verona/Tuin/Trevi - Promenade Level - Robbing the network and ways to get there - Keith & Jerel "Low rent Nickerson"

 

Sunday - 14:00


Return to Index  -  Locations Legend
BHV - Pisa Room - Biohacking Street Law - Victoria Sutton
CPV - - Closing
DC - Track 1 - Call the plumber - you have a leak in your (named) pipe - Gil Cohen
DC - Track 2 - Weaponizing Machine Learning: Humanity Was Overrated Anyway - Dan "AltF4" Petro, Ben Morris
DC - Track 3 - Man in the NFC - Haoqi Shan , Jian Yuan
DC - Track 4 - Friday the 13th: JSON attacks! - Alvaro Muñoz, Oleksandr Mirosh
PHW - Neopolitan BR IV - Promenade Level - cont...(13:00-14:30) - Introduction to 802.11 Packet Dissection - Megumi Takeshita

 

Sunday - 15:00


Return to Index  -  Locations Legend
DC - Track 1 - DC to DEF CON: Q&A with Congressmen James Langevin and Will Hurd - Representative James Langevin , Representative Will Hurd , Joshua Corman
DC - Track 1 - 25 Years of Program Analysis - Zardus (Yan Shoshitaishvili)

 

Sunday - 17:00


Return to Index  -  Locations Legend
BillW - Office 4A on Promenade Level - Friends of Bill W -

Speaker List


Dan "AltF4" Petro
David Huerta
Eden Shochat
Inbar Raz
"Snide" Owen
[anonymous panel]
@h0tdish
@mickmoran
#BadgeLife Badge Makers
0ctane
0x00string
303
5A1F
Aardvark
Aaron Alva
Aaron Guzman
Abhay Bhargav
Abhijeth Dugginapeddi
Abhijeth
Adam Steed
Aditya Gupta
Ajit Hatti
Ajit Hatti
Alan Orlikoski
Aleph-Naught-
Alex "Jay" Balan
Alex Kahan
Alexander Zakharov
Alexey Ermishkin
algorythm
Alisha Kloc
Allan Friedman
Alvaro Muñoz
Amanda Plimpton
amarok
Amit Elazari
Amit Klein
Anant Shrivastava
Andrea Coravos
Andrea Matwyshyn
Andreas Dewes
Andrew 'r0d3nt' Strutt
Andrew 'r0d3nt' Strutt
Andrew Allen
Andrew Brandt
Andrew Hay
Andrew Tierney
Andy Robbins
Ankur Tyagi
Anshuman Bhartiya
Anthony Bislew
Anthony Singleton
Anthony
Anto Joseph
Antriksh Shah
Arnaud Soullie
Artem Kondratenko
Ashish Bangale
Ashish Bhangale
Ashish Bhangale
Ashish Bhangale
Atlas
Audie
Avi Bashan
Awesome Folks from Various BioHacking Podcasts
Ayoul3
B1TKILL3R
Balint Seeber
Barbara Simons
BASIM ALTINOK
Beau Woods
Ben Morris
Billy Boatright
Blake Johnson
Brad Pierce
Brandon Dixon
Brent White
Brian Knopf
Brute Logic
Bryan Gillispie
Bryan Passifiume
Bryce Kunz @TweekFawkes
Bryson Bort
c00p3r
Caezar
Caleb Madrigal
Candice Hoke
Carlos Perez
Catherine J. Ullman
ceyx
chaosdata
Charles Tritt
Cheng
Cheryl Biswas
Chet Hosmer
Chet Hosmer
Chris Castellano
Chris Eagle
Chris Frenz
Chris Grayson
Chris Hadnagy
Chris Quartier
Chris Roberts
Chris Sistrunk
Chris Thompson
Chris Wysopal
Christian "quaddi" Dameff MD MS
Christian Heinrich
Christian
Christopher Domas
Christopher Williams
Chuck Easttom
CINCVolFLT
CJ_000
Clarence Chio
Cooper Quintin
Corey Theun
Cory Doctorow
Cory Schwartz
Cory
Cosmo Mielke
Craig Young
Dakota Nelson
Dakota Nelson
Damien "virtualabs" Cauquil
Damon Small
Dan Cvrcek
Dan M.
Dan Regalado
Daniel Adinolfi
Daniel Bohannon (DBO)
Daniel Crowley
Dark Tangent
Dark Tangent
darkmatter
Darkmatter
Darren Kitchen
Darren
David "Karit" Robinson
David Bach
David Hulton
David Jefferson
David Latimer
David Potts
David Wong
Davin Potts
DazzleCatDuo
Deirdre Connolly
Dennis Maldonado
Denton Gentry
Deral Heiland
Devin Duffy-Halseth
Dhia Mahjoub
Dimitry Snezhkov
Dinesh Shetty
dlaw
Dmitry Dain
Dominic Spill
Dominic Spill
Dor Azouri
Dr. Stanislav Naydin
Dr. Suzanne Schwartz
Dr. Suzanne Schwartz
Duo Security
Dylan James Smith
Ed You
Eijah
El Kentaro
Elie Bursztein
Eric Capuano
Eric Capuano
Eric Escobar
Erik Kamerling
Erin
Etienne Stalmans
Eva Galperin
Evan Anderson
Evan Johnson
Evan Teitelman
Evgeny Sidorov
Fahey Owens
Felix Brezo
Francis Brown
FuzzyNop
Gabriel "solstice" Ryan
Gabriel Ryan
Gabriel Ryan
Gabriel Ryan
Galen Alderson
Garry Kasparov
General Douglas Lute
George Tankersley
Gerald Steere
Gil Cohen
Gilberto Bertin
Gingerbread
ginsback
Gita Ziabari
Grifter
Guillermo Buendia
Gus Fritschie
H0m3l3ss
Hanno Böck
Haoqi Shan
Harri Hurst
Harri Hurst
Hawaii John
Helen Thackray
HighWiz
Hyrum Anderson
Ian Foster
Igal Gofman
Ilja van Sprundel
Inbar Raz
INFOSEC UNLOCKED
Invisigoth
IOActive
Itzik Kotler
J0N J4RV1S
Jack Mott
Jack64
Jacob Thompson
Jake Williams
Jason Haddix
Jason Haddix
Jason Hernandez
Jason Jones
Jason Staggs
Jason Williams
Jay Beale
Jay Beale
Jay Beale
Jay Radcliffe
Jay Radcliffe
Jayson E. Street
Jayson Street
Jcran
Jeff "r3plicant" Tully MD
Jeff Quesnelle
Jeffrey Tibbetts
Jen
Jerel
Jeremy Heffner
Jerod MacDonald-Evoy
Jerry Gamblin
Jesse Michael
Jian Yuan
Jim Nitterauer
Jiva
Joe FitzPatrick
Joe FitzPatrick
Joe Gray
Joe Rozner
Joe Stirlandand Kevin Jones
Joe Weiss
Joel Wallenstrom
John Bass
John Ives
John Nye
John Poulin
John Sotos
John Spearing
Jon Medina
Joseph Birr-Pixton
Joseph Hall
Joseph Hall
Josh Datko
Josh Pitts
Joshua Corman
Joshua Corman
Joshua Marpet
Joshua Montgomery
Julian Dana
Julian Dana
Jun Axup
Jun Li
Justin Montalbano
K2
Kashmir Hill
Keith Conway
Keith Lee
Keith Lee
Keith
Ken Belva
Ken Munro
Ken Munro
Ken-ya Yoshimura (ad3liae)
Kenneth Geers
Keoni Gandall
Kevin Hulin
Kevin Sacco
Kit Walsh
Konstantinos Karagiannis
Kurt Opsahl
Lalith Rallabhandi
Lane Thames
Larry Pesce
Larry Vandenaweele
Lauren Rucker
Leah Figueroa
Leah Figueroa
Leah
Lee Brotherston
Lee Holmes
Lee Holmes
Leonard Bailey
Leonard Bailey
Lin Huang
Logan Lamb
Louis Auguste
Luke Young
Major Malfunction
Malware Unicorn
Malware Unicorn
Malware Utkonos
Manfred (@_EBFE)
Marc Newlin
Marc Newlin
Marcello Salvati
Marcelo Mansur
Marek Majkowski
Marina Simakov
Mark Eichorn
Mark Mager
Mati Aharoni
Matt 'openfly' Joyce
Matt Blaze
Matt Blaze
Matt Blaze
Matt Cheung
Matt Cheung
Matt Domko
Matt Knight
Matt Suiche
Matt Wixey
Matthew E. Luallen
Matthew E. Luallen
Maurice Carey
Max Bazaliy
Maxime Morin
Maximus64
Megan Roddie
Megumi Takeshita
Megumi Takeshita
Meow Ludo Meow Meow
Michael C. McNeil
Michael E. Taylor
Michael Gianarakis
Michael Hudson
Michael Leibowitz
Michael Ossmann
Michael Ossmann
Michael Ossmann
Michael T. Raggo
Michele Fincher
Mickey Shkatov
Miguel Guirao
Mike Raggo
Mike Raggo
Mikhail Sosonkin
Mikhail Sosonkin
Min (Spark) Zheng
minion
Mitch Johnson
Morten Schenk
Mr. Br!ml3y
Mr. Sean Kanuck
Mr. Sean Kanuck
Munin
Myles
Nadav Erez
Nadav Erez
Nate Cardozo
Nate Temple
Nathan Bates (@Brutes_)
Nathan Seidle
Neel Pandeya
Nick 'r@ndom' Delewski
Nick Cano
Nick Leiserson
Niki7a
Nishant Sharma
Nishant Sharma
Nishant Sharma
Nishant Sharma
Noah Praetz
Nolan Berry
Nolan
Oleksandr Bazhaniuk
Oleksandr Mirosh
Omar Eissa
Orange Tsai
Ozge Barbaros
p3n3troot0r
p3n3troot0r
PacketSled
Patrick DeSantis
Patrick McNeil
Patrick Wardle
Patrick Wardle
Paul Ashley
Pedro Cabrera
Peter Ewane
Peter Hefley
Peyton "Foofus" Engel
Philip Tully
Pishu Mahtani
Plore
Professor Plum
Punky Duero
Rafael Fontes Souza
Randall Alley
razzies
redbeard
Redezem
RenderMan
Rep. James Langevin
Rep. James Langevin
Rep. Will Hurd
Rep. Will Hurd
Rhett Greenhagen
Richard Henderson
Richard Thieme
Rick Ramgattie
Roamer
Robby Mook
Robert Ghilduta
Robert Wood
Robin Farmanfarmaian
Rogan Dawes
Roger Dingledine
Romain Coltel
Ron Taylor
Ruben Boonen
Ryan Baxendale
Ryan Lackey
Ryan Schmoll
S0ups
Salvador Mendoza
Salvador Mendoza
Sam Bowne
Sam Bowne
Sam Erb
Sam Richards
Sandy Clark
Sarah Zatko
Scott Arciszewski
Scott Behrens
Scott Lyons
Sean Dillon
Sean Metcalf
Sean Wilson
Seb Kinne
SensePost
Sergei Frankoff
Sergey Temnikov
Sh1n0g1
Shabid Buttar
Shaggy
Shane McDougal
Shea Nangle
Sheila Ayelen Berta
Siegfried Rasthofer
Simon Roses
skud
Sky
Slava Makkaveev
Sneha Rajguru
spaceB0x
Splunk
Splunk
Srinivas Rao
Steinthor Bjarnason
Stephan Huber
Steve Pordon
stryngs
stumblebot
Suggy
Svea Eckert
Syler Clayton
Takahiro Yoshimura (alterakey)
Tal Maor
Tan Kean Siong
Tarah Wheeler
TBA
TBA
Terrell McSweeny
Terrell McSweeny
Tess Schrodinger
Tess Schrodinger
Thomas Brandstetter
Thomas d'Otreppe
Thomas d'Otreppe
Thomas Mathew
Thomas Wilhelm
Tim Blute
Tim Cannon
Tim Kuester
Tim Roberts
Tom Sela
Tom Van Norman
Tom Van Norman
Tomas Susanka
Tomer Cohen
Tracy Z. Maleeff
Travis Lawrence
Trevor Goodman
Trey Forgety
trixr4skids
Tyler Rosonke
Tyler
Ulf Frisk
Utku Sen
Vasilios Mavroudis
Victoria Sutton
Vivek Ramachandran
Vivek Ramachandran
Vivek Ramachandran
Vivek Ramachandran
Vivek Ramachandran
Vivek Ramachandran
Vlad Gostomelsky
Vlad Gostomelsky
Vlad Gostomelsky
Vladimir Dashchenko
Vulc@n
Waz
wendy
Wesley McGrew
Weston Hecker
Weston Hecker
Weston Hecker
Whitney Merrill
Will Schroeder
William Knowles
Willis Vandevanter
Wiseacre
Woody
Xiangyu Liu
XlogicX
Yaiza Rubio
Yolan Romailler
Yves Le Provost
Zachary Harding
Zaki Manian
Zardus
Zenofex
Zerina Curevac
zero-x
zerosum0x0
Zhang Yunhai

Talk List


DEFCON-Track 4- 'Ghost Telephonist' Impersonates You Through LTE CSFB
DEFCON-Track 1- 25 Years of Program Analysis
DEFCON-Track 2- Are all BSDs are created equally? A survey of BSD kernel vulnerabilities.
PHV-Milano VIII - Promenade Level- Modern Day CovertTCP with a Twist
Night Life-Chillout Lounge, Roman 3, Promenade Level-"DCG" Mixer
DEFCON-Track 4-"Tick, Tick, Tick. Boom! You're Dead." — Tech & the FTC
DEFCON-Track 4-(Un)Fucking Forensics: Active/Passive (i.e. Offensive/Defensive) memory hacking/debugging.
DEFCON-Track 2-$BIGNUM steps forward, $TRUMPNUM steps back: how can we tell if we're winning?
IOT-Main Contest Area-101 hardware hacking workshop
Night Life-Promenade level, in Skytalks room.-303 Party
Workshops-Octavius 1-A B C of Hunting
DEFCON-Track 3-A New Era of SSRF - Exploiting URL Parser in Trending Programming Languages!
CPV-Florentine Ballroom 4-A New Political Era: Time to start wearing tin-foil hats following the 2016 elections?
DEFCON-Track 4-A Picture is Worth a Thousand Words, Literally: Deep Neural Networks for Social Stego
Wireless-Florentine BR I & II - Promenade Level-A Pineapple, a Turtle, a Bunny, and a Squirrel walk into a bar.
SEV-Emperors BR II-….Not lose the common touch
DEFCON-Track 4-Abusing Certificate Transparency Logs
CHV-Village Talks Outside Contest Area, Pool Level-Abusing Smart Cars with QR codes
DEFCON-Track 1-Abusing Webhooks for Command and Control
SKY-Verona/Tuin/Trevi - Promenade Level-Advanced DNS Exfil
PHW-Neopolitan BR IV - Promenade Level-Advanced Implant Detection with Bro & PacketSled
Demolabs-Table 1-Advanced Spectrum Monitoring with ShinySDR
Workshops-Octavius 7-Advanced Wireless Attacks Against Enterprise Networks
CPV-Florentine Ballroom 4-Alice and Bob are Slightly Less Confused
SKY-Verona/Tuin/Trevi - Promenade Level-All The Sales President's Men
DEFCON-Track 4-All Your Things Are Belong To Us
DEFCON-Track 1-Amateur Digital Archeology
DEFCON-Track 3-An ACE Up the Sleeve: Designing Active Directory DACL Backdoors
PHW-Neopolitan BR IV - Promenade Level-An Intro to Hunting with Splunk
PHW-Neopolitan BR IV - Promenade Level-An Intro to Hunting with Splunk
RCV-Palermo room, Promenade level-An Introduction to Graph Theory for OSINT
Demolabs-Table 3-Android Tamer
Workshops-Octavius 7-Applied Physical Attacks on Embedded Systems, Introductory Version
SEV-Emperors BR II-Are you Killing your security program?
DEFCON-Track 1-Assembly Language is Too High Level
RCV-Palermo room, Promenade level-Attack Surface Discovery with Intrigue
Workshops-Octavius 4-Attacking Active Directory and Advanced Methods of Defense
Workshops-Octavius 5-Attacking and Defending 802.11ac Networks
DEFCON-Track 1-Attacking Autonomic Networks
CHV-Village Talks Outside Contest Area, Pool Level-Attacking Wireless Interfaces in Vehicles
CPV-Florentine Ballroom 4-Automated Testing using Crypto Differential Fuzzing (DO NOT RECORD)
Wireless-Florentine BR I & II - Promenade Level-Automating Physical Home Security Through Hacking
CHV-Village Talks Outside Contest Area, Pool Level-Autosar SecOC – Secure On-Board Comms
PHV-Milano VIII - Promenade Level-AWS Persistence and Lateral Movement Techniques
DEFCON-Track 2-Backdooring the Lottery and Other Security Tales in Gaming over the Past 25 Years
SEV-Emperors BR II-Beyond Phishing - Building and Sustaining a Corporate SE Program
BHV-Pisa Room-Biohackers Die
BHV-Pisa Room-Biohacking Street Law
BHV-Pisa Room-Biohacking: The Moral Imperative to Build a Better You
BHV-Pisa Room-Biotechnology Needs a Security Patch...Badly
DEFCON-Track 3-BITSInject
Night Life-Octavius 3&4-Blanketfort Con
BHV-Pisa Room-Blockchain's Role in the Disruption of the Medical Industry
CPV-Florentine Ballroom 4-Blue Team TLS Hugs
Workshops-Octavius 4-Brainwashing Embedded Systems
DEFCON-Track 3-Breaking Bitcoin Hardware Wallets
DEFCON-Track 3-Breaking the x86 Instruction Set
CPV-Florentine Ballroom 4-Breaking TLS: A Year in Incremental Privacy Improvements
DEFCON-Track 1-Breaking Wind: Adventures in Hacking Wind Farm Control Networks
VMHV-Roman 1, Promenade Level-Brief history of election machine hacking and lessons learned so far and why it is hard to tell the difference between incompetence and malice.
Demolabs-Table 5-Bropy
Workshops-Octavius 7-Build your stack with Scapy, for fun and profit
Workshops-Octavius 5-Building Application Security Automation with Python
RCV-Palermo room, Promenade level-Building Google For Criminal Enterprises
Demolabs-Table 2-bullDozer
RCV-Palermo room, Promenade level-Burner Phone Challenge
DEFCON-Track 2-Bypassing Android Password Manager Apps Without Root
DEFCON-Track 3-CableTap: Wirelessly Tapping Your Home Network
DEFCON-Track 1-Call the plumber - you have a leak in your (named) pipe
SKY-Verona/Tuin/Trevi - Promenade Level-Catch me leaking your data... if you can...
Demolabs-Table 3-CellAnalysis
SEV-Emperors BR II-Change Agents: How to Effectively Influence Intractable Corporate Cultures
SKY-Verona/Tuin/Trevi - Promenade Level-Child Abuse Material, Current Issues Trends & Technologies
DEFCON-Track 1-Cisco Catalyst Exploitation
DEFCON-Track 1-CITL and the Digital Standard - A Year Later
VMHV-Roman 1, Promenade Level-Common misconceptions and false parallels about voting technology. We can do online banking and use ATMs, why can’t we vote on touch screens or online?
BHV-Pisa Room-Computational Chemistry on a Budget
DEFCON-Track 1-Controlling IoT devices with crafted radio signals
CPV-Florentine Ballroom 4-Core Illumination: Traffic Analysis in Cyberspace
Demolabs-Table 3-CrackMapExec
BHV-Pisa Room-Creating Human 2.0: Three Case Studies from the Edges of Brain Rewiring Science
SKY-Verona/Tuin/Trevi - Promenade Level-Crossing the Border with a Burner Phone: A Lawyer Explains Legal & Security Issues at the Border
Demolabs-Table 4-Crypt-Keeper
CPV-Florentine Ballroom 4-Cryptanalysis in the Time of Ransomware
PHV-Milano VIII - Promenade Level-CVE IDs and How to Get Them
CPV-Florentine Ballroom 4-Cypherpunks History
DEFCON-Modena Room-D0 No H4RM: A Healthcare Security Conversation
BHV-Pisa Room-Dangerous Minds Podcast: Live at DCBHV celebrating 100th episode
DEFCON-Track 3-Dark Data
DEFCON-Capri Room-DC to DEF CON: Q&A with Congressmen James Langevin and Will Hurd
DEFCON-Track 1-DC to DEF CON: Q&A with Congressmen James Langevin and Will Hurd
DEFCON-Track 1-Dealing the perfect hand - Shuffling memory blocks on z/OS
DEFCON-Track 2-Death By 1000 Installers; on macOS, it's all broken!
SKY-Verona/Tuin/Trevi - Promenade Level-Death Numbers in Surgical room, Attacking Anesthesia Equipment.
Wireless-Florentine BR I & II - Promenade Level-Deceptacon: Wi-Fi Deception in under $5
DEFCON-Track 1-DEF CON 101 Panel
Night Life-Track 3-DEF CON Movie Night
Night Life-Track 3-DEF CON Movie Night
Night Life-Track 3-DEF CON Movie Night
Night Life-Lobby Bar-DEFCON 25 Meetup for /r/Defcon
Night Life-Sunset Park Pavilion F-DEFCON Toxic BBQ
CHV-Village Talks Outside Contest Area, Pool Level-DefCon Unofficial Badges Panel
PHV-Milano VIII - Promenade Level-Demystifying the OPM breach, WTF really happened
DEFCON-Track 1-Demystifying Windows Kernel Exploitation by Abusing GDI Objects.
BHV-Pisa Room-Designer Babies
Wireless-Florentine BR I & II - Promenade Level-Designing an Automatic Gain Control
DEFCON-Track 4-Digital Vengeance: Exploiting the Most Notorious C&C Toolkits
ICS-Calibria-Dissecting industrial wireless implementations.
BHV-Pisa Room-DIYBioweapons and Regulation
DEFCON-Track 3-DNS - Devious Name Services - Destroying Privacy & Anonymity Without Your Consent
Demolabs-Table 2-DNS-Exfil-Suite
RCV-Palermo room, Promenade level-Do Tinder Bots Dream of Electric Toys? How Tinder Bots are breaking hearts all over the world, and trashing Tinder’s reputation while they’re at it.
RCV-Palermo room, Promenade level-Domain Discovery: Expanding your scope like a boss
DEFCON-Track 3-DOOMed Point of Sale Systems
DEFCON-Track 1-Driving down the rabbit hole
Night Life-Track 2-Drunk Hacker History
Demolabs-Table 5-EAPHammer
Workshops-Octavius 5-Edge cases in web hacking
DEFCON-Track 4-Evading next-gen AV using artificial intelligence
SKY-Verona/Tuin/Trevi - Promenade Level-Everything you wanted to know about orchestration but were afraid to ask.
Workshops-Octavius 5-Exploitation/Malware Forward Engineering
DEFCON-Track 2-Exploiting 0ld Mag-stripe information with New technology
DEFCON-Track 3-Exploiting Continuous Integration (CI) and Automated Build systems
Wireless-Florentine BR I & II - Promenade Level-Failsafe: Yet Another SimplySafe Attack Vector
SKY-Verona/Tuin/Trevi - Promenade Level-FERPA - Only Your Grades Are Safe; OSINT in Higher Education
RCV-Palermo room, Promenade level-FERPA: Only Your Grades Are Safe; OSINT In Higher Education
SKY-Verona/Tuin/Trevi - Promenade Level-Financial Crime 2.0
PHV-Milano VIII - Promenade Level-Fooling the Hound: Deceiving Domain Admin Hunters
PHV-Milano VIII - Promenade Level-Fortune 100 InfoSec on a State Government Budget
Workshops-Octavius 6-Free and Easy DFIR Triage for Everyone: From Collection to Analysis
DEFCON-Track 4-Friday the 13th: JSON attacks!
BillW-Office 4A on Promenade Level-Friends of Bill W
BillW-Office 4A on Promenade Level-Friends of Bill W
BillW-Office 4A on Promenade Level-Friends of Bill W
BillW-Office 4A on Promenade Level-Friends of Bill W
BillW-Office 4A on Promenade Level-Friends of Bill W
BillW-Office 4A on Promenade Level-Friends of Bill W
BillW-Office 4A on Promenade Level-Friends of Bill W
BillW-Office 4A on Promenade Level-Friends of Bill W
DEFCON-Track 2-From "One Country - One Floppy" to "Startup Nation" - the story of the early days of the Israeli hacking community, and the journey towards today's vibrant startup scene
DEFCON-Track 1-From Box to Backdoor: Using Old School Tools and Techniques to Discover Backdoors in Modern Devices
IOT-Main Contest Area-From DVR worms, to fridges, via dildos, the sins of the IoT in 50 minutes
IOT-Main Contest Area-From FAR and NEAR: Exploiting Overflows on Windows 3.x
SKY-Verona/Tuin/Trevi - Promenade Level-From OPSUCK to OPSEXY: An OPSEC Primer
ICS-Calibria-Fun with Modbus function code 90.
Demolabs-Table 1-Fuzzapi
DEFCON-Track 1-Game of Chromes: Owning the Web with Zombie Chrome Extensions
DEFCON-Track 4-Game of Drones: Putting the Emerging "Drone Defense" Market to the Test
DEFCON-Track 4-Genetic Diseases to Guide Digital Hacks of the Human Genome: How the Cancer Moonshot Program will Enable Almost Anyone to Crash the Operating System that Runs You or to End Civilization...
DEFCON-Track 3-Get-$pwnd: Attacking Battle-Hardened Windows Server
DEFCON-Track 4-Ghost in the Droid: Possessing Android Applications with ParaSpectre
Demolabs-Table 2-GibberSense
PHV-Milano VIII - Promenade Level-Go Beyond Tabletop Scenarios by Building an Incident Response Simulation Platform
Wireless-Florentine BR I & II - Promenade Level-GODUMP-NG packet sniffing the Gotenna
Demolabs-Table 3-GoFetch
CHV-Village Talks Outside Contest Area, Pool Level-GPS System Integrity
CHV-Village Talks Outside Contest Area, Pool Level-Grand Theft Radio (Stopping SDR Relay Attacks on PKES)
Demolabs-Table 3-GreatFET
ICS-Calibria-Grid insecurity - and how to really fix this shit
Night Life-Octavius 5-8-GRIMM's AWESOME Arcade Party
Demolabs-Table 2-Gumbler
SKY-Verona/Tuin/Trevi - Promenade Level-Gun control - You can’t put the Genie back into its bottle
Night Life-Track 2-Hacker Jeopardy
Night Life-Track 2-Hacker Jeopardy
Night Life-Roman 1, Promenade Level-Hacker Karaoke
Night Life-Roman 1, Promenade Level-Hacker Karaoke
SEV-Emperors BR II-Hackers gonna hack - But do they know why?
DEFCON-Track 4-Hacking Democracy: A Socratic Dialogue
DEFCON-Capri Room-Hacking Democracy
Workshops-Octavius 1-Hacking Network Protocols using Kali
CPV-Florentine Ballroom 4-Hacking on Multiparty Computation
DEFCON-Track 3-Hacking Smart Contracts
Wireless-Florentine BR I & II - Promenade Level-Hacking Some More of The Wireless World
DEFCON-Track 1-Hacking the Cloud
SKY-Verona/Tuin/Trevi - Promenade Level-Hacking the Law: A Call for Action – Bug Bounties Legal Terms as a Case Study
BHV-Pisa Room-Hacking the Second Genetic Code using Information Theory
DEFCON-Track 2-Hacking travel routers like it's 1999
Workshops-Octavius 7-Harnessing the Power of Docker and Kubernetes to Supercharge Your Hacking Tactics
CPV-Florentine Ballroom 4-Have you seen my naked selfies? Neither has my snoopy boyfriend. Privacy within a Relationship
BHV-Pisa Room-Health as a service...
SEV-Emperors BR II-Heavy Diving for Credentials: Towards an Anonymous Phishing
DEFCON-Track 1-Here to stay: Gaining persistency by abusing advanced authentication mechanisms
Demolabs-Table 6-HI-Jack-2Factor
IOT-Main Contest Area-Hide Yo Keys, Hide Yo Car - Remotely Exploiting Connected Vehicle APIs and Apps
DEFCON-Modena-Horror stories of a translator and how a tweet can start a war with less than 140 characters
VMHV-Roman 1, Promenade Level-How did we get here: A history of voting technology, hanging chads, and the Help America Vote Act. This segment will feature a punch card machine and demo what can go wrong with it.
PHV-Milano VIII - Promenade Level-How Hackers Changed The Security Industry
ICS-Calibria-How to create dark buildings with light speed.
RCV-Palermo room, Promenade level-How to obtain 100 Facebooks accounts per day through internet searches
SEV-Emperors BR II-How to protect your banks & enterprises (Talk given by someone who robs banks & enterprises)
BHV-Pisa Room-How to use the Scientific Method in Security Research
DEFCON-Track 4-How we created the first SHA-1 collision and what it means for hash security
BHV-Pisa Room-How your doctor might be trying to kill you and how personal genomics can save your life
Demolabs-Table 2-https://crack.sh/
Night Life-Octavius 1&2-Human Zoo
BHV-Pisa Room-Human-Human Interface
SKY-Verona/Tuin/Trevi - Promenade Level-HUMSEC (or how I learned to hate my phone)
PHV-Milano VIII - Promenade Level-Hunting Down the Domain Admin and Rob Your Network
DEFCON-Track 2-I Know What You Are by the Smell of Your Wifi
ICS-ICS-Village-ICS SCADA Forensics workshop/challenge
DEFCON-Track 3-If You Give a Mouse a Microchip... It will execute a payload and cheat at your high-stakes video game tournament
IOT-Main Contest Area-IIDS: An Intrusion Detection System for IoT
BHV-Pisa Room-Implants: Show and Tell
ICS-Octavius 6-Industrial Control System Security 101 and 201- SOLD OUT
Workshops-Octavius 6-Industrial Control System Security 101 and 201
Night Life-Turin, Promenade Level-INFOSEC UNLOCKED
CHV-Village Talks Outside Contest Area, Pool Level-Insecure By Law
DEFCON-Track 1-Inside the "Meet Desai" Attack: Defending Distributed Targets from Distributed Attacks
IOT-Main Contest Area-Inside the Alaris Infusion Pump, not too much medication por favor!
IOT-Main Contest Area-Intelligent Misusers: A Case for Adversarial Modelling on IoT Devices
RCV-Palermo room, Promenade level-Into the Bird’s Nest: A Comprehensive Look at Twitter as a Research Tool
RCV-Palermo room, Promenade level-Intro to OSINT: Zero on the way to Hero
DEFCON-Track 3-Introducing HUNT: Data Driven Web Hacking & Manual Testing
PHW-Neopolitan BR IV - Promenade Level-Introducing Mallet: An Intercepting Proxy for Arbitrary Protocols
VMHV-Roman 1, Promenade Level-Introduction into hacking the equipment in the village.
PHW-Neopolitan BR IV - Promenade Level-Introduction to 802.11 Packet Dissection
PHW-Neopolitan BR IV - Promenade Level-Introduction to 802.11 Packet Dissection
Workshops-Octavius 6-Introduction to Cryptographic Attacks
Workshops-Octavius 6-Introduction to Practical Network Signature Development for Open Source IDS
ICS-ICS-Village-Introduction to the ICS Wall
Workshops-Octavius 5-Introduction to x86 disassembly
IOT-Main Contest Area-IoT - the gift that keeps on giving
BHV-Pisa Room-IoT of Dongs
IOT-Main Contest Area-IoT updates to help protect consumers
IOT-Main Contest Area-IoT Village Keynote - Friends, Not Foes: Rethinking the Researcher-Vendor Relationship
PHV-Milano VIII - Promenade Level-IP Spoofing
PHV-Milano VIII - Promenade Level-Iron Sights for Your Data
SKY-Verona/Tuin/Trevi - Promenade Level-It’s Not Just the Elections!
RCV-Palermo room, Promenade level-It’s Going To Get Worse Before It Gets Better - The Future of Recon Data Mining
DEFCON-Track 2-Jailbreaking Apple Watch
PHW-Neopolitan BR IV - Promenade Level-Jailing Programs with Linux Containers
PHW-Neopolitan BR IV - Promenade Level-Jailing Programs with Linux Containers
DEFCON-Track 2-Koadic C3 - Windows COM Command & Control Framework
Demolabs-Table 1-LAMMA 1.0
Wireless-Florentine BR I & II - Promenade Level-Large Scale Wireless Monitoring - KISMET packet sniffer on a multi-radio array
Night Life-Counsel Boardroom, Promenade Level-Lawyer Meetup
PHV-Milano VIII - Promenade Level-Layer 8 and Why People are the Most Important Security Tool
SKY-Verona/Tuin/Trevi - Promenade Level-Lessons From An Incident Responder AKA, Stories Of When Shit Goes Sideways
Demolabs-Table 4-Leviathan Framework
Workshops-Octavius 1-Linux Lockdown: ModSecurity and AppArmor
CHV-Village Talks Outside Contest Area, Pool Level-Linux-Stack Based V2X Framework: All You Need to Hack Connected Vehicles
DEFCON-Track 3-Linux-Stack Based V2X Framework: All You Need to Hack Connected Vehicles
DEFCON-Track 1-macOS/iOS Kernel Debugging and Heap Feng Shui
PHV-Milano VIII - Promenade Level-Make Your Own 802.11ac Monitoring Hacker Gadget
DEFCON-Track 3-Malicious CDNs: Identifying Zbot Domains en Masse via SSL Certificates and Bipartite Graphs
Demolabs-Table 5-Maltego "Have I been pwned?"
Workshops-Octavius 1-Malware Triage: Malscripts Are The New Exploit Kit
DEFCON-Track 3-Man in the NFC
IOT-Main Contest Area-Manufactures Panel
DEFCON-Track 3-MEATPISTOL, A Modular Malware Implant Framework
BHV-Pisa Room-Microscopes are Stupid
DEFCON-Track 1-Microservices and FaaS for Offensive Security
BHV-Pisa Room-Might as well name it Parmigiana, American, Cheddar, and Swiss
Workshops-Octavius 6-Mobile App Attack 2.0
DEFCON-Track 1-MS Just Gave the Blue Team Tactical Nukes (And How Red Teams Need To Adapt)
BHV-Pisa Room-My dog is a hacker and will steal your data!
Demolabs-Table 1-Mycroft
Night Life-Track 4-n00b Party hosted by Duo Security.
BHV-Pisa Room-Neuro Ethics
BHV-Pisa Room-Neurogenic Peptides: Smart Drugs 4-Minute Mile
SKY-Verona/Tuin/Trevi - Promenade Level-Neutrality? We don't need no stinkin' Neutrality
DEFCON-Track 4-Next-Generation Tor Onion Services
DEFCON-Track 1-Offensive Malware Analysis: Dissecting OSX/FruitFly via a Custom C&C Server
Night Life-Track 1-Official DEF CON Welcome Party
Night Life-Track 1 & Chillout lounges-Official Entertainment: ACID T
Night Life-Track 1 & Chillout lounges-Official Entertainment: CTRL/RSM
Night Life-Track 1 & Chillout lounges-Official Entertainment: DJDEAD
Night Life-Track 1 & Chillout lounges-Official Entertainment: DUALCORE
Night Life-Track 1 & Chillout lounges-Official Entertainment: JACKALOPE
Night Life-Track 1 & Chillout lounges-Official Entertainment: KILL THE NOISE
Night Life-Track 1 & Chillout lounges-Official Entertainment: KRISZ KLINK
Night Life-Track 1 & Chillout lounges-Official Entertainment: LEFT/RIGHT
Night Life-Track 1 & Chillout lounges-Official Entertainment: MC FRONTALOT
Night Life-Track 1 & Chillout lounges-Official Entertainment: MODERNS
Night Life-Track 1 & Chillout lounges-Official Entertainment: NINJULA
Night Life-Track 1 & Chillout lounges-Official Entertainment: REEL BIG FISH
Night Life-Track 1 & Chillout lounges-Official Entertainment: REID SPEED
Night Life-Track 1 & Chillout lounges-Official Entertainment: Richard Cheese
Night Life-Track 1 & Chillout lounges-Official Entertainment: SCOTCH AND BUBBLES
Night Life-Track 1 & Chillout lounges-Official Entertainment: SKITTISH AND BUS
Night Life-Track 1 & Chillout lounges-Official Entertainment: YT CRACKER
Night Life-Track 1 & Chillout lounges-Official Entertainment: ZEBBLER ENCANTI
SKY-Verona/Tuin/Trevi - Promenade Level-One-click Browser Defense
DEFCON-Track 2-Open Source Safe Cracking Robots - Combinations Under 1 Hour! (Is it bait? Damn straight it is.)
CPV-Florentine Ballroom 4-Operational Security Lessons from the Dark Web
DEFCON-Track 2-Opt Out or Deauth Trying !- Anti-Tracking Bots Radios and Keystroke Injection
RCV-Palermo room, Promenade level-OSINT Tactics on Source Code & Developers
DEFCON-Trevi Room-Panel - An Evening with the EFF
DEFCON-Capri Room-Panel - Meet the Feds (who care about security research)
DEFCON-Track 2-Panel: DEF CON Groups
DEFCON-Track 4-Panel: Meet The Feds
VMHV-Roman 1, Promenade Level-Panel: Securing the Election Office: A Local Response to a Global Threat
PHV-Milano VIII - Promenade Level-Passwords on a Phone
PHV-Milano VIII - Promenade Level-Past, Present and Future of High Speed Packet Filtering on Linux
Demolabs-Table 3-PCILeech
DEFCON-Track 2-PEIMA (Probability Engine to Identify Malicious Activity): Using Power Laws to address Denial of Service Attacks
Workshops-Octavius 1-Penetration Testing in Hostile Environments: Client & Tester Security
DEFCON-Track 1-Persisting with Microsoft Office: Abusing Extensibility Options
DEFCON-Track 2-Phone system testing and other fun tricks
Demolabs-Table 6-PIV OPACITY
Wireless-Florentine BR I & II - Promenade Level-POCSAG Amateur Pager Network
DEFCON-Track 4-Popping a Smart Gun
DEFCON-Track 1-Porosity: A Decompiler For Blockchain-Based Smart Contracts Bytecode
Workshops-Octavius 1-Practical BLE Exploitation for Internet of Things
Workshops-Octavius 7-Practical Malware Analysis: Hands-On
Workshops-Octavius 4-Principals on Leveraging PowerShell for Red Teams
CPV-Florentine Ballroom 4-Privacy is Not An Add-On: Designing for Privacy from the Ground Up
Demolabs-Table 1-probespy
CPV-Florentine Ballroom 4-Protecting Users' Privacy in a Location-Critical Enterprise: The Challenges of 9-1-1 Location
BHV-Pisa Room-Psychoactive Chemicals in Combat
Workshops-Octavius 6-Pwning machine learning systems
IOT-Main Contest Area-Pwning the Industrial IoT: RCEs and backdoors are around!
Demolabs-Table 6-Radare2
DEFCON-Track 1-Radio Exploitation 101: Characterizing, Contextualizing, and Applying Wireless Attack Methods
DEFCON-Track 1-Rage Against the Weaponized AI Propaganda Machine
DEFCON-Track 2-Real-time RFID Cloning in the Field
RCV-Palermo room, Promenade level-Recon and bug bounties what a great love story
IOT-Main Contest Area-Redesigning PKI for IoT because Crypto is Hard
Wireless-Florentine BR I & II - Promenade Level-Reverse Engineering DSSS Extended Cut
PHW-Neopolitan BR IV - Promenade Level-Reverse Engineering Malware 101
BHV-Pisa Room-Reversing Your Own Source Code
DEFCON-Track 4-Revoke-Obfuscation: PowerShell Obfuscation Detection (And Evasion) Using Science
SKY-Verona/Tuin/Trevi - Promenade Level-Robbing the network and ways to get there
HHV-Main Contest Area, Pool Level-Robo-Sumo
SKY-Verona/Tuin/Trevi - Promenade Level-Rockin' the (vox)Vote
Demolabs-Table 4-Ruler - Pivoting Through Exchange
CPV-Florentine Ballroom 4-rustls: modern, fast, safer TLS
Demolabs-Table 5-SamyKam
Workshops-Octavius 4-Scanning the Airwaves: building a cheap trunked radio/pager scanning system
Workshops-Octavius 7-SDR Crash Course: Hacking your way to fun and profit
SEV-Emperors BR II-SE vs Predator: Using Social Engineering in ways I never thought…
DEFCON-Track 4-Secret Tools: Learning about Government Surveillance Software You Can't Ever See
DEFCON-Track 2-Secure Tokin' and Doobiekeys: How to roll your own counterfeit hardware security devices
CPV-Florentine Ballroom 4-Security Analysis of the Telegram IM
DEFCON-Track 2-See no evil, hear no evil: Hacking invisibly and silently with light and sound
BHV-Pisa Room-Sensory Augmentation 101
PHW-Neopolitan BR IV - Promenade Level-Serious Intro to Python for Admins
PHW-Neopolitan BR IV - Promenade Level-Serious Intro to Python for Admins
VMHV-Roman 1, Promenade Level-Session on legal considerations of hacking election machines.
CPV-Florentine Ballroom 4-SHA-3 vs the world
Demolabs-Table 6/Five-ShinoBOT Family
Demolabs-Table 6/Five-ShinoBOT Family
Wireless-Florentine BR I & II - Promenade Level-SIGINT for the Rest of US
Night Life-Modena, Promenade level-Silent Disco : Party like a Hacker
SEV-Emperors BR II-Skills For A Red-Teamer
RCV-Palermo room, Promenade level-Skip tracing for fun and profit
SEV-Emperors BR II-Social Engineering with Web Analytics
Demolabs-Table 6-Splunking Dark Tools - A Pentesters Guide to Pwnage Visualization
BHV-Pisa Room-Standardizing the Secure Deployment of Medical Devices
DEFCON-Track 3-Starting the Avalanche: Application DoS In Microservice Architectures
PHV-Milano VIII - Promenade Level-Stories from a 15 days SMB Honeypot: Mum, Tons of WannaCry and Evils Attacked Our Home!
PHV-Milano VIII - Promenade Level-Strengthen Your SecOps Team by Leveraging Neurodiversity
Workshops-Octavius 5-Subverting Privacy Exploitation Using HTTP
Wireless-Florentine BR I & II - Promenade Level-Suitcase Repeater Build for UHF - 70cm
DEFCON-Track 2-Taking Windows 10 Kernel Exploitation to the next level - Leveraging write-what-where vulnerabilities in Creators Update
BHV-Pisa Room-Tales from a healthcare hacker
BHV-Pisa Room-tDCS workshop
DEFCON-Track 2-Teaching Old Shellcode New Tricks
CHV-Village Talks Outside Contest Area, Pool Level-That’s no car. It’s a network!
DEFCON-Track 2-The Adventures of AV and the Leaky Sandbox
SKY-Verona/Tuin/Trevi - Promenade Level-The Automation and Commoditization of Infosec
CHV-Village Talks Outside Contest Area, Pool Level-The Bicho: An Advanced Car Backdoor Maker
BHV-Pisa Room-The Bitcoin DNA Challenge
DEFCON-Track 1-The Black Art of Wireless Post Exploitation
PHV-Milano VIII - Promenade Level-The Black Art of Wireless Post-Exploitation: Bypassing Port-Based Access Controls Using Indirect Wireless Pivots
DEFCON-Track 3-The Brain's Last Stand
BHV-Pisa Room-The Brave New World of Bio-Entrepreneurship
DEFCON-Track 3-The call is coming from inside the house! Are you ready for the next evolution in DDoS attacks?
BHV-Pisa Room-The collision of prosthetics, robotics and the human interface
BHV-Pisa Room-The Future is Fake Identities
ICS-Calibria-The gap in ICS Cyber security - Cyber security of Level 1 Field devices.
SEV-Emperors BR II-The Human Factor: Why Are We So Bad at Security and Risk Assessment?
DEFCON-Track 4-The Internet Already Knows I'm Pregnant
IOT-Main Contest Area-The Internet of Vulnerabilities
PHW-Neopolitan BR IV - Promenade Level-The Kali Linux Dojo - Angela Could Have Done Better
CPV-Florentine Ballroom 4-The Key Management Facility of the Root Zone DNSSEC KSK
DEFCON-Track 2-The Last CTF Talk You'll Ever Need: AMA with 20 years of DEF CON Capture-the-Flag organizers
BHV-Pisa Room-The Patient as CEO
CPV-Florentine Ballroom 4-The Policy & Business Case for Privacy By Design
BHV-Pisa Room-The Rise of Digital Medicine: At-home digital clinical research
DEFCON-Track 4-The spear to break the security wall of S7CommPlus
CPV-Florentine Ballroom 4-The Surveillance Capitalism Will Continue Until Morale Improves
CPV-Florentine Ballroom 4-The Symantec/Chrome SSL debacle - how to do this better...
CPV-Florentine Ballroom 4-The Why and How for Secure Automatic Patch Management
SEV-Emperors BR II-Thematic Social Engineering
DEFCON-Track 1-There's no place like 127.0.0.1 - Achieving reliable DNS rebinding in modern browsers
PHV-Milano VIII - Promenade Level-Threat Intel for All: There's More to Your Data Than Meets the Eye
DEFCON-Track 1-Total Recall: Implanting Passwords in Cognitive Memory
BHV-Pisa Room-Total Recall: Implanting Passwords in Cognitive Memory
RCV-Palermo room, Promenade level-Total Recoll: Conducting Investigations without Missing a Thing
DEFCON-Track 2-Tracking Spies in the Skies
SKY-Verona/Tuin/Trevi - Promenade Level-Trauma in Healthcare IT: My Differential Diagnosis and Call to Action
BHV-Pisa Room-Trigraph: An Ethereum-based Teleradiology Application
DEFCON-Track 2-Trojan-tolerant Hardware & Supply Chain Security in Practice
Demolabs-Table 2-Trueseeing: Effective Dataflow Analysis over Dalvik Opcodes
CHV-Village Talks Outside Contest Area, Pool Level-Turbo Talks – Getting Started With CarHacking, k-Line Hacking
DEFCON-Track 3-Twenty Years of MMORPG Hacking: Better Graphics, Same Exploits
Workshops-Octavius 4-UAC 0day, all day!
DEFCON-Track 1-Unboxing Android: Everything you wanted to know about Android packers
CPV-Florentine Ballroom 4-Unfairplay (NOT RECORDED)
Demolabs-Table 4-Universal Serial aBUSe
DEFCON-Track 4-Untrustworthy Hardware and How to Fix It
RCV-Palermo room, Promenade level-Up close and personal - Keeping an eye on mobile applications
ICS-ICS-Village-Using Alexa for your Control System environment
RCV-Palermo room, Promenade level-Using DFIR Orchestration and Automation Tools and Playbooks For OSINT and Recon
DEFCON-Track 1-Using GPS Spoofing to control time
RCV-Palermo room, Promenade level-Using phonetic algorithms to increase your search space and detect misspellings.
Demolabs-Table 6-Vapor Trail
VMHV-Roman 1, Promenade Level-Verified Voting
PHV-Milano VIII - Promenade Level-Visual Network and File Forensics
DEFCON-Track 2-Weaponizing Machine Learning: Humanity Was Overrated Anyway
DEFCON-Track 2-Weaponizing the BBC Micro:Bit
DEFCON-Track 2-Welcome to DEF CON 25
ICS-ICS-Village-Welcome to the ICS Village
VMHV-Roman 1, Promenade Level-What are the national security implications of cyber attacks on our voting systems? What are the motivations of our adversaries, and how should the U.S. respond to the threat?
ICS-Calibria-What's the DFIRence for ICS?
DEFCON-Track 2-When Privacy Goes Poof! Why It's Gone and Never Coming Back
PHV-Milano VIII - Promenade Level-When the Current Ransomware and Payload of the Day (CRAP of the day) Hits the Fan: Breaking the Bad News
DEFCON-Track 2-Where are the SDN Security Talks?
Night Life-Track 4-Whose Slide is it anyway?
Night Life-Track 4-Whose Slide is it anyway?
Demolabs-Table 5-WIDY 2.0: WIFI 0WNAGE IN UNDER $5 RELOADED
Demolabs-Table 4-WiFi Cactus
Demolabs-Table 4-WiFi Cactus
Wireless-Florentine BR I & II - Promenade Level-WIGLE Like You Mean It
Demolabs-Table 1-WiMonitor - an OpenWRT package for remote WiFi sniffing
Workshops-Octavius 4-Windows - The Undiscovered country
DEFCON-Track 2-Wiping out CSRF
Wireless-Florentine BR I & II - Promenade Level-Wireless Threat Modeling and Monitoring - WiNT
Night Life-The Nobu Hotel in Caesars Palace-Women, Wisdom & Wine
HHV-Main Contest Area, Pool Level-Workshop: Component Desoldering and Recovery
HHV-Main Contest Area, Pool Level-Workshop: Component Desoldering and Recovery
HHV-Main Contest Area, Pool Level-Workshop: Component Desoldering and Recovery
HHV-Main Contest Area, Pool Level-Workshop: Component Desoldering and Recovery
CPV-Florentine Ballroom 3-WS: Breaking the Uber Badge Ciphers
CPV-Florentine Ballroom 3-WS: FeatherDuster and Cryptanalib workshop
CPV-Florentine Ballroom 3-WS: Implementing An Elliptic Curve in Go
CPV-Florentine Ballroom 3-WS: Mansion Apartment Shack House: How To Explain Crypto To Practically Anyone
CPV-Florentine Ballroom 3-WS: NoiseSocket: Extending Noise to Make Every TCP Connection Secure
CPV-Florentine Ballroom 3-WS: Reasoning about Consensus Algorithms
CPV-Florentine Ballroom 3-WS: Secrets Management in the Cloud
CPV-Florentine Ballroom 3-WS: SECURE COMMUNICATIONS IN ANDROID WITH TLS/SSL
CPV-Florentine Ballroom 3-WS: Supersingular Isogeny Diffie-Hellman
DEFCON-Track 3-WSUSpendu: How to hang WSUS clients
DEFCON-Track 4-XenoScan: Scanning Memory Like a Boss
PHV-Milano VIII - Promenade Level-XSS FTW - What Can Really Be Done With Cross-Site Scripting
PHV-Milano VIII - Promenade Level-YALDA – Large Scale Data Mining for Threat Intelligence
CPV-Florentine Ballroom 4-Yet another password hashing talk
PHV-Milano VIII - Promenade Level-You're Going to Connect to the Wrong Domain

Talk/Event Descriptions


 

DEFCON - Track 4 - Sunday - 11:00-11:45


'Ghost Telephonist' Impersonates You Through LTE CSFB

Sunday at 11:00 in Track 4

45 minutes | Exploit

Yuwei Zheng Hacker

Lin Huang Hacker

One vulnerability in CSFB (Circuit Switched Fallback) in 4G LTE network will be presented. In the CSFB procedure, we found the authentication step is missing. This results in that an attacker can hijack the victim's communication. We named this attack as 'Ghost Telephonist'. Several exploitations can be made based on this vulnerability. When the call or SMS is not encrypted, or weakly encrypted, the attacker can impersonate the victim to receive the "Mobile Terminated" calls and messages or to initiate the "Mobile Originated" calls and messages. Furthermore, Telephonist Attack can obtain the victim's phone number and then use the phone number to make advanced attack, e.g. breaking Internet online accounts. These attacks can randomly choose victims, or target a given victim. We verified these attack with our own phones in operators' network in a small controllable scale. The experiments proved the vulnerability really exists. The attack doesn't need fake base station so the attack cost is low. The victim doesn't sense being attacked since no fake base station and no cell re-selection. Now we are collaborating with operators and terminal manufactures to fix this vulnerability.

Yuwei Zheng
Yuwei Zheng is a senior security researcher from Radio Security Research Dept. of 360 Technology. He has rich experiences in embedded systems over 10 years. He reversed blackberry BBM, PIN, BIS push mail protocol, and decrypted the network stream successfully in 2011. He successfully implemented a MITM attack for Blackberry BES based on a modified ECMQV protocol of RIM. He focuses on the security issues of embedded hardware and IOT systems. He was the speaker of DEF CON , HITB etc.

@huanglin_bupt

Lin Huang
Lin HUANG is a wireless security researcher and SDR technology expert, from Radio Security Research Dept. of 360 Technology. Her interests include the security issues in wireless communication, especially the cellular network security. She was the speaker of some security conferences, DEF CON , HITB, POC etc. She is the 3GPP SA3 delegate of 360 Technology.


Contributor Acknowledgement:

The Speakers would like to acknowledge Qing YANG, for his contribution to the presentation. Qing YANG is the founder of UnicornTeam & Radio Security Research Department in 360 Technology. He has rich experiences in information security area. He made presentations at BlackHat, DEF CON , CanSecWest, HITB, Ruxcon, POC, XCon, China ISC etc.


Return to Index      -     

 

DEFCON - Track 1 - Sunday - 15:00-15:45


25 Years of Program Analysis

Sunday at 15:00 in 101 Track

45 minutes | Hacker History, Demo

Zardus (Yan Shoshitaishvili) Assitant Professor, Arizona State University

Last year, DARPA hosted the Cyber Grand Challenge, the culmination of humanity's research into autonomous detection, exploitation, and mitigation of software vulnerabilities. Imagine the CGC from the outside: huge racks of servers battling it out on stage, throwing exploit after exploit at each other while humans watch helplessly from the sidelines. But that vantage point misses the program analysis methods used, the subtle trade-offs made, and the actual capabilities of these systems. It also misses why, outside of the controlled CGC environment, most automated techniques don't quite scale to the analysis of real-world software!

This talk will provide a better perspective. On the 25th anniversary of DEFCON, we will go through these last 25 years of program analysis. We'll learn about the different disciplines of program analysis (and learn strange terms such as static, dynamic, symbolic, and abstract), understand the strength and drawbacks of each, and see if, and to what extent, they are used in the course of actual vulnerability analysis.

Did you know that every finalist system in the Cyber Grand Challenge used a combination of dynamic analysis and symbolic execution to find vulnerabilities, but used static analysis to patch them? Why is that? Did you know that, to make the contest feasible for modern program analysis techniques, the CGC enforced a drastically-simplified OS model? What does this mean for you, if you want to use program analysis while finding vulns and collecting bug bounties? Come to this talk, become an expert, and go on to contribute to the future of program analysis!

Zardus (Yan Shoshitaishvili)
Zardus is one of the hacking aces on Shellphish, the oldest-running CTF team in the world. He's been attending DEFCON since 2001, playing DEFCON CTF since 2009, and talking at DEFCON since 2015. Through this time, he also pursued a PhD in Computer Security, focusing on Program Analysis. The application of cutting-edge academic program analysis techniques to CTF (and, later, to his participation in the DARPA Cyber Grand Challenge, where he led Shellphish to a 3rd-place victory and a big prize payout) gave Zardus a unique understanding of the actual capabilities of the state of the art of program analysis, which in turn drove his research and culminated in the release of the angr binary analysis framework and the Mechanical Phish, one of the world's first autonomous Cyber Reasoning Systems.


Return to Index      -     

 

DEFCON - Track 2 - Sunday - 12:00-12:45


Are all BSDs are created equally? A survey of BSD kernel vulnerabilities.

Sunday at 12:00 in Track 2

45 minutes | Demo

Ilja van Sprundel Director of penetration testing, IOActive

In this presentation I start off asking the question "How come there are only a handful of BSD security kernel bugs advisories released every year?" and then proceed to try and look at some data from several sources. It should come as no surprise that those sources are fairly limited and somewhat outdated.

The presentation then moves on to try and collect some data ourselves. This is done by actively investigating and auditing. Code review, fuzzing, runtime testing on all 3 major BSD distributions [NetBSD/OpenBSD/FreeBSD]. This is done by first investigating what would be good places where the bugs might be. Once determined, a detailed review is performed of these places. Samples and demos will be shown.

I end the presentation with some results and conclusions. I will list what the outcome was in terms of bugs found, and who -based on the data I now have- among the 3 main BSD distributions can be seen as the clear winner and loser. I will go into detail about the code quality observed and give some pointers on how to improve some code. Lastly I will try and answer the question I set out to answer ("How come there are only a handful of BSD security kernel bugs advisories released every year?").

Ilja van Sprundel
Ilja van Sprundel is experienced in exploit development and network and application testing. As IOActive's Director of Penetration Testing, he performs primarily gray-box penetration testing engagements on mobile (specializing in iOS) and runtime (specializing in Windows kernel) applications that require customized fuzzing and source code review, identifying system vulnerabilities, and designing custom security solutions for clients in technology development telecommunications, and financial services. van Sprundel specializes in the assessment of low-level kernel code and architecture/infrastructure design, having security reviewed literally hundreds of thousands of lines of code. However, as a Director, he also functions in a managerial capacity by overseeing penetration testing engagements, providing oversight regarding technical accuracy, serving as the point of contact between technical consultants and technical stakeholders, and ensuring that engagements are delivered on time and in alignment with customer's expectations. van Sprundel also is responsible to mentor and guide Associate-level consultants as they grow both their penetration testing and general consulting skillsets. He is the driver behind the team's implementation of cutting-edge techniques and tools, guided by both research and successful exploits performed during client engagements.


Return to Index      -     

 

PHV - Milano VIII - Promenade Level - Saturday - 15:10-15:59


Modern Day CovertTCP with a Twist

Mike Raggo, CSO at 802 Secure, Inc.
Chet Hosmer, Owner of python-forensics.org

Taking a modern day look on the 20 year anniversary of Craig Rowland's article on Covert TCP, we explore current day methods of covert communications and demonstrate that we are not much better off at stopping these exploits as we were 20 years ago. With the explosion of networked devices using a plethora of new wired and wireless protocols, the covert communication exploit surface is paving new paths for covert data exfiltration and secret communications. In this session, we will explore uPnP, Zigbee, WiFi, P25, Streaming Audio Services, IoT, and much more. Through real-world examples, sample code, and demos; we bring to light this hidden world of concealed communications.

Mike Raggo (Twitter: @MikeRaggo) Chief Security Officer, 802 Secure (CISSP, NSA-IAM, ACE, CSI) has over 20 years of security research experience. His current focus is wireless IoT threats impacting the enterprise. Michael is the author of “Mobile Data Loss: Threats and Countermeasures†and “Data Hiding: Exposing Concealed Data in Multimedia, Operating Systems, Mobile Devices and Network Protocols†for Syngress Books, and contributing author for “Information Security the Complete Reference 2nd Editionâ€. A former security trainer, Michael has briefed international defense agencies including the FBI and Pentagon, is a participating member of FSISAC/BITS and PCI, and is a frequent presenter at security conferences, including Black Hat, DEF CON, Gartner, RSA, DoD Cyber Crime, OWASP, HackCon, and SANS.

Chet Hosmer (Twitter: @ChetHosmer) is the Founder of Python Forensics, Inc. a non-profit organization focused on the collaborative development of open-source investigative technologies using the Python programming language. Chet is also the founder of WetStone Technologies, Inc. and has been researching and developing technology and training surrounding forensics, digital investigation and steganography for over two decades. He has made numerous appearances to discuss emerging cyber threats including National Public Radio's Kojo Nnamdi show, ABC's Primetime Thursday, NHK Japan, CrimeCrime TechTV and ABC News Australia. He has also been a frequent contributor to technical and news stories relating to cyber security and forensics and has been interviewed and quoted by IEEE, The New York Times, The Washington Post, Government Computer News, Salon.com and Wired Magazine. He is the author of three recent Elsevier/Syngress Books: Python Passive Network Mapping, Python Forensics, and Data Hiding. Chet serves as a visiting professor at Utica College where he teaches in the Cybersecurity Graduate program. He is also an Adjunct Faculty member at Champlain College in the Masters of Science in Digital Forensic Science Program. Chet delivers keynote and plenary talks on various cyber security related topics around the world each year.


Return to Index      -     

 

Night Life - Chillout Lounge, Roman 3, Promenade Level - Friday - 18:00-20:00


Title:
"DCG" Mixer

Come meet the DEF CON Groups organizers after their talk ( 17:00 - 17:45 in Track 2 ) on Friday. This DEF CON Groups mixer is for all who are, or want to become, members of local DEF CON Groups. Come to get info, meet peers, and get some DCG swag. There will be a limited about of free beer via kegs courtesy of The Dark Tangent. Join us Friday evening to meet fellow DCG organizers and members from all over the world. Tell us what make your group work, or doesn't, or just raise a glass with like minded hackers. See you there!
Return to Index      -     

 

DEFCON - Track 4 - Friday - 16:00-16:45


"Tick, Tick, Tick. Boom! You're Dead." — Tech & the FTC

Friday at 16:00 in Track 4

45 minutes

Whitney Merrill Privacy, eCommerce & Consumer Protection Counsel, Electronic Arts

Terrell McSweeny Commissioner, Federal Trade Commission

The Federal Trade Commission is a law enforcement agency tasked with protecting consumers from unfair and deceptive practices. Protecting consumers on the Internet and from bad tech is nothing new for the FTC. We will take a look back at what the FTC was doing when DEF CON first began in 1993, and what we've been doing since. We will discuss enforcement actions involving modem hijacking, FUD advertising, identity theft, and even introduce you to Dewie the e-Turtle. Looking forward, we will talk about the FTC's future protecting consumers' privacy and data security and what you can do to help.

Whitney Merrill
Whitney Merrill is a hacker, ex-fed, and lawyer. She's currently a privacy attorney at Electronic Arts (EA), and in her spare time, she runs the Crypto & Privacy Village (come say hi!). Recently, she served her country as an attorney at the Federal Trade Commission where she worked on a variety of consumer protection matters including data security, privacy, and deceptive marketing and advertising. Whitney received her J.D. and master's degree in Computer Science from the University of Illinois at Urbana-Champaign.

@wbm312

Terrell McSweeny
Terrell McSweeny serves as a Commissioner of the Federal Trade Commission. This year marks her fourth time at DEF CON . When it comes to tech issues, Commissioner McSweeny has focused on the valuable role researchers and hackers can play protecting consumer data security and privacy. She opposes bad policy and legislative proposals like mandatory backdoors and the criminalization of hacking and believes that enforcers like the FTC should work with the researcher community to protect consumers. She wants companies to implement security by design, privacy by design and data ethics design - but recognizes that, in the absence of regulation, enforcement and research are the only means of holding companies accountable for the choices they make in the ways that they hold and use consumer data.

@TMcSweenyFTC


Return to Index      -     

 

DEFCON - Track 4 - Saturday - 10:20-10:40


(Un)Fucking Forensics: Active/Passive (i.e. Offensive/Defensive) memory hacking/debugging.

Saturday at 10:20 in Track 4

20 minutes | Hacker History, Art of Defense, Demo, Tool

K2 Director, IOACTIVE

How to forensic, how to fuck forensics and how to un-fuck cyber forensics.

Defense: WTF is a RoP, why I care and how to detect it statically from memory. Counteract "Gargoyle" attacks.

Defense: For one of DEF CON 24's more popular anti-forensics talks (see int0x80 - Anti Forensics). In memory (passive debugging) techniques that allows for covert debugging of attackers (active passive means that we will (try hard to) not use events or methods that facilities are detectable by attackers).

Offense: CloudLeech - a cloud twist to Ulf Frisk Direct Memory Attack

K2
K2 (w00w00, ADM, undernet, efnet, The Honeynet Project) is a devil in the details person who does not take themselves too serious and appreciates a good laugh. Earlier DEF CON presentations included polymorphic shellcode in the form of ADMMutate (see ADM Crew), low-level process detection, with page table analysis (Weird-Machine motivated shell code) and using the branch tracing store backdoor trick on Windows to counter Ransom ware, detect RoP (RunTime + HW Assisted) and draw cool graphs — "BlockFighting with a Hooker: BlockfFghter2!". All three of these are open source tools available github.com/K2 (EhTrace and inVtero.Net are under active development).

@ktwo_K2
GitHub: https://github.com/K2


Return to Index      -     

 

DEFCON - Track 2 - Saturday - 10:00-10:45


$BIGNUM steps forward, $TRUMPNUM steps back: how can we tell if we're winning?

Saturday at 10:00 in Track 2

45 minutes

Cory Doctorow craphound.com, science fiction author, activist, journalist and blogger.

Is Net Neutrality on the up or down? Is DRM rising or falling? Is crypto being banned, or will it win, and if it does, will its major application be ransomware or revolution? Is the arc of history bending toward justice, or snapping abruptly and plummeting toward barbarism?

It's complicated.

A better world isn't a product, it's a process. The right question isn't, "Does the internet make us better or worse," its: "HOW DO WE MAKE AN INTERNET THAT MAKES THE WORLD BETTER?" We make the world better with code, sure, but also with conversations, with businesses, with lawsuits and with laws.

We don't know how to get to a better world, but we know which direction it's in, and we know how to hill-climb towards it. If we keep heading that way, we'll get *somewhere*. Somewhere good. Somewhere imperfect. Somewhere where improvement is possible.

Cory Doctorow
Cory Doctorow (craphound.com) is a science fiction author, activist, journalist and blogger - the co-editor of Boing Boing (boingboing.net) and the author of WALKAWAY, a novel for adults, a YA graphic novel called IN REAL LIFE, the nonfiction business book INFORMATION DOESN'T WANT TO BE FREE, and young adult novels like HOMELAND, PIRATE CINEMA and LITTLE BROTHER and novels for adults like RAPTURE OF THE NERDS and MAKERS. He works for the Electronic Frontier Foundation, is a MIT Media Lab Research Affiliate, is a Visiting Professor of Computer Science at Open University and co-founded the UK Open Rights Group. Born in Toronto, Canada, he now lives in Los Angeles.

@doctorow


Return to Index      -     

 

IOT - Main Contest Area - Friday - 17:40-18:30



Return to Index      -     

 

Night Life - Promenade level, in Skytalks room. - Friday - 22:30-27:00


Title:
303 Party

Hosted and produced by the hacker collective simply known as “303”. This event needs no introduction...really. See you there!
Return to Index      -     

 

Workshops - ( Sold Out ) - Octavius 1 - Thursday - 10:30-14:30


A B C of Hunting

Thursday, 10:30 to 14:30 in Octavius 1

Julian Dana Mandiant / FireEye

We heard it all before. The old school SOC/CIRTs is not enough to fight the sophisticated attacks we see these days; being reactive to alerts and the known BAD model is not cutting it anymore. We need to move forward -> the CDC (Cyber Security Center) or the SOC/CIRT 2.0+, extra, super, plus! And, that means making the changes to become: Proactive, Predictive and Reactive too. And for that you need to start the HUNTING! .... BUT what is that? How do I do it? Where do I start? Which is the simplest for me as an analyst? Logs? Intelligence?

Let's start from the ABC... We will cover the theory and a few practical LABs. How to map the active Hunting to the Attack LyfeCycle. We will talk about the IOCs, Frequency Analysis (stacking). Intel driven LAB. And lastly ask you to use your imagination to create your own Hunting case.

Please get ready to talk, as it is going to be interactive (I'm not expecting to be the only one talking).

Prerequisites: Basic Incident Response knowledge. Basic security architecture knowledge. Basic log review knowledge. Basic OS knowledge.

Materials: The attendees should bring a laptop or a VM running Windows 7 or above with 2GB of RAM (4+ GB would be better) with connection to the Internet (the one provided by DEF CON works perfectly). Software: Spreadsheet editor, favorite text editor or log viewer. Admin rights to be able to install software if required.

Max students: 36 | Registration: https://dc25_dana.eventbrite.com (Sold out!)

Julian Dana
Julian is a Professional Services Director at Mandiant (a FireEye company). He has experience teaching IR, Network Investigations and other trainings. During his carrier, he has developed SOC/CIRTs, performed many penetration tests, responded to security breaches and worked on strategical security engagements for International Companies and Government institutions.


Return to Index      -     

 

DEFCON - Track 3 - Friday - 12:00-12:45


A New Era of SSRF - Exploiting URL Parser in Trending Programming Languages!

Friday at 12:00 in Track 3

45 minutes | Demo, Tool, Exploit

Orange Tsai Security Consultant from DEVCORE

We propose a new exploit technique that brings a whole-new attack surface to bypass SSRF (Server Side Request Forgery) protections. This is a very general attack approach, in which we used in combination with our own fuzzing tool to discover many 0days in built-in libraries of very widely-used programming languages, including Python, PHP, Perl, Ruby, Java, JavaScript, Wget and cURL. The root cause of the problem lies in the inconsistency of URL parsers and URL requesters.

Being a very fundamental problem that exists in built-in libraries, sophisticated web applications such as WordPress (27% of the Web), vBulletin, MyBB and GitHub can also suffer, and 0days have been discovered in them via this technique. This general technique can also adapt to various code contexts and lead to protocol smuggling and SSRF bypassing. Several scenarios will be demonstrated to illustrate how URL parsers can be exploited to bypass SSRF protection and achieve RCE (Remote Code Execution), which is the case in our GitHub Enterprise demo.

Understanding the basics of this technique, the audience won't be surprised to know that more than 20 vulnerabilities have been found in famous programming languages and web applications aforementioned via this technique.

Orange Tsai
Cheng-Da Tsai, also as known as Orange Tsai, is member of DEVCORE and CHROOT from Taiwan. Speaker of conference such as HITCON, WooYun and AVTokyo. He participates numerous Capture-the-Flags (CTF), and won 2nd place in DEF CON 22 as team member of HITCON.

Currently focusing on vulnerability research & web application security. Orange enjoys to find vulnerabilities and participates Bug Bounty Program. He is enthusiasm for Remote Code Execution (RCE), also uncovered RCE in several vendors, such as Facebook, Uber, Apple, GitHub, Yahoo and Imgur.


Return to Index      -     

 

CPV - Florentine Ballroom 4 - Friday - 15:00-16:00


Title:
A New Political Era: Time to start wearing tin-foil hats following the 2016 elections?

Author:
Joel Wallenstrom
Robby Mook

Abstract:
The most trivial communications were weaponized and drastically changed the course of the 2016 elections right before our eyes. As a result, information security is now a number one priority for all political campaigns — domestic and international. Yet many in the political community, including France, the UK, and the US, are deploying the same old practices, tools, and user training for communicating highly-sensitive information. In addition to continuing to hoard high-target data, political parties and candidates are reluctant to change behaviors and ask for help. Admitting to being hacked has become increasingly stigmatized, preventing under-resourced campaigns and the policy community from understanding how to deal with persistent and well-funded adversaries.

What have we learned and how likely is it that this will happen to election campaigns again? This talk will provide a first-hand context for understanding the exact political, media and security environments in which multiple breaches were detected on the democratic side of the 2016 campaign and how they went unmitigated for months. The talk will then trace how, in the aftermath, the affected parties have attempted, successfully or not, to recover and learn to work with the infosec community. We will also touch on what impact product decisions in the tech and security space have on ordinary users’ ability to do their work, including running national campaigns. Finally, the talk will touch on ephemerality becoming a number one behavioral change the ‘victims’ of the election hacking seek as an antidote to information weaponization.

Bio:
Joel Wallenstrom is the CEO of Wickr, a secure communications company building peer-to-peer encrypted ephemeral messaging and collaboration platforms. Prior to joining Wickr, Joel co-founded and led several top white-hat hacker teams including iSEC Partners and NCC Group, renowned for their cutting edge independent security research and incident response in high-profile cases. Joel also served as Director for Strategic Alliances at @stake.

Robby Mook is a former campaign manager for a $1 billion start-up called HFACC, Inc., more commonly known as Hillary for America. Robby successfully ran the Virginia gubernatorial campaign for Terry McAuliffe, served as an organizer for Barack Obama's 2008 team in Nevada, Indiana, and Ohio while working for Hillary Clinton's first campaign and leading the Democratic Congressional Campaign Committee.
Twitter handle of presenter(s): @RobbyMook @mywickr
Website of presenter(s) or content: wickr.com

Return to Index      -     

 

DEFCON - Track 4 - Saturday - 13:00-13:45


A Picture is Worth a Thousand Words, Literally: Deep Neural Networks for Social Stego

Saturday at 13:00 in Track 4

45 minutes | Tool

Philip Tully Principal Data Scientist, ZeroFOX

Michael T. Raggo Chief Security Officer, 802 Secure

Images, videos and other digital media provide a convenient and expressive way to communicate through social networks. But such broadcastable and information-rich content provides ample illicit opportunity as well. Web-prevalent image files like JPEGs can be disguised with foreign data since they're perceivably robust to minor pixel and metadata alterations. Slipping a covert message into one of the billions of daily posted images may be possible, but to what extent can steganography be systematically automated and scaled?

To explore this, we first report the distorting side effects rendered upon images uploaded to popular social network servers, e.g. compression, resizing, format conversion, and metadata stripping. Then, we build a convolutional neural network that learns to reverse engineer these transformations by optimizing hidden data throughput capacity. From pre-uploaded and downloaded image files, the network learns to locate candidate metadata and pixels that are least modifiable during transit, allowing stored hidden payloads to be reliably recalled from newly presented images. Deep learning typically requires tons of training data to avoid over fitting. But data acquisition is trivial using social networks' free image hosting services, which feature bulk uploads and downloads of thousands of images at a time per album.

We show that hidden data can be predictably transmitted through social network images with high fidelity. Our results demonstrate that AI can hide data in plain sight, at large-scale, beyond human visual discernment, and despite third-party manipulation. Steganalysis and other defensive forensic countermeasures are notoriously difficult, and our exfiltration techniques highlight the growing threat posed by automated, AI-powered red teaming.

Philip Tully
Philip Tully is a Principal Data Scientist at ZeroFOX. He employs natural language processing and computer vision techniques in order to develop predictive models for combating security threats emanating from social networks. He earned his joint doctorate degree in computer science from the Royal Institute of Technology (KTH) and the University of Edinburgh, and has spoken at Black Hat, DEF CON , ShowMeCon and across the neuroscience conference circuit. He's a hackademic that's interested in applying brain-inspired algorithms to both blue and red team operations.

@phtully

Michael T. Raggo
Michael T. Raggo, Chief Security Officer, 802 Secure (CISSP, NSA-IAM, CSI) has over 20 years of security research experience. His current focus is wireless IoT threats impacting the enterprise. Michael is the author of "Mobile Data Loss: Threats & Countermeasures" and "data Hiding: Exposing Concealed Data in Multimedia, Operating Systems, Mobile Devices and Network Protocols" for Syngress Books, and contributing author for "Information Security the Complete Reference 2nd Edition". A former security trainer, Michael has briefed international defense agencies including the FBI and Pentagon, is a participating member of FSISAC/BITS and PCI, and is a frequent presenter at security conferences, including Black Hat, DEF CON , Gartner, RSA, DoD Cyber Crime, OWASP, HackCon, and SANS.


Return to Index      -     

 

Wireless - Florentine BR I & II - Promenade Level - Saturday - 18:00-18:25


Darren Kitchen

Bio

Darren Kitchen is the founder of Hak5, the award winning Internet television show inspiring hackers and enthusiasts since 2005. Breaking out of the 90s phone phreak scene, he has continued contributing to the hacker community as a speaker, instructor, author and developer of leading penetration testing tools.

@hak5darren

Sebastian Kinne

Bio

Sebastian Kinne has lead software development at Hak5 since 2011. His background in embedded systems and reverse engineering has been instrumental in the success of the WiFi Pineapple, the popular WiFi auditing tool. As an instructor and speaker on WiFi security, chances are he's sniffed your packets in a demo or two.

@sebkinne

A Pineapple, a Turtle, a Bunny, and a Squirrel walk into a bar

Abstract

A Pineapple, a Turtle, a Bunny and a Squirrel walk into a bar. Seriously. It has been a big year for the fruity team behind the WiFi Pineapple. No, that doesn't sound right. It's been a big year for Hak5. We've been working on new wireless initiatives, some out-of-band covert channel goodness, and something called a squirrel. One might say we're nuts. Join Darren Kitchen and Sebastian Kinne of famed pentesting tools and get a peek into what's right around the corner.


Return to Index      -     

 

SEV - Emperors BR II - Saturday - 17:30-18:20



Saturday July 29 5:30PM 50 mins
….Not lose the common touch
Building rapport is essential in life, and critical in Social Engineering. A lesson learned while tending bar on the Las Vegas Strip taught me something that everyone has in common: Everybody is from somewhere. Find out how to use this idea on engagements and in everyday life.

Billy Boatright: @fuzzy_l0gic
Billy began his social engineering career without even knowing it.  He was a bartender on the Las Vegas Strip for the better part of a decade.  He won numerous awards from all over the world as a Top-ranked Flair Bartender.  He has taken the skills he learned behind the bar to the Information Security world.  Billy has been a Judge for the Social Engineering Capture the Flag event at Defcon.  He is also the namesake for the BSides Las Vegas Social Engineering Capture the Flag Championship Belt.  Billy also volunteers time and expertise to the Las Vegas ISSA Chapter as a Board Member.  He is also a member of the BSides Las Vegas Senior Staff.

Billy has multiple degrees and numerous certifications.  However, when asked about them he will gladly quote George Moriarty, “The shining trophies on our shelves can never win tomorrow’s game.”


Return to Index      -     

 

DEFCON - Track 4 - Friday - 15:00-15:45


Abusing Certificate Transparency Logs

Friday at 15:00 in Track 4

45 minutes | Demo, Tool

Hanno Böck Hacker and freelance journalist

The Certificate Transparency system provides public logs of TLS certificates. While Certificate Transparency is primarily used to uncover security issues in certificates, its data is also valuable for other use cases. The talk will present a novel way of exploiting common web applications like Wordpress, Joomla or Typo3 with the help of Certificate Transparency.

Certificate Transparency has helped uncover various incidents in the past where certificate authorities have violated rules. It is probably one of the most important security improvements that has ever happened in the certificate authority ecosystem. In September 2017 Google will make Certificate Transparency mandatory for all new certificates. So it's a good time to see how it could be abused by the bad guys.

Hanno Böck
Hanno Böck is a hacker and freelance journalist. He regularly covers IT security issues for the German IT news site Golem.de and publishes the monthly Bulletproof TLS Newsletter. He also runs the Fuzzing Project, an effort to improve the security of free and open source software supported by the Linux Foundation's Core Infrastructure Initiative.

@hanno


Return to Index      -     

 

CHV - Village Talks Outside Contest Area, Pool Level - Friday - 14:30-15:30


Abusing Smart Cars with QR codes

No description available


Return to Index      -     

 

DEFCON - Track 1 - Saturday - 11:20-11:40


Abusing Webhooks for Command and Control

Saturday at 11:20 in 101 Track

20 minutes | Demo, Tool

Dimitry Snezhkov Security Consultant, X-Force Red, IBM

You are on the inside of the perimeter. And maybe you want to exfiltrate data, download a tool, or execute commands on your command and control server (C2). Problem is - the first leg of connectivity to your C2 is denied. Your DNS and ICMP traffic is being monitored. Access to your cloud drives is restricted. You've implemented domain fronting for your C2 only to discover it is ranked low by the content proxy, which is only allowing access to a handful of business related websites on the outside.

We have all been there, seeing frustrating proxy denies or triggering security alarms making our presence known.
Having more choices when it comes to outbound network connectivity helps. In this talk we'll present a technique to establish such connectivity with the help of HTTP callbacks (webhooks). We will walk you through what webhooks are, how they are used by organizations. We will then discuss how you can use approved sites as brokers of your communication, perform data transfers, establish almost realtime asynchronous command execution, and even create a command-and-control communication over them, bypassing strict defensive proxies, and even avoiding attribution.

Finally, we'll release the tool that will use the concept of a broker website to work with the external C2 using webhooks.

Dimitry Snezhkov
Dimitry Snezhkov does not like to refer to himself in the third person ;) but when he does he is a Sr. Security Consultant for X-Force Red at IBM, currently focusing on offensive security testing, code hacking and tool building.

@Op_Nomad


Return to Index      -     

 

SKY - Verona/Tuin/Trevi - Promenade Level - Friday - 14:00-14:59


Title:
Advanced DNS Exfil

1400 Friday
Nolan and Cory
Advanced DNS Exfil

"Our previous demonstration used base64-encoded subdomains to exfiltrate data. It created long subdomains that might look unusual to an analyst and was detectable if you were to look for domains that had very high numbers of unique subdomains.

This method, although slower in throughput, is is less detectable by frequency analysis using tools such as elk stack. The reason for this is that data is encoded into the DNS header rather than resource sections of the packet. The query can be a the authoritative domain name if exfiltration should need to pass through caches. If the client has direct access to port 53, however, any domain name can be specified as it is totally ignored by the exfiltration process.

In the example above, I am directly querying the evil DNS using common domain names bing.com, yahoo.com and google.com. The evil dns server responds with the correct A record response, while at the same time reproducing the contents of /etc/passwd.

While that is going on, tcpdump appears to show normal-looking traffic with accurate responses.

19:58:39.298908 IP 127.0.0.1.53 > 127.0.0.1.43371: 25967 2/0/0 A 204.79.197.200, A 13.107.21.200 (58)
19:58:39.299534 IP 127.0.0.1.47467 > 127.0.0.1.53: 25964+ A? bing.com. (26)
19:58:39.300673 IP 10.0.1.39.49825 > 8.8.8.8.53: 25964+ A? bing.com. (26)
19:58:39.321210 IP 8.8.8.8.53 > 10.0.1.39.49825: 25964 2/0/0 A 204.79.197.200, A 13.107.21.200 (58)
19:58:39.321828 IP 127.0.0.1.53 > 127.0.0.1.47467: 25964 2/0/0 A 204.79.197.200, A 13.107.21.200 (58)
19:58:39.322258 IP 127.0.0.1.58465 > 127.0.0.1.53: 25967+ A? yahoo.com. (27)
19:58:39.322991 IP 10.0.1.39.46677 > 8.8.8.8.53: 25967+ A? yahoo.com. (27)
19:58:39.343705 IP 8.8.8.8.53 > 10.0.1.39.46677: 25967 3/0/0 A 98.139.183.24, A 98.138.253.109, A 206.190.36.45 (75)
19:58:39.344408 IP 127.0.0.1.53 > 127.0.0.1.58465: 25967 3/0/0 A 98.139.183.24, A 98.138.253.109, A 206.190.36.45 (75)
19:58:39.344872 IP 127.0.0.1.55726 > 127.0.0.1.53: 25959+ A? yahoo.com. (27)
19:58:39.345549 IP 10.0.1.39.39783 > 8.8.8.8.53: 25959+ A? yahoo.com. (27)
19:58:39.393440 IP 8.8.8.8.53 > 10.0.1.39.39783: 25959 3/0/0 A 98.139.183.24, A 98.138.253.109, A 206.190.36.45 (75)
19:58:39.394173 IP 127.0.0.1.53 > 127.0.0.1.55726: 25959 3/0/0 A 98.139.183.24, A 98.138.253.109, A 206.190.36.45 (75)
19:58:39.394902 IP 127.0.0.1.51405 > 127.0.0.1.53: 25961+ A? google.com. (28)
19:58:39.395784 IP 10.0.1.39.37965 > 8.8.8.8.53: 25961+ A? google.com. (28)
19:58:39.410372 IP 8.8.8.8.53 > 10.0.1.39.37965: 25961 1/0/0 A 172.217.5.110 (44)
19:58:39.411103 IP 127.0.0.1.53 > 127.0.0.1.51405: 25961 1/0/0 A 172.217.5.110 (44)



As far as I know no one has done much DNS Exfil work without the use of subdomains so I believe this is somewhat new."

Return to Index      -     

 

PHW - Neopolitan BR IV - Promenade Level - Saturday - 18:15-19:30


Advanced Implant Detection with Bro and PacketSled

Aaron Eppert, Director of Engineering for PacketSled

With the release Double Pulsar by the Shadow Brokers malicious software ranging from EternalBlue, WannaCry, to the more recent (Not)Peyta cyberattacks have necessitated a deeper understanding of the SMB protocol found in virtually every network in the world. Given the extreme complexity of SMB it is very easy for C&C activity to go undetected due to the shear signal-to-noise ratio present in the protocol and the high volume of activity that it generates on a network without malicious activity being present. For this PacketSled extended the SMB analyzer in Bro to facilitate the detection of, what would generally be, anomalous behavior of the protocol itself, bringing the noise floor down and allowing for the detection of anomalous activity.

What is Bro? Bro is a powerful network analysis framework that allows for customized development via an internal scripting language that allows the creation of highly powerful detections via metadata extraction events.

Aaron Eppert (Twitter: @aeppert) is the Director of Engineering and lead developer of PacketSled’s core Sensor technology. Aaron has commits to the Bro Core project and resurrected the SMB Analyzer from the depths of a feature branch and has since extended it for the purposes of finding modern malware. Additionally, Aaron has two decades of experience reverse engineering network protocols and malware as well as developing as well as developing low-level software in a range of languages. Aaron has developed and presented Bro-centric trainings to Fortune 500 companies, and government organizations.


Return to Index      -     

 

Demolabs - Table 1 - Saturday - 16:00-17:50


Advanced Spectrum Monitoring with ShinySDR

Michael Ossmann

Dominic Spill

Saturday from 1600-1750 at Table One

Audience: Wireless, Defense

We have developed open source tools to monitor the RF spectrum at a high level and then drill down to individual signals, supporting both reverse engineering and signals intelligence. By automatically combining the results with OSINT data from regulatory bodies around the world, we are able to build up a picture of devices transmitting in an environment.

http://greatscottgadgets.com/spectrummonitoring

Michael Ossmann
Michael Ossmann is a wireless security researcher who makes hardware for hackers. Best known for the open source HackRF, Ubertooth, and GreatFET projects, he founded Great Scott Gadgets in an effort to put exciting, new tools into the hands of innovative people.

Dominic Spill
Dominic Spill is senior security researcher for Great Scott Gadgets. The US government recently labelled him as "extraordinary." This has gone to his head.


Return to Index      -     

 

Workshops - ( Sold Out ) - Octavius 7 - Friday - 14:30-18:30


Advanced Wireless Attacks Against Enterprise Networks

Friday, 14:30 to 18:30 in Octavius 7

Gabriel Ryan Security Consultant, Gotham Digital Science

This workshop will instruct attendees on how to carry out sophisticated wireless attacks against corporate infrastructure. Students will learn how to attack and gain access to WPA2-Enterprise networks, bypass network access controls, and explore how wireless can be leveraged as a powerful means of lateral movement through an Active Directory environment.

Topics of interest include:

- Wireless Reconnaissance and Target Identification Within A Red Team Environment
- Attacking and Gaining Entry to WPA2-EAP wireless networks
- SMB Relay Attacks and LLMNR/NBT-NS Poisoning
- Data Manipulation and Browser Exploitation Using Wireless MITM Attacks
- Downgrading Modern SSL/TLS Implementations Using Partial HSTS Bypasses
- Firewall and NAC Evasion Using Indirect Wireless Pivots

Each student will receive a course package containing a comprehensive course guide and preconfigured virtual machines. External wireless adapters and other wireless networking hardware will be provided by the instructor, and material learned in the lectures will be practiced within a realistic lab environment. The instructor will make himself available via email for questions and guidance in the weeks leading up to and following the workshop.

Prerequisites: A previous wireless security background is helpful but not required.

Materials: Students will be required to bring their own laptops capable of running virtualization software such as VMWare or VirtualBox. Other than that, I plan on providing the necessary hardware to complete the workshop. Hardware that will be provided to students includes:

- 1 TP-Link WN722N external wireless interface per student
- wireless access points

Max students: 85 | Registration: https://dc25_ryan.eventbrite.com/ (Sold out!)

Gabriel Ryan
Gabriel Ryan is a security consultant and researcher with a passion for wireless and infrastructure testing. He currently works for Gotham Digital Science at their New York office, where he provides full scope red team penetration testing capabilities for a diverse range of clients. He also contributes heavily to his company's research division, GDS labs. Previously, Gabriel has worked as a penetration tester and researcher for the Virginia-based defense contractor OGSystems, and as a systems programmer for Rutgers University. He also is a member of the BSides Las Vegas senior staff, coordinating wireless security for the event. In his spare time, he enjoys live music, exploring the outdoors, and riding motorcycles.


Return to Index      -     

 

CPV - Florentine Ballroom 4 - Friday - 12:00-13:00


Title:
Alice and Bob are Slightly Less Confused

Name:
David Huerta (Freedom of the Press Foundation)

Abstract:
Two years ago at DEF CON I discussed UX issues affecting every kind of encryption tool. Since then, much has improved. We’ll go over some of the better examples of usable privacy technology and, like last time, go over some new challenges that still need to be addressed to make crypto usable in the real world. This talk is a sequel to this one: https://www.youtube.com/watch?v=pkh7gUm82QY.

Bio:
David Huerta is a Digital Security Fellow at the Freedom of the Press Foundation, where he’s working on ways to train journalists to take advantage of privacy-enhancing technology to empower a free press. He's organized dozens of trainings across the US from Brooklyn to Phoenix. Before arriving in New York, he was one of the founding members for HeatSync Labs, an Arizona hackerspace which brings makers, hackers, and the occasional futurist together to build things and teach others how to do the same.
Twitter handle of presenter(s): huertanix

Return to Index      -     

 

SKY - Verona/Tuin/Trevi - Promenade Level - Friday - 16:00-16:59


Title:
All The Sales President's Men

1600 Friday
Patrick McNeil
@unregistered436
All The Sales President's Men
"Are you someone technical who is starting to evaluate vendors for a new project? Or perhaps you are the person from your team tagged with going to Black Hat, RSA, or other vendor conferences to look at this year's product evaluation candidates?

As technologists and hackers many of us have skills in intelligence gathering, or social engineering, but we might not stop to think about how those same skills are being used against us to influence our purchasing decisions as we evaluate vendors for new projects. Now I know you're thinking, ""I can spot that a mile away"". No free lunch, vendor party, or booth giveaway at big security conference X is going to sway ME, right? Well, I've got a confession to make - it goes way beyond that stuff. As a “sales engineer” I can be your ally, your advocate, and an asset to your organization. I can also be the secret weapon of the sales team - the guy who speaks both languages - sales and tech. If I don’t have good intentions I can convince you to buy something you don’t need.

Want to know how? Let me walk you through what happens behind the scenes during the sales cycle at a typical tech company."

Return to Index      -     

 

DEFCON - Track 4 - Saturday - 11:20-12:35


All Your Things Are Belong To Us

Saturday at 11:20 in Track 4

75 minutes | Demo, Exploit

Zenofex Hacker

0x00string Hacker

CJ_000 Hacker

Maximus64 Hacker

Get out your rollerblades, plug in your camo keyboard, and fire up your BLT drive. It's 25 years later and we're still hacking the planet. The Exploitee.rs are back with new 0day, new exploits and more fun. Celebrating a quarter century of DEF CON the best way we know how: hacking everything!

Our presentation will showcase vulnerabilities discovered during our research into thousands of dollars of IoT gear performed exclusively for DEF CON. We will be releasing all the vulnerabilities during the presentation as 0days to give attendees the ability to go home and unlock their hardware prior to patches being released. As always, to give back to the community that has given us so much, we will be handing out free hardware during the presentation so you can hack all the things too!Come party with us while we make "All Your Things Are Belong To Us."

Zenofex
Zenofex (@zenofex) is a researcher with Exploitee.rs. Amir founded "Exploitee.rs" which is a public research group and has released exploits for over 45 devices including the Amazon FireTV, Roku Media Player and the Google Chromecast. Amir is also a member of Austin Hackers and has spoken at a number of security conferences including DEF CON, B-Sides Austin, and InfoSec Southwest.

@exploiteers
@zenofex

0x00string
0x00string (@0x00string) is hacker and security researcher, a recent addition to Exploitee.rs who has presented at BSidesSATX and ISSW. His previous published work includes Reverse Engineering The Kankun Smart Plug, and Hacking The Samsung Allshare Cast Hub. His hobbies include bug collecting and hacking all the things.

@0x00string

CJ_000
Cj_000 (@cj_000) is a researcher in the Cyber and Information Security directorate at *redacted* and also a member of Exploitee.rs. CJ has been involved in the release and responsible disclosure of vulnerabilities in a number of devices including TV's, media players, and refrigerators. CJ has presented at multiple DEF CON's and believes that a simple approach is often the most elegant solution.

@cj_000

Maximus64
Maximus64 (@maximus64_) is an undergraduate student at the University of Central Florida. Khoa enjoys a hardware based approach in researching embedded devices and is a master of the soldering iron. Khoa has disclosed numerous vulnerabilities in various set-top boxes and other "smart" devices to multiple vendors. He is currently listed on various "Security Hall of Fame" pages for successful bug bounty submissions including AT&T, Samsung and Roku.

@maximus64_


Return to Index      -     

 

DEFCON - Track 1 - Thursday - 13:00-13:45


Amateur Digital Archeology

Thursday at 13:00 in 101 Track

45 minutes

Matt 'openfly' Joyce Hacker at NYC Resistor

'Digital Archeology' is actually the name of a Digital Forensics text book. But what if we used forensics techniques targetting cyber crime investigations to help address the void in Archeology that addresses digital media and silicon artifacts. At NYC Resistor in Brooklyn we've gotten into the world of Digital Archeology on several occasions and the projects have been enjoyable and educational.

Now, imagine what could happen if a bunch of hackers are able to get their hands on a laptop pulled off of a space shuttle.

Then come to our talk and find out what ACTUALLY happened. I bought a laptop at auction that claimed to be off a Shuttle Mission. It turns out to have been mostly authentic. This will be a little foray into the history of this device and what I could find out about it, and how I did that.

Spoiler Alert: We found out a lot.

Bonus: I may have found the sister laptop of this laptop (serial numbers match)

Matt 'openfly' Joyce
Matt Joyce hates writing in the third person. He is a hacker at NYC Resistor in Brooklyn. He used to do NASA shit for a project called Nebula. He currently is doing this talk in no way representing current or past employers. Matt's last talk was at the American Homebrewer's Association.


Return to Index      -     

 

DEFCON - Track 3 - Friday - 16:00-16:45


An ACE Up the Sleeve: Designing Active Directory DACL Backdoors

Friday at 16:00 in Track 3

45 minutes | Demo

Andy Robbins Red Team Lead

Will Schroeder Offensive Engineer

Active Directory (AD) object discretionary access control lists (DACLs) are an untapped offensive landscape, often overlooked by attackers and defenders alike. The control relationships between AD objects align perfectly with the "attackers think in graphs" philosophy and expose an entire class of previously unseen control edges, dramatically expanding the number of paths to complete domain compromise.

While DACL misconfigurations can provide numerous paths that facilitate elevation of domain rights, they also present a unique chance to covertly deploy Active Directory persistence. It's often difficult to determine whether a specific AD DACL misconfiguration was set intentionally or implemented by accident. This makes Active Directory DACL backdoors an excellent persistence opportunity: minimal forensic footprint, and maximum plausible deniability.

This talk will cover Active Directory DACLs in depth, our "misconfiguration taxonomy", and enumeration/analysis with BloodHound's newly released feature set. We will cover the abuse of AD DACL misconfigurations for the purpose of domain rights elevation, including common misconfigurations encountered in the wild. We will then cover methods to design AD DACL backdoors, including ways to evade current detections, and will conclude with defensive mitigation/detection techniques for everything described.

Andy Robbins
As a Red Team lead, Andy Robbins has performed penetration tests and red team assessments for a number of Fortune 100 commercial clients, as well as federal and state agencies. Andy presented his research on a critical flaw in the ACH payment processing standard in 2014 at DerbyCon and the ISC2 World Congress, and has spoken at other conferences including DEF CON , BSidesLV, ekoparty, ISSA International, and Paranoia Conf in Oslo. He has a passion for offensive development and red team tradecraft, and helps to develop and teach the "Adaptive Red Team Tactics" course at BlackHat USA.

@_wald0

Will Schroeder
Will Schroeder is a offensive engineer and red teamer. He is a co-founder of Empire/Empyre, BloodHound, and the Veil-Framework, developed PowerView and PowerUp, is an active developer on the PowerSploit project, and is a Microsoft PowerShell MVP. He has presented at a number of conferences, including DEF CON , DerbyCon, Troopers, BlueHat Israel, and various Security BSides.

@harmj0y


Return to Index      -     

 

PHW - Neopolitan BR IV - Promenade Level - Friday - 11:00-12:30


An Intro to Hunting with Splunk

Come to Packet Hacking Village and get a hands-on "Hunting with Splunk" training from the experts. You will learn how to deal with end point data, sort through wire data, and maybe even find some advanced threats. Then try your hand at searching for actors in a realistic dataset in Splunk.

Splunk Security Specialists (Twitter: @splunksec) are a group of Security practitioners who play with Splunk and get to help out at things like Wall of Sheep.


Return to Index      -     

 

PHW - Neopolitan BR IV - Promenade Level - Sunday - 11:00-12:30


An Intro to Hunting with Splunk

Come to Packet Hacking Village and get a hands-on "Hunting with Splunk" training from the experts. You will learn how to deal with end point data, sort through wire data, and maybe even find some advanced threats. Then try your hand at searching for actors in a realistic dataset in Splunk.

Splunk Security Specialists (Twitter: @splunksec) are a group of Security practitioners who play with Splunk and get to help out at things like Wall of Sheep.


Return to Index      -     

 

RCV - Palermo room, Promenade level - Friday - 14:55-15:40


An Introduction to Graph Theory for OSINT

Abstract

This session aims to gently introduce graph theory and the applied use of graphs for people who, like the speaker, consider themselves lacking the often perceived advanced math, science, and computer programming knowledge needed to harness their power.

The session will include live attendee interaction to help explain the general concepts of graph theory in a safe and inclusive way that should help solidify basic knowledge.

Once everyone understands what a graph can be used for we will discuss its applied use with several use cases including the tracking of security threats, construction of attacker profiles, and even using graphs to better understand organizational risk based the introduction of new tools, processes, or legal requirements.

Attendees may not leave with a Ph.D. but they’ll certainly walk away with a firm understanding of graph theory and how to construct, deploy, and maintain graphs for security and compliance initiatives within their organization.

Speaker Profile


Return to Index      -     

 

Demolabs - Table 3 - Saturday - 10:00-11:50


Android Tamer

Anant Shrivastava

Saturday from 1000-1150 at Table Three

Audience: Mobile (specifically Android)

Android Tamer is a project to provide various resources for Android mobile application and device security reviews. Be it pentesting, malware analysis, reverse engineering or device assessment. We strive to solve some of the major pain points in setting up the testing environments by providing various ways and means to perform the task in most effortless manner.

https://androidtamer.com/

Anant Shrivastava
Anant Shrivastava is an information security professional with nearly 10 years of hacking and teaching experience, with expertise in Mobile, Web Application, Networks and Linux Security. He is Regional Director Asia Pacific for NotSoSecure Global Services and has lead hacking training at some of the worlds top security conferences (BlackHat USA/EU/ASIA, Nullcon, g0s, c0c0n). Anant also leads Open Source project AndroidTamer (www.androidtamer.com) and CodeVigilant (www.codevigilant.com).


Return to Index      -     

 

Workshops - ( Sold Out ) - Octavius 7 - Friday - 10:30-14:30


Applied Physical Attacks on Embedded Systems, Introductory Version

Friday, 10:30 to 14:30 in Octavius 7

Joe FitzPatrick Instructor & Researcher, Securing Hardware

Syler Clayton Security Engineer

Chris Castellano Senior Enterprise Windows Sysadmin

This workshop introduces several different relatively accessible interfaces on embedded systems. Attendees will get hands-on experience with UART, SPI, and JTAG interfaces on a MIPS-based wifi development board. After a brief architectural overview of each interface, hands-on labs will guide through the process understanding, observing, interacting with, and exploiting the interface to potentially access a root shell on the target.

Prerequisites: No hardware or electrical background is required. Computer architecture knowledge, Linux internals, command-line familiarity, and low-level programming experience all very helpful but not actually required.

Materials: All equipment, including laptops, will be provided for use in the class. Students will be provided with a lab manual that includes an equipment list of all materials used for the class.

Max students: 60 | Registration: https://dc25_fitzpatrick.eventbrite.com (Sold out!)

Joe FitzPatrick
Joe (@securelyfitz) is an Instructor and Researcher at https://SecuringHardware.com (@securinghw). Joe has spent over a decade working on low-level silicon debug, security validation, and penetration testing of CPUS, SOCs, and microcontrollers. He has spent the past 5 years developing and leading hardware security related training, instructing hundreds of security researchers, pen testers, hardware validators worldwide. When not teaching Applied Physical Attacks training, Joe is busy developing new course content or working on contributions to the NSA Playset and other misdirected hardware projects, which he regularly presents at all sorts of fun conferences.

Syler Clayton
Syler Clayton (@SylerClayton) is known in the homebrew scene for his work reverse engineering and developing exploits for the Nintendo 3DS and Wii U. Professionally, he has spent the past 5 years as a Security Engineer doing reverse engineering, exploit development, penetration testing & software development. Since 2015, Syler has led the Red Team for the Collegiate Cyber Defense Competition At-Large regional. In his free time, Syler enjoys hacking on embedded systems in the form of video games, racing drones, virtual reality & electric longboards.

Chris Castellano
Chris Castellano (@StealthyC) is a Senior Enterprise Windows Sysadmin, with a high focus in defensive security. Pew Pew.


Return to Index      -     

 

SEV - Emperors BR II - Saturday - 16:55-17:25



Saturday July 29 4:55PM 30 Mins
To Be Announced Soon:

Michele Fincher: @SultryAsian
Michele Fincher is the Chief Influencing Agent of Social-Engineer, LLC, possessing over 20 years experience as a behavioral scientist, researcher, and information security professional. Her diverse background has helped solidify Social-Engineer, LLC’s place as the premier social engineering consulting firm.
As a US Air Force officer, Michele’s assignments included the USAF Academy, where she was a National Board Certified Counselor, Assistant Professor, and the Executive Officer in the Department of Behavioral Sciences and Leadership. Upon separating from the Air Force, Michele went on to hold positions with a research and software development firm in support of the US Air Force Research Laboratory as well as an information security firm, conducting National Security Agency appraisals and Certification and Accreditation for federal government information systems. She also returned to the USAF Academy, once again in the Department of Behavioral Sciences and Leadership, as a civilian instructor.
At Social-Engineer, LLC, Michele is a senior penetration tester and trainer with professional expertise in all facets of social engineering vectors, assessments, and research. A remarkable writer, she is also the talent behind many of the written products of Social-Engineer, LLC, including numerous reports and assessments, blog posts, and the Social-Engineer Newsletters. Michele is also the co-author of the very popular book, Phishing Dark Waters: The Offensive and Defensive Sides of Malicious Emails.
Michele is an often-requested trainer and speaker on various technical and behavioral subjects for law enforcement, the intelligence community, and the private sector in venues including the Black Hat Briefings, RSA, Techno Security, SC Congress, and the Advanced Practical Social Engineering training course.
Michele has her Bachelor of Science in Human Factors Engineering from the US Air Force Academy and her Master of Science in Counseling from Auburn University. She is a Certified Information Systems Security Professional (CISSP).


Return to Index      -     

 

DEFCON - Track 1 - Friday - 15:00-15:45


Assembly Language is Too High Level

Friday at 15:00 in 101 Track

45 minutes | Demo, Tool, Exploit

XlogicX Machine Hacker

Do you have a collection of vulnerable programs that you have not yet been able to exploit? There may yet still be hope. This talk will show you how to look deeper (lower level). If you've ever heard experts say how x86 assembly language is just a one-to-one relationship to its machine-code, then we need to have a talk. This is that talk; gruesome detail on how an assembly instruction can have multiple valid representations in machine-code and vice versa. You can also just take my word for it, ignore the details like a bro, and use the tool that will be released for this talk: the Interactive Redundant Assembler (irasm). You can just copy the alternate machine code from the tool and use it in other tools like mona, use it to give yourself more options for self-modifying code, fork Hydan (stego) and give it more variety, or to create peace on earth.

XlogicX
XlogicX hacks at anything low level. He's unmasked sanitized IP addresses in packets (because checksums) and crafts his own pcaps with just xxd. He feeds complete garbage to forensic tools, AV products, decompression software, and intrusion detection systems. He made evil strings more evil (with automation) to exploit high consumption regular expressions. Lately he has been declaring war on assembly language (calling it too high-level) and doing all kinds of ignorant things with machine code. More information can be found on xlogicx.net

@XlogicX


Return to Index      -     

 

RCV - Palermo room, Promenade level - Friday - 17:25-17:59


Attack Surface Discovery with Intrigue

Abstract

What’s more fun than discovering vulnerable and attack-worthy systems on the internet? Come join us for live demos!

Intrigue is a powerful and extensible open source engine for discovering attack surface. It helps security researchers, penetration testers, bug bounty hunters, and defenders to discover assets and their vulnerabilities. During this session, we’ll demo Intrigue and talk through architecture, with focus on recent areas of improvement such as meta-entities and discovery automation strategies.

Speaker Profile

Jonathan Cran (@jcran)


Return to Index      -     

 

Workshops - ( Sold Out ) - Octavius 4 - Thursday - 10:30-14:30


Attacking Active Directory and Advanced Methods of Defense

Thursday, 10:30 to 14:30 in Octavius 4

Adam Steed Associate Director, Protiviti

Andrew Allen Senior Consultant, Protiviti

This hands on workshop teaches you how to both attack and defend Active Directory. We will start by deploying an Active Directory environment using the typical security settings found in most medium to large organizations. Participants will then learn current common methods and tools used to exploit Active Directory against their test environments. Participants will create a hardened Active Directory environment using advanced methods to secure domain controllers from attack and then try to compromise their hardened environments.

Prerequisites: A basic to intermediate understanding of how Active Directory works including day to day administration of users and implementing group policy.

Materials: All participants will need be bring a laptop to the workshop that can be used to spin up virtual machines or have access to a personal AWS or Azure instance.

Max students: 72 | Registration: https://dc25_steed.eventbrite.com/ (Sold out!)

Adam Steed
Adam Steed prides himself in not just being an Information Security professional, but has been part of the culture that has defined Defcon for the last two decades. He has over 20 years of experience in working for Financial, Websites and Healthcare organizations. Currently Adam an Associate Director at Protiviti as part of the Security and Privacy practice. He has also spoken at Bsides and other events across the United States.

Andrew Allen
Andrew Allen is a senior consultant in the IT Security and Privacy Management Practice at Protiviti. He served as an Information Assurance Security Officer in the United States Army before receiving a B.S. in Information Science and Technology from Temple University. His career has centered on penetration testing and is an offensive PowerShell enthusiast.


Return to Index      -     

 

Workshops - ( Sold Out ) - Octavius 5 - Thursday - 14:30-18:30


Attacking and Defending 802.11ac Networks

Thursday, 14:30 to 18:30 in Octavius 5

Vivek Ramachandran Founder, Pentester Academy

Thomas d'Otreppe Wireless Security Researcher

802.11ac networks pose a significant challenge to existing Wi-Fi hacking tools and techniques. Unlike the previous generation of 802.11 networks, AC brings about significant complexities with features such as multi-user MIMO, advanced beamforming, up to 8 spatial streams, extremely high speeds (Gbps) and wide channel bandwidths 80-160. This workshop will help you "upgrade" your existing tools and techniques for both attacking and defending these networks. After this workshop, you will be able to create your own 802.11ac monitoring and attack platform.

Prerequisites: Working knowledge of Wi-Fi and Linux

Materials: We will be providing files which can downloaded to follow the class. Wireshark needs to be installed.

Max students: 90 | Registration: https://dc25_ramachandran.eventbrite.com (Sold out!)

Vivek Ramachandran
Vivek Ramachandran is the Founder and Chief Trainer at Pentester Academy. He discovered the Caffe Latte attack, broke WEP Cloaking, conceptualized enterprise Wi-Fi Backdoors, created Chellam - the world's first Wi-Fi Firewall and Chigula - a Wi-Fi data mining and IDS framework. He is also the author of multiple five star rated books which have together sold over 13,000+ copies worldwide and have been translated to multiple languages. Vivek started"SecurityTube.net"in 2007, a YouTube for security which current aggregates the largest collection of security research videos on the web. SecurityTube Training and Pentester Academy now serve thousands of customers from over 90 countries worldwide. Vivek's work on wireless security has been quoted in BBC online, InfoWorld, MacWorld, The Register, IT World Canada etc. places. He has spoken/trained at top conferences around the world including Black Hat USA, Europe and Abu Dhabi, Defcon, Hacktivity, Brucon and others

Thomas d'Otreppe
Thomas D'Otreppe is a wireless security researcher and author of Aircrack-ng, the most popular and complete suite of tools for WiFi network security assessments. He also created OpenWIPS-ng, an open source Wireless Intrusion Prevention System. Thomas is a contributor to the WiFi stack and toolset in Backtrack Linux, which has now become Kali Linux, the de facto top choice Linux distribution for penetration testing and vulnerability assessment across multiple technology domains. He is also known as an author of a pro-active wireless security course which has been delivered to large numbers of IT Security professionals worldwide. Thomas speaks and teaches in the Americas and Europe and is a well-known speaker at DefCon, BlackHat, DerbyCon, SharkFest, Mundo Hacker Day, BruCON and other venues


Return to Index      -     

 

DEFCON - Track 1 - Saturday - 14:00-14:45


Attacking Autonomic Networks

Saturday at 14:00 in 101 Track

45 minutes | Demo, Exploit

Omar Eissa Security Analyst, ERNW GmbH

Autonomic systems are smart systems which do not need any human management or intervention. Cisco is one of the first companies to deploy the technology in which the routers are just "Plug and Play" with no need for configuration. All that is needed is 5 commands to build fully automated network. It is already supported in pretty much all of the recent software images for enterprise level and carrier grade routers/switches.

This is the bright side of the technology. On the other hand, the configuration is hidden and the interfaces are inaccessible. The protocol is proprietary and there is no mechanism to know what is running within your network.

In this talk, we will have a quick overview on Cisco's Autonomic Network Architecture, then I will reverse-engineer the proprietary protocol through its multiple phases. Finally, multiple vulnerabilities (overall 5) will be presented, one of which allows to crash systems remotely by knowing their IPv6 address.

Omar Eissa
Omar Eissa is a security Analyst working for ERNW. His interests are network security and reverse-engineering. He is a professional Cisco engineer with various years of experience in enterprise and ISPs networks. He has given talks and workshops at various telco events and conferences like Troopers17 and Black Hat USA 2017.


Return to Index      -     

 

CHV - Village Talks Outside Contest Area, Pool Level - Friday - 10:00-10:59


Attacking Wireless Interfaces in Vehicles

No description available


Return to Index      -     

 

CPV - Florentine Ballroom 4 - Saturday - 17:30-18:00


Title:
Automated Testing using Crypto Differential Fuzzing (DO NOT RECORD)

Author:
Yolan Romailler (Kudelski Security)

Abstract:
I present a new approach to test crypto software we developed together with JP Aumasson: differential fuzzing and our newly released tool, CDF, implementing it along with many edge case tests for common algorithms such as ECDSA, DSA and RSA. CDF also features time leakage detection.

CDF allowed the discovery of issues in high-profile, widely used crypto software components such as Go's crypto package, OpenSSL, and mbedTLS.

It is easy to use CDF to test your own library and everything is performed in a black-box fashion, so you only need to provide CDF with an executable to test it.

Bio:
Yolan Romailler is a Security Researcher at Kudelski Seucrity, where he delves into (and dwells on) cryptography, crypto code, and other fun things. He graduated in mathematics at EPFL and later in information security at HES-SO, both in Switzerland.
Twitter handle of presenter(s): anomalroil

Return to Index      -     

 

Wireless - Florentine BR I & II - Promenade Level - Friday - 11:30-11:55


Eric Escobar (JusticeBeaver)

Bio

Eric Escobar is a Principal Consultant at SecureWorks. His projects generally include a mixture of Raspberry Pis, 3D printing, wireless tech and maybe even a rocket or two. Before he started chasing shells, Eric procured a Bachelor's and Master's degree in Civil Engineering. He now enjoys all things wireless, from WiFi, to SDR and Ham Radio. His team consecutively won first place at DEF CON 23 and 24's Wireless CTF, snagging a black badge along the way.

Automating Physical Home Security through Hacking

Abstract

This presentation will dive into hacking wireless security systems present in many residential homes. A number of common wireless sensors are susceptible to a wide range of vulnerabilities including denial of service attacks, replay attacks and information disclosures. Sensors that detect motion, smoke, water leaks, gas leaks and open doors use similar weak communication protocols. Weaknesses in these sensors can present a juicy target to a tech savvy thief. With a Raspberry Pi and an Arduino, it's possible to exploit these weaknesses as well as create your own robust alarm system. With this system, you can customize text message alerts and detect a denial of service attack. This presentation will discuss how to exploit these vulnerabilities and how to use the same exploits to defend against the dark arts.


Return to Index      -     

 

CHV - Village Talks Outside Contest Area, Pool Level - Friday - 12:00-12:59


Autosar SecOC – Secure On-Board Comms

No description available


Return to Index      -     

 

PHV - Milano VIII - Promenade Level - Friday - 17:10-17:30


AWS Persistence and Lateral Movement Techniques

Peter Ewane, Security Researcher at AlienVault

The use of Amazon Cloud as a base of operations for businesses is increasing at a rapid rate. Everyone from 2 person start-ups to major companies have been migrating to the cloud. Because of this migration, cloud vendors have become the focus of potential exploitation and various role abuse in order to achieve persistence. This presentation will cover several different methods of post-infection and account persistence along with a discussion on best practices that can be used to protect from such techniques.

Peter Ewane (Twitter: @eaterofpumpkin) is a security researcher, sometimes conference speaker and a mostly blue teamer for the Alien Vault Labs Team. When not playing with computers, Peter enjoys trying and making interesting cocktails and collecting whisk(e)y.


Return to Index      -     

 

DEFCON - Track 2 - Sunday - 11:00-11:45


Backdooring the Lottery and Other Security Tales in Gaming over the Past 25 Years

Sunday at 11:00 in Track 2

45 minutes

Gus Fritschie CTO, SeNet International

Evan Teitelman Engineer, SeNet International

In this talk Gus and Evan will discuss the recent Hot Lotto fraud scandal and how one MUSL employee, Eddie Tipton, was able to rig several state lotteries and win $17 million (or perhaps more). Gus' firm is actively supporting the prosecution in this case. Evan was responsible for identifying and analyzing how Eddie was able to rig the RNG.

Details on the rigged RNG and other details from the case will be presented publicly for the first time during this talk.

For historical context other related attacks including the Ron Harris and hacking keno in the 1990's and a recent incident involving a Russian hacking syndicate's exploitation of slot machines will also be discussed.

Gus Fritschie
Gus Fritschie has been involved in information security since 2000. About 5 years ago (after his previous DEF CON presentation on iGaming security) he transitioned a significant portion of his practice into the gaming sector. Since then he has established himself and SeNet as the IT security leader in in gaming. He has supported a number of clients across the gaming spectrum from iGaming operators, land-based casinos, gaming manufacturer, lotteries, tribal gaming, and daily fantasy sports. In his free time he is a recreationally poker player (both online and B&M).

@gfritschie
@senetsecurity

Evan Teitelman
Bio coming soon.


Return to Index      -     

 

SEV - Emperors BR II - Friday - 16:55-17:25


Friday July 28 4:55PM 30 Mins

Beyond Phishing – Building and Sustaining a Corporate SE Program
Just think, 10 years ago, most organizations didn’t have an ethical hacking, red team or even a fully funded Infosec team. Now those teams are the “norm” , but what about a Social Engineering team? Is it possible to build an internal SE team and move past just phishing?  I’ll speak to some of my experiences building and maintaining a SE team and moving past just “phishing”.

Fahey Owen: @fomanchu
Fahey Owens is a information security specialist with 20 + years of IT and 12 years of InfoSec  experience. He spent several years as a system administrator and has held various roles in infosec such as vulnerability management and ethical hacking. He has many industry IT and Infosec certifications and spends his spare time honing his OSINT skills.


Return to Index      -     

 

BHV - Pisa Room - Saturday - 11:00-11:29


Title: Biohackers Die

Speaker: Jeffrey Tibbetts

About Jeffrey:
Jeffrey Tibbetts is a Biohacker, blogger, body mod artist and nurse out of Southern California. He’s been a collaborator on projects ranging from insufflatable peptides that extend REM sleep to non-Newtonian armor implants. He placed 3rd in the Biohack Village Oxytocin Poker Tournament and performed an implant on transhumanist presidential candidate Zoltan Istvan. Jeff hosts the annual event, “Grindfest†in Tehachapi California which New York Times states is for “the real transhumanists.†He shares his lab space with two fantastic cats, Chango and Grumpus, as well as two merely acceptable cats, Binky and Mildew.

Abstract:
Over the past decade, the ways we pursue human improvement have become increasingly invasive. We’ve so far been fortunate, but it’s likely if not inevitable that a death will occur due to biohacking. This presentation discusses the many precautions being taken by biohackers to make our procedures and projects as safe as possible.



Return to Index      -     

 

BHV - Pisa Room - Sunday - 14:00-14:59


Title: Biohacking Street Law

Speaker: Victoria Sutton

About Victoria:
Victoria Sutton, MPA, PhD, JD
Paul Whitfield Horn Professor
Associate Dean for Research and Faculty Development
Director, Center for Biodefense, Law and Public Policy
Director, Science, Engineering and Technology Law Concentration Program
Director, Dual Degree Programs in Science, Engineering and Technology
Founding Editor, Journal for Biosecurity, Biosafety and Biodefense Law


This session will give you some basic tips for avoiding violating the law, and some preventive tips for avoiding potential legal traps if you are a biohacker. Biohacking, in this session, includes body devices, genetic engineering, synthetic biology and laboratory practices. The session will begin with some examples of why you need to know about law for biohackers and discuss legal cases useful for biohackers. The second part of the session will be a workshop-style applying these rules for biohackers.



Return to Index      -     

 

BHV - Pisa Room - Friday - 10:05-10:30


Title: Biohacking: The Moral Imperative to Build a Better You

Speaker: Tim Cannon

About Tim:
Tim Cannon is an American software developer, entrepreneur, and biohacker based in Pittsburgh, Pennsylvania. He is best known as the co-founder and Chief Information Officer of Grindhouse Wetware, a biotechnology startup company that creates technology to augment human capabilities.

Cannon has spoken at conferences around the world on the topics of human enhancement, futurism, and citizen science, including at TEDx Rosslyn, FITUR, the University of Maryland, the World Business Dialogue, the Medical Entrepreneur Startup Hospital, and others. He has been published in Wired and featured in television shows such as National Geographic Channel’s Taboo and "The Big Picture with Kal Penn". Tim has been featured on podcasts including Ryan O'Shea's Future Grind and Roderick Russell's Remarkably Human.

Abstract:
The talk will focus on biohacking as not just an ethically grey zone but instead present the idea that biohacking is not just something we would like to see, but is something we must do if we are ever going to be capable of living up to the morals we espouse.



Return to Index      -     

 

BHV - Pisa Room - Saturday - 15:00-15:29


Title: Biotechnology Needs a Security Patch...Badly

Speaker: Ed You


About Ed:
Covert FBI super squirrel, loves working with legos, haikus, and playing handball with cement spheres. Ask him about his time in Panama-Spanish is his third language fluency, followed by sarcasm.

Abstract:
What talk? Its going to be a theatrical song and interpretive dance related to the 5 w's and how to fix our bio economy. You get it, I know you do.



Return to Index      -     

 

DEFCON - Track 3 - Sunday - 10:20-10:40


BITSInject

Sunday at 10:20 in Track 3

20 minutes | Demo, Tool

Dor Azouri Security researcher, @SafeBreach

Windows' BITS service is a middleman for your download jobs. You start a BITS job, and from that point on, BITS is responsible for the download. But what if we tell you that BITS is a careless middleman? We have uncovered the way BITS maintains its jobs queue using a state file on disk, and found a way for a local administrator to control jobs using special modifications to that file

Comprehending this file's binary structure allowed us to change a job's properties (such as RemoteURL, Destination Path...) in runtime and even inject our own custom job, using none of BITS' public interfaces. This method, combined with the generous notification feature of BITS, allowed us to run a program of our will as the LocalSystem account, within session 0. So if you wish to execute your code as NT AUTHORITY/SYSTEM and the first options that come to mind are psexec/creating a service, we now add a new option: BITSInject.

Here, we will not only introduce the practical method we formed, but also: Reveal the binary structure of the state file for you to play with, and some knowledge we gathered while researching the service flow

We will also provide free giveaways: A one-click python tool that performs the described method; SimpleBITSServer - a pythonic BITS server; A struct definition file, to use for parsing your BITS state file

Dor Azouri
Dor Azouri is a security professional, having 6+ years of unique experience with network security, malware research and infosec data analysis. Currently doing security research @SafeBreach.


Return to Index      -     

 

Night Life - Octavius 3&4 - Saturday - 21:00-26:00


Title:
Blanketfort Con

I'm sorry, did you not read the name of this party? Seriously, why are you even thinking about it? You know you're coming. Bring your blankets and your sense of adventure, it's Blanketfort Con.
Return to Index      -     

 

BHV - Pisa Room - Friday - 16:00-16:29


Title: Blockchain's Role in the Disruption of the Medical Industry

Speakers: John Bass

About John:
John Bass is the Founder and CEO of Hashed Health, a healthcare technology innovation company focused on accelerating the realization of blockchain and distributed ledger technologies. John has over 20 years of experience in healthcare technology with expertise in collaborative platforms, patient engagement, systems integration, supply chain, clinical performance and value-based payments.
Prior to Hashed Health, John was CEO at InVivoLink, a surgical patient registry and care management start-up, acquired by HCA in 2015. John’s experience also includes healthcare B2B startup empactHealth.com which was acquired by Medibuy / Global Healthcare Exchange. John is a native of Nashville and has a Chemistry degree from the University of North Carolina, Chapel Hill.

Abstract:
Over the next ten years, blockchain and distributed ledger technologies will fundamentally change the delivery of care around the globe. The blockchain provides a technical framework where trust is moved from central controlling intermediaries to the open source protocol, freeing data and assets from the control of traditional corporate interests. The great hope is that this evolution will result in the empowerment of consumers, communities, and markets centered on sustainable wellness and environments of health. The coming years represent a unique opportunity to make sure blockchain-based global health initiatives are structured in a way that re-constructs our broken system in a way that improves the lives of individuals and the communities in which they live.



Return to Index      -     

 

CPV - Florentine Ballroom 4 - Saturday - 17:00-17:30


Title:
Blue Team TLS Hugs

Author:
Lee Brotherston

Abstract:
TLS, and it’s older forerunner SSL, are used to maintain the confidentiality and integrity of network communications. This is a double edged sword for Information Security departments as this allows private information to remain private, but can also be used to hide malicious activity.

Current defensive measures for dealing with network traffic encrypted using TLS typically takes one of two forms:

- Attempting to detect malicious activities via other means which are outside of the encrypted session, such as endpoint security tools and IP address blacklists.

- Break the TLS trust model by effectively attacking all connections, including trusted connections, via MiTM with a trusted certificate. (yes AV vendors, I'm looking at you)

This talk discusses (ok maybe rants about) the problems with the current "state of the art" and introduces other techniques, such as TLS Fingerprinting and TLS Handshake Mangling, which can be used to solve the same problems with less of the issues of current systems.

Bio:
Lee Brotherston is a Director of Security for a startup in the Toronto area. Having spent nearly 20 years in Information Security, Lee has worked as an Internal Security resource across many verticals including Finance, Telecommunications, Hospitality, Entertainment, and Government in roles ranging from Engineer to IT Security Manager.

He's also old enough to have done computering on a Commodore 64.
Twitter handle of presenter(s): @synackpse

Return to Index      -     

 

Workshops - ( Sold Out ) - Octavius 4 - Thursday - 14:30-18:30


Brainwashing Embedded Systems

Thursday, 14:30 to 18:30 in Octavius 4

Craig Young Security Researcher, Tripwire

Lane Thames Security Researcher, Tripwire

JivaSecurity Research Engineer, Tripwire

Learning the secret incantations to make embedded systems carry out your will is not as hard as one might think. In the world of IoT, the hardened system is rare and most times a firmware image is more than enough to find and exploit weakness. This session explains in detail a process for going from zero-knowledge to zero-day on real-world devices without breaking a sweat. Attendees to this tutorial session will learn the ropes of firmware dissection, app decompilation, and manual fuzz testing in a hands-on hack lab. Participants will be provided with a customized Kali Linux virtual appliance and given access to several consumer devices for analysis. These techniques have been successfully employed by the author to identify over 100 CVEs on embedded/IoT devices as well as to win the 0-day and CTF tracks in the DEF CON 22 SOHOpelessly Broken router hacking competition.

Prerequisites: Intermediate *nix knowledge; proficiency with a shell (including writing BASH or similar scripts); strong understanding of HTTP. Familiarity with tools for working with HTTP is a big plus (i.e. cURL, Burp, urllib, etc)

Materials: Nothing is required but in order to make the most out of the workshop, students will want to have a laptop with an 802.11 adapter and virtualization software capable of running an x86_64 virtual machine from an OVA/OVF (e.g. VirtualBox or VMWare). Virtual machine files will be made available for download from the Internet before the workshop and it is best for participants to load the content in advance. The material will also be available on USB and a local file server.

Max students: 72 | Registration: https://dc25_young.eventbrite.com/ (Sold out!)

Craig Young
Craig Young is a computer security researcher with Tripwire's Vulnerability and Exposures Research Team (VERT). He has identified and responsibly disclosed dozens of vulnerabilities in products from Google, Amazon, IBM, NETGEAR, Adobe, HP, Apple, and others. His research has resulted in numerous CVE assignments and repeated recognition in the Google Application Security Hall of Fame. Craig's presentations on Google authentication weaknesses have led to considerable security improvements for all Google users. Craig won in track 0 and track 1 of the first ever SOHOpelessly Broken contest at DEF CON 22 by demonstrating 10 0-day flaws in SOHO wireless routers. His research into iOS WiFi problems more recently exposed CVE-2015-3728 that could allow devices to inadvertently connect to malicious hot spots. Craig has also successfully employed fuzzing techniques to find flaws in a variety of open source software including a memory corruption in MatrixSSL that could be used to achieve code execution on at least 100,000 Internet gateways.

Lane Thames
Lane Thames is a software development engineer and security researcher with Tripwire's Vulnerability and Exposure Research Team (VERT). As a member of VERT, Lane develops software that detects applications, devices, and operating systems along with vulnerability detection and management software. He also spends time looking for new vulnerabilities, contributing to the Tripwire State of Security blog, and understanding emerging cybersecurity threats. Lane received his PhD in Electrical and Computer Engineering from the Georgia Institute of Technology and has spent over 10 years working in information technology and software/hardware development. Lane worked for nCircle prior to their acquisition, and continues his research work now for Tripwire.

Jiva
Jiva is a Security Research Engineer on the Vulnerability and Exposures Research Team (VERT) at Tripwire. Prior to Tripwire, Jiva worked at Coalfire doing consulting/penetration testing, Dell SecureWorks as a network security analyst, and worked at UGA doing penetration testing on departmental web applications. Jiva went to school at the University of Georgia for a Bachelor's and Master's degree in Computer Science, and is a long time member of the CTF teams disekt and SecDawgs.


Return to Index      -     

 

DEFCON - Track 3 - Sunday - 10:00-10:30


Breaking Bitcoin Hardware Wallets

Sunday at 10:00 in Track 3

20 minutes | Demo, Exploit

Josh Datko Principal Engineer, Cryptotronix LLC

Chris Quartier Embedded Engineer, Cryptotronix, LLC

The security of your bitcoins rests entirely in the security of your private key. Bitcoin hardware wallets help protect against software-based attacks to recover or misuse your key. However, hardware attacks on these wallets are not as well studied. In 2015, Jochen Hoenicke was able to extract the private key from a TREZOR using a simple power analysis technique. While that vulnerability was patched, he suggested the Microcontroller on the TREZOR, which is also the same on the KeepKey, may be vulnerable to additional side channel attacks.

In this presentation we will quickly overview fault injection techniques, timing, and power analysis methods using the Open Source Hardware tool, the ChipWhisperer. We then show how to apply these techniques to the STM32F205 which is the MCU on the Trezor and KeepKey. Lastly, we will present our findings of a timing attack vulnerability and conclude with software and hardware recommendations to improve bitcoin hardware wallets. We will show and share our tools and methods to help you get started in breaking your own wallet!

Josh Datko
Josh Datko is the owner of Cryptotronix, an embedded security consultancy. As a submarine officer, he was sent to Afghanistan to ensure that the Tailiban did not develop a submarine force—mission accomplished! He wrote a book on BeagleBones and crypto hardware which not many people have read, talked about embedded security at Portland BSides and HOPE, and presented a better way to make a hardware implant at DEF CON 22 which hopefully helped the NSA improve their spying.

Chris Quartier
Chris is the lead embedded hacker at Cryptotronix. He has worked at both big companies and IoT startups as an embedded developer working on bare metal and embedded linux board bring up, driver development, and trying to get those little logic analyzer clips to stay connected to a target. He's hacked on radios, rail guns, and fitness trackers but not all at the same time.


Return to Index      -     

 

DEFCON - Track 3 - Friday - 14:00-14:45


Breaking the x86 Instruction Set

Friday at 14:00 in Track 3

45 minutes | Demo, Tool

Christopher Domas Security Researcher, Battelle Memorial Institute

A processor is not a trusted black box for running code; on the contrary, modern x86 chips are packed full of secret instructions and hardware bugs. In this talk, we'll demonstrate how page fault analysis and some creative processor fuzzing can be used to exhaustively search the x86 instruction set and uncover the secrets buried in your chipset. We'll disclose new x86 hardware glitches, previously unknown machine instructions, ubiquitous software bugs, and flaws in enterprise hypervisors. Best of all, we'll release our sandsifter toolset, so that you can audit - and break - your own processor.

Christopher Domas
Christopher Domas is a cyber security researcher and embedded systems engineer, currently investigating low level processor exploitation. He is best known for releasing impractical solutions to non-existent problems, including the world's first single instruction C compiler (M/o/Vfuscator), toolchains for generating images in program control flow graphs (REpsych), and Turing-machines in the vi text editor. His more relevant work includes the binary visualization tool ..cantor.dust.. and the memory sinkhole x86 privilege escalation exploit.

@xoreaxeaxeax


Return to Index      -     

 

CPV - Florentine Ballroom 4 - Friday - 14:00-15:00


Title:
Breaking TLS: A Year in Incremental Privacy Improvements

Author:
Andrew Brandt (Symantec)

Abstract:
I run a lab in which I let a lot of computers, as well as networked "IoT" devices, phone home, and then I use enterprise-level tools to decrypt and capture that TLS/SSL network traffic. In the past year, I've been observing a steady increase in the number of devices and services which flat-out refuse to let me decrypt their communications - an unequivocally Good Thing for privacy and security. But I've also witnessed some disastrous problems, such as large corporations, who should know better, behaving badly, using self-signed or expired certificates for critical sites used to, for instance, deliver firmware updates.

In this overview, I'll discuss the good, bad, and really, really ugly things I've learned about what, how, and to whom these devices communicate, and in some cases, the contents of those communications. I'll also provide an overview of the tools and techniques I've used to re-sign certificates and capture the decrypted data, including how (and why) you can (and probably should) do this yourself. Finally, I plan to offer my own manifesto to businesses large and small about how they should do a much better job at protecting the privacy of their customers.

Bio:
Andrew Brandt is the Director of Threat Research for Symantec, whose previous employer was acquired in the past year. In his role, he runs a malware research lab in which he infects all manner of devices with malware and permits the devices to phone home, in order to learn more about how, and to whom, malware communicates.
Twitter handle of presenter(s): @threatresearch

Return to Index      -     

 

DEFCON - Track 1 - Saturday - 10:20-10:40


Breaking Wind: Adventures in Hacking Wind Farm Control Networks

Saturday at 10:20 in 101 Track

20 minutes

Jason Staggs Security Researcher at the University of Tulsa

Wind farms are becoming a leading source for renewable energy. The increased reliance on wind energy makes wind farm control systems attractive targets for attackers. This talk explains how wind farm control networks work and how they can be attacked in order to negatively influence wind farm operations (e.g., wind turbine hijacking). Specifically, implementations of the IEC 61400-25 family of communications protocols are investigated (i.e., OPC XML-DA). This research is based on an empirical study of a variety of U.S. based wind farms conducted over a two year period. We explain how these security assessments reveal that wind farm vendor design and implementation flaws have left wind turbine programmable automation controllers and OPC servers vulnerable to attack. Additionally, proof-of-concept attack tools are developed in order to exploit wind farm control network design and implementation vulnerabilities.

Jason Staggs
Dr. Jason Staggs is an independent information security researcher with strong interests in critical infrastructure protection, telecommunications, penetration testing, network security and digital forensics. Jason has spoken at national and international conferences, authored various peer-reviewed publications and lectured undergraduate and graduate level courses on a variety of cyber security topics. His expertise in digital forensics has enabled him to provide invaluable assistance to law enforcement agencies at the local, state and federal levels in order to solve high-profile cybercrimes. In his spare time, Jason enjoys reverse engineering proprietary network stacks in embedded devices and diving through ancient RFCs to demystify obscure network protocols. Jason attended graduate school at The University of Tulsa where he earned his M.S. and Ph.D. degrees in Computer Science.


Return to Index      -     

 

VMHV - Roman 1, Promenade Level - Friday - 13:00-13:45


Title:
Brief history of election machine hacking and lessons learned so far and why it is hard to tell the difference between incompetence and malice.

Title: Brief history of election machine hacking and lessons learned so far and why it is hard to tell the difference between incompetence and malice. Brief history of election machine hacking and lessons learned so far and why it is hard to tell the difference between incompetence and malice.


Harri Hursti is a Finnish computer programmer and former Chairman of the Board and co-founder of ROMmon where he supervised in the development of the world’s smallest 2 gigabit traffic analysis product that was later acquired by F-Secure Corporation.
Hursti is well known for participating in the Black Box Voting hack studies, along with Dr. Herbert “Hugh” Thompson. The memory card hack demonstrated in Leon County is popularly known as “the Hursti Hack”. This hack was part of a series of four voting machine hacking tests organized by the nonprofit election watchdog group Black Box Voting in collaboration with the producers of HBO documentary, Hacking Democracy. The studies proved serious security flaws in the voting systems of Diebold Election Systems.

Return to Index      -     

 

Demolabs - Table 5 - Saturday - 14:00-15:50


Bropy

Matt Domko

Saturday from 1400-1550 at Table Five

Provides simple anomaly based IDS capabilities using Bro. Bropy parses logs to generate network baselines using a simple Y/N interface, and the accompanying bro script generates logs for traffic outside of the baseline.

https://github.com/hashtagcyber/bropy

Matt Domko
"I'm just a guy playing with Legos. I crudely assemble the knowledge I have to build a solution for my problems."

Matt Domko is currently an Information Security instructor for Chiron Technology Services in Augusta, Georgia. His experiences as an enterprise administrator and cyber network defender for the United States Army are what drive his passion for network defense and "Blue Teaming". Bikes, Beards, and Karaoke


Return to Index      -     

 

Workshops - ( Sold Out ) - Octavius 7 - Thursday - 10:30-14:30


Build your stack with Scapy, for fun and profit

Thursday, 10:30 to 14:30 in Octavius 7

stryngs

Jack64

zero-x

802.11 is still the Wild West in 2017. It has been around since the 90's, yet as most things with the Internet, security has always been a bolt-on addition. Through passive and active observations over the past couple years, it occurred to us that a workshop on how to abuse wifi would be interesting. This in and of itself is a spiderweb. There are so many ways to approach it; jam it, DOS it, crack it, so forth and so on.

We decided on the "ride the wave" approach. Take the existing infrastructure, and use it to your advantage by molding custom frames as you see fit. We feel this is under utilized and thus: demonstrations, beatings and examples should be given. ARP, ARP, ARP, who let the ARPs out. That is typically the battle cry for anything "LAN" these days. Pop the network, hop on the network, do your ARP, grab your MITM and go. Tried and true, it works, but it's outdated, oldskool and quite frankly, boring. Any hacker worth their salt should be able to arpspoof and ettercap. Any WIDS/WIPS should instantly lock on to what's going on and ban or alert accordingly. What we need, is a new approach.

Enter, Scapy. Without spending an hour on the wonders of Scapy and what it can do for you as a Pentester in this briefing, we'd quite frankly rather cut down to the nuts and bolts, and just, show you.

This workshop is going to center around Scapy and how you as a Pentester can use it to your advantage. Take the 802.11 and bend it to your will. Make it do your bidding and leave the SysAdmins scratching

Prerequisites: Familiarity with RFC 1149

Materials: - Laptop with bootable Linux of some variety
- Debian based is preferred
- apt is way easier than yum...
- WiFi NIC with Monitor Mode capability
- Curiosity

Max students: 85 | Registration: https://dc25_stryngs.eventbrite.com/ (Sold out!)

stryngs
stryngs has been into the scene since 2006 when he first discovered wifi. Since then he has learned and absorbed all he can. He has bothered many a person on the IRC. Though he might have perturbed you with his questions, he is grateful for the knowledge you bestowed upon him. Without the community, stryngs wouldn't be where he is today. As such, hopefully with this workshop, he is truly giving back to the community which brought him to where he is at today.

Jack64
João Pena Gil (Jack64) is a computer security researcher from Portugal, working in the field since 2015. Currently working at Checkmarx as the AppSec Analysis Team Leader by day and a Cobalt Core Researcher by night, Jack64's interests are broad in information security, ranging from networking protocols to application security and cryptography. Stryngs had a big influence in Jack64's interest in information security, sharing with him his proof-of-concept for airpwn-ng, which prompted Jack64 to learn more about 802.11 and the rest of the networking stack in general, leveraging the powerful capabilities of scapy and python. This is some of the knowledge he hopes to share in this workshop.

zero-x
Bio Coming Soon


Return to Index      -     

 

Workshops - ( Sold Out ) - Octavius 5 - Thursday - 10:30-14:30


Building Application Security Automation with Python

Thursday, 10:30 to 14:30 in Octavius 5

Abhay Bhargav CTO, we45

In an age of rapid-release applications, DevOps and small application security teams, the only way application security can scale, is with automation. In this workshop, I will introduce some key automation practices and techniques using Python that students can use in their own application security programs for quick wins. These techniques will predominantly focus on developing automation scripts harnessing API from Open Source Web Vulnerability Scanners (like OWASP ZAP), Building fuzzers harnessing features of tools like mitmproxy with as little as a few lines of code and using NoSQL databases for easy search and to generate powerful application security analytics. The session will be entirely hands-on, with a lot of coding and very little theory.

Prerequisites:
Knowledge of Python basics preferred but not required ( Basic Python skills are good enough. Knowledge of variables, loops, modules, imports and data structures would suffice). Examples with complete source code would be given to participants to study further. Hands-on exercises will be "templatized" to ensure that people are up and running quickly, even if they are not familiar with Python.

Materials:
Laptop with 64bit CPU (Mac/Win/*nix) is good with 8GB+ RAM (Host Machine) preferred, and atleast 50GB of free HDD to import a Virtualbox VM
For Windows Laptops please ensure that Virtualization is enabled at the BIOS to run the VM. There have been issues where Virtualization being disabled at the BIOS has resulted in the VM not working. Please ensure that you have the necessary permissions to change BIOS settings if required (especially for work/corporate laptops)
64 bit CPU is required. we would be using Docker images and docker doesn't support 32bit systems
Please have the latest version of Virtualbox installed on the laptop.

Max students: 50 | Registration: https://dc25_bhargav.eventbrite.com (Sold out!)

Abhay Bhargav
Abhay Bhargav is the CTO of we45, a focused Application Security company. Abhay is the author of two international publications. “Secure Java for Web Application Development†and “PCI Compliance: A Definitive Guideâ€. Abhay is a builder and breaker of applications, and has authored multiple applications in Django and NodeJS. He is a passionate Pythonista and loves the idea of automation in security. This passion prompted him to author the world’s first hands-on Security in DevOps workshop that has been delivered in multiple locations, and recently as a highly successful workshop at the OWASP AppSecUSA 2016, OWASP AppSecEU 2017 and OWASP Appsec USA 2017. In addition , Abhay speaks regularly at industry events including OWASP, ISACA, Oracle OpenWorld, JavaOne, and others.


Return to Index      -     

 

RCV - Palermo room, Promenade level - Sunday - 10:00-10:35


Building Google for Criminal Enterprises

Abstract

I was able to create a proof of concept application that scrubs a recreation of the Ohio Voter Database, which includes first name, last name, date of birth, home address, and link each entry confidently to its real owners Facebook page. By doing this I have created a method by which you can use the Voter Database to seed you with name address and DOB, and Facebook to hydrate that information with personal information.

My application was able to positively link a voter record to a Facebook account approximately 45% of the time. Extrapolated that out over the 6.5 million records in my database and you get 2.86 million Ohio resident Facebook records

Speaker Profile

Anthony Russell (@DotNetRussell)

https://www.dotnetrussell.com/


Return to Index      -     

 

Demolabs - Table 2 - Saturday - 14:00-15:50


bullDozer

Keith Lee

Saturday from 1400-1550 at Table Two

Audience: Offense

The tool allows you to supply a username and password that you have captured and cracked from Responder or other sources as well as an IP ranges, subnet or list of IP addresses.

The tool finds its way around the network and attempts to gain access into the hosts, finds and dumps the passwords/hashes, resuses them to compromise other hosts in the network.

Below are some of the places the tools look for hashes/passwords
1. SYSVOL
2. File Shares
3. Memory
4. Tokens (Incognito)
5. MSSQL service credentials
6. Unattend.xml, sysprep.xml, sysprep.inf

It will also exploit the Domain Controller if its vulnerable to MS14-069 and dump the hashes.
Pillaging the Corporate Network
The tool will also attempt to 'rob' the shares and hosts of the sensitive data/information.
1. Finding files whose filename have the word 'password' in it
2. Dump Wireless. WinVNC, UltraVNC, Putty, SNMP, Windows AutoLogon, Firefox Stored credentials,
3. Find KeePass Databases, FileZilla sitemanger.xml, Apache Httpd.conf, and etc. if they contain credentials.
4. Finding PII data and Credit Card Track Data from memory
5. Browser credentials

It will iterate and continue to test and exploit the systems until all hosts are compromised. Another useful feature is for attackers who want to find the right credentials in order to access a certain folder under the shares on the host.

For example, \\host1\share\private

You might have the account that allows you to access \\host1\share but you do not know which account you need to access \\host1\share\private.

Using the credentials the tool has captured and finds the 'right key' to the lock.

It is possible to disable any of the options (e.g. no memory search of PAN numbers) so to add a random delay to its operations so as to remain stealth.

We are planning to allow users to develop modules/plugins and encourage development so that its feature set can be extended.

Keith Lee
Keith Lee is a Senior Security Consultant with Trustwave's SpidersLabs Asia-Pacific. SpiderLabs is one of the world's largest specialist security teams, with over 100 consultants spread across North America, South America, Europe and the Asia Pacific. SpiderLabs has a focus on original security research and regularly presents at conferences such as BlackHat, DefCon, OWASP, Hack In The Box and Ruxcon. Keith is based out of Singapore and has primary focus is on providing penetration testing, social engineering and incident response services to clients in the Asia-Pacific region.


Return to Index      -     

 

RCV - Palermo room, Promenade level - Saturday - 10:00-11:59


Burner Phone Challenge

Abstract

Once upon a time, I saw this tweet from Kenneth Lipp: https://twitter.com/kennethlipp/status/848566661384990722. In summary, the tweet is about an AT&T program available to law enforcement meant to make burner phones meaningless. Even if someone switches phones, if their pattern of behavior (both in terms of contacts and call locations) stays the same or similar, AT&T can determine that it’s the same person simply using a new phone.

This seems like a great teaching opportunity! Attendees at this workshop will build the same analytics as AT&T does, using Python on some “phone metadata†created just for you to play with. You’ll be able to find burner phones in the mess, and hopefully learn some fun network analysis, machine learning, and Python programming skills along the way!

Speaker Profile

Dakota Nelson (@jerkota)

Short: BSLV, SOURCE Boston x2, SOURCE Seattle, other non-security presentations.

Long: http://dakotanelson.com/

https://strikersecurity.com/


Return to Index      -     

 

DEFCON - Track 2 - Sunday - 13:00-13:45


Bypassing Android Password Manager Apps Without Root

Sunday at 13:00 in Track 2

45 minutes | Demo, Exploit

Stephan Huber Fraunhofer SIT

Siegfried Rasthofer Fraunhofer SIT

Security experts recommend using different, complex passwords for individual services, but everybody knows the issue arising from this approach: It is impossible to keep all the complex passwords in mind. One solution to this issue are password managers, which aim to provide a secure, centralized storage for credentials. The rise of mobile password managers even allows the user to carry their credentials in their pocket, providing instant access to these credentials if required. This advantage can immediately turn into a disadvantage as all credentials are stored in one central location. What happens if your device gets lost, stolen or a hacker gets access to your device? Are your personal secrets and credentials secure?

We say no! In our recent analysis of well-known Android password manager apps, amongst them are vendors such as LastPass, Dashlane, 1Password, Avast, and several others, we aimed to bypass their security by either stealing the master password or by directly accessing the stored credentials. Implementation flaws resulted in severe security vulnerabilities. In all of those cases, no root permissions were required for a successful attack. We will explain our attacks in detail. We will also propose possible security fixes and recommendations on how to avoid the vulnerabilities.

Stephan Huber
Stephan Huber is a security researcher at the Testlab mobile security group at the Fraunhofer Institute for Secure Information Technology (SIT). His main focus is Android application security testing and developing new static and dynamic analysis techniques for app security evaluation. He found different vulnerabilities in well-known Android applications and the AOSP. In his spare time he enjoys teaching students in Android hacking.

Siegfried Rasthofer
Siegfried Rasthofer is a vulnerability- and malware-researcher at Fraunhofer SIT (Germany) and his main research focus is on applied software security on Android applications. He developed different tools that combine static and dynamic code analysis for security purposes and he is the founder of the CodeInspect reverse engineering tool. He likes to break Android applications and found various AOSP exploits. Most of his research is published at top tier academic conferences and industry conferences like DEF CON, BlackHat, HiTB, AVAR or VirusBulletin.


Return to Index      -     

 

DEFCON - Track 3 - Saturday - 16:00-16:45


CableTap: Wirelessly Tapping Your Home Network

Saturday at 16:00 in Track 3

45 minutes | Demo, Tool, Exploit

Marc Newlin Security Researcher at Bastille Networks

Logan Lamb Security Researcher at Bastille Networks

Chris Grayson Founder and Principal Engineer at Web Sight.IO

We discovered a wide array of critical vulnerabilities in ISP-provided, RDK-based wireless gateways and set-top boxes from vendors including Cisco, Arris, Technicolor, and Motorola. Our research shows that it was possible to remotely and wirelessly tap all Internet and voice traffic passing through the affected gateways, impacting millions of ISP customers.

Imagine for a moment that you want a root shell on an ISP-provided wireless gateway, but you're tired of the same old web vulns. You want choice. Maybe you want to generate the passphrase for the hidden Wi-Fi network, or log into the web UI remotely using hard-coded credentials.

Don't have an Internet connection? Not to worry! You can just impersonate a legitimate ISP customer and hop on the nearest public hotspot running on another customer's wireless gateway. Once online, you can head on over to GitHub and look at the vulnerability fixes that haven't yet been pushed to customer equipment.

In this talk, we will take you through the research process that lead to these discoveries, including technical specifics of each exploit. After showcasing some of the more entertaining attack chains, we will discuss the remediation actions taken by the affected vendors.

Marc Newlin
Marc is a wireless security researcher at Bastille, where he discovered the MouseJack and KeySniffer vulnerabilities affecting wireless mice and keyboards. A glutton for challenging side projects, Marc competed solo in two DARPA challenges, placing third in the DARPA Shredder Challenge, and second in the first tournament of the DARPA Spectrum Challenge.

Logan Lamb
Logan joined Bastille Networks in 2014 as a security researcher focusing on applications of SDR to IoT. Prior to joining Bastille Networks, he was a member of CSIR at Oak Ridge National Lab where his focus was on symbolic analysis of binaries and red-teaming critical infrastructure.

Chris Grayson
Christopher Grayson (OSCE) is the founder and principal engineer at Web Sight.IO. In this role he handles all operations, development, and research efforts. Christopher is an avid computing enthusiast hailing from Atlanta, Georgia. Having made a habit of pulling things apart in childhood, Chris has found his professional home in information security. Prior to founding Web Sight.IO, Chris was a senior penetration tester at the security consultancy Bishop Fox, and a research scientist at the Georgia Institute of Technology. During his tenure at these organizations, Chris became a specialist in network penetration testing and in the application of academic tactics to the information security industry, both of which contributed to his current research focus of architecting and implementing high-security N-tier systems. Chris attended the Georgia Institute of Technology where he received a bachelor's degree in computational media, a master's degree in computer science, and where he organized and led the Grey H@t student hacking organization.


Return to Index      -     

 

DEFCON - Track 1 - Sunday - 14:00-14:45


Call the plumber - you have a leak in your (named) pipe

Sunday at 14:00 in 101 Track

45 minutes | Demo

Gil Cohen CTO, Comsec group

The typical security professional is largely unfamiliar with the Windows named pipes interface, or considers it to be an internal-only communication interface.
As a result, open RPC (135) or SMB (445) ports are typically considered potentially entry points in "infrastructure" penetration tests.

However, named pipes can in fact be used as an application-level entry vector for well known attacks such as buffer overflow, denial of service or even code injection attacks and XML bombs, depending on the nature of listening service to the specific pipe on the target machine.

As it turns out, it seems that many popular and widely used Microsoft Windows-based enterprise applications open a large number of named pipes on each endpoint or server on which they are deployed, significantly increase an environment's attack surface without the organization or end user being aware of the risk.
Since there's a complete lack of awareness to the entry point, there's very limited options available to organizations to mitigate it, making it a perfect attack target for the sophisticated attacker.

In this presentation we will highlight how named pipes have become a neglected and forgotten external interface. We will show some tools that can help find vulnerable named pipes, discuss the mitigations, and demonstrate the exploitation process on a vulnerable interface.

Gil Cohen
Gil is an experienced application security instructor, architect, consultant and pentester just starting his 12th year in the field.

With past experience in the civilian, government and military cyber security industries, Gil currently serves as the CTO of Comsec Group, in charge of training, research, service lines, methodologies and quality assurance.

With a long time record as an SQL injection fanatic, Gil was responsible for publishing the "SQL Injection Anywhere" technique in 2010, which is currently in use in a variety of automated scanners in the market, and enables the blind detection and exploitation of potential injections in any part of the SQL statement.

He also has a taste for nostalgia, and has been working for a while on abuses to protocols that software developers would prefer to forget.

@Gilco83
www.facebook.com/gilc83


Return to Index      -     

 

SKY - Verona/Tuin/Trevi - Promenade Level - Saturday - 11:00-11:59


Title:
Catch me leaking your data... if you can...

1100 Satuday
Mike Raggo & Chet Hosmer
@DataHiding @PythonForensics
Catch me leaking your data... if you can...
"Organizations remain largely ill-equipped to identify data being exfiltrated from their networks. In this presentation we propose a plethora of methods of covert exfiltration from a network by highlighting exploitable flaws in wired and wireless network protocols while also applying steganographic and decoy techniques. We then outline a mockup environment to simulate an enterprise network and exfiltrate covert data that we capture and save in a PCAP file. At the end of the session we provide access to the downloadable PCAP file to determine who can be the 1st to identify covert communication. We will additionally provide the plain-text info to see if anyone can figure out how we did it. Winners will be Tweeted out afterwards.
"

Return to Index      -     

 

Demolabs - Table 3 - Saturday - 16:00-17:50


CellAnalysis

Pedro Cabrera

Saturday from 1600-1750 at Table Three

Audience: Defensive and mobile security

CellAnalysis is one more tool to be added to the pentester arsenal. Nowadays we can find other tools intended to find fake cells, most of them use active monitoring; that is, they monitor traffic coming to the SIM card on a smart phone, so that only cell attacks are scanned on the same network as the SIM card. CellAnalysis offers a different vision, it performs a passive traffic monitoring, so it does not require a SIM card or a mobile device, simply a OsmocomBB phone or compatible device SDR (rtlsdr, usrp, hackrf or bladerf) to start monitoring all the frequencies of the GSM spectrum.

http://www.fakebts.com/

Pedro Cabrera
Software Defined Radio and UAV enthusiast, Pedro Cabrera has worked over than 10 years in the main Spanish telecommunications operators, conducting security audits and pentesting in mobile and fixed networks. Besides working with the telecommunications operators, Pedro leads Open Source projects such as intrusion detection systems for GSM networks, which has led him to study the various fake 2G cells attacks and existing solutions. He has also collaborated in press articles on this topic, wardriving around Madrid City looking for how many and where fake stations can be found just walking. During this year he has participated in security events, training "Attacking 2G/3G Mobile Networks, Smartphones and Apps" (BlackHat Asia) and demonstrating how to remote inject commands to commercial drones; "All your bebop drones still belong to us: drone hijacking" (RootedCon) and showing how to intercept 2G calls and SMS under a frequency channel hopping network, using low cost SDR; HackRF and BladeRF.


Return to Index      -     

 

SEV - Emperors BR II - Saturday - 19:15-20:05



Saturday July 29 7:15PM 50 mins
Change Agents: How to Effectively Influence Intractable Corporate Cultures
It’s no secret that trying to change corporate culture is hard. This is primarily due to the fact that large corporations are complex systems and fundamentally averse to change. This reluctance is rooted in a systematic misalignment of shared vision, shared values, and shared culture within the organization. This talk defines a new method of business transformation by illustrating how to effectively influence corporate cultures towards collective action. To achieve that end, we outline an iterative framework along three main vectors: assess the people and environment, craft a narrative, then utilize timing to deliver your message for maximum impact. If you have ever been frustrated by a lack of political will within your own organization, come and join us. You will learn how to become a change agent yourself, how to create other change agents, then finally how to transform your corporation into a change agent.

Keith Conway: @algirhythm
Cameron Craig:

Keith Conway:
Keith Conway is a strategist and consultant operating at the nexus of user experience, systems thinking, and business development. Keith has worked with some of the world’s largest brands including Macy’s, CA Technologies, Estee Lauder, Coca-Cola, Facebook, Spotify, Nissan, and Google to name a few. Keith’s career focus aims to architect win/win situations that create sustainable value for businesses while designing memorable experiences for customers. In his free time, Keith enjoys studying cycles and patterns found in nature, complexity theory, group dynamics, and macroeconomics. Occasionally, you will hear him talking about the monolith.

Cameron Craig:
Cameron Craig is a twenty-year contributor to new product development and interactive digital media practices, holding strategic roles in high technology start-ups, digital agencies, and most recently a Fortune 500 retailer. Cameron is currently VP – Head of User Experience/Innovation at Macy’s | Bloomingdales, where he leads the team researching, designing and dreaming up the company’s next generation products and services. Prior to Macy’s, Cam was a Partner and Managing Director of Strategy, at Sprout Designs a product design agency in San Francisco. Sprout’s clients include GoPro, The Bill and Melinda Gates Foundation, Intuit, Sony, BEA, Sun Microsystems/Oracle, The San Francisco SPCA, and DocuSign.


Return to Index      -     

 

SKY - Verona/Tuin/Trevi - Promenade Level - Friday - 17:00-17:59


Title:
Child Abuse Material, Current Issues Trends & Technologies

1700 Friday
@h0tdish and @mickmoran
Child Abuse Material, Current Issues Trends & Technologies

"The Skytalk will be very specifically about updating the information security/hacker community of contemporary issues, trends and technologies related to Child Abuse Material (CAM) online by Laura Friend, investigator, research analyst and Cyber-Criminologist and Mick Moran formerly of INTERPOL.
We would like to introduce the term ""Child Abuse Material"" into the hacker/infosec vernacular instead of ""Child Pornography” and go into detail about why this and other current issues are valuable information for front line information security professionals.
We wish to engage in a Q&A discussion at the end about current technologies used by INTERPOL.
This will be a unique opportunity for the information security/hacker community to ask questions directly to a Criminologist with years of OSINT experience tracking violent crimes and a former INTERPOL Child Abuse Material investigator. "

Return to Index      -     

 

DEFCON - Track 1 - Friday - 17:00-17:45


Cisco Catalyst Exploitation - Artem Kondratenko

Cisco Catalyst Exploitation

Friday at 17:00 in 101 Track

45 minutes | Demo

Artem Kondratenko Penetration Tester, Security Researcher

On March 17th, Cisco Systems Inc. made a public announcement that over 300 of the switches it manufactures are prone to a critical vulnerability that allows a potential attacker to take full control of the network equipment.

This damaging public announcement was preceded by Wikileaks' publication of documents codenamed as "Vault 7" which contained information on vulnerabilities and description of tools needed to access phones, network equipment and even IOT devices.

Cisco Systems Inc. had a huge task in front of them - patching this vast amount of different switch models is not an easy task. The remediation for this vulnerability was available with the initial advisory and patched versions of IOS software were announced on May 8th 2017.

We all heard about modern exploit mitigation techniques such as Data Execution Prevention, Layout Randomization. But just how hardened is the network equipment? And how hard is it to find critical vulnerabilities?

To answer that question I decided to reproduce the steps necessary to create a fully working tool to get remote code execution on Cisco switches mentioned in the public announcement.

This presentation is a detailed write-up of the exploit development process for the vulnerability in Cisco Cluster Management Protocol that allows a full takeover of the device.

Artem Kondratenko
Artem is a Penetration Tester at Kaspersky Lab. On time between red team engagements he is doing security research of software and hardware appliances. Author of multiple CVE's on VMware Virtualization Platforms (CVE-2016-5331, CVE-2016-7458, CVE-2016-7459, CVE-2016-7460). Enjoys contributing to the community by writing penetration testing tools such as Invoke-Vnc (PowerShell vnc injector, part of CrackMapExec) and Rpivot (reverse socks4 proxy, now part of BlackArch Linux Distro).

@artkond, https://github.com/artkond,
https://artkond.com


Return to Index      -     

 

DEFCON - Track 1 - Friday - 12:00-12:45


CITL and the Digital Standard - A Year Later

Friday at 12:00 in 101 Track

45 minutes | Art of Defense

Sarah Zatko Chief Scientist, Cyber ITL

A year ago, Mudge and I introduced the non-profit Cyber ITL at DEF CON and its approach to automated software safety analysis. Now, we'll be covering highlights from the past year's research findings, including our in-depth analysis of several different operating systems, browsers, and IoT products.

Parts of our methodologies have now been adopted by Consumer Reports and rolled into their Digital Standard for evaluating safety, security, and privacy, in a range of consumer devices. The standard defines important consumer values that must be addressed in product development, with the goal of enabling consumer organizations to test, evaluate, and report on whether new products protect consumer security, safety, and privacy.

Sarah Zatko
Sarah Zatko is the Chief Scientist at the Cyber Independent Testing Lab (CITL), where she develops testing protocols to assess the security and risk profile of commercial software. She also works on developing automated reporting mechanisms to make such information understandable and accessible to a variety of software consumers. The CITL is a non-profit organization dedicated to empowering consumers to understand risk in software products. Sarah has degrees in Math and Computer Science from MIT and Boston University. Prior to her position at CITL, she worked as a computer security professional in the public and private sector.

cyber-itl.org


Return to Index      -     

 

VMHV - Roman 1, Promenade Level - Friday - 15:00-15:45


Title:
Common misconceptions and false parallels about voting technology. We can do online banking and use ATMs, why can’t we vote on touch screens or online?

Title: Common misconceptions and false parallels about voting technology. We can do online banking and use ATMs, why can’t we vote on touch screens or online?

Joe Hall bio
Joseph Hall, Chief Technologist and Director of the Internet Architecture project at the Center for Democracy & Technology

Joseph Lorenzo Hall is the Chief Technologist and Director of the Internet Architecture project at the Center for Democracy & Technology, a Washington, DC-based non-profit advocacy organization dedicated to ensuring the internet remains open, innovative and free. Hall’s work focuses on the intersection of technology, law, and policy, working to ensure that technical considerations are appropriately embedded into legal and policy instruments. Supporting work across all of CDT’s programmatic areas, Hall provides substantive technical expertise to CDT’s programs, and interfaces externally with CDT supporters, stakeholders, academics, and technologists. Hall leads CDT’s Internet Architecture project, which focuses on embedding human rights values into core internet standards and infrastructure, engaging technologists in policy work, and producing accessible technical material for policymakers.

Return to Index      -     

 

BHV - Pisa Room - Friday - 15:00-15:29


Title: Computational Chemistry on a Budget

Speakers: Mr. Br!ml3y

About Mr. Br!ml3y:
Mr_Br!ml3y is a DefCon Biohacking Village regular who is currently working on a PhD. from a research university in the Midwest. He also works in public sector network security to keep the lights on. His current research focuses on developing 3D computer models for contaminent transport in groundwater, with special emphasis on ionic contaminants (alkali metals and earths, halides). He has been exploring computational chemistry and nanochemistry to help with model development and bioinformatics as a side interest.

Abstract:
Determining effectiveness and fit of chemical compounds for human medical and health is a time-consuming and expensive process. One method for reducing time and expense is the use of computational chemistry to model compound-receptor binding, which helps rule out unpromising or suboptimal compounds. This presentation explores the fundamentals of computational chemistry for various applications and open-source programs available for use. Ab initio molecular modeling, molecular docking, and bioinformatics programs are discussed.



Return to Index      -     

 

DEFCON - Track 1 - Friday - 13:00-13:45


Controlling IoT devices with crafted radio signals

Friday at 13:00 in 101 Track

45 minutes | Demo, Tool

Caleb Madrigal Hacker, FireEye/Mandiant

In this talk, we'll be exploring how wireless communication works. We'll capture digital data live (with Software-Defined Radio), and see how the actual bits are transmitted. From here, we'll see how to view, listen to, manipulate, and replay wireless signals. We'll also look at interrupting wireless communication, and finally, we'll even generate new radio waves from scratch (which can be useful for fuzzing and brute force attacks). I'll also be demoing some brand new tools I've written to help in the interception, manipulation, and generation of digital wireless signals with SDR.

Caleb Madrigal
Caleb Madrigal is a programmer who enjoys hacking and mathing. He is currently working as a senior software engineer on Incident Response software at Mandiant/FireEye. Most of his recent work has been in Python, Jupyter, Javascript, and C. Caleb has been into security for a while... in high school, he wrote his own (bad) cryptography and steganography software. In college, he did a good bit of "informal pen testing". Recently, Caleb has been playing around with SDR, IoT hacking, packet crafting, and a good bit of math/probability/AI/ML.

@caleb_madrigal, calebmadrigal.com


Return to Index      -     

 

CPV - Florentine Ballroom 4 - Saturday - 15:30-16:00


Title:
Core Illumination: Traffic Analysis in Cyberspace

Author:
Kenneth Geers (Senior Research Scientist, Comodo)

Abstract:
The information security discipline devotes immense resources to developing and protecting a core set of protocols that encode and encrypt Internet communications. However, since the dawn of human conflict, simple Traffic Analysis (TA) has been used to circumvent innumerable security schemes. TA leverages metadata and hard-to-conceal network flow data related to the source, destination, size, frequency, and direction of information, from which eavesdroppers can often deduce a comprehensive intelligence analysis. TA is effective in both the hard and soft sciences, and provides an edge in economic, political, intelligence, and military affairs. Today, modern information technology, including the ubiquity of computers, and the interconnected nature of cyberspace, has made TA a global and universally accessible discipline. Further, due to privacy issues, it is also a global concern. Digital metadata, affordable computer storage, and automated information processing now record and analyse nearly all human activities, and the scrutiny is growing more acute by the day. Corporate, law enforcement, and intelligence agencies have access to strategic datasets from which they can drill down to the tactical level at any moment. This paper discusses the nature of TA, how it has evolved in the Internet era, and demonstrates the power of high-level analysis based on a large cybersecurity dataset.

Bio:
Kenneth Geers (PhD, CISSP) is a Comodo Senior Research Scientist based in Toronto, Canada. Dr. Geers is also a NATO Cooperative Cyber Defence Centre of Excellence (CCD COE) Ambassador, a Non-Resident Senior Fellow at Atlantic Council, an Affiliate with the Digital Society Institute-Berlin, a member of the Transatlantic Cyber Forum, and a Visiting Professor at Taras Shevchenko National University of Kyiv in Ukraine. Kenneth spent 20 years in the U.S. Government, with time in the U.S. Army, at NSA, NCIS, and NATO, and was a Senior Global Threat Analyst at FireEye. He is the author “Strategic Cyber Security”, Editor of “Cyber War in Perspective: Russian Aggression against Ukraine”, Editor of “The Virtual Battlefield: Perspectives on Cyber Warfare”, Technical Expert to the “Tallinn Manual”, and author of many articles and chapters on cyber security.
Twitter handle of presenter(s): @KennethGeers

Return to Index      -     

 

Demolabs - Table 3 - Saturday - 14:00-15:50


CrackMapExec

Marcello Salvati

Saturday from 1400-1550 at Table Three

Audience: Network Defense and Offense

Ever needed to pentest a network with 10 gazillion hosts with a very limited time frame? Ever wanted to Mimikatz entire subnets? How about shelling entire subnets? How about dumping SAM hashes ? Share spidering? Keeping track of all the credentials you pillaged? (The list goes on!) And doing all of this in the stealthiest way possible? Well look no further than CrackMapExec! CrackMapExec (a.k.a CME) is a modular post-exploitation tool written in Python that helps automate assessing the security of *large* Active Directory networks. Built with stealth in mind, CME follows the concept of "Living off the Land": abusing built-in Active Directory features/protocols to achieve it's functionality and allowing it to evade most endpoint protection, IDS and IPS solutions. Although meant to be used primarily for offensive purposes, CME can be used by blue teams as well to assess account privileges, find misconfigurations and simulate attack scenarios. In this demo the author will be showing off v4.0, a major update to the tool bringing more feature and capabilities than ever before! If you are interested in the latest and greatest Active Directory attacks/techniques, weaponizing them at scale and general cool AD stuff this is the demo for you!

https://github.com/byt3bl33d3r/CrackMapExec

Marcello Salvati
Marcello Salvati (@byt3bl33d3r) is a security consultant who's really good at writing bios. He's so good at writing bios that he was awarded the 'The Best Bio Ever from *insert date when bios became a thing* to 2017" award. (Totally legit award. Don't Google it, Bing it).

His boss Liz asked him about ten times to re-write his bio because "It was too good. He had to make it less good. We didn't want people to cry in shame when they read it. It was like a poem ... sniff.. *a single tear is shed*".

By day a security consultant, by night a tool developer who discovered a novel technique to turn tea, sushi and dank memes into somewhat functioning code he has recently devoted his attention to the wonderful rabbit hole that is Active Directory which has become his favorite thing to 0wn.


Return to Index      -     

 

BHV - Pisa Room - Friday - 17:00-17:29


Title: Creating Human 2.0: Three Case Studies from the Edges of Brain Rewiring Science

Speakers: David Bach

About David:
David Bach, MD
Founder and President, Platypus Institute
A Harvard-trained scientist, physician, and serial entrepreneur, Dr. Bach is the Founder and President of the Platypus Institute, an applied neuroscience research organization whose mission is to translate cutting-edge neuroscience discoveries into practical tools and programs that radically enhance the human experience. As an entrepreneur, Dr. Bach founded and built three healthcare technology companies, each of which became a $100M enterprise. He has also been a management consultant, a venture capitalist, a competitive martial artist and a professional cellist. He is also an avid biohacker.

Abstract:
During the past decade, a confluence of scientific breakthroughs in neuroimaging, biotechnology, cybernetics, sensor technology and data analytics have created a new tool in the self-improvement arsenal. Today, for the first time in history, we can “rewire†the human brain in highly targeted ways that dramatically enhance cognition, perception, creative ability, learning speeds and health. During this session, building largely on work from DARPA, we will explore emerging technologies you can use today to dramatically enhance your brain and your cognitive abilities. We will also take a look into the future of neurotech – and how it is going to fundamentally disrupt what it means to be human.



Return to Index      -     

 

SKY - Verona/Tuin/Trevi - Promenade Level - Saturday - 12:00-12:59


Title:
Crossing the Border with a Burner Phone: A Lawyer Explains Legal & Security Issues at the Border

1200 Saturday
wendy
@wendyck

Crossing the Border with a Burner Phone: A Lawyer Explains Legal & Security Issues at the Border

For many people, crossing a border isn't a cause for concern. But with a recent uptick in device searches and requests for social media handles, a lot of bad advice has been circulating. Hear from a hacker lawyer about the legality of border searches- what can border agents ask you? Must you unlock a phone? Can you give a fake social media handle?

Return to Index      -     

 

Demolabs - Table 4 - Saturday - 14:00-15:50


Crypt-Keeper

Maurice Carey

Saturday from 1400-1550 at Table Four

Audience: Anyone who wants to run a service to securely exchange files.

Crypt-Keeper is a service for securely exchanging files.

Equipment Requirements (Network Needs, Displays, etc): A display or protector would be great. The app will be running on AWS, so a network connection will be needed as well.

https://github.com/mauricecarey/crypt-keeper

Maurice Carey
"Maurice is the Principle Software Engineer at TargetSmart, a small company focused on big data problems, where he is helping create and scale their customer facing software platform for future business growth. Previously, Maurice has worked as a Software Architect focusing on data analytics and micro-services, and as a software engineer at companies like General Motors and Amazon.com.

Maurice has been a speaker or presenter publicly at many local meet ups and small conferences, as well as presenting papers at the IEEE International Conference on Program Comprehension (ICPC), and IEEE Enterprise Distributed Object Computing (EDOC) conferences.

Maurice received a Bachelor's Degree in Computer Science and PhD in Computer Science from Arizona State University while establishing himself as an entrepreneur working his way through school writing code for various clients.


Return to Index      -     

 

CPV - Florentine Ballroom 4 - Friday - 16:30-17:30


Title:
Cryptanalysis in the Time of Ransomware

Author:
Mark Mager (Endgame)

Abstract:
Crypto has served an important role in securing sensitive data throughout the years, but ransomware has flipped this script on its head by leveraging crypto as a means to instead prevent users from accessing their own data. The crypto seen in ransomware covers a wide range of complexity of symmetric and asymmetric algorithms, but flaws in their implementation and key storage / transmission routines have left the door open for users to retrieve their data in certain cases. In this talk, I'll provide a glimpse into some of the more notable ransomware crypto implementations that have surfaced over the past few years and how their weaknesses were exploited by security researchers through reverse engineering and cryptanalysis.

Bio:
Mark is a Senior Malware Researcher for Endgame. Throughout his career in software engineering and computer security, he has served in prominent technical leadership roles in the research and development of advanced computer network operations tools and has provided malware analysis and reverse engineering subject matter expertise to a diverse range of government and commercial clients in the Washington, D.C. metropolitan area.
Twitter handle of presenter(s): @magerbomb
Website of presenter(s) or content: https://www.endgame.com/our-experts/mark-mager

Return to Index      -     

 

PHV - Milano VIII - Promenade Level - Friday - 13:10-13:59


CVE IDs and How to Get Them

Daniel Adinolfi, Lead Cybersecurity Engineer at The MITRE Corporation
Anthony Singleton, Cyber Security Engineer at The MITRE Corporation

The Common Vulnerabilities and Exposures (CVE) program uniquely identifies and names publicly-disclosed vulnerabilities in software and other codebases. Whether you are a vulnerability researcher, a vendor, or a project maintainer, it has never been easier to have CVE IDs assigned to vulnerabilities you are disclosing or coordinating around. This presentation will be an opportunity to find out how to participate as well as a chance to offer your thoughts, questions, or feedback about CVE. Attendees will learn what is considered a vulnerability for CVE, how to assign CVE IDs to vulnerabilities, how to describe those vulnerabilities within CVE ID entries, how to submit those assignments, and where to get more information about CVE assignment.

Daniel Adinolfi (Twitter: @pkdan14850) is a Lead Cybersecurity Engineer at The MITRE Corporation. He works as part of the CVE Program as the CVE Numbering Authority (CNA) Coordinator and the Communications Lead. Daniel has a background in security operations and incident response and in developing information sharing programs, compliance programs, and security architectures. Daniel also writes poetry, plays games, and drinks a lot of coffee. He works in cybersecurity to pay the bills. Most of those bills are coffee and game-related.

Anthony Singleton recently completed his MS in Information Security and Policy Management at Carnegie Mellon University. He has worked for CERT-CC interning as a Cyber Workforce Developer and Vulnerability Analyst and is currently working at MITRE Corporation as a Cybersecurity Engineer with a focus in both the CVE and CWE efforts. Anthony is an aspiring Hacker working towards acquiring both the OSCP certificate and CEH certificate. He is a major New England Patriots fan and enjoys working on his Jeep Wrangler on his down time.


Return to Index      -     

 

CPV - Florentine Ballroom 4 - Sunday - 11:30-12:00


Title:
Cypherpunks History

Author:
Ryan Lackey (ResetSecurity, Inc.)

Abstract:
We will go over the history of the 1990s cypherpunks and major topics discussed during that period -- including remailers, the first discussions of crypto currencies, and various forms of anonymous electronic markets. In addition, we will present a free archive of the mailing list and topics for future research.

Bio:
Ryan Lackey has been a cypherpunk for over 20 years. He founded the world's first offshore datahaven, HavenCo, on Sealand in 2000. He was involved with pre-cryptocurrency anonymous digital currencies backed with gold and other assets, and worked in Iraq, Afghanistan, and other conflict zones, bootstrapping a satellite and wireless communications company. Later, he founded a Y Combinator-backed startup, CryptoSeal, which he sold to Cloudflare in 2014. After working at Cloudflare for the following two years, he founded ResetSecurity, a travel security company, in 2016.
Twitter handle of presenter(s): @octal

Return to Index      -     

 

DEFCON - Modena Room - Saturday - 20:00-21:59


D0 No H4RM: A Healthcare Security Conversation

Saturday at 20:00 - 22:00 in Modena Room

Evening Lounge

Christian "quaddi" Dameff MD MS Hacker

Jeff "r3plicant" Tully MD Hacker

Beau Woods Deputy director of the Cyber Statecraft Initiative in the Brent Scowcroft on International Security

Joshua Corman Director of the Cyber Statecraft Initiative at the Atlantic Council's Brent Scowcroft Center

Michael C. McNeil Privacy and security expert, Philips Healthcare

Jay Radcliffe Senior Security Consultant and Researcher, Rapid7

Suzanne Schwartz, MD, MBA Associate Director for Science & Strategic Partnerships, FDA'Center for Devices & Radiological Health (CDRH)

Previously a free-flowing, fast moving conversation between old friends and new colleagues in a dimly lit and alcohol soaked off-strip hotel suite, the third annual edition of "D0 No H4rm" moves to the better lit and even more alcohol soaked auspices of the DEF CON 25 Evening Lounge for a two hour session that links makers, breakers, and wonks in the healthcare space for a continuation of what may be one of the most important conversations in all of hackerdom- how to ensure the safety and security of patients in a system more connected and vulnerable than ever before. Join physician researchers quaddi and r3plicant, and researcher turned wonk Beau Woods as they offer an update on the state of the field and curate an interactive and engaging panel before breaking out the bottle and getting social. Continuing a tradition that has sparked professional connections, project ideas, and enduring friendships, "D0 No H4rm" aims to offer a prescription for the future, and we want your voice to be heard.

Christian "quaddi" Dameff MD MS
Christian (quaddi) Dameff is an emergency medicine physician, former open capture the flag champion, prior DEF CON speaker, and researcher. Published works include topics such as therapeutic hypothermia after cardiac arrest, novel drug targets for myocardial infarction patients, and other Emergency Medicine related works with an emphasis on CPR optimization. Security research topics including hacking critical healthcare infrastructure and medical devices. This is his thirteenth DEF CON.

@cdameffMD

Jeff "r3plicant" Tully MD
Jeff Tully is an anesthesiologist, pediatrician, and researcher with an interest in understanding the ever-growing intersections between health care and technology. Prior to medical school he worked on "hacking" the genetic code of Salmonella bacteria to create anti-cancer tools, and throughout medical training has remained involved in the conversations and projects that will secure healthcare and protect our patients as we face a brave new world of remote care, implantable medical devices, and biohacking.

@jefftullymd

Beau Woods
Beau Woods is the deputy director of the Cyber Statecraft Initiative in the Brent Scowcroft on International Security. His focus is the intersection of cyber (yes, he'll drink for that) security and the human condition, primarily around Cyber Safety. This comes out of the I Am The Cavalry initiative, ensuring the connected technology that can impact life and safety is worthy of our trust. Beau started his career working at a regional health provider, protecting patients by defending medical data and devices.

@beauwoods

Joshua Corman
Joshua Corman is the director of the Cyber Statecraft Initiative at the Atlantic Council's Brent Scowcroft Center and a founder of I am The Cavalry (dot org). Corman previously served as CTO for Sonatype, director of security intelligence for Akamai, and in senior research and strategy roles for The 451 Group and IBM Internet Security Systems. He co-founded @RuggedSoftware and @IamTheCavalry to encourage new security approaches in response to the world's increasing dependence on digital infrastructure. Josh's unique approach to security in the context of human factors, adversary motivations, and social impact has helped position him as one of the most trusted names in security. He also serving as an adjunct faculty for Carnegie Mellon's Heinz College and on the 2016 HHS Cybersecurity Task Force.


Return to Index      -     

 

BHV - Pisa Room - Saturday - 14:00-14:59


Title: Dangerous Minds Podcast: Live at DCBHV celebrating 100th episode

Speaker: Awesome Folks from Various BioHacking Podcasts

Moderators:
Moderators: c00p3r and cur50r from Dangerous Minds Podcast; McStuff from 2 Cyborgs and a Microphone; Sciaticnerd from Security Endeavours.

Abstract:
For this panel, two of the hosts of “Dangerous Minds Podcast†will be joined by one of the Hosts of “Two Cyborgs and a Microphone†and Sciaticnerd from "Security Endeavours" will be recording a normal episode with a mystery guest and or guests to celebrate the 100th episode of DMP, and our first live recording. Join us for the learning, stay for the laughs, without editing out our goofs, and turn the tables on everyone and ask your own questions as well. To which we can all learn together. It’s going to be a little bit fun, a little bit of learning, and a lot of laughs as always. Come out and join us, and bring your own spark! And perhaps go away with more.



Return to Index      -     

 

DEFCON - Track 3 - Friday - 15:00-15:45


Dark Data

Friday at 15:00 in Track 3

45 minutes

Svea Eckert NDR

Andreas Dewes PhD

A judge with preferences for hard core porn, a police officer investigating a cyber-crime, a politician ordering burn out medication - this kind of very personal and private information is on the market. Get sold to who is willing to pay for.

In a long time experiment, with the help of some social engineering techniques, we were able to get our hands on the most private data you can find on the internet. Click stream data of three million German citizens. They contain every URL they have looked at, every second, every hour, every day for 31 days. In our talk we will not only show how we got that data, but how you can de-anonymize it with some simple techniques.

This data is collected worldwide by big companies, whose legal purpose is to sell analytics and insights for marketers and businesses. In the shadow of Google and Facebook, companies have evolved, their names unknown to a broader public but making billions of dollars with your data. The new oil of the 20th century.

Our experiment shows in a drastic way, what the youngest decision reversing the Broadband Privacy Rule means. What the consequences for everyday life could be, when ISPs are allowed to sell your browsing data. And why that piece of regulation from the FCC was so important regarding privacy and constitutional rights.

Svea Eckert
Svea Eckert works as a freelance journalist for Germany's main public service broadcaster "Das Erste" (ARD). She is researching and reporting investigative issues for the PrimeTime news shows and high quality documentaries. Her main focus lies on new technology: computer and network security, digital economics and data protection.

Bigger projects and documentaries are for example "Superpower Wikileaks?" (ARD), "Facebook - Billion Dollar Business friendship" (ARD), her first book "Monitored and spied out: Prism, NSA, Facebook & Co" and in 2015 "Netwars" (ARD). Svea Eckert studied "Journalism and Communications" and Economics in Hamburg. She completed her journalistic training at NDR, Hamburg and Hannover.

Twitter: @sveckert
Website: www.sveaeckert.de

Andreas Dewes
Andreas Dewes is a trained physicist with a PhD in experimental quantum computing and a degree in quantitative economics. He has a passion for data analysis and software development. He has received numerous awards for his work on data analysis and his work on data privacy and big data has been featured in the national and international press.

Twitter: @japh44
Github: adewes


Return to Index      -     

 

DEFCON - Capri Room - Saturday - 15:00-16:59


DC to DEF CON: Q&A with Congressmen James Langevin and Will Hurd

Saturday at 15:00 - 17:00 in Capri Room

Lounge Format

Representative James Langevin (D-RI)

Representative Will Hurd (R-TX)

Ever wondered if there was such thing as a “hacker-friendly†member of Congress? We found some and convinced them to come to DEF CON so you can meet them too! In this first-of-its-kind DEF CON session, two of the most hacker-friendly Congress critters will join DEF CON for an engaging and interactive session with the security research community.

Join the Atlantic Council’s Cyber Statecraft Initiative for a candid discussion with Representatives Will Hurd (R-TX) and James Langevin (D-RI). The two Congressmen will share their thoughts on the latest developments in cybersecurity policymaking on the Hill and provide a unique opportunity for the audience to ask questions, exchange ideas, and maybe even answer some of the Congressmen’s questions.

Rep. Will Hurd (R-TX)
Rep Hurd was born and raised in San Antonio, Texas. He attended John Marshall High School and Texas A&M University, where he majored in Computer Science and served as Student Body President.

After college, Will served as an undercover officer in the CIA in the Middle East and South Asia for nearly a decade, collecting intelligence that influenced the National Security agenda. Upon leaving the CIA, he became a Senior Advisor with a cybersecurity firm, covering a wide range of complex challenges faced by manufacturers, financial institutions, retailers, and critical infrastructure owners. He was also a partner with a strategic advisory firm helping businesses expand into international markets.

In 2015, Will was elected to the 114th Congress and currently serves on the Committee of Oversight and Government Reform and chairs the Information Technology Subcommittee. He also sits on the Committee on Homeland Security and is the Vice Chair of the Border and Maritime Security Subcommittee. In 2017, Will was appointed by Speaker Ryan to serve on the House Permanent Select Intelligence Committee, to replace Representative Mike Pompeo upon his confirmation as Director of the CIA.

Rep. James Langevin (D-RI)
Rep. Langevin first ran for office in 1986, when he was elected a Delegate to Rhode Island’s Constitutional Convention and served as its secretary. Two years later, he won election to the Rhode Island House of Representatives.

In 1994, Langevin defeated a Republican incumbent to become the nation’s youngest Secretary of State. He transformed the office into “the people’s partner in government†and took on the challenge of reforming Rhode Island’s outdated election system. Langevin also established the state’s Public Information Center and, with Brown University, published “Access Denied,†which examined the General Assembly’s compliance with the Open Meetings Law and documented routine and widespread violations.

In 1998, Langevin easily won re-election to his second term as Secretary of State, achieving the largest plurality of any general officer in this century, and in 2000, he made a successful run for the U.S. House of Representatives, where he has served the Second Congressional District ever since.

Langevin graduated from Rhode Island College and earned a Master’s Degree in Public Administration from the Kennedy School of Government at Harvard University. He resides in Warwick, Rhode Island


Return to Index      -     

 

DEFCON - Track 1 - Sunday - 15:00-14:59


DC to DEF CON: Q&A with Congressmen James Langevin and Will Hurd

Sunday at 15:00 in 101 Track

Representative James Langevin (D-RI)

Representative Will Hurd (R-TX)

Joshua Corman Director of the Cyber Statecraft Initiative at the Atlantic Council's Brent Scowcroft Center

The past year has seen major disruptions at the intersection of security and society. “Cybersecurity†has been thrust into the public consciousness frighteningly widely and quickly. Issues of public policy impact our colleagues and our community, beyond the technology layer. Some in the public policy community are actively encouraging our community to engage, recognizing the need for a technically literate voice of reason from the security research community. DEF CON is proud to host two members of Congress, who braved their way from DC to DEF CON as ambassadors from their community to ours.

Joshua Corman will engage Rep. Jim Langevin (D-RI) and Rep. Will Hurd (R-TX), in a candid, on-the-record “fireside chat†style conversation. DEF CON attendees will hear their perspectives on the state of cyber policy and what can be done to improve technical literacy in the dialogs. The members will also reflect on their experience at DEF CON, hanging out with hackers, and how they can make their voice known in the public policy conversation.

Rep. Will Hurd (R-TX)
Rep Hurd was born and raised in San Antonio, Texas. He attended John Marshall High School and Texas A&M University, where he majored in Computer Science and served as Student Body President.

After college, Will served as an undercover officer in the CIA in the Middle East and South Asia for nearly a decade, collecting intelligence that influenced the National Security agenda. Upon leaving the CIA, he became a Senior Advisor with a cybersecurity firm, covering a wide range of complex challenges faced by manufacturers, financial institutions, retailers, and critical infrastructure owners. He was also a partner with a strategic advisory firm helping businesses expand into international markets.

In 2015, Will was elected to the 114th Congress and currently serves on the Committee of Oversight and Government Reform and chairs the Information Technology Subcommittee. He also sits on the Committee on Homeland Security and is the Vice Chair of the Border and Maritime Security Subcommittee. In 2017, Will was appointed by Speaker Ryan to serve on the House Permanent Select Intelligence Committee, to replace Representative Mike Pompeo upon his confirmation as Director of the CIA.

Rep. James Langevin (D-RI)
Rep. Langevin first ran for office in 1986, when he was elected a Delegate to Rhode Island’s Constitutional Convention and served as its secretary. Two years later, he won election to the Rhode Island House of Representatives.

In 1994, Langevin defeated a Republican incumbent to become the nation’s youngest Secretary of State. He transformed the office into “the people’s partner in government†and took on the challenge of reforming Rhode Island’s outdated election system. Langevin also established the state’s Public Information Center and, with Brown University, published “Access Denied,†which examined the General Assembly’s compliance with the Open Meetings Law and documented routine and widespread violations.

In 1998, Langevin easily won re-election to his second term as Secretary of State, achieving the largest plurality of any general officer in this century, and in 2000, he made a successful run for the U.S. House of Representatives, where he has served the Second Congressional District ever since.

Langevin graduated from Rhode Island College and earned a Master’s Degree in Public Administration from the Kennedy School of Government at Harvard University. He resides in Warwick, Rhode Island


Return to Index      -     

 

DEFCON - Track 1 - Saturday - 16:00-16:45


Dealing the perfect hand - Shuffling memory blocks on z/OS

Saturday at 16:00 in 101 Track

45 minutes | Demo, Tool

Ayoul3 Pentester, Wavestone

Follow me on a journey where we p0wn one of the most secure platforms on earth. A giant mammoth that still powers the most critical business functions around the world: The Mainframe! Be it a wire transfer, an ATM withdrawal, or a flight booking, you can be sure that you've used the trusted services of a Mainframe at least once during the last 24 hours. In this talk, I will present methods of privilege escalation on IBM z/OS: How to leverage a simple access to achieve total control over the machine and impersonate other users. If you are interested in mainframes or merely curious to see a what a shell looks like on MVS, you're welcome to tag along.

Ayoul3
Ayoub is a pentester working for Wavestone, a consulting firm based in France. He got interested in Mainframe security in 2014 when, during an audit, he noticed the big security gap between this platform and standard systems like Windows and Unix. A gap that makes little sense since z/OS has been around for a while and is used by most major companies to perform critical business operations: wire transfer, claim refunds, bookings, etc.

If you want to test some of the tools showcased during the talk, you can check out his tools: https://github.com/ayoul3/

@ayoul3__


Return to Index      -     

 

DEFCON - Track 2 - Friday - 14:00-14:45


Death By 1000 Installers; on macOS, it's all broken!

Friday at 14:00 in Track 2

45 minutes | Demo, Exploit

Patrick Wardle Chief Security Researcher, Synack

Ever get an uneasy feeling when an installer asks for your password? Well, your gut was right! The majority of macOS installers & updaters are vulnerable to a wide range of priv-esc attacks.

It began with the discovery that Apple's OS updater could be abused to bypass SIP (CVE-2017-6974). Next, turns out Apple's core installer app may be subverted to load unsigned dylibs which may elevate privileges to root.

And what about 3rd-party installers? I looked at what's installed on my Mac, and ahhh, so many bugs!

Firewall, Little Snitch: EoP via race condition of insecure plist
Anti-Virus, Sophos: EoP via hijack of binary component
Browser, Google Chrome: EoP via script hijack
Virtualization, VMWare Fusion: EoP via race condition of insecure script
IoT, DropCam: EoP via hijack of binary component
and more!

...and 3rd-party auto-update frameworks like Sparkle -yup vulnerable too!

Though root is great, we can't bypass SIP nor load unsigned kexts. However with root, I discovered one could now trigger a ring-0 heap-overflow that provides complete system control.

Though the talk will discuss a variety of discovery mechanisms, 0days, and macOS exploitation techniques, it won't be all doom & gloom. We'll end by discussing ways to perform authorized installs/upgrades that don't undermine system security."

Patrick Wardle
Patrick Wardle is the Chief Security Researcher at Synack, and founder of Objective-See. Having worked at NASA and the NSA, and as well as presented at many security conferences, he is intimately familiar with aliens, spies, and talking nerdy. Currently, Patrick's focus is on automated vulnerability discovery, and the emerging threats of OS X and mobile malware. In his personal time, Patrick collects OS X malware and writes free OS X security tools.

@patrickwardle, objective-see.com


Return to Index      -     

 

SKY - Verona/Tuin/Trevi - Promenade Level - Friday - 15:00-15:59


Title:
Death Numbers in Surgical room, Attacking Anesthesia Equipment.

1500 Friday
Michael Hudson
Death Numbers in Surgical room, Attacking Anesthesia Equipment.

"Possibility of introducing malicious code in General Electric's Datex-Ohmeda Equipment, which are used in surgeries such as Anesthesia Equipment.
These equipment monitor all vital signs during a surgical operation. The model of the monitor is the G/1500213 and has 2 RJ-45 inputs, which connect to a PC (which in most of the hospitals visited uses a version of windows),
and from this PC to a central server. All Hospitals visited use Oracle database and HL7 protocol and Dicom (tcp-ip) protocol."

Return to Index      -     

 

Wireless - Florentine BR I & II - Promenade Level - Friday - 15:00-15:55


Deceptacon: Wi-Fi Deception in under $5

No description available


Return to Index      -     

 

DEFCON - Track 1 - Thursday - 16:00-17:45


DEF CON 101 Panel

Thursday at 16:00 in 101 Track

105 minutes | Hacker History, Audience Participation

HighWiz Founder, DC101

Malware Unicorn

Niki7a Director of Content & Coordination, DEF CON

Roamer CFP Vocal Antagonizer, DEF CON

Wiseacre

Shaggy

The DEF CON panel is the place to go to learn about the many facets of DEF CON and to begin your DEF CONian Adventure. Here you will begin your adventure that will include more than just listening in the talk tracks. You can get hands-on experience in the Villages and witness amazing feats of programming in Demo Labs. You may even display your own powers by participating in a contest or two in the Events and Contest Area. The panel will give you what you need to know to navigate DEF CON to your best advantage. We have speakers who will regale you with tales of how they came to be at DEF CON and (hopefully) inspire you with their personal experiences. Oh yeah, there is the time honored "Name the Noob", with lots of laughs and even some prizes.

HighWiz
Born of glitter and moon beams, HighWiz is the things that dreams are made of and nightmares long to be... Years ago, with the help of some very awesome people, he set about to create an event that would give the n00bs of DEF CON a place to feel welcomed and further their own pursuit of knowledge. HighWiz is the fabled Man on the Mountain whom people seek to gain a taste of his forbidden knowledge. He is a rare sighting at DEF CON only to be glimpsed by those lucky few.

Malware Unicorn
As a girl growing up, she was told she could be anything so she decided to be a unicorn. Ever since, she has made it her mission to ensure the truth is out there. Do not attempt to use malware pickup lines on her as she will pull them apart and you risk having your face impaled. Though she is fierce, she is also graceful, peaceful and determined. She is also an awesome artist.

Niki7a
There is truly only one sorceress that ensures the machinations of Def Con continue to move. She is both in tune with the magic and digital functions and is the power behind the CFP board from start to finish as well as the coordination of so many other activities behind the curtain. She works tirelessly year-round to make sure everything runs smoothly. Also, she is fun at parties and awesome AF.

@niki7a

Roamer
Appearing in a cloud of (cigarette) smoke, Roamer is a man full of whiskey and ideas. He has appeared at DEF CON since before (almost) the beginning. He is a renown author, speaker, pontificator and is famous for giving the most entertaining Worldwide Wardrive talk. He is also the Grand Vizier of All Things Vendor - you are welcome.

Wiseacre
Wiseacre was introduced to DEF CON by Roamer. Though he appeared at his first DEF CON because of the Capture the Flag contest, Roamer and HighWiz showed him how to make DEF CON so much more than simply attending the talks. From then on he made a point to participate in as much as he could. Of course, this was all within the limits of social anxiety so, if it allowed participation as a wallflower, he was in! Now, he wants to make sure everyone else gets to know as much as possible about this year's conference. In his private life, Mike hacks managers and is happy anyone listens to him at all. Mike would like to thank Highwiz for everything.

Shaggy
Shaggy has the Voice of Barry White, the brains of Albert Einstein and the soul of Bea Arthur. He has a few philosophies on life: He believes that while the righteous keep moving forward, those with clean hands become stronger and stronger . That the field of battle between God and Satan is the human soul. It is in the soul that the battle rages every moment of life. He also believes that one should Start by doing what's necessary; then do what's possible; and suddenly you are doing the impossible. Because You learn to speak by speaking, to study by studying, to run by running, to work by working, and just so, you learn to love by loving. All those who think to learn in any other way deceive themselves.


Return to Index      -     

 

Night Life - Track 3 - Thursday - 20:30-24:00


Title:
DEF CON Movie Night

DEF CON Movie Night
Return to Index      -     

 

Night Life - Track 3 - Friday - 20:30-24:00


Title:
DEF CON Movie Night

DEF CON Movie Night
Return to Index      -     

 

Night Life - Track 3 - Saturday - 20:30-24:00


Title:
DEF CON Movie Night

DEF CON Movie Night
Return to Index      -     

 

Night Life - Lobby Bar - Friday - 18:00-19:00


Title:
DEFCON 25 Meetup for /r/Defcon

DEFCON 25 Meetup
Alrighty friends, it's that time again to plan out our gathering at DC25! Our meetups have steadily been gaining traction each year, and I am hoping that we can make this one our biggest one to date.
As with the past couple of years, it's always a bit tricky to find a time and a place that is going to work perfectly for everybody because of the incredible amount of options for people to see/do. I am open to suggestions if you all think that there are better spots for us to meetup and socialize/drink.

Here are the details, ya filthy hackers:
Location: Lobby Bar - Caesars Palace Hotel and Casino
Date: Friday, July 28th, 2017
Time: 6:00pm
General Information I will gather some chairs and tables in the corner of the bar and defend them with my life if necessary.... Okay, maybe not my life, but I will do my best to make people too uncomfortable to sit in the area if they are not part of the meetup. And as always, please ask around for me if you can't find us or message me, I promise not to bite! And as always, please keep your snacks close by unless you want /u/1o57 to eat them.

T-Shirt Swap & Clothing Drive - In addition to our normal mingling, drinking, and general shenanigans, some of us will also be doing a T-shirt swap and clothing drive. Bring a couple shirts to swap, and any items of clothing that you would like to donate to a local charity (TBD). I will be personally bringing a trash-bag full of clothes to donate, and I would highly encourage you to bring your gently used clothes as well! Let's make an impact in the name of our sub!!

BONUS ROUND - Our afterparty will graciously be sponsored by the Monero Enterprise Alliance and our friends over at /r/Monero. Details to come.

Return to Index      -     

 

Night Life - Sunset Park Pavilion F - Thursday - 16:00-22:00


Title:
DEFCON Toxic BBQ

Toxic BBQ will be held on Thursday afternoon, 7/27, at Sunset Park Pavilion F from 16:00 to 22:00. (36.0636, -115.1178)

The humans of Vegas invite everyone to a barbecue and meetup at Sunset Park, Pavilion F. Kick off the con on Thursday afternoon with food, beer, and conversation at this unofficial welcome party.

Basic supplies will be provided (read: burgers, dogs, charcoal, plates). Bring sides, snacks, and spirits to fill out the smorgasbord. Hit the grocery (or liquor) store before arriving, or catch a ride once you arrive. Gifts for those that chip in to make the BBQ awesome:
- Grill masters
- Supply Runners
- Those that bring exotic meats
- Those that bring exotic brews (local or home brews)
- Carpool members, ride coordination, transportation help

We are going to host local Vegas HAMmers for an impromptu meetup. If your group would like to stage at the BBQ, let me know in the comments below. PM me if you can help with supplies or transport.

Credit to graverobber and all those that made this unofficial kickoff the best place to stuff your face year after year. This is an informal meetup, and costs are covered by humans like you
Toxic BBQ for DC25
Location
Return to Index      -     

 

CHV - Village Talks Outside Contest Area, Pool Level - Friday - 16:00-16:59


DefCon Unofficial Badges Panel

No description available


Return to Index      -     

 

PHV - Milano VIII - Promenade Level - Sunday - 11:10-11:59


Demystifying the OPM Breach: WTF Really Happened

Ron Taylor

In September 2016 the House Committee on oversight finally released their report. Four years after the original breach, we are still asking how the f*#! did this happen. This talk with go over the key findings of the report and the impact on those who were effected.

Ron Taylor (Twitter: @Gu5G0rman) has been in the Information Security field for almost 20 years. Ten of those years were spent in consulting where he gained experience in many areas. In 2008, he joined the Cisco Global Certification Team as an SME in Information Assurance. In 2012, he moved into a position with the Security Research and Operations group (PSIRT) where his focus was mostly on penetration testing of Cisco products and services. He was also involved in developing and presenting security training to internal development and test teams globally. Additionally, he provided consulting support to many product teams as an SME on product security testing. In his current role, he is a Consulting Systems Engineer specializing in Cisco's security product line. Certifications include GPEN, GWEB, GCIA, GCIH, GWAPT, RHCE, CCSP, CCNA, CISSP and MCSE. Ron is also a Cisco Security Blackbelt, SANS mentor, Co-Founder and President of the Raleigh BSides Security Conference, and member of the Packet Hacking Village team at DEF CON.


Return to Index      -     

 

DEFCON - Track 1 - Saturday - 13:00-13:45


Demystifying Windows Kernel Exploitation by Abusing GDI Objects.

Saturday at 13:00 in 101 Track

45 minutes | Demo, Exploit

5A1F (Saif El-Sherei) Security Analyst, SensePost

Windows kernel exploitation is a difficult field to get into. Learning the field well enough to write your own exploits require full walkthroughs and few of those exist. This talk will do that, release two exploits and a new GDI object abuse technique.

We will provide all the detailed steps taken to develop a full privilege escalation exploit. The process includes reversing a Microsoft's patch, identifying and analyzing two bugs, developing PoCs to trigger them, turning them into code execution and then putting it all together. The result is an exploit for Windows 8.1 x64 using GDI bitmap objects and a new, previously unreleased Windows 7 SP1 x86 exploit involving the abuse of a newly discovered GDI object abuse technique.

5A1F (Saif El-Sherei)
Saif is a senior analyst with SensePost. He has a keen interest in exploit development and sharing everything he learns. Over the years he has released several exploitation tutorials, examples and a grammar-based browser fuzzer, wadi (DEF CON 23).

@saif_sherei


Return to Index      -     

 

BHV - Pisa Room - Saturday - 18:30-18:30


Title: Designer Babies

Speaker: Christian and Erin
@cdameffMDDr

About Christian and Erin:
Christian "quaddi" Dameff MD MS
Christian (quaddi) Dameff is an emergency medicine physician, former open capture the flag champion, prior DEF CON speaker, and researcher. Published works include topics such as therapeutic hypothermia after cardiac arrest, novel drug targets for myocardial infarction patients, and other Emergency Medicine related works with an emphasis on CPR optimization. Security research topics including hacking critical healthcare infrastructure and medical devices. This is his thirteenth DEF CON.

Erin Hefley is a resident physician in her final year of training with the Phoenix Integrated Residency in Obstetrics & Gynecology. She has a background in public health and women's health, and obtained a Master of Public Health degree from the University of Northern Colorado prior to attending medical school at the University of Arizona - Phoenix. This is her 6th Defcon attendance over the past decade, and she is thrilled to have witnessed the development and expansion of the Biohacking Village. Her current interests include reproductive health technology, women's health policy, running, and vampire erotica

Abstract:
An estimated 30 million Americans and 300 million people worldwide suffer from genetic disease, and 15% of American couples are affected by infertility. Current assisted reproductive technology is used to prevent genetic disease and assist with conception. Human capabilities are rapidly advancing past the present application of these technologies, providing exciting possibilities for selecting and enhancing characteristics of our offspring in the brave new world of 21 st century medicine.
This discussion will outline current reproductive science in the US and abroad, and discuss the bioethical, legal, and medical consequences of a future where babies can be designed to specification.



Return to Index      -     

 

Wireless - Florentine BR I & II - Promenade Level - Friday - 16:00-16:55


Robert Ghilduta

Bio

Interests include SDRs (bladeRF), RF, DSP, embedded programming, hardware design, modern control systems, UAVs, and information security.

@robertghilduta

Designing an Automatic Gain Control

Abstract

The presentation will describe the requirements and design methodology behind the bladeRF's newly released VHDL Automatic Gain Control. The talk will walk SDR beginners through the RF gain architecture of modern radios and explain why gain control is required. The talk will then use the bladeRF as an example, and show what it took to develop the AGC in VHDL.


Return to Index      -     

 

DEFCON - Track 4 - Saturday - 15:00-15:45


Digital Vengeance: Exploiting the Most Notorious C&C Toolkits

Saturday at 15:00 in Track 4

45 minutes | Demo, Tool, Exploit

Professor Plum Hacker

Every year thousands of organizations are compromised by targeted attacks. In many cases the attacks are labeled as advanced and persistent which suggests a high level of sophistication in the attack and tools used. Many times, this title is leveraged as an excuse that the events were inevitable or irresistible, as if the assailants' skill set is well beyond what defenders are capable of. To the contrary, often these assailants are not as untouchable as many would believe.

If one looks at the many APT reports that have been released over the years some clear patterns start to emerge. A small number of Remote Administration Tools are preferred by actors and reused across multiple campaigns. Frequently sited tools include Gh0st RAT, Plug-X, and XtremeRAT among others. Upon examination, the command and control components of these notorious RATs are riddled with vulnerabilities. Vulnerabilities that can be exploited to turn the tables from hunter to hunted.

The presentation will disclose several exploits that could allow remote execution or remote information disclosure on computers running these well-known C&C components. It should serve as a warning to those actors who utilize such toolsets. That is to say, such actors live in glass houses and should stop throwing stones.

Professor Plum
Professor Plum is an experienced reverse engineer, developer, and digital forensics examiner. He holds a graduate degree in Information Security from Johns Hopkins University, and has worked numerous computer incident investigations spanning the globe. He currently works as a Senior Threat Researcher for a Fortune 500 cybersecurity company and previously worked for the Department of Defense performing vulnerability research, software development, and Computer Network Operations.

@professor__plum


Return to Index      -     

 

ICS - Calibria - Saturday - 10:30-10:59


Title: Dissecting industrial wireless implementations.

Wireless technologies are seeing increased use on the plant floor to enable pervasive monitoring and control of processes. Off-the-shelf security tools focus on assessing the security properties of commercial and consumer protocols such as 802.11 and Bluetooth. Several new standards have emerged for use in industrial environments. In this talk, Blake will offer an introduction to Software Defined Radio (SDR) tools and their application in industrial security assessments. We will review two protocols based on 802.15.4, including industry standard WirelessHART. Blake will cover how to understand the security properties of RF protocols through integration with familiar tools such as Wireshark. The goal is to leave the audience with the knowledge to get started exploring their RF environment with GNU Radio and low-cost SDR tools and to stress the importance of including RF when threat modeling a system or facility.


Bio: Blake Johnson

Blake works on the Industrial Control System Cybersecurity Team at Mandiant. His work history includes time in the electric power generation and distribution (@AlliantEnergy) industry as well as a global retailer (@Amazon). He has been a radio hobbyist for 15 years and has been using software defined radios for security testing for the last 3.



Return to Index      -     

 

BHV - Pisa Room - Saturday - 13:00-13:29


Title: DIYBioweapons and Regulation

Speaker: Meow Ludo Meow Meow

About Meow Ludo Meow Meow:
Meow-Ludo is the founder of biohacking in Australia, and works full time running BioFoundry. He is a full-time hacker, part-time federal political candidate, and is interested in interdisciplinary projects.He is interested in the ability of biohackers to create bioweapons and the regulations that aim to control them.

Abstract:
Meow will be presenting on the capabilities for biological weapons that are currently able to be produced in home or community bio labs. He will explore the role that emerging technologies play in drastically reducing the technological and cost barriers to creating these constructs, and suggest ways that legislation and regulation may be employed to ensure maximum freedoms and innovation coupled with effective monitoring. Make sure to get your vaccinations before attending please.



Return to Index      -     

 

DEFCON - Track 3 - Saturday - 12:00-12:45


DNS - Devious Name Services - Destroying Privacy & Anonymity Without Your Consent

Saturday at 12:00 in Track 3

45 minutes | Art of Defense

Jim Nitterauer Senior Security Specialist, AppRiver, LLC

You've planned this engagement for weeks. Everything's mapped out. You have tested all your proxy and VPN connections. You are confident your anonymity will be protected. You fire off the first round and begin attacking your target. Suddenly something goes south. Your access to the target site is completely blocked no matter what proxy or VPN you use. Soon, your ISP contacts you reminding you of their TOS while referencing complaints from the target of your engagement. You quickly switch MAC addresses and retry only to find that you are quickly blocked again!

What happened? How were you betrayed? The culprit? Your dastardly DNS resolvers and more specifically, the use of certain EDNS0 options by those resolvers.

This presentation will cover the ways in which EDNS OPT code data can divulge details about your online activity, look at methods for discovering implementation by upstream DNS providers and discuss ways in which malicious actors can abuse these features. We will also examine steps you can take to protect yourself from these invasive disclosures.

The details covered will be only moderately technical. Having a basic understanding of RFC 6891 and general DNS processes will help in understanding. We will discuss the use of basic tools including Wireshark, Packetbeat, Graylog and Dig.

Jim Nitterauer
Currently a Senior Security Specialist at AppRiver, LLC., his team is responsible for global network deployments and manages the SecureSurf global DNS infrastructure and SecureTide global spam & virus filtering infrastructure as well as all internal applications. They also manage security operations for the entire company. He holds a CISSP certification. He is also well-versed in ethical hacking and penetration testing techniques and has been involved in technology since the late 1980s when punch cards were still a thing.

Jim has presented at NolaCon, ITEN WIRED, BSides Las Vegas, BSides Atlanta, CircleCityCon and several smaller conferences. He regularly attends national security conferences and is passionate about conveying the importance of developing, implementing and maintaining security policies for organizations. His talks convey unique and practical techniques that help attendees harden their security in practical and easy-to-deploy ways.

Jim is a senior staff member with BSides Las Vegas, a member of the ITEN WIRED Planning Committee and the president of the Florida Panhandle (ISC)2 Chapter. When not at the computer, Jim can be found working out, playing guitar, traveling or just relaxing with an adult beverage.

Twitter: @jnitterauer
LinkedIn: https://www.linkedin.com/in/jnitterauer/


Return to Index      -     

 

Demolabs - Table 2 - Saturday - 16:00-17:50


DNS-Exfil-Suite

Nolan Berry

Cory Schwartz

Saturday from 1600-1750 at Table Two

Audience: I think the best audience here would be PenTesters, DNS Engineers and people looking to learn more about DNS based attack methods.

Our tool kit provides multiple methods of data exfiltration, infiltration and botnet command and control systems using 100% DNS traffic that is either hard to detect or impossible to detect.

https://github.com/ndberry/DNS_Exfil_Tool

Nolan Berry
DNS Engineer
-----------
Nolan has been working with DN for 2 years and has always been very interested in security. His passion for both security and DNS has led him to work and develop a platform for DNS exploitation in an attempt to raise awareness of known but under appreciated security flaws.

Cory Schwartz
Site Reliability Engineer
Twitter
----------
Cory has a past working on signals intelligence and processing after graduating with a degree in cryptography he served in the Air Force and then as a government contractor helping the intelligence community. After that he worked at Rackspace on CloudStorage and systems automation. Now he is an SRE at Twitter in San Fransisco.


Return to Index      -     

 

RCV - Palermo room, Promenade level - Sunday - 11:25-11:55


Do Tinder Bots Dream of Electric Toys? How Tinder Bots are breaking hearts all over the world, and trashing Tinder’s reputation while they’re at it.

Abstract

Tinder. The Final Frontier. Pick gorgeous (or not so gorgeous) members of your desired sex with the tip of your finger, at the comfort of your sofa, your bed, and let’s admit it - your toilet seat…

Research shows that there are 50 million active users on Tinder, who check their accounts 11 times per day and spend an average of 90 minutes per day on the app. Even celebrities, it seems. [Marie Claire]

In the name of Science, I decided to sacrifice myself and delve into the world of Tinder Dating. At first, I was detecting patterns in photos, in poses, in language and in attitude, all over the world! But suddenly something else showed up on my radar: Bots. And not just one - I was being surrounded. Imagine the heartbreak of matching 7 gorgeous women in a Scandinavian capital, only to discover that not only were they in reality bots, but they actually had an agenda!

In this talk I’ll describe the research, how I came to discover that Bots were not an isolated case, and how I uncovered the pattern behind generating the profiles. I’ll also break down the infrastructure behind the operation, and show who’s behind a campaign that spawned over multiple countries and continents. I’ll give multiple examples, from Tinder as well as from other platforms, of how bots operate under the radar of the site owners and carry out their agenda.

Speaker Profile

Inbar (@inbarraz) has been teaching and lecturing about Internet Security and Reverse Engineering for nearly as long as he has been doing that himself. He started programming at the age of 9 on his Dragon 64. At 13 he got a PC, and promptly started Reverse Engineering at the age of 14. Through high-school he was a key figure in the Israeli BBS scene. He spent most of his career in the Internet and Data Security field, and the only reason he’s not in jail right now is because he chose the right side of the law at an early age.

Inbar specializes in outside-the-box approach to analyzing security and finding vulnerabilities. From late 2011 to late 2014 he was running the Malware and Security Research at Check Point, using his extensive experience of over 20 years in the Internet and Data security fields. He has presented at a number of conferences, including Kaspersky SAS, Hack.lu, CCC, Virus Bulletin, ZeroNights, ShowMeCon, several Law Enforcement events and Check Point events.

These days, Inbar is performing fascinating research on Bots and Automated Attacks at PerimeterX, and educating both customers and the public about the subjects.


Return to Index      -     

 

RCV - Palermo room, Promenade level - Saturday - 12:10-12:59


Domain discovery, expanding your scope like a boss

Abstract

Whether you do wide scope pentesting or bounty hunting, domain discovery is the 1st method of expanding your scope. Join Jason as he walks you through his tool chain for discovery including; subdomain scraping, bruteforce, ASN discovery, permutation scanning, automation, and more!

Speaker Profile

Jason Haddix (@Jhaddix)

I spoke at DC 23 on a talk called “how to shot webâ€.


Return to Index      -     

 

DEFCON - Track 3 - Saturday - 15:00-15:45


DOOMed Point of Sale Systems

Saturday at 15:00 in Track 3

45 minutes | Demo, Exploit

trixr4skids Security Engineer

In response to public security breaches many retailers have begun efforts to minimize or completely prevent the transmission of unencrypted credit card data through their store networks and point of sale systems. While this is definitely a great improvement over the previous state of affairs; it places the security of transactions squarely in the hands of credit card terminals purchased from third party vendors. These terminals have a security posture that is often not well understood by the retail chains purchasing them. To better understand if the trust placed in these devices is warranted, the attack surface and hardening of a commonly deployed credit card terminal series is reviewed and a discussion of reverse engineered security APIs is presented. Despite the reduced attack surface of the terminals and hardened configuration, attacks that allow recovery of magstripe track data and PIN codes are demonstrated to be possible.

trixr4skids
trixr4skids is a security engineer and a recovering consultant. He enjoys hardware hacking, reverse engineering, the occasional webapp RCE, robots, beer, and of course robots that bring him beer. As a child he enjoyed taking apart everything he could get his hands on in a quest to figure out how it worked (his parents did not always appreciate this). He could never figure out what the green rectangles with the black rectangles on them did and often resorted to smashing them with a hammer to see what was inside. Since then he has learned more effective ways to go about discovering the secrets those black things are hiding and even how to make them do different things than intended. His current research projects include attacking embedded devices based on the rabbit 2000/3000 CPUs, studying the security of payment card systems, and hacking anything interesting that he can buy off eBay.

@trixr4skids


Return to Index      -     

 

DEFCON - Track 1 - Saturday - 12:00-12:45


Driving down the rabbit hole

Saturday at 12:00 in 101 Track

45 minutes | Demo

Mickey Shkatov Security Researcher, McAfee.

Jesse Michael Security Researcher, McAfee.

Oleksandr Bazhaniuk Security Researcher

Over the past few years, cars and automotive systems have gained increasing attention as cyber-attack targets.  Cars are expensive.  Breaking cars can cost a lot.  So how can we find vulnerabilities in a car with no budget?  We’ll take you with us on a journey from zero car security validation experience through the discovery and disclosure of multiple remotely-exploitable automotive vulnerabilities.  Along the way, we’ll visit a wrecking yard, reassemble (most) of a 2015 Nissan Leaf in our lab, discuss how we picked our battles, fought them, and won.  During our talk, we’ll examine the details of three different classes of vulnerabilities we found in this vehicle, how they can be exploited, and the potential ramifications to the owner of their real-world exploitation.  We’ll also discuss the broader scope of the vulnerabilities discovered, how they extend beyond just this specific vehicle, and what the industry can do better to prevent these types of problems in the future.

Mickey Shkatov
Mickey Shkatov is a security researcher and a member of the McAfee Advanced Threat Research team. His areas of expertise include vulnerability research, hardware and firmware security, and embedded device security

@HackingThings

Jesse Michael
Jesse Michael has been working in security for over a decade and is currently a member of the McAfee Advanced Threat Research team who spends his time causing trouble and finding low-level hardware security vulnerabilities in modern computing platforms

@jessemichael

Oleksandr Bazhaniuk
Oleksandr Bazhaniuk is a security researcher and reverse engineer with background in automation of binary vulnerability analysis. He is also a co-founder of DCUA, the first DEF CON group in Ukraine.

@ABazhaniuk


Return to Index      -     

 

Night Life - Track 2 - Saturday - 20:00-24:00


Title:
Drunk Hacker History

Drunk Hacker History
Return to Index      -     

 

Demolabs - Table 5 - Saturday - 16:00-17:50


EAPHammer

Gabriel Ryan

Saturday from 1600-1750 at Table Five

Audience: Offensive security professionals, red teamers, penetration testers, researchers.

EAPHammer is a toolkit for performing targeted evil twin attacks against WPA2-Enterprise networks. It is designed to be used in full scope wireless assessments and red team engagements. As such, focus is placed on providing an easy-to-use interface that can be leveraged to execute powerful wireless attacks with minimal manual configuration. To illustrate how fast this tool is, here's an example of how to setup and execute a credential stealing evil twin attack against a WPA2-TTLS network in just two commands:

# generate certificates
./eaphammer --cert-wizard

# launch attack
./eaphammer -i wlan0 --channel 4 --auth ttls --wpa 2 --essid CorpWifi --creds

Features:
* Steal RADIUS credentials from WPA-EAP and WPA2-EAP networks.
* Perform hostile portal attacks to steal AD creds and perform indirect wireless pivots
* Perform captive portal attacks
* Built-in Responder integration
* Support for Open networks and WPA-EAP/WPA2-EAP
* No manual configuration necessary for most attacks.
* No manual configuration necessary for installation and setup process

https://github.com/s0lst1c3/eaphammer

Gabriel Ryan
Gabriel Ryan is a security consultant and researcher with a passion for wireless and infrastructure testing. He currently works for Gotham Digital Science at their New York office, where he provides full scope red team penetration testing capabilities for a diverse range of clients. He also contributes heavily to his company's research division, GDS Labs. Previously, Gabriel has worked as a penetration tester and researcher for the Virginia-based defense contractor OGSystems, and as a systems programmer for Rutgers University. He also is a member of the BSides Las Vegas senior staff, coordinating wireless security for the event. In his spare time, he enjoys live music, exploring the outdoors, and riding motorcycles.


Return to Index      -     

 

Workshops - ( Sold Out ) - Octavius 5 - Saturday - 10:30-14:30


Edge cases in web hacking

Saturday, 10:30 to 14:30 in Octavius 5

John Poulin Principal Application Security Consultant, nVisium

Learn how to identify, exploit, and chain web-app vulnerabilities that you don't see every day. These vulnerabilities will include Server-Side Template Injection, Serialization vulnerabilities and more. We will identify how common protection mechanisms in languages such as Ruby on Rails, Django and PHP can be bypassed/exploited.

Prerequisites: Basic experience with common web hacking, including Cross-Site Scripting, SQL Injection, Remote Code Execution and more.

Materials: Laptop with VMWare or Virtualbox.

Max students: 90 | Registration: https://dc25_poulin.eventbrite.com (Sold out!)

John Poulin
John is a Principal Application Security Consultant who specializes in web application security. John has over 9 years of experience in development, management, and code analysis of web applications. John specializes in Ruby on Rails applications, but is happy to work in any MVC framework. John is leading the development of a tool called Httpillage, which provides the ability to perform distributed attacks against web applications. He also plays a role in developing and maintaining nVisium's internal security services. John graduated from the University of Maine with a degree in Computer Science and a minor in German.


Return to Index      -     

 

DEFCON - Track 4 - Saturday - 11:00-11:30


Evading next-gen AV using artificial intelligence

Saturday at 11:00 in Track 4

20 minutes | Demo

Hyrum Anderson Technical Director of Data Science, Endgame

Much of next-gen AV relies on machine learning to generalize to never-before-seen malware. Less well appreciated, however, is that machine learning can be susceptible to attack by, ironically, other machine learning models. In this talk, we demonstrate an AI agent trained through reinforcement learning to modify malware to evade machine learning malware detection. Reinforcement learning has produced game-changing AI's that top human level performance in the game of Go and a myriad of hacked retro Atari games (e.g., Pong). In an analogous fashion, we demonstrate an AI agent that has learned through thousands of "games" against a next-gen AV malware detector which sequence of functionality-preserving changes to perform on a Windows PE malware file so that it bypasses the detector. No math or machine learning background is required; fundamental understanding of malware and Windows PE files is a welcome; and previous experience hacking Atari Pong is a plus.

Hyrum Anderson
Hyrum Anderson is technical director of data scientist at Endgame, where he leads research on detecting adversaries and their tools using machine learning. Prior to joining Endgame he conducted information security and situational awareness research as a researcher at FireEye, Mandiant, Sandia National Laboratories and MIT Lincoln Laboratory. He received his PhD in Electrical Engineering (signal and image processing + machine learning) from the University of Washington and BS/MS degrees from Brigham Young University. Research interests include adversarial machine learning, deep learning, large-scale malware classification, active learning, and early time-series classification.


Return to Index      -     

 

SKY - Verona/Tuin/Trevi - Promenade Level - Saturday - 17:00-17:59


Title:
Everything you wanted to know about orchestration but were afraid to ask.

1700 Saturday
redbeard
@brianredbeard
Everything you wanted to know about orchestration but were afraid to ask.

"Who doesn't dream of getting that big score: a remote shell inside of Google. But what would it get you? The compute mechanisms of ""web scale"" and ""cloud native"" companies are often wildly unlike those of smaller companies. At Twitter Apache Mesos rules the day. Google is the mastermind behind Borg and Kubernetes (née Seven of Nine). At Facebook FBAR is one tool of many used to keep everything running.

This talk aims to give visibility into ""the way things work"" in the second half of the second decade of the 21st century and lemme tell you, it's not LAMP stacks anymore. "

Return to Index      -     

 

Workshops - ( Sold Out ) - Octavius 5 - Saturday - 14:30-18:30


Exploitation/Malware Forward Engineering

Saturday, 14:30 to 18:30 in Octavius 5

Sean Dillon Senior Security Analyst, RiskSense, Inc.

Zachary Harding Senior Security Analyst, RiskSense, Inc.

Windows post-exploitation is the penetrating step of every penetration test if you're on a Windows network. You're obviously swimming in shells (it's Windows after all), but you aren't in full control yet. Your best account is Network Service and you want Enterprise Admin.

Elevating privileges, either through bypassing UAC or finding local exploits, stealing tokens, pivoting to other systems, scanning the local network, dumping credentials. There are few open source tools available, such as PowerShell Empire, Koadic C3, and Metasploit's Meterpreter. We will go through the low-level code that makes it all work.

The training will explore shellcode, COM, WMI, Windows API, and .NET, and how these open source tools bring it all together. You will walk away with the knowledge to write your own plugins for these systems, as well as your own custom malware. An in-depth understanding of antivirus detection and evasion will be included. This workshop is a focus on the code, not just the tactics.

Prerequisites: Programming knowledge, one or all of the following: x86/x64, Python, JavaScript, PowerShell, Ruby, C Pentesting knowledge: Basic Windows post-exploitation

Materials: Bring favorite OS and code editor, Windows VMs, WiFi.

Max students: 90 | Registration: https://dc25_dillon.eventbrite.com (Sold out!)

Sean Dillon
Sean Dillon is a senior security analyst at RiskSense, Inc. He has an established research focus on attacking the Windows kernel, and was the first to reverse engineer the DOUBLEPULSAR SMB backdoor. He is a co-author of the ETERNALBLUE Metasploit module and other contributions to the project. He has previously been a software engineer in the avionics and insurance industries, and his favorite IDE is still GW-Basic on DOS.

Zachary Harding
Zach Harding is a senior security analyst at RiskSense, Inc. Zach formerly served in the US Army as a combat medic. He, along with Sean Dillon and others, improved leaked NSA code to release the "ExtraBacon 2.0" Cisco ASA exploit package. He is an avid tester of every penetration tool he can get a hold of. You know the guy who's always looking for available public WiFi, or fiddling with a kiosk machine? That's Zach.


Return to Index      -     

 

DEFCON - Track 2 - Thursday - 15:20-15:40


Exploiting 0ld Mag-stripe information with New technology

Thursday at 15:20 in 101 Track 2

20 minutes | Demo, Tool, Exploit

Salvador Mendoza Hacker

A massive attack against old magnetic stripe information could be executed with precision implementing new technology. In the past, a malicious individual could spoof magstripe data but in a slow and difficult way. Also brute force attacks were tedious and time-consuming. Technology like Bluetooth could be used today to make a persistent attack in multiple magnetic card readers at the same time with audio spoof.

Private companies, banks, trains, subways, hotels, schools and many others services are still using magstripe information to even make monetary transactions, authorize access or to generate "new" protocols like MST(Magnetic Secure Transmission) During decades the exploitation of magstripe information was an acceptable risk for many companies because the difficulty to achieve massive attacks simultaneously was not factible. But today is different.

Transmitting magstripe information in audio files is the faster and easier way to make a cross-platform magstripe spoofer. But how an attacker could transmit the audio spoof information to many magnetic card readers at the same time? In this talk, we will discuss how an attacker could send specific data or achieve a magstripe jammer for credit card terminals, PoS or any card reader. Also, how it could be implemented to generate brute force attacks against hotel door locks or tokenization processes as examples.

Salvador Mendoza
Salvador Mendoza is a security researcher focusing in tokenization processes, mag-stripe information and embedded prototypes. He has presented on tokenization flaws and payment methods at Black Hat USA, DEF CON, DerbyCon, Ekoparty, BugCON and Troopers. Salvador designed different tools to pentest mag-stripe and tokenization processes. In his designed toolset includes MagSpoofPI, JamSpay, TokenGet and lately SamyKam.

@Netxing
Blog: salmg.net


Return to Index      -     

 

DEFCON - Track 3 - Sunday - 11:00-11:45


Exploiting Continuous Integration (CI) and Automated Build systems

Sunday at 11:00 in Track 3

45 minutes | Demo, Tool, Exploit

spaceB0x Sr. Security Engineer at LeanKit Inc.

Continuous Integration (CI) systems and similar architecture has taken new direction, especially in the last few years. Automating code builds, tests, and deployments is helping hordes of developers release code, and is saving companies a great amount of time and resources. But at what cost? The sudden and strong demand for these systems have created some widely adopted practices that have large security implications, especially if these systems are hosted internally. I have developed a tool that will help automate some offensive testing against certain popular CI build systems. There has been a large adoption of initiating these builds through web hooks of various kinds, especially changes to public facing code repositories. I will start with a brief overview of some of the more popular CI tools and how they are being used in many organizations. This is good information for understanding, at a high level, the purpose of these systems as well as some security benefits that they can provide. From there we will dive into specific examples of how these different CI implementations have created vulnerabilities (in one case to a CI vendor themselves). Last we will explore the tool, its purpose, and a demonstration of its use. This tool takes advantage of the configurations of various components of the build chain to look for vulnerabilities. It then has the capability to exploit, persist access, command and control vulnerable build containers. Most of the demonstration will revolve around specific CI products and repositories, however the concepts are applicable across most build systems. The goal here is to encourage further exploration of these exploitation concepts. The tool is built "modularly" to facilitate this. If you are new to CI and automated build systems, or if you have been doing it for years, this talk and tool will help you to better secure your architecture

spaceB0x
spaceB0x is extremely dedicated to his work in information security. He is the Sr. Security Engineer at a software company called LeanKit. He likes, and occasionally succeeds at, security dev-opsing, web application and network penetration testing, and some other security things. He has written tools for secure key management within automation infrastructures, capturing netflow data, and pwning automated build systems. He loves the hacker community, learning new things, and exploring new ideas.

@spaceB0xx
Website: www.untamedtheory.com


Return to Index      -     

 

Wireless - Florentine BR I & II - Promenade Level - Friday - 17:00-17:55


Failsafe: Yet Another SimplySafe Attack Vector

No description available


Return to Index      -     

 

SKY - Verona/Tuin/Trevi - Promenade Level - Saturday - 14:00-14:59


Title:
FERPA - Only Your Grades Are Safe; OSINT in Higher Education

1400 Saturday
Leah Figueroa/ Princess Leah
@Sweet_Grrl
FERPA - Only Your Grades Are Safe; OSINT in Higher Education

"Institutions of higher education are supposed to be somewhere that students go, earn a degree, and leave, all while their data is safe. Or is it? In this talk, I discuss the gaping security holes left by FERPA (Family Educational Rights and Privacy Act (20 U.S.C. § 1232g; 34 CFR Part 99) with regard to student data. Almost all student data, with the exception of grades and select demographics picked by each institution, are commonly listed as directory information that is available to anyone who asks. Add to this most institutions of higher education commonly practice automatic “opt-in” for Directory Information and require students to specifically request that their information be withheld. This leads to an OSINT opportunity ripe for abuse. However, that is not the only issue. Due to a loophole in the way medical records are handled at institutions of higher education, these records can lose almost all protections and become classified as Directory Information. I show examples of how easily this information can be retrieved from several institutions and what sort of information is available from many institutions. At the conclusion of the talk, I illustrate the various ways this information can be potentially used against a victim or in the construction of a false identity."

Return to Index      -     

 

RCV - Palermo room, Promenade level - Sunday - 10:35-11:25


FERPA: Only Your Grades Are Safe; OSINT In Higher Education

Abstract

Institutions of higher education are supposed to be somewhere that students go, earn a degree, and leave, all while their data is safe. Or is it? In this talk, I discuss the gaping security holes left by FERPA (Family Educational Rights and Privacy Act (20 U.S.C. § 1232g; 34 CFR Part 99) with regard to student data. Almost all student data, with the exception of grades and select demographics picked by each institution, are commonly listed as directory information that is available to anyone who asks. Add to this most institutions of higher education commonly practice automatic “opt-in†for Directory Information and require students to specifically request that their information be withheld. This leads to an OSINT opportunity ripe for abuse.

However, that is not the only issue. Due to a loophole in the way medical records are handled at institutions of higher education, these records can lose almost all protections and become classified as Directory Information.

I show examples of how easily this information can be retrieved from several institutions and what sort of information is available from many institutions. At the conclusion of the talk, I illustrate the various ways this information can be potentially used against a victim or in the construction of a false identity.

Speaker Profile

Leah Figueroa (@Sweet_Grrl) is a 13 year veteran of the data analytics field and works as a data analyst in higher education. She holds a Master’s in Education, an ABD in research psychology, and has taught kindergarten.

A data aficionado, Leah focuses on research on improving student outcomes at the higher education level, including focusing on both minority student issues as well as issues pertaining to students who come from a background of poverty. While not at work, Leah is interested in increasing data security in the higher education sphere as well as improving blue teams by helping bring data analytics into the team. Leah also enjoys being a fiber artist (knitter) and loves cats, InfoSec, picking locks, cooking, and reading.


Return to Index      -     

 

SKY - Verona/Tuin/Trevi - Promenade Level - Friday - 10:00-10:59


Title:
Financial Crime 2.0

1000 Friday
Marcelo Mansur
@thatinfosecrec
Financial Crime 2.0

After the feedback from last year's talk I'm bringing this back to go into more detail about some of the finer points, cover some new cases of who's been caught and materials such as shopping lists of financial secrets. This will delve deeper into the murky coalition between cybercriminals and traders and, of course, I'll be telling you all I told you so!

Return to Index      -     

 

PHV - Milano VIII - Promenade Level - Saturday - 16:10-16:59


Fooling the Hound: Deceiving Domain Admin Hunters

Tom Sela, Head of Security Research at illusive networks

The conflict between cyber attackers and defenders is too often in favor of attackers. Recent results of graph theory research incorporated into red-team tools such as BloodHound, shift the balance even more dramatically towards attackers. Any regular domain user can map an entire network and extract the precise path of lateral movements needed to obtain domain admin credentials or a foothold at any other high-value asset. In this talk, we present a new practical defensive approach: deceive the attackers. Since the time of Sun Tzu, deceptions have been used on the battlefield to win wars. In recent years, the ancient military tactic of deceptions has been adopted by the cyber-security community in the form of HoneyTokens. Cyber deceptions, such as fictitious high-privilege credentials, are used as bait to lure the attackers into a trap where they can be detected. To shift the odds back in favor of the defenders, the same BloodHound graphs that are generated by attackers should be used by defenders to determine where and how to place bait with maximum effectiveness. In this way, we ensure that any shortest path to a high-value asset will include at least one deceptive node or edge.

Tom Sela (Twitter: @4x6hw) is Head of Security Research at illusive networks, specializing in Reverse Engineering, Malware Research, and OS internals. Prior to joining illusive, Tom lead the Malware Research team at Trusteer (acquired by IBM). Tom majored in Computer Science at Ben-Gurion University and studied at the Israeli Naval Academy, University of Haifa.


Return to Index      -     

 

PHV - Milano VIII - Promenade Level - Saturday - 12:10-12:59


Fortune 100 InfoSec on a State Government Budget

Eric Capuano, SOC Manager at Texas Department of Public Safety

A common misconception is that it takes spending millions to be good at security. Not only is this untrue, but I will share ways that you can increase security posture while actually reducing spending. This talk outlines many of the tricks and mindsets to doing security well without breaking the bank. This is not the typical “Problem, problem, problem....†talk.... This is a solution-based talk that goes back to many of the basic challenges facing SOC teams everywhere.

Eric Capuano (Twitter: @eric_capuano) is an Information Security professional serving state and federal government as well as SMBs, start-ups and non-profits. Also, a member of the Packet Hacking Village team at DEF CON.


Return to Index      -     

 

Workshops - ( Sold Out ) - Octavius 6 - Saturday - 10:30-14:30


Free and Easy DFIR Triage for Everyone: From Collection to Analysis

Saturday, 10:30 to 14:30 in Octavius 6

Alan Orlikoski

Dan M.

The hardest part of Digital Forensics and Incident Response (DFIR) is getting a meaningful look at "the goods". The digital artifact collection and parsing process usually requires a lot of time, money, or both. Wouldn't it be nice if there was a way to do this with a straightforward tool chain that was 100% free*, easy to setup, didn't require a PHD in coding, GitHub command mastery, and endless hours of "Where the @%^@$ did that dependency come from and how do I get it?" This course is a tutorial to the CyLR, CDQR, Forensics Virtual Machine (CCF-VM) where attendees will learn how to establish a working collection, data processing, and analysis solution for any size environment.

Attendees will setup and learn to use their own CCF-VM that includes: secure data collection from Windows and Linux Hosts, automated processing, and meaningful presentation of the data. After the data has been collected and processed, attendees will learn how to optimize dashboards for common kill chain analysis and Data Stacking.

*Your time must be worthless and your hardware free flowing

Prerequisites: Functional knowledge of Digital Forensics and Incident Response (DFIR) fundamentals including; the IR life-cycle, artifact collection and preservation, Timeline analysis, and modern threat kill chains. Attendee should have a working knowledge of network fundamentals, Windows and Linux configurations, and virtualization. Familiarization with VMWare / VirtualBox, Python, ElasticSearch, Kibana, and Plaso is ideal but not required.

Materials: A laptop capable of running either VirtualBox or VMWare software with 100GB Free HD space and; 8Gb Ram and an i5 equivalent processor (minimum), 16Gb Ram and i7 equivalent processor (preferred). All software is available from GitHub while virtual machines and data files will be available at the course. A 32Gb USB3.0 flash drive with the software, virtual machines, and data files will be made available for the attendees at a cost of $20 (materials fee).

Max students: 30 | Registration: https://dc25_orlikoski.eventbrite.com (Sold out!)

Alan Orlikoski
Alan has over 17 years of experience in both private and public sectors of the IT industry, with over 11 years of experience leading cyber security related projects. He has an extensive forensics background, written multiple open source forensic tools, profiled on the SQRRL Threat Hunter Blog, and presented at multiple security conferences. Alan has been a leader in some of the largest incident response and security operations center development programs in the history of multiple Fortune 100 companies. He also teaches Historical European Martial Arts (yup, he knows how to fight with a sword, poleaxe, spear...you get the picture)

Dan M.
Dan is a broad-spectrum technology professional with 18 years of experience, 13 in direct performance of Digital Forensics and Incident Response (DFIR). Dan has served as a contributor, Technical Lead, and Practice Lead for a Fortune 10 Incident Response service. In this role, Dan provided oversight to the goals and delivery of the service as well as a functioning as a senior incident handler and critical incident lead. Dan's investigation experience includes support for basic forensic analysis up through responses to complete enterprise breach scenarios. During this work Dan contributed to the patent development of enterprise threat intelligence sharing technologies. Dan has also been a presenter at events such as FIRST, Evanta, HTCIA, APWG, IEEE and many customer engagements.


Return to Index      -     

 

DEFCON - Track 4 - Sunday - 14:00-14:45


Friday the 13th: JSON attacks!

Sunday at 14:00 in Track 4

45 minutes | Demo, Exploit

Alvaro Muñoz Principal Security Researcher,Hewlett Packard Enterprise

Oleksandr Mirosh Senior Security QA Engineer, Hewlett Packard Enterprise

2016 was the year of Java deserialization apocalypse. Although Java Deserialization attacks were known for years, the publication of the Apache Commons Collection Remote Code Execution (RCE from now on) gadget finally brought this forgotten vulnerability to the spotlight and motivated the community to start finding and fixing these issues.

One of the most suggested solutions for avoiding Java deserialization issues was to move away from Java Deserialization altogether and use safer formats such as JSON. In this talk, we will analyze the most popular JSON parsers in both .NET and Java for potential RCE vectors.

We will demonstrate that RCE is also possible in these libraries and present details about the ones that are vulnerable to RCE by default. We will also discuss common configurations that make other libraries vulnerable.

In addition to focusing on JSON format, we will generalize the attack techniques to other serialization formats. In particular, we will pay close attention to several serialization formats in .NET. These formats have also been known to be vulnerable since 2012 but the lack of known RCE gadgets led some software vendors to not take this issue seriously. We hope this talk will change this. With the intention of bringing the due attention to this vulnerability class in .NET, we will review the known vulnerable formats, present other formats which we found to be vulnerable as well and conclude presenting several gadgets from system libraries that may be used to achieve RCE in a stable way: no memory corruption — just simple process invocation.

Finally, we will provide recommendations on how to determine if your code is vulnerable, provide remediation advice, and discuss alternative approaches.

Alvaro Muñoz
Alvaro Muñoz (@pwntester) works as Principal Software Security Researcher with HPE Security Fortify, Software Security Research (SSR). His research focuses on different programming languages and web application frameworks searching for vulnerabilities or unsafe uses of APIs. Before joining the research team, he worked as an Application Security Consultant helping enterprises to deploy their application security programs. Muñoz has presented at many Security conferences including DEF CON , RSA, AppSecEU, Protect, DISCCON, etc and holds several infosec certifications, including OSCP, GWAPT and CISSP, and is a proud member of int3pids CTF team. He blogs at http://www.pwntester.com.

@pwntester

Oleksandr Mirosh
Oleksandr Mirosh has over 9 years of computer security experience, including vulnerability research, penetration testing, reverse engineering, fuzzing, developing exploits and consulting. He is working for HPE Software Security Research team investigating and analyzing new threats, vulnerabilities, security weaknesses, new techniques of exploiting security issues and development vulnerability detection, protection and remediation rules. In the past, he has performed a wide variety of security assessments, including design and code reviews, threat modelling, testing and fuzzing in order to identify and remove any existing or potentially emerging security defects in the software of various customers.


Return to Index      -     

 

BillW - Office 4A on Promenade Level - Thursday - 12:00-13:00


Title:
Friends of Bill W

Vegas is a lot of fun, but it can also be just a lot. Too much, even, if you’re trying to keep the horizon level in your windscreen. If you’re a friend of Bill W joining us for DEF CON 25, please know that we have meetings at noon and five p.m., Thursday through Sunday in “Office 4A”, on the promenade level. Drop by if you need to touch base or just want a moment of serenity. We’ll be there.
( See info booth next to office 4 on the map, if you’re having trouble finding “Office 4A”)
Return to Index      -     

 

BillW - Office 4A on Promenade Level - Thursday - 17:00-18:00


Title:
Friends of Bill W

Vegas is a lot of fun, but it can also be just a lot. Too much, even, if you’re trying to keep the horizon level in your windscreen. If you’re a friend of Bill W joining us for DEF CON 25, please know that we have meetings at noon and five p.m., Thursday through Sunday in “Office 4A”, on the promenade level. Drop by if you need to touch base or just want a moment of serenity. We’ll be there.
( See info booth next to office 4 on the map, if you’re having trouble finding “Office 4A”)
Return to Index      -     

 

BillW - Office 4A on Promenade Level - Friday - 12:00-13:00


Title:
Friends of Bill W

Vegas is a lot of fun, but it can also be just a lot. Too much, even, if you’re trying to keep the horizon level in your windscreen. If you’re a friend of Bill W joining us for DEF CON 25, please know that we have meetings at noon and five p.m., Thursday through Sunday in “Office 4A”, on the promenade level. Drop by if you need to touch base or just want a moment of serenity. We’ll be there.
( See info booth next to office 4 on the map, if you’re having trouble finding “Office 4A”)
Return to Index      -     

 

BillW - Office 4A on Promenade Level - Friday - 17:00-18:00


Title:
Friends of Bill W

Vegas is a lot of fun, but it can also be just a lot. Too much, even, if you’re trying to keep the horizon level in your windscreen. If you’re a friend of Bill W joining us for DEF CON 25, please know that we have meetings at noon and five p.m., Thursday through Sunday in “Office 4A”, on the promenade level. Drop by if you need to touch base or just want a moment of serenity. We’ll be there.
( See info booth next to office 4 on the map, if you’re having trouble finding “Office 4A”)
Return to Index      -     

 

BillW - Office 4A on Promenade Level - Saturday - 12:00-13:00


Title:
Friends of Bill W

Vegas is a lot of fun, but it can also be just a lot. Too much, even, if you’re trying to keep the horizon level in your windscreen. If you’re a friend of Bill W joining us for DEF CON 25, please know that we have meetings at noon and five p.m., Thursday through Sunday in “Office 4A”, on the promenade level. Drop by if you need to touch base or just want a moment of serenity. We’ll be there.
( See info booth next to office 4 on the map, if you’re having trouble finding “Office 4A”)
Return to Index      -     

 

BillW - Office 4A on Promenade Level - Saturday - 17:00-18:00


Title:
Friends of Bill W

Vegas is a lot of fun, but it can also be just a lot. Too much, even, if you’re trying to keep the horizon level in your windscreen. If you’re a friend of Bill W joining us for DEF CON 25, please know that we have meetings at noon and five p.m., Thursday through Sunday in “Office 4A”, on the promenade level. Drop by if you need to touch base or just want a moment of serenity. We’ll be there.
( See info booth next to office 4 on the map, if you’re having trouble finding “Office 4A”)
Return to Index      -     

 

BillW - Office 4A on Promenade Level - Sunday - 12:00-13:00


Title:
Friends of Bill W

Vegas is a lot of fun, but it can also be just a lot. Too much, even, if you’re trying to keep the horizon level in your windscreen. If you’re a friend of Bill W joining us for DEF CON 25, please know that we have meetings at noon and five p.m., Thursday through Sunday in “Office 4A”, on the promenade level. Drop by if you need to touch base or just want a moment of serenity. We’ll be there.
( See info booth next to office 4 on the map, if you’re having trouble finding “Office 4A”)
Return to Index      -     

 

BillW - Office 4A on Promenade Level - Sunday - 17:00-18:00


Title:
Friends of Bill W

Vegas is a lot of fun, but it can also be just a lot. Too much, even, if you’re trying to keep the horizon level in your windscreen. If you’re a friend of Bill W joining us for DEF CON 25, please know that we have meetings at noon and five p.m., Thursday through Sunday in “Office 4A”, on the promenade level. Drop by if you need to touch base or just want a moment of serenity. We’ll be there.
( See info booth next to office 4 on the map, if you’re having trouble finding “Office 4A”)
Return to Index      -     

 

DEFCON - Track 2 - Saturday - 16:00-16:45


From "One Country - One Floppy" to "Startup Nation" - the story of the early days of the Israeli hacking community, and the journey towards today's vibrant startup scene

Saturday at 16:00 in Track 2

45 minutes | Hacker History

Inbar Raz Principal Researcher, PerimeterX Inc.

Eden Shochat Equal Partner, Aleph

The late 80's and early 90's played a pivotal role in the forming of the Israeli tech scene as we know it today, producing companies like Checkpoint, Waze, Wix, Mobileye, Viber and billions of dollars in fundraising and exits. The people who would later build that industry were in anywhere from elementary school to high school, and their paths included some of the best hacking stories of the time (certainly in the eyes of the locals). The combination of extremely expensive Internet and international dial system, non-existent legal enforcement and a lagging national phone company could not prevent dozens of hungry-for-knowledge kids from teaching themselves the dark arts of reversing, hacking, cracking, phreaking and even carding. The world looked completely different back then and we have some great stories for you. We will cover the evolution of the many-years-later-to-be-named-Cyber community, including personal stories from nearly all categories. Come listen how the Israeli Cyber "empire" was born, 25 years ago, from the perspectives of 2:401/100 and 2:401/100.1.

Inbar Raz
Inbar has been reverse engineering for nearly as long as he has been living. It started with a screwdriver, pliers, wire cutters, and his grandfather's ECG machine, and gradually transitioned into less destructive research. In 1984, aged 9, he started programming on his Dragon 64. At 13 he got his first PC - Amstrad PC1512 - and within a year was already into reverse engineering. It wasn't long before he discovered how to access the X.25 network, Bitnet and Fidonet, and through high-school he was a key figure in the Israeli BBS scene.

Inbar spent most of his career in the Internet and Data Security field, and the only reason he's not in jail right now is because he chose the right side of the law at an early age. In fact, nowadays he commonly lectures about Ethical Hacking and Coordinated Vulnerability Disclosure.

Inbar specializes in outside-the-box approach to analyzing security and finding vulnerabilities, and is currently the Principal Researcher at PerimeterX, researching and educating the public on Automated Attacks on Websites.

@inbarraz
https://www.linkedin.com/in/inbar-raz-90a7913/

Eden Shochat
Eden Shochat builds stuff, most recently Aleph, +$330MM venture capital fund; The Junction, voted #1 startup program in Israel; face.com, a massive face recognition API acquired by Facebook; Aternity, the leading user-centric enterprise IT platform, acquired by Riverbed; and GeekCon, Europe's biggest makers conference. Eden grew up in Nigeria, where he was bored into assembly programming for the Z80 chip, graduated into the demo and cracking scenes while being thrown out of high-school but ended up being a (somewhat) productive member of society.

@eden
https://www.linkedin.com/in/edens/


Return to Index      -     

 

DEFCON - Track 1 - Thursday - 11:00-11:45


From Box to Backdoor: Using Old School Tools and Techniques to Discover Backdoors in Modern Devices

Thursday at 11:00 in 101 Track

45 minutes

Patrick DeSantis Senior Security Research Engineer, Cisco Talos

Stringing together the exploitation of several seemingly uninteresting vulnerabilities can be a fun challenge for security researchers, penetration testers, and malicious attackers. This talk follows some of the paths and thought processes that one researcher followed while evaluating the security of several new "out of the box" Industrial Control System (ICS) and Internet of Things (IoT) devices, using a variety of well known exploitation and analysis techniques, and eventually finding undocumented, root-level, and sometimes un-removable, backdoor accounts.

Patrick DeSantis
Patrick DeSantis is a security researcher with Cisco Talos and focuses his efforts on discovery and exploitation of vulnerabilities in technologies that have an impact on the physical world, such as Industrial Control Systems (ICS), Supervisory Control and Data Acquisition (SCADA), Internet of Things (IoT), and anything else that looks like it's asking to be hacked. Patrick's background includes work in both the public and private sectors, as well as a pile of information security certifications and a few college degrees.

@pat_r10t


Return to Index      -     

 

IOT - Main Contest Area - Saturday - 10:00-10:50



Return to Index      -     

 

IOT - Main Contest Area - Sunday - 11:00-11:50



Return to Index      -     

 

SKY - Verona/Tuin/Trevi - Promenade Level - Friday - 13:00-13:59


Title:
From OPSUCK to OPSEXY: An OPSEC Primer

1300 Friday
H0m3l3ss, Steve Pordon, and minion
@H0m3l3ssHacker @Legion303
From OPSUCK to OPSEXY: An OPSEC Primer

Return to Index      -     

 

ICS - Calibria - Friday - 11:00-11:30


Title: Fun with Modbus function code 90.

Forget 0 days, long live "forever days" ! In this talk, we'll take a look at how Schneider PLCs rely on an undocumented Modbus function code for administrative actions (start/stop, download and upload ladder logic, ...). We'll also demo the dedicated Metasploit program, and discuss the security level on newer Schneider PLCs. We'll conclude with defensive measures you can take to prevent attacks using this protocol.


Bio: Arnaud Soullie

Arnaud Soullié (@arnaudsoullie) is a manager at Wavestone, where he has been performing security audits, pentests and research for 7+ years. He has a specific interest in Active Directory security as well as ICS, two subjects that tend to collide nowadays. He teaches ICS security and pentests workshops at security conferences (BlackHat Europe 2014, BSides Las Vegas 2015, Brucon 2015, DEFCON) as well as full trainings (Hack In Paris 2015).



Return to Index      -     

 

Demolabs - Table 1 - Saturday - 10:00-11:50


Fuzzapi

Abhijeth Dugginapeddi

Lalith Rallabhandi

Srinivas Rao

Saturday from 1000-1150 at Table One

Audience: AppSec, Web/Mobile Developers, DevOps

Fuzzapi is a REST API pen testing tool that automatically does a bunch of checks for vulnerabilities on your APIs. Rather than a tool that only identifies vulnerabilities in web services, we have built a platform that enables everyone to test and understand a large range of API vulnerabilities that exist in both web and mobile applications. After seeing the benefits of Automating REST API pen testing using a basic Fuzzapi tool, the authors have decided to come up with a better version which can automatically look into vulnerabilities in APIs from the time they are written. REST APIs are often one of the main sources of vulnerabilities in most web/mobile applications. Developers quite commonly make mistakes in defining permissions on various cross-platform APIs. This gives a chance for the attackers to abuse these APIs for vulnerabilities. Fuzzapi is a tool written in Ruby on Rails which helps to quickly identify such commonly found vulnerabilities in APIs which helps developers to fix them earlier in SDLC life cycle. The first released version of the tool only has limited functionalities however, the authors are currently working on releasing the next version which will completely automate the process which saves a lot of time and resources.

https://www.youtube.com/watch?v=43G_nSTdxLk&t=321s

Abhijeth Dugginapeddi
Abhijeth D (@abhijeth) is a Security Consultant working for a bank in Australia. Previously worked with Adobe Systems, TCS and Sourcenxt. Security Enthusiast in the fields of Penetration Testing, Application/Mobile/Infrastructure Security. Believes in need for more security awareness and free responsible disclosures. Got lucky in finding few vulnerabilities with Google, Yahoo, Facebook, Microsoft, Ebay, Paypal, etc and one among Top 5 researchers in Synack a bug bounty platform. Also interested in Social media Marketing, Digital Marketing and Web designing.

Lalith Rallabhandi
Lalith Rallabhandi (@lalithr95) currently works as a Security Intern at Shopify. He has previously worked with Hackerrank, Zomato and Google Summer of Code. Likes to code, break stuff mostly with web applications and is a Ruby on rails Enthusiast. Found bugs with Google, Microsoft, Facebook, Badoo, Twitter etc.

Srinivas Rao


Return to Index      -     

 

DEFCON - Track 1 - Sunday - 13:00-13:45


Game of Chromes: Owning the Web with Zombie Chrome Extensions

Sunday at 13:00 in 101 Track

45 minutes | Demo

Tomer Cohen R&D Security Team Leader, Wix.com

On April 16 2016, an army of bots stormed upon Wix servers, creating new accounts and publishing shady websites in mass. The attack was carried by a malicious Chrome extension, installed on tens of thousands of devices, sending HTTP requests simultaneously. This "Extension Bot" has used Wix websites platform and Facebook messaging service, to distribute itself among users. Two months later, same attackers strike again. This time they used infectious notifications, popping up on Facebook and leading to a malicious Windows-runnable JSE file. Upon clicking, the file ran and installed a Chrome extension on the victim's browser. Then the extension used Facebook messaging once again to pass itself on to more victims.

Analyzing these attacks, we were amazed by the highly elusive nature of these bots, especially when it comes to bypassing web-based bot-detection systems. This shouldn't be surprising, since legit browser extensions are supposed to send Facebook messages, create Wix websites, or in fact perform any action on behalf of the user.

On the other hand, smuggling a malicious extension into Google Web Store and distributing it among victims efficiently, like these attackers did, is let's say - not a stroll in the park. But don't worry, there are other options.

Recently, several popular Chrome extensions were found to be vulnerable to XSS. Yep, the same old XSS every rookie finds in so many web applications. So browser extensions suffer from it too, and sadly, in their case it can be much deadlier than in regular websites. One noticeable example is the Adobe Acrobat Chrome extension, which was silently installed on January 10 by Adobe, on an insane number of 30 million devices. A DOM-based XSS vulnerability in the extension (found by Google Project Zero) allowed an attacker to craft a content that would run Javascript as the extension.

In this talk I will show how such a flaw leads to full and permanent control over the victim's browser, turning the extension into zombie. Additionally, Shedding more light on the 2016 attacks on Wix and Facebook described in the beginning, I will demonstrate how an attacker can use similar techniques to distribute her malicious payload efficiently on to new victims, through popular social platforms - creating the web's most powerful botnet ever.

Tomer Cohen
Tomer Cohen leads the team at Wix.com responsible for all R&D and production systems security. Previous to that, Tomer has worked as an application security expert in several firms. Tomer was also one of the founders of "Magshimim" cyber training program, which teaches development and cyber security among high-school students in the periphery of Israel.


Return to Index      -     

 

DEFCON - Track 4 - Saturday - 16:00-16:45


Game of Drones: Putting the Emerging "Drone Defense" Market to the Test

Saturday at 16:00 in Track 4

45 minutes | Art of Defense, Demo, Tool

Francis Brown Partner, Bishop Fox

David Latimer Security Analyst, Bishop Fox

When you learned that military and law enforcement agencies had trained screaming eagles to pluck drones from the sky, did you too find yourself asking: "I wonder if I could throw these eagles off my tail, maybe by deploying delicious bacon countermeasures?" Well you'd be wise to question just how effective these emerging, first generation "drone defense" solutions really are, and which amount to little more than "snake oil".

There is no such thing as "best practices" when it comes to defending against "rogue drones", period. Over the past 2 years, new defensive products that detect and respond to "rogue drones" have been crawling out of the woodwork. The vast majority are immature, unproven solutions that require a proper vetting.

We've taken a MythBusters-style approach to testing the effectiveness of a variety of drone defense solutions, pitting them against our DangerDrone. Videos demonstrating the results should be almost as fun for you to watch as they were for us to produce. Expect to witness epic aerial battles against an assortment of drone defense types, including:

• trained eagles and falcons that hunt "rogue drones"
• fighter drones that hunt and shoot nets
• drones with large nets that swoop in and snatch up 'rogue drones'
• surface-to-air projectile weapons, including bazooka-like cannons that launch nets, and shotgun shells containing nets
• signal jamming and hijacking devices that attack drone command and control interfaces
• even frickin' laser beams and Patriot missiles!

We'll also be releasing DangerDrone v2.0, an upgraded version of our free Raspberry Pi-based pentesting quadcopter (basically a ~$500 hacker's laptop, that can also fly). We'll be giving away a fully functional DangerDrone v2.0 to one lucky audience member!

So come see what's guaranteed to be the most entertaining talk this year and find out which of these dogs can hunt!

Francis Brown
Francis Brown, CISA, CISSP, MCSE, is a Managing Partner at Bishop Fox (formerly Stach & Liu), a security consulting firm providing IT security services to the Fortune 1000 and global financial institutions as well as U.S. and foreign governments. Before joining Stach & Liu, Francis served as an IT Security Specialist with the Global Risk Assessment team of Honeywell International where he performed network and application penetration testing, product security evaluations, incident response, and risk assessments of critical infrastructure. Prior to that, Francis was a consultant with the Ernst & Young Advanced Security Centers and conducted network, application, wireless, and remote access penetration tests for Fortune 500 clients.

Francis has presented his research at leading conferences such as Black Hat USA, DEF CON , RSA, InfoSec World, ToorCon, and HackCon and has been cited in numerous industry and academic publications.

Francis holds a Bachelor of Science and Engineering from the University of Pennsylvania with a major in Computer Science and Engineering and a minor in Psychology. While at Penn, Francis taught operating system implementation, C programming, and participated in DARPA-funded research into advanced intrusion prevention system techniques.

David Latimer
David Latimer is a Security Analyst at Bishop Fox, a security consulting firm providing IT security services to the Fortune 500, global financial institutions, and high-tech startups. In this role, he focuses on network and web application penetration testing.

He won a state Cisco Networking Skills competition for Arizona in 2013. He has acted as a network engineer for one of Phoenix's largest datacenters, PhoenixNAP, where he architected large-scale virtualization clusters and assisted with backup disaster recovery services.


Return to Index      -     

 

DEFCON - Track 4 - Sunday - 12:00-12:45


Genetic Diseases to Guide Digital Hacks of the Human Genome: How the Cancer Moonshot Program will Enable Almost Anyone to Crash the Operating System that Runs You or to End Civilization...

Sunday at 12:00 in Track 4

45 minutes

John Sotos Chief Medical Officer, Intel Corporation

The human genome is, fundamentally, a complex open-source digital operating system (and set of application programs) built on the digital molecules DNA and RNA.

The genome has thousands of publicly documented, unpatchable security vulnerabilities, previously called "genetic diseases." Because emerging DNA/RNA technologies, including CRISPR-Cas9 and especially those arising from the Cancer Moonshot program, will create straightforward methods to digitally reprogram the genome in free-living humans, malicious exploitation of genomic vulnerabilities will soon be possible on a wide scale.

This presentation shows the breathtaking potential for such hacks, most notably the exquisite targeting precision that the genome supports — in effect, population, and time — spanning annoyance to organized crime to civilization-ending pandemics far worse than Ebola.

Because humans are poor at responding to less-than-immediate threats, and because there is no marketplace demand for defensive technologies on the DNA/RNA platform, the hacker community has an important role to play in devising thought-experiments to convince policy makers to initiate defensive works, before offensive hacks can be deployed in the wild. Hackers can literally save the world... from ourselves.

John Sotos
John Sotos is Chief Medical Officer at Intel Corporation. He has been programming computers continuously since 1970, excepting four years of medical school at Johns Hopkins, where he also trained as a transplantation cardiologist. His professional interests include hacking the medical diagnostic process, first with a book on edge cases, called "Zebra Cards: An Aid to Obscure Diagnosis," followed by six years as a medical technical consultant on the popular television series "House, MD." His masters degree in artificial intelligence is from Stanford, and he is a co-founder of Expertscape.com. He is a long-time air rescue flight surgeon for the National Guard; however, the opinions presented here are his own, and do not necessarily represent those of the Department of Defense or Intel.

www.intel.com
www.sotos.com


Return to Index      -     

 

DEFCON - Track 3 - Saturday - 10:00-10:30


Get-$pwnd: Attacking Battle-Hardened Windows Server

Saturday at 10:00 in Track 3

20 minutes | Demo, Tool

Lee Holmes Principal Security Architect, Microsoft

Windows Server has introduced major advances in remote management hardening in recent years through
PowerShell Just Enough Administration ("JEA"). When set up correctly, hardened JEA endpoints can provide
a formidable barrier for attackers: whitelisted commands, with no administrative access to the underlying
operating system.

In this presentation, watch as we show how to systematically destroy these hardened endpoints by exploiting
insecure coding practices and administrative complexity.

Lee Holmes
Lee Holmes is the lead security architect of Microsoft's Azure Management group, covering Azure Stack,
System Center, and Operations Management Suite. He is author of the Windows PowerShell Cookbook,
and an original member of the PowerShell development team.


Return to Index      -     

 

DEFCON - Track 4 - Sunday - 10:20-10:40


Ghost in the Droid: Possessing Android Applications with ParaSpectre

Sunday at 10:20 in Track 4

20 minutes | Demo, Tool

chaosdata Senior Security Consultant, NCC Group

Modern Android applications are large and complex, and can be a pain to analyze even without obfuscation - static analysis can only get one so far, the debugger sucks, Frida doesn't give you enough access to the Java environment, and editing smali or writing Xposed hooks can be time consuming and error prone. There has to be a better way!

What if we could inject a command line REPL into an app to drive functionality? And what if we could also make writing function hooks fast and easy?

In this talk, I will introduce ParaSpectre, a platform for dynamic analysis of Android applications that injects JRuby into Android applications. It bundles a hook configuration web API, a web application interface to configure and edit hooks, and a connect-back JRuby REPL to aid application exploration from the inside-out. It supports various selectors to match classes and methods, can be reconfigured on-the-fly without requiring a device reboot, and takes the pain out of writing method hooks for Android apps.

ParaSpectre is for developers and security researchers alike. While not itself a debugger, it provides a level of access into a running application that a debugger generally won't.

chaosdata
chaosdata(aka "Jeff") is a security consultant by day, and sometimes by night. He hacks on embedded systems, mobile apps and devices, web apps, and complicated things that don't have names. He also likes exotic candies.

@chaosdatumz


Return to Index      -     

 

Demolabs - Table 2 - Saturday - 10:00-11:50


GibberSense

Ajit Hatti

Saturday from 1000-1150 at Table Two

Audience: Cryptologers, crypt analysts, forensic investigators, developers and testers.

On your forensics and investigation assignment found a Gibberish string or unknown file and dont know what is it? Throw it to GibberSense, it might try to make some sense out of it.

Not sure if a file is encrypted, encoded or obfuscated using substitution ciphers? Gibbersense can give you statistical analysis of the contents and gives you direction for further investigation and also gives you an excellent visualization.

Being an extensible framework, Gibbersense gives tools for simple xor encryption, frequency analysis, which gives basic cryptanalysis capabilities.

An Open Source Initiative GibberSense is an experimental tool for improving investigations.

https://github.com/smxlabs/gibbersense

Ajit Hatti
Ajit Hatti has been contributing on secure usage of cryptography from past 5 years and currently focusing on the security issues of BlockChain related Technologies. He is an author of LAMMA & GibberSense tools which help in securing crypto and PKI Implementatinos.

Ajit is founder of SecurityMonx and is also working in collaboration with Payatu on futuristic projects. He also co-founded Null Open Security Community and has worked with Symantec, Emerson, ZScaler, IBM and Bluelane as a Security Researcher.

Ajit has presented his work at BlackHat DEFCON Crypto-n-Privacy Village and organizes Nullcon in India. He loves to Run & Volunteer at BSides LV and organizes The World Run by Hackers.


Return to Index      -     

 

PHV - Milano VIII - Promenade Level - Sunday - 12:10-12:59


Go Beyond Tabletop Scenarios by Building an Incident Response Simulation Platform

Eric Capuano, SOC Manager at Texas Department of Public Safety

How prepared is your incident response team for a worst case scenario? Waiting for a crisis to happen before training for a crisis is a losing approach. For things that must become muscle memory, instinctive, you must simulate the event and go through the motions. This talk is a deep-dive technical discussion on how you can build your own DFIR simulation. Best part -- almost all of this can be accomplished with open source tools and inexpensive equipment, but I'll also share tips and tricks on getting free commercial hardware and software for use in your new simulation environment!

Eric Capuano (Twitter: @eric_capuano) is an Information Security professional serving state and federal government as well as SMBs, start-ups and non-profits. Also, a member of the Packet Hacking Village team at DEF CON.


Return to Index      -     

 

Wireless - Florentine BR I & II - Promenade Level - Saturday - 17:00-17:55


Tim Kuester

Bio

Tim K is an electronics engineer living in Virginia Beach. He enjoys designing embedded systems and working with radios. Previously, he has taught workshops on Software Defined Radio at conferences like Kiwicon and Cyberspectrum. His favorite programming language is solder.

@bjt2n3904

Bio

Woody: Noob at heart. Its rumored he can lift heavy things but probably can't spell them. Until a few years ago he thought Linux was Charlie Brown's best friend.

@tb69rr

GODUMP-NG packet sniffing the Gotenna

Abstract

GoTenna is a wireless communication tool, popular for providing encrypted "off-the-grid" communications on unlicensed MURS channels. Using SDR, GNU Radio, and scapy we developed a tool to capture packets from all the channels, simultaneously. This allowed us to characterize device behavior, study the packet protocol, and passively monitor communications. In this talk, we will explain or methodologies, demonstrate our tools live, and show how to preform link analysis: who is talking with whom, when, and how much.


Return to Index      -     

 

Demolabs - Table 3 - Sunday - 10:00-11:50


GoFetch

Tal Maor

Sunday from 1000-1150 at Table Three

Audience: Enterprise, Applied Security, Windows domain, Defense and offense

GoFetch is a tool to automatically exercise an attack plan generated by the BloodHound application. The tool first loads a path of local admin users and computers generated by BloodHound and convert it to its own attack plan format. Once the attack plan is ready, it advances towards the destination according to the plan, step by step by successively apply remote code execution techniques and compromising credentials with Invoke-Mimikatz, Mimikatz and Invoke-Psexec.

A video of the Python version was published here: https://www.youtube.com/watch?v=dPsLVE0R1Tg A video of Invoke-GoFetch will be published soon. BloodHound Application - https://github.com/BloodHoundAD/BloodHound

Tal Maor
Tal Maor is a Security Researcher at Microsoft who has a passion for creating tools which makes life easy and more secured. Prior to Microsoft, Tal was developing intelligence platforms in a leading company, and previously served in the IDF intelligence unit for four years. Tal holds a B.Sc degree in Computer Science.


Return to Index      -     

 

CHV - Village Talks Outside Contest Area, Pool Level - Saturday - 11:00-11:59


GPS System Integrity

No description available


Return to Index      -     

 

CHV - Village Talks Outside Contest Area, Pool Level - Friday - 13:30-14:30


Grand Theft Radio (Stopping SDR Relay Attacks on PKES)

No description available


Return to Index      -     

 

Demolabs - Table 3 - Saturday - 12:00-13:50


GreatFET

Dominic Spill

Michael Ossmann

Saturday from 1200-1350 at Table Three

Audience: Hardware & Offense

GreatFET is an open source hardware hacking platform. In addition to support for common protocols such as SPI, USB, JTAG, and UART, GreatFET also allows us to implement arbitray protocols, as well as GPIO and acting as a logic analyser. Add on boards, known as neighbors, allow us to build on the flexibility of GreatFET and rapidly create new tools. Example neighbors include radio platforms, software defined infrared transceivers, and interfaces for hardware hacking.

Hardware: https://github.com/greatscottgadgets/greatfet Software/firmware: https://github.com/dominicgs/GreatFET-experimental

Dominic Spill
Dominic is a senior security researcher at Great Scott Gadgets, where he builds open source tools for reverse engineering communication protocols.

Michael Ossmann
Michael is a wireless security researcher who makes hardware for hackers. He founded Great Scott Gadgets in an effort to put exciting, new tools into the hands of innovative people.


Return to Index      -     

 

ICS - Calibria - Saturday - 16:00-16:30


Title: Grid insecurity - and how to really fix this shit

You don’t need to be nation state backed, sophisticated, or even organized to take down the grid. Anyone can hack ICS/SCADA (even Donald Trump’s 400 pound guy sitting on his bed!). And the thing is, for years, we’ve been talking about finding 0-day in the grid, water treatment facilities, and other critical infrastructure. For the past ten or so years, con talks have focused on two things: all the fun 0-days, and the thousand products you should buy to be protected. But they never address the complexity of the actual problem. ICS is made up of endless numbers of components from just as many manufacturers – vulnerabilities are just the result of either incomplete systems design, or poor implementation. Most weaknesses are discovered at interfaces between software providers, coding languages, and system component boundaries; where vulnerabilities are introduced by the sum of all parts. Protecting ICS/SCADA is a systems level problem – and splitting it up into distinct pentests is not the solution. It means never solving the end-to-end issue, and ultimately cannibalizing an organization’s security budget by applying band-aids, instead of fixing the systemic issue.
This talk will not be another talk about how f*cked the problem is, instead it’ll reframe the issue as a systemic one, and talk about ways to fix it end-to-end.


Bio: Bryson Bort

Bryson is the Founder of GRIMM, a hacking firm for network, system, and embedded devices. He has a special interest in automotive, industrial control, SCADA, and embedded system security, and has been building over the past year a patent-pending platform approach to automated enterprise risk assessment based on offensive security, CROSSBOWTM. Prior to founding GRIMM, Bryson led an elite offensive research & development division contributing directly to national security priorities. He is a West Point grad and did a stint with tanks (ask him why you’re a “crunchieâ€) and tactical communications. Twitter: @brysonbort @grimmcyber



Bio: Atlas

Atlas is a doer of stuff -- with proven expertise in programmatic reverse-engineering, automated vulnerability discovery and exploitation, and breaking into or out of anything related to a computer. Special hacking interests include exploiting automobiles, power systems and industrial control systems, locks, drones, or any other kind of embedded device. He’s a four time DEFCON CTF winner, is always entertaining, educational, and fun. His day job includes breaking stuff at GRIMM. Twitter: @at1as @grimmcyber


Return to Index      -     

 

Night Life - Octavius 5-8 - Saturday - 21:00-26:00


Title:
GRIMM's AWESOME Arcade Party

The giant 16 person LED foosball tables are coming back to DEF CON! GRIMM is hosting an arcade party with tons of old school arcade games and great music. Come join the party!
Return to Index      -     

 

Demolabs - Table 2 - Sunday - 12:00-13:50


Gumbler

Willis Vandevanter

Sunday from 1200-1350 at Table Two

Audience: Offense, AppSec

The tool searches the entire commit history of a Git project for secrets and files. This is a different approach from other tools which focus on the current revision. It's excellent at digging up API keys, deleted usernames and passwords or files that are now cloaked from .gitignore.

https://github.com/BuffaloWill/gumbler

Willis Vandevanter
Willis Vandevanter is a principal at Silent Robot Systems. Prior to SRS, Will was a Senior Researcher at Onapsis and Lead Penetration Tester at Rapid7. He has previously spoken at Blackhat, DEFCON, TROOPERS, and other conferences. In his spare time, he writes code and contributes to different projects.


Return to Index      -     

 

SKY - Verona/Tuin/Trevi - Promenade Level - Friday - 12:00-12:59


Title:
Gun control - You can’t put the Genie back into its bottle

1200 Friday
Michael E. Taylor, Attorney at Law
@mingheemouse
Gun control - You can’t put the Genie back into its bottle

Michael E. Taylor, Attorney at Law, firearms law specialist and amateur gunsmith, will lead you through the futility of gun control by explaining how anyone, anywhere on the planet, can cheaply and easily assemble a fully functional firearm and make their own self-contained ammunition for that firearm, with simple hand tools, all using absolutely no firearm specific components. The technologies demonstrated herein are all public domain. All predate ITAR, with most dating back to the mid 19th century. The legality of personal firearm construction varies from jurisdiction to jurisdiction, so mind your local laws.

Return to Index      -     

 

Night Life - Track 2 - Friday - 20:00-24:00


Title:
Hacker Jeopardy

Hacker Jeopardy
Return to Index      -     

 

Night Life - Track 2 - Saturday - 20:00-24:00


Title:
Hacker Jeopardy

Hacker Jeopardy
Return to Index      -     

 

Night Life - Roman 1, Promenade Level - Friday - 20:00-26:00


Title:
Hacker Karaoke

Our 9th year! Celebrate with us and with others who love to sing. Do you like music? Do you like performances? Want to BE the performer? Want to have that "Hold my beer moment" do your best and not injured? Well trot your happy ass down to Hacker Karaoke, DEF CON's on-site karaoke experience. You can be a star, or if you don't want to be a star, you can also take pride in making an utter fool of yourself.
Return to Index      -     

 

Night Life - Roman 1, Promenade Level - Saturday - 20:00-26:00


Title:
Hacker Karaoke

Our 9th year! Celebrate with us and with others who love to sing. Do you like music? Do you like performances? Want to BE the performer? Want to have that "Hold my beer moment" do your best and not injured? Well trot your happy ass down to Hacker Karaoke, DEF CON's on-site karaoke experience. You can be a star, or if you don't want to be a star, you can also take pride in making an utter fool of yourself.
Return to Index      -     

 

SEV - Emperors BR II - Friday - 18:25-19:15



Friday July 28 6:25PM 50 mins

Hackers gonna hack – But do they know why?
Hackers gonna hack – But do they know why? Previous academic studies have investigated the psychological aspects of information security, but the focus has been on social engineering or attempts to define hacker characteristics/motivations. This neglects the wider social psychological processes that influence everyone who takes part in online communities. These processes are important; they determine how we understand, perceive and interact with the members of our own group and the groups around us. What is especially notable from social psychological research are the many mistakes people make in trying to interpret those around us, mistakes which can lead to underestimating risk or creating unnecessary tensions.

This talk will explore how social psychological research should be used to improve understanding of all the groups who may be involved in an information security incident. Regardless of how much of an anarchist or rebel we might be, it will be discussed how individuals are strongly influenced by the norms and identity of their group – and whether this is a good thing or not.

Helen Thackaray: @hel_ty
Helen is a PhD candidate at Bournemouth University (UK). The work presented in this talk is part of research for the doctoral thesis. Despite having qualifications in neither, she is based in the departments of Psychology and Computing. She spends most of her time on different internet forums and still finds it amazing that the university pays her do this. Her research aims to examine group identity and group processes online, highlight the importance of social psychology in information security, and further education about informed decision making online.


Return to Index      -     

 

DEFCON - Track 4 - Friday - 12:00-12:45


Hacking Democracy: A Socratic Dialogue

Friday at 12:00 in Track 4

45 minutes

Mr. Sean Kanuck Stanford University, Center for International Security and Cooperation

In the wake of recent presidential elections in the US and France, "hacking" has taken on new political and social dimensions around the globe. We are now faced with a world of complex influence operations and dubious integrity of information. What does that imply for democratic institutions, legitimacy, and public confidence?

This session will explore how liberal democracy can be hacked — ranging from direct manipulation of electronic voting tallies or voter registration lists to indirect influence over mass media and voter preferences — and question the future role of "truth" in open societies. Both domestic partisan activities and foreign interventions will be considered on technical, legal, and philosophical grounds. The speaker will build on his experience as an intelligence professional to analyze foreign capabilities and intentions in the cyber sphere in order to forecast the future of information warfare. Audience members will be engaged in a Socratic dialogue to think through how modern technologies can be used to propagate memes and influence the electorate. The feasibility of, and public policy challenges associated with, various approaches to hacking democracy will also be considered. This conceptual discussion of strategic influence campaigns will not require any specific technical or legal knowledge

Mr. Sean Kanuck
Sean Kanuck is an attorney and strategic consultant who advises governments, corporations, and entrepreneurs on the future of information technology. Sean is affiliated with Stanford University's Center for International Security and Cooperation and has received several international appointments, including: Chair of the Research Advisory Group for the Global Commission on the Stability of Cyberspace (Hague, Netherlands), Distinguished Visiting Fellow at Nanyang Technological University (Singapore), and Distinguished Fellow with the Observer Research Foundation (New Delhi, India). He regularly gives keynote addresses for global audiences on a variety of cyber topics, ranging from risk analysis to identity intelligence to arms control.

Sean served as the United States' first National Intelligence Officer for Cyber Issues from 2011 to 2016. He came to the National Intelligence Council after a decade of experience in the Central Intelligence Agency's Information Operations Center, including both analytic and field assignments. In his Senior Analytic Service role, he was a contributing author for the 2009 White House Cyberspace Policy Review, an Intelligence Fellow with the Directorates for Cybersecurity and Combating Terrorism at the National Security Council, and a member of the United States delegation to the United Nations Group of Governmental Experts on international information security.

Prior to government service, Sean practiced law with Skadden Arps in New York, where he specialized in mergers and acquisitions, corporate finance, and banking matters. He is admitted to the bar in New York and Washington DC, and his academic publications focus on information warfare and international law. Sean holds degrees from Harvard University (A.B., J.D.), the London School of Economics (M.Sc.), and the University of Oslo (LL.M.). He also proudly serves as a Trustee of the Center for Excellence in Education, a charity promoting STEM education that is based in McLean, Virginia.

@seankanuck


Return to Index      -     

 

DEFCON - Capri Room - Friday - 20:00-21:59


Hacking Democracy

Friday at 20:00 - 22:00 in Capri Room

Evening Lounge

Mr. Sean Kanuck Stanford University, Center for International Security and Cooperation

Are you curious about the impact of fake news and influence operations on elections? Are you concerned about the vulnerability of democratic institutions, the media, and civil society? Then come engage with your peers and the first US National Intelligence Officer for Cyber Issues on ways to hack democracy. He will: (1) provide a low-tech, strategic analysis of recent events, foreign intelligence threats, and the future of information warfare; (2) lead a Socratic dialogue with attendees about the trade-offs between national security and core democratic values (such as freedom, equality, and privacy); and (3) open the floor to audience questions and/or a moderated group debate.

This session is intended to be informal and participatory. It will cover a range of issues from supply chain attacks on voting machines to psychological operations by using an interdisciplinary approach that encompasses constitutional law, world history, game theory, social engineering, and international affairs. The discussion will occur against the backdrop of cyber security and critical infrastructure protection, but it will not examine any specific hardware or software systems; rather, it will concern the conceptual formulation and conduct of modern strategic influence campaigns. No specific knowledge is required, but a skeptical mind and mischievous intellect are a must.

Mr. Sean Kanuck
Sean Kanuck is an attorney and strategic consultant who advises governments, corporations, and entrepreneurs on the future of information technology. Sean is affiliated with Stanford University's Center for International Security and Cooperation and has received several international appointments, including: Chair of the Research Advisory Group for the Global Commission on the Stability of Cyberspace (Hague, Netherlands), Distinguished Visiting Fellow at Nanyang Technological University (Singapore), and Distinguished Fellow with the Observer Research Foundation (New Delhi, India). He regularly gives keynote addresses for global audiences on a variety of cyber topics, ranging from risk analysis to identity intelligence to arms control.

Sean served as the United States' first National Intelligence Officer for Cyber Issues from 2011 to 2016. He came to the National Intelligence Council after a decade of experience in the Central Intelligence Agency's Information Operations Center, including both analytic and field assignments. In his Senior Analytic Service role, he was a contributing author for the 2009 White House Cyberspace Policy Review, an Intelligence Fellow with the Directorates for Cybersecurity and Combating Terrorism at the National Security Council, and a member of the United States delegation to the United Nations Group of Governmental Experts on international information security.

Prior to government service, Sean practiced law with Skadden Arps in New York, where he specialized in mergers and acquisitions, corporate finance, and banking matters. He is admitted to the bar in New York and Washington DC, and his academic publications focus on information warfare and international law. Sean holds degrees from Harvard University (A.B., J.D.), the London School of Economics (M.Sc.), and the University of Oslo (LL.M.). He also proudly serves as a Trustee of the Center for Excellence in Education, a charity promoting STEM education that is based in McLean, Virginia.

@seankanuck


Return to Index      -     

 

Workshops - ( Sold Out ) - Octavius 1 - Saturday - 14:30-18:30


Hacking Network Protocols using Kali

Saturday, 14:30 to 18:30 in Octavius 1

Thomas Wilhelm Security Solutions Expert, HP Inc.

John Spearing

There are a lot of hacking tutorials on how to compromise servers, but what about network devices? In this workshop, we will demonstrate how to conduct penetration tests against a number of different network protocols, specifically those at layer 2 and 3 of the OSI model, in order to assess and circumvent the security of an organization. Participants will be able to watch a demonstration on how to leverage insecurities in different protocols, and replicate the attacks themselves in a lab environment at the workshop. In addition, we will discuss what steps network engineers can do to limit the insecurities.
This workshop will contain network devices in which participants will be able to connect to and perform the demonstrated attacks. Participation will be reduced since network equipment resources are limited, unless additional lab equipment can be procured.

Prerequisites: Since the subject matter discusses network protocols, it is required for students to understand the OSI model and specifics of well-known network protocols, particularly those found at layer 2 and layer 3 of the OSI model.

Materials: Since this is an advanced penetration testing subject, participants should have a laptop that contains an up to date Kali Linux image. In addition, if they want to participate in actual network protocol attacks, they should bring CAT5 cables for connectivity. This class will not spend time getting students online - participants should already be familiar with configuring static IP addresses and/or DHCP for their systems. Because participants will be able to connect to a lab environment with active exploits, it is suggested that students use a computer system that can be easily re-imaged at the end of the workshop.

Max students: 32 | Registration: https://dc25_wilhelm.eventbrite.com/ (Sold out!)

Thomas Wilhelm
Thomas Wilhelm has been an associate professor at an NSACAE university, who has taught information assurance for many years at both the masters and undergraduate level. He has been a penetration tester and team lead for fortune 100 companies, and spent the last 20+ years involved in information security. Thomas has written and authored numerous articles and books over the years on hacking; the latest is titled "Professional Penetration Testing (vol 2)," published by Syngress, which has been printed in multiple languages. Thomas holds two masters degrees (MSCS, MSM) and maintains the following certifications: ISSMP, CISSP, CCNP Security, SCSECA, SCNA, SCSA, IEM, IAM

John Spearing
John Spearing works in the field of network and physical security, and has obtained a Masters Degree in both Computer Science and Organizational Behavior. John is the co-founder and Operations Manager of the MSSP company known as Crystal Defense Network Information Security, located in central Colorado. John's specialty within the Information Security realm is centralized around network intrusion detection and prevention, as well as endpoint security.


Return to Index      -     

 

CPV - Florentine Ballroom 4 - Friday - 10:30-11:00


Title:
Hacking on Multiparty Computation

Name:
Matt Cheung

Abstract:
Secure multiparty computation is about jointly computing a function while keeping each parties inputs secret. This comes off as an esoteric area of cryptography, but the goal of this talk is to introduce you to the core concepts through a history of the topic. I will conclude by demoing an implementation of an example protocol I implemented.

Bio:
Matt Cheung started developing his interest in cryptography during an internship in 2011. He worked on implementation of a secure multi-party protocol by adding elliptic curve support to an existing secure text pattern matching protocol. From this experience he has given talks and workshops at the Boston Application Security Conference and the DEF CON Crypto and Privacy Village.
Twitter handle of presenter(s): nullpsifer

Return to Index      -     

 

DEFCON - Track 3 - Friday - 11:00-11:45


Hacking Smart Contracts

Friday at 11:00 in Track 3

45 minutes | Demo

Konstantinos Karagiannis Chief Technology Officer, Security Consulting, BT Americas

It can be argued that the DAO hack of June 2016 was the moment smart contracts entered mainstream awareness in the InfoSec community. Was the hope of taking blockchain from mere cryptocurrency platform to one that can perform amazing Turing-complete functions doomed? We've learned quite a lot from that attack against contract code, and Ethereum marches on. Smart contracts are a key part of the applications being created by the Enterprise Ethereum Alliance, Quorum, and smaller projects in financial and other companies. Ethical hacking of smart contracts is a critical new service that is needed. And as is the case with coders of Solidity (the language of Ethereum smart contracts), hackers able to find security flaws in the code are in high demand.

Join Konstantinos for an introduction to a methodology that can be applied to Solidity code review ... and potentially adapted to other smart contract projects. We'll examine the few tools that are needed, as well as the six most common types of flaws, illustrated using either public or sanitized real world" vulnerabilities.

Konstantinos Karagiannis
Konstantinos Karagiannis is the Chief Technology Officer for Security Consulting at BT Americas. In addition to guiding the technical direction of ethical hacking and security engagements, Konstantinos specializes in hacking financial applications, including smart contracts and other blockchain implementations. He has spoken at dozens of technical conferences around the world, including Black Hat Europe, RSA, and ISF World Security Congress.

@konstanthacker


Return to Index      -     

 

Wireless - Florentine BR I & II - Promenade Level - Friday - 12:00-13:25


Balint Seeber

Bio

A software engineer by training, Balint is a perpetual hacker, the Director of Vulnerability Research at Bastille Networks, and guy behind spench.net. His passion is Software Defined Radio and discovering all that can be decoded from the ether, as well as extracting interesting information from lesser-known data sources and visualising them in novel ways. When not receiving electromagnetic radiation, he likes to develop interactive web apps for presenting spatial data. Originally from Australia, he moved to the United States in 2012 to pursue his love of SDR as the Applications Specialist and SDR Evangelist at Ettus Research.

@spenchdotnet

Hacking Some More of The Wireless World

Abstract

The hacking continues on from last year! Three interesting applications will be demonstrated, and their underlying theory and design explained. The audience will be exposed to some novel GNU Radio tips and DSP tricks. INMARSAT Aero will be revisited to show (in Google Earth) spatial information, such as waypoints and flight plans, that are transmitted from airline ground operations to airborne flights. A good chunk of the VHF band is used for airline communications; plane spotters enjoy listening to tower and cockpit communications. Modern SDRs can now sample the entire band, and as AM modulation is used, it's possible to use a counterintuitive, but simple, demodulator chain (first shown by Kevin Reid's wideband 'un-selective AM' receiver) to listen to the most powerful transmission. This will be demonstrated with a GNU Radio-based implementation. It is also possible to 'spatialise' the audio for the listener using stereo separation, which can convey a transmission's relative position on the spectrum. FMCW RADAR experiments are enhanced to include Doppler processing. Plotting this new velocity information, due to the Doppler effect, shows whether a target is heading toward or away from you, and often reveals targets not normally seen in range-only information - this demonstrates the true power of full RADAR signal processing. This technique will be applied to the live audio demo, a new live SDR demo, CODAR ocean current tracking, and passive RADAR exploiting powerful ATSC digital television signals (this was used to track aircraft on approach across the Bay Area).


Return to Index      -     

 

DEFCON - Track 1 - Thursday - 14:00-14:45


Hacking the Cloud

Thursday at 14:00 in 101 Track

45 minutes | Demo

Gerald Steere Cloud Wrecker, Microsoft

Sean Metcalf CTO, Trimarc

You know the ins and outs of pivoting through your target's domains. You've had the KRBTGT hash for months and laid everything bare. Or have you?

More targets today have some or all of their infrastructure in the cloud. Do you know how to follow once the path leads there? Red teams and penetration testers need to think beyond the traditional network boundaries and follow the data and services they are after. This talk will focus on how to take domain access and leverage internal access as a ticket to your target's cloud deployments.

We will also discuss round trip flights from cloud to on-premises targets and what authorizations are required to access your target's cloud deployments. While this talk is largely focused on Microsoft Azure implementations, the concepts can be applied to most cloud providers.

Gerald Steere
Gerald Steere has been a member of the C+E Red Team since joining Microsoft in June 2014. He regularly dives into the deepest corners of Azure looking for vulnerabilities unique to the cloud scale environment and collecting all the creds. Prior to that, he was a security auditor and penetration tester for three civilian Federal agencies, where he acquired a love for obtaining and cracking as many passwords as possible. He has spoken on cloud security topics at multiple BlueHat events and most recently at BSides Seattle.

@darkpawh

Sean Metcalf
Sean Metcalf is founder and principal consultant at Trimarc Security, LLC (www.TrimarcSecurity.com), which focuses on mitigating, detecting, and when possible, preventing modern attack techniques. He is one of about 100 people in the world who holds the Microsoft Certified Master Directory Services (MCM) certification, is a Microsoft MVP, and has presented on Active Directory attack and defense at BSides, Shakacon, Black Hat, DEF CON, and DerbyCon security conferences.

Sean has provided Active Directory and security expertise to government, corporate, and educational entities since Active Directory was released. He currently provides security consulting services to customers and regularly posts interesting Active Directory security information on his blog, ADSecurity.org.

@pyrotek3


Return to Index      -     

 

SKY - Verona/Tuin/Trevi - Promenade Level - Friday - 18:00-18:59


Title:
Hacking the Law: A Call for Action – Bug Bounties Legal Terms as a Case Study

1800 Friday
Amit Elazari
@amitelazari
Hacking the Law: A Call for Action – Bug Bounties Legal Terms as a Case Study

While the bug bounty economy is booming, a novel survey of bug bounty terms reveals that platforms and companies often put hackers in “legal” harm’s way, shifting the risk for civil and criminal liability towards hackers instead of authorizing access and creating “safe harbors”. This is a call for action to hackers to unite, negotiate and influence the emerging landscape of cyberlaw, since hackers’ actions speak louder than scholars’ words. I suggest simple steps that could and should be taken, in order to minimize the legal risks of thousands of hackers participating in bug bounties, and create a “rise-to-the-top” competition over the quality of bug bounty terms. Hackers will learn not only which terms they should beware of in light of recent developments in anti-hacking laws, but which terms they, individually and through the platform, should demand to see to ensure “authorized access”. Most importantly, this is a case study of how a united front of hackers could demand and negotiate important rights, similar to what is done by organizations in other industries. Contracts and laws will continue to play a role in the highly regulated cyber landscape, conflicts of interests will inevitably arise, therefore hackers should not only pay attention to the fine print, but unite and negotiate for better terms.

Return to Index      -     

 

BHV - Pisa Room - Saturday - 10:30-10:59


Title: Hacking the Second Genetic Code using Information Theory

Speakers: Travis Lawrence

About Travis:
Travis Lawrence is currently a PhD candidate in Quantitative and Systems Biology at University of California, Merced. He developed an interest in both biodiversity and computers early in life. During college, he stumbled into the field of evolutionary biology which allowed him to pursue his interests in computer programming and biodiversity. The questions that are of the most interest to him are at the interface of evolutionary biology, genomics and bioinformatics.


Abstract:
Recent advances in genome editing have quickly turned ideas thought restricted to science fiction into reality such as custom synthetic organisms and designer babies. These technologies rely on the fidelity of the genetic code, which translates nucleotides into proteins. The underlying mechanism of translation is well understood where triplets of nucleotides, known as codons, are recognized by transfer RNAs with complementally nucleotide triplets. These transfer RNAs carry one of twenty amino acids which are then added to the growing protein chain by the ribosome. However, relatively little work has examined how a transfer RNA that recognizes a certain codon always carries the correct amino acid. The rules that determine which amino acid a transfer RNA carries have been termed the second genetic code. I have developed a computational method based on information theory that can elucidate the second genetic code from genomic sequences. Interestingly, the second genetic code is highly variable between organisms unlike the genetic code which is relatively static. I will present how my method cracks the second genetic code and how the variability of the second genetic code can be exploited to develop new treatments to combat bacterial infections and parasites, create targeted bio-controls to combat invasive species, and expand the genetic code to incorporate exotic amino acids.



Return to Index      -     

 

DEFCON - Track 2 - Friday - 10:20-10:40


Hacking travel routers like it's 1999

Friday at 10:20 in Track 2

20 minutes | Demo, Exploit

Mikhail Sosonkin Security Researcher, Synack Inc.

Digital nomads are a growing community and they need internet safety just like anyone else. Trusted security researchers have warned about the dangers of traveling through AirBnB’s. Heeding their advice, I purchased a HooToo TM06 travel router to create my own little enclave while I bounce the globe. Being a researcher myself, I did some double checking.

So, I started fuzzing and reverse engineering. While the TM06 is a cute and versatile little device - protection against network threats, it is not. In this talk, I will take you on my journey revealing my methodology for discovering and exploiting two memory corruption vulnerabilities. The vulnerabilities are severe and while they’ve been reported to the vendor, they are very revealing data points about the security state of such devices. While the device employs some exploitation mitigations, there are many missing. I will be showing how I was able to bypass them and what mitigations should’ve been employed, such as NX-Stack/Heap, canaries, etc, to prevent me from gaining arbitrary shellcode execution.

If you’re interested in security of embedded/IoT systems, travel routers or just good old fashioned MIPS hacking, then this talk is for you!

Mikhail Sosonkin
Mikhail Sosonkin is a Security Researcher at Synack where he digs into the security aspects of low level systems. He enjoys automating aspects of reverse engineering and fuzzing in order to better understand application internals. Mikhail has a CS degree from NYU, where he has also taught Application Security, and a Software Engineering masters from Oxford University. Being a builder and a hacker at heart, his interests are in vulnerability analysis, automation, malware and reverse engineering. Mikhail much enjoys speaking at such conferences as ZeroNights in Moscow and DEF CON in Las Vegas!

@hexlogic, Blog http://debugtrap.com/


Return to Index      -     

 

Workshops - ( Sold Out ) - Octavius 7 - Saturday - 14:30-18:30


Harnessing the Power of Docker and Kubernetes to Supercharge Your Hacking Tactics

Saturday, 14:30 to 18:30 in Octavius 7

Anshuman Bhartiya

Anthony Bislew Red Teamer, Intuit

Running reconnaissance on a target network is almost always time-consuming and cumbersome. For experienced hackers, the process of manually enumerating and scanning target networks comes to feel like a gratuitous journey through Mordor on our way to the glory of shells, pivoting, and pilfering. Even worse, most of the automated reconnaissance solutions out there are expensive, limited in their effectiveness, opaque in their functionality...or all of the above.

What if you could automate your own customized approach to reconnaissance and exploitation by leveraging an entirely free and open-source framework to
1. Integrate the tools you trust and
2. Build tools of your own to capture those tricks that are unique to the special snowflake that is you?

In this workshop, we'll introduce you to the power of Docker and Kubernetes to supercharge your hacking tactics. We'll walk you through the process of building your tools as Docker images, scheduling and launching those tools in a Kubernetes cluster, and storing your results in a way that's easy to analyze and act upon. We'll spawn and destroy some attack environments and show how easy it is to do your testing without stressing out on how to get started. We'll even use some of the recon results to automate running exploitation tools against them and getting to the keys of the kingdom! By the end of this workshop you should have all the tools you need to build and extend your own recon and exploitation framework, that is supercharged and hyper scalable, thanks to Kubernetes.

Prerequisites: Attendees should be:
Comfortable using a MacOS/Linux shell terminal
Comfortable enough with a common scripting language (preferably Python/Ruby) to write simple tools/scripts
Familiar with command-line tools common to security professionals (e.g. curl, Nmap, etc.)
Familiar with Docker (e.g. its purpose, the concepts of containers and images, etc.)
https://www.docker.com/

Familiar with Google Cloud Platform offerings (e.g Compute Engine, Container Engine, Storage, BigQuery, etc.)
https://cloud.google.com/

A basic knowledge of Kubernetes is extremely helpful but not required. https://kubernetes.io/

Materials:
• Laptop with a Linux-based OS (preferably Mac/Ubuntu)
• A Google Cloud Platform (GCP) account - You can use the GCP Free Tier to get one. They give $300 worth of free credits which is more than enough.
• https://cloud.google.com/free/
• A Slack account configured with an incoming webhook - https://api.slack.com/incoming-webhooks
• An IDE such as Atom or Visual Studio Code.
• We will walk through installation of any other tools/software necessary such as Docker, Minikube, Google SDK, Golang, Python, etc. so you don’t have to have these pre-installed but it would help if you do.

Max students: 60 | Registration: https://dc25_bhartiya.eventbrite.com (Sold out!)

Anshuman Bhartiya
Anshuman Bhartiya has been in the IT industry for about 10 years now and has had the opportunity to wear multiple hats. Anshuman has been a web developer, cloud consultant, systems engineer and security engineer to name a few. Anshuman has a varied skillset and he likes to tinker with the latest technology coming up with innovative solutions for difficult and challenging problems. Security, Automation and Innovation are some things he is really passionate about and he firmly believes in sharing knowledge and the Open Source community. You can find some of Anshuman's work at his Github here - https://github.com/anshumanbh

Anthony Bislew
Anthony Bislew is a red teamer for the Intuit security team, with 17 prior years of experience in the IT industry. He was the co-founder of two Infrastructure as a Service (IaaS) startups and architected multiple data centers from the ground up. He is a co-founder of SD Hackers, a San Diego-based group of security professionals that come together to learn from and collaborate with each other. He is also the creator of the public penetration testing lab Infoseclabs, which was recently converted into a private security research lab for local San Diego penetration testers and researchers.


Return to Index      -     

 

CPV - Florentine Ballroom 4 - Saturday - 14:00-15:00


Title:
Have you seen my naked selfies? Neither has my snoopy boyfriend. Privacy within a Relationship

Author:
Lauren Rucker

Abstract:
Privacy is fairly cut and dry when it’s US verses THEM, but what if it’s ME verses YOU within US? What are YOUR Privacy Rights, in the context of OUR relationship? Am I your non-trusting girlfriend? Am I your controlling boyfriend? Am I your snooping wife? Am I your abusive husband? How do YOU protect your privacy from ME? I will be providing tips, techniques, and resources to enable someone (anyone – even YOU) to protect their Privacy in a relationship, perhaps even one with ME.

Highlights will include ways you can be surveilled, at home techniques you can use to protect yourself when using your phone and computer, and individual privacy rights within a marriage. Presented by someone who may have needed the information, and had to discover this path themselves, and is zealous about assisting those in need of this talk. Even YOU.

Bio:
Lauren Rucker is a threat intelligence analyst for NASA, with experience in threat assessment, vulnerability analysis, risk assessment, information gathering, correlating and reporting. Lauren is a former military intelligence officer that served at U.S. Cyber Command and U.S. Strategic Command. She is currently a graduate student earning her master’s in cybersecurity and is passionate about making cybersecurity practices relatable to the average internet user.
Twitter handle of presenter(s): @laurenkrucker

Return to Index      -     

 

BHV - Pisa Room - Friday - 14:30-14:59


Title: Health as a service...

Speakers: Julian Dana

About Julian:
Julian is a Security Consultant with more than 20 years of experience. He has experience in hands-on security testing and also teaching different technical security trainings. Julian, as a frustrated doctor, was always passionate and curious about the human body.

Abstract:
The software as a service (SaaS) model is same model that we are using for our health...Unbelievable: We are treating symptoms and not curing diseases...



Return to Index      -     

 

SEV - Emperors BR II - Friday - 20:10-20:40


Friday July 28 8:10PM 30 mins

Heavy Diving for Credentials: Towards an Anonymous Phishing
Online phishing campaigns are one of the most typical social engineering exercises that can be conducted in the internet. In spite of the easiness with which fake websites can be deployed using tools such as Social Engineering Toolkit, attackers will sometimes be limited by the difficulties to achieve a sufficient amount of privacy in the case of being trapped. Thus, finding a set of platforms that can provide this anonymity and untraceability is needed to launch similar campaigns with the minimum guarantees of remaining safe.

In this session, the authors will show a proposal on how to perform this type of attacks with the example of credential harvesting in mind by  using some of the well known capabilities that the Tor ecosystem provides. During the conference, some demos will be conducted in which our baits will be prepared to be bitten by even users which are not using tor-ified browsers, by adding some simple tricks that include the exploitation of the target=”_blank” directive, the particular use of .onion subdomains in current browsers and a combination of third party gateways to maximize the chances of deceiving the victim while the attacker remains as anonymous as possible.

Yaiza Rubio: @yrubiosec
Félix Brezo: @febrezo
Yaiza Rubio is an intelligence analyst with a Bachelor of Information Sciences, Master in Intelligence Analysis, Master in Logistics and Economics of Defense and Master in Law Applied to Internet and TIC. A member of the Institute of Forensic Science and Security of the Autonomous University of Madrid and former analyst at S21sec and Isdefe, since May 2013 serves as an intelligence analyst for Eleven Paths. She is a collaborator of the Centre of Analysis and Foresight of the Spanish Guardia Civil as well as recurrent national and international Law Enforcement Agencies trainer like Europol, the Spanish Army and several police units in Spain. She also teaches in several postgraduate courses on intelligence analysis, security and open source intelligence and publishes scientific and technical content in hacking and security-related conferences like RootedCon, NavajaNegra, 8dot8, JNIC, ISACA and many others. Since May 2017, she has been awarded by the Spanish Ministry of Digital the Honorofic Cybercooperant title for her work on spreading cybersecurity awareness.

Félix Brezo is an intelligence analyst with a Computer Engineering and Industrial Organisation Engineer degree, Master in Information Security, Master in Intelligence Analysis,  Master in Law Applied to Internet and TICs and PhD in Computer Engineering and Telecommunications. Until June 2013, a researcher in computer security in the S3Lab run by the University of Deusto and, thereafter, intelligence analyst for Eleven Paths, and collaborator of the Spanish Guardia Civil’s Centre of Analysis and Foresight, as well as a recurrent Law Enforcement Agencies trainer in Spain and Europe. He teaches on intelligence analysis and security in several postgraduate courses and is also a recurrent lecturer in hacking and security-related conferences like RootedCon, NavajaNegra, 8dot8, JNIC or ISACA amongst many others.

Both authors have been leading the development of OSRFramework, a free software information gathering framework focused on the analysts which has received up to 4 different national awards in Spain for the assistance it provides to the fingerprinting phase in hacking and intelligence operations.


Return to Index      -     

 

DEFCON - Track 1 - Saturday - 17:00-17:45


Here to stay: Gaining persistency by abusing advanced authentication mechanisms

Saturday at 17:00 in 101 Track

45 minutes | Demo

Marina Simakov Security researcher, Microsoft

Igal Gofman Security researcher, Microsoft

Credentials have always served as a favorite target for advanced attackers, since these allow to efficiently traverse a network, without using any exploits.

Moreover, compromising the network might not be sufficient, as attackers strive to obtain persistency, which requires the use of advanced techniques to evade the security mechanisms installed along the way.

One of the challenges adversaries must face is: How to create threats that will continuously evade security mechanisms, and even if detected, ensure that control of the environment can be easily regained?

In this talk, we briefly discuss some of the past techniques for gaining persistency in a network (using local accounts, GPOs, skeleton key, etc.) and why they are insufficient nowadays.

Followed by a comprehensive analysis of lesser known mechanisms to achieve persistency, using non-mainstream methods (such as object manipulation, Kerberos delegation, etc.).

Finally, we show how defenders can secure their environment against such threats.

Marina Simakov
Marina Simakov is a security researcher at Microsoft, with a specific interest in network based attacks.

She holds an M.Sc in computer science, with several published articles. Gave a talk at BlueHat IL 2016 regarding attacks on local accounts.

@simakov_marina

Igal Gofman
Igal Gofman is a security Researcher at Microsoft. Igal has a proven track record in network security, research oriented development and threat intelligence.

His research interests include network security, intrusion detection and operating systems.

Before Microsoft, Igal was a Threat Response Team Lead at Check Point Software Technologies leading the development of the intrusion detection system.

@IgalGofman


Return to Index      -     

 

Demolabs - Table 6 - Sunday - 10:00-11:50


HI-Jack-2Factor

Weston Hecker

Sunday from 1000-1150 at Table Six

Audience: Offense, Defense, Hardware

There are several attacks being performed on PKES Passive key entry systems on cars. Several high profile talks this year are about stealing cars using 11 Dollar SDR and cheap devices to relay the signals from the keyfob to the immobilizer: I will be demoing a device that I made using an ardunio and a 433/315 Mhz Radio and a 2.4GHZ wireless antenna They cost about 12 dollars to make and basically add two factor authentication to your vehicle.

https://eprint.iacr.org/2010/332.pdf This was the 2009 research. Here is the modern 2017 version https://www.wired.com/2017/04/just-pair-11-radio-gadgets-can-steal-car/

Weston Hecker


Return to Index      -     

 

IOT - Main Contest Area - Friday - 13:00-13:50



Return to Index      -     

 

DEFCON - Modena - Friday - 20:00-21:59


Horror stories of a translator and how a tweet can start a war with less than 140 characters

Friday at 20:00 - 22:00 in Modena

Evening Lounge

El Kentaro Hacker

Translators are invisible, when they are present it is assumed that they know the language and are accurately translating between the languages. But how do you assure that the translator is accurately translating or working without an agenda? Although many of the case studies presented in this talk will focus on translating between different languages, the basic premise can be applied in any case where information needs to be shared among 2 or more different contexts. (i.e.: Sales vs Engineering, Government vs Private sector etc) . The talk will showcase publicly known historical cases and personal experiences where translation errors (accidental and deliberate) have lead to misunderstandings some with dire consequences. Also the talk will showcase using translators as an offensive tool (i.e.:How to create more credible fake news). We as a society consume more information and consume it faster than before, we have to be aware of the dangers that are inherit with bad translations. Also the infosec/cyber security profession because of the potential for large scale global impacts and or the need to maintain operational security poses unique considerations when translating or using a translator. This talk will highlight the unique challenges of using a translator or translations in such environments.

El Kentaro
El Kentaro / That Guy in Tokyo.

El Kentaro has been a communications facilitator between Japan and the rest of the world in the information technology industry since 1996. For the last 7 years Kentaro has solely focused on providing interpretation services for the infosec/cyber security industry in Japan. Kentaro also provided the Japanese subtitles for the DEF CON documentary released in 2015 and is a member of the CODE BLUE Security Conference held annually in Japan.


Return to Index      -     

 

VMHV - Roman 1, Promenade Level - Friday - 16:00-16:45


Title:
How did we get here: A history of voting technology, hanging chads, and the Help America Vote Act. This segment will feature a punch card machine and demo what can go wrong with it.

Title: How did we get here: A history of voting technology, hanging chads, and the Help America Vote Act. I’ll bring a punch card machine and demo what can go wrong with it.

Matt Blaze bio
Matt Blaze, Cryptographer & Associate Professor of Computer & Information Science at University of Pennsylvania

Matt Blaze is a professor at the University of Pennsylvania, where he directs the Distributed Systems Lab and conducts research in security, privacy, surveillance, cryptography, scale, and the relationship between technology and public policy. His work has included the discovery of fundamental flaws in the Clipper chip and other surveillance systems, foundational work in network security, file encryption, trust management and two way radio security, and security evaluations of major electronic voting systems in used in the US.

Return to Index      -     

 

PHV - Milano VIII - Promenade Level - Friday - 10:10-10:59


How Hackers Changed The Security Industry

Chris Wysopal, CTO and Co-Founder of Veracode

Before hackers got involved in cybersecurity the industry was focused on products and compliance. Security was security features: firewalls, authentication, encryption. Little thought was given to vulnerabilities that allowed the bypassing of those features. Hackers came along with the idea that you use offensive techniques to simulate how an attacker would discover vulnerabilities in a networks, a system, or an application. Offensive skills have been on the rise ever since and now the best way to secure something it to try and break it yourself before the attacker does. This history will be told from a member of the hacker group The L0pht who lived the arc from the underground, to consumer advocates, to speaking at the U.S. Senate, to forming a 200 employee security consultancy, to schooling Microsoft and changing how people build software. Attendees will learn why we need the kind of tools hackers build to secure our systems and why we need people who are taught to think like hackers, 'security champions', to be part of software development teams.

Chris Wysopal (Twitter: @WeldPond) Chris Wysopal is currently Veracode's CTO and co-founder. He is one of the original vulnerability researchers and an early member of L0pht Heavy Industries, which he joined in 1992. He is the author of netcat for Windows and one of the authors of L0phtCrack. He has testified on Capitol Hill in the US on the subjects of government computer security and how vulnerabilities are discovered in software. He published his first advisory in 1996 on parameter tampering in Lotus Domino and has been trying to help people not repeat this type of mistake for 15 years. He is also the author of "The Art of Software Security Testing" published by Addison-Wesley.


Return to Index      -     

 

ICS - Calibria - Friday - 15:30-15:59


Title: How to create dark buildings with light speed.

A number of talks in the last few years have addressed various topics in the generic area of industrial control system insecurity but only few have tapped into security of building automation systems, albeit its prevalence.

The usage of building automation, regardless if in private homes or corporate buildings, aims to optimize comfort, energy efficiency and physical access for its users. Is cyber security part of the equation? Unfortunately, not to the extent one might expect, cyber security is quite often found to be sacrificed either for comfort or efficiency.

The higher number of small and large-scale installations combination with easily exploitable vulnerabilities leads to a stronger exposure of building automation systems, which are often overlooked. Even worse, an adversary understanding the usage of regular building automation protocol functions for malicious purposes may not only create chaos within the breached building but can potentially even peak into internal networks over building protocols which are otherwise not reachable.

This talk describes prototypic attack scenarios through building automation systems one should consider, and how even without exploits, a number of protocol functions in common building automation protocols like BACnet/IP and KNXnet/IP can support a malicious adversary going for those scenarious.

For penetration testers who would like to explore this interesting field of industrial security research, we include a section on tooling. We will discuss noteworthy tools both from the security toolbox but also from the building automation toolbox for carrying out a number of attacks or their preparatory steps.

We will close out talk by discussing existing security measures proposed by the building automation industry as well as their adoption problems found in this field.


Bio: Thomas Brandstetter

Thomas Brandstetter is CEO and Co-Founder of Limes Security, a company specializing in industrial cyber security and secure software development, based in Austria. Besides his work as a CEO, he is an Associate Professor at the University of Applied Sciences St. Poelten, Austria, where he loves to teach his students classes like industrial cyber security, incident response, botnets and honeypots, and penetration testing. He gathered a decade of experience in the industry when he joined Siemens in order to establish the topic of cyber security in industrial products, 10 years ago. After spending years in pen-testing products, he became Program Manager of the "Hack-Proof-Products Program" that he had co-founded. He held this position until in 2010 when the Stuxnet malware hit. He was assigned the official incident manager role for this unique threat and still loves to look back on what he learned back then both technically and about organizations. Out of the remnants of the Stuxnet-activities, Thomas founded the Siemens ProductCERT, which is still one of the most effective industrial incident and vulnerability response teams worldwide today. He led the Siemens ProductCERT for another two years before he left for Limes Security and UAS St. Poelten. He is a CISSP, GICSP and holds a degree in IT security from the University of Applied Sciences Hagenberg, Austria and a masters degree in Business Administration from the Universities of Augsburg and Pittsburgh.




Return to Index      -     

 

RCV - Palermo room, Promenade level - Saturday - 14:50-15:15


How to obtain 100 Facebooks accounts per day through internet searches

Abstract

Back in 2016, it was very new the way how the Facebook mobile application implements content through ““Instant articlesâ€â€. A user can view content from third parties directly in the Facebook platform without requiring to open the Browser, for instance. This content can also be shared, saved, opened in browser and so on.

In this talk, we will share how there Instant articles, and the way they were shared, lead us to the possibility to access Facebook accounts and how through internet searches this became a huge problem! We’ll discuss how we identify the issue and how it was tested, reported, fixed, rewarded and also we talk about a new vector attack for further research.

Speaker Profile

Guillermo (@bym0m0) is a Cyber Security Penetration Testing Consultant at Deloitte Mexico; he has worked for many Financial Institutions and Public sector for the last 5 years.

Yael (@zkvL7) is a Cyber Security Snr. Consultant at Deloitte Mexico and has been working as a Security Specialist in different organizations for the last 4 years. He is really into programming and his laziness has lead into writting some code to automatize certain things at work; nmap and nessus reports for instance https://github.com/zkvL7, and some other work not ready to see the light.


Return to Index      -     

 

SEV - Emperors BR II - Saturday - 18:25-19:15



Saturday July 29 6:25PM 50 mins
How to protect your banks & enterprises (Talk given by someone who robs banks & enterprises)
Most people who work on the defensive side of computer security only see the landscape from that perspective! In this talk Jayson will show how an attacker views your website & employees, then uses them against you. We’ll start with how a successful spear phish is created. By using the information gathered from the companies own ‘about’ page as well as scouring social media sites for useful information to exploit employees. The majority of the talk will be covering successful counter-measures to help stave off or detect attacks. This discussion will draw on the speakers 15 years experience of working in the US banking industry on the side of defense. Also at the same time he’ll be drawing on over 6 years of doing engagements where he took on the role of the attacker. If everything turns out well everyone will have learned something new that they can immediately take back to their networks and better prepare it against attacks!

Jayson Street: @jaysonstreet
Jayson E. Street is an author of the “Dissecting the hack: Seriesâ€. Also the DEF CON Groups Global Coordinator. He has also spoken at DEF CON, DerbyCon, UCON and at several other ‘CONs and colleges on a variety of Information Security subjects. His life story can be found on Google under “Jayson E. Street†*He is a highly carbonated speaker who has partaken of Pizza from Beijing to Brazil. He does not expect anybody to still be reading this far but if they are please note he was chosen as one of Time’s persons of the year for 2006.


Return to Index      -     

 

BHV - Pisa Room - Sunday - 12:00-12:59


Title: How to use the Scientific Method in Security Research

Speaker: Jay Radcliffe

About Jay:
Jay Radcliffe has been working in the computer security field for over 20 years. Coming from the managed security services industry, Jay has used just about every security device made over the last decade. Recently, Jay presented ground-breaking research on security vulnerabilities in medical devices, and was featured on national television as an expert on medical device vulnerability. Jay also has experience with hardware hacking and radio technology. Jay holds a Master's degree in Information Security Engineering from SANS Technology Institute, as well as a Bachelor's degree in Criminal Justice/Pre-Law from Wayne State University. SC Magazine named him one of the Top Influential IT Security Thinkers in 2013.

One of the huge criticisms of Security research is the lack of process and adherence to traditional research methods. Quite often our "research" is just tearing apart systems and exposing their vulnerabilities. While this is useful, there is a better way. This talk will walk through the process of how I used the scientific method to conduct the research that led to my 2011 insulin pump findings. By changing just a couple steps in our research, I think that we can bring more outside credibility to our hard, and important work.



Return to Index      -     

 

DEFCON - Track 4 - Friday - 14:00-14:45


How we created the first SHA-1 collision and what it means for hash security

Friday at 14:00 in Track 4

45 minutes | Demo, Tool

Elie Bursztein Anti-abuse research lead, Google

In February 2017, we announced the first SHA-1 collision. This collision combined with a clever use of the PDF format allows attackers to forge PDF pairs that have identical SHA-1 hashes and yet display different content. This attack is the result of over two years of intense research. It took 6500 CPU years and 110 GPU years of computations which is still 100,000 times faster than a brute-force attack.

In this talk, we recount how we found the first SHA-1 collision. We delve into the challenges we faced from developing a meaningful payload, to scaling the computation to that massive scale, to solving unexpected cryptanalytic challenges that occurred during this endeavor.

We discuss the aftermath of the release including the positive changes it brought and its unforeseen consequences. For example it was discovered that SVN is vulnerable to SHA-1 collision attacks only after the WebKit SVN repository was brought down by the commit of a unit-test aimed at verifying that Webkit is immune to collision attacks.

Building on the Github and Gmail examples we explain how to use counter-cryptanalysis to mitigate the risk of a collision attacks against software that has yet to move away from SHA-1. Finally we look at the next generation of hash functions and what the future of hash security holds

Elie Bursztein
Elie Bursztein leads Google's anti-abuse research, which helps protect users against Internet threats. Elie has contributed to applied-cryptography, machine learning for security, malware understanding, and web security; authoring over fifty research papers in the field. Most recently he was involved in finding the first SHA-1 collision.

Elie is a beret aficionado, tweets at @elie, and performs magic tricks in his spare time. Born in Paris, he received a Ph.D from ENS-cachan in 2008 before working at Stanford University and ultimately joining Google in 2011. He now lives with his wife in Mountain View, California.

@elie


Return to Index      -     

 

BHV - Pisa Room - Sunday - 13:00-13:29


Title: How your doctor might be trying to kill you and how personal genomics can save your life

Speaker: dlaw and razzies

About Jennifer Szkatulski:
Jennifer has been an information security professional for the past 20 years and is currently a Security Intelligence Analyst. Her experience includes reverse engineering malware, penetration testing, vulnerability analysis, and incident response. Jennifer studied biology and psychology and focused her studies on neurology. Her passion for brain science, coupled with computer science, has been a driving factor in her interest in the technological singularity and human/machine integration. In her free time she runs a robotics club for kids and is learning to play the ukulele. She is an avid fan of the Detroit Tigers, William Shakespeare, and the oxford comma.

About Darren Lawless:
Darren Lawless is a security analyst with 14+ years of plugging dykes and playing sentry. He currently leads the threat monitoring team for a large security services organization. His interest in all things *bio* has blossomed and intensified over the last couple years resulting in forays, experimentation, and investigation into nootropics, biofeedback, and augmentation, implantation, brain stimulation, and a sundry wet-tech bad-assedness.

“Genomics saved my life.†– Jen
“My father can rot in hell.†- Darren

How is personalized medicine important? Should I get a genomic test? Is the Illuminati collecting my data? What can I learn from genetic testing? What are the risks? How do I choose a test? Will my doctor hate me if I get a genetic test?
These questions won’t be answered in thirty minutes, but we offer grist for the discussion mill.
We will present two personal stories on how genomics can have a real effect on your medical treatment, your understanding of who you are, and how you live your life.



Return to Index      -     

 

Demolabs - Table 2 - Saturday - 12:00-13:50


https://crack.sh/

David Hulton

Ian Foster

Saturday from 1200-1350 at Table Two

Audience: Offense, Mobile, Hardware

Cracking DES has been doable for state actors for the past few decades, but most people don't have access to a supercomputer or $100k of dedicated hardware laying around. In 2012, Moxie Marlinspike and David Hulton released a service for Cloudcracker.com to provide this to the masses for 100% success rate cracking of MSCHAPv2 (PPTP VPNs & WPA-Enterprise). Since then Cloudcracker.com has vanished, but ToorCon has taken over and released https://crack.sh, with added features for cracking MSCHAPv1 (Windows Lanman/NTLMv1 login), Kerberos Authentication, and a general purpose interface for cracking other systems that still use DES. We will also be releasing a free real-time service for cracking DES (in ~3 seconds) with chosen-plaintext, providing a full break of Windows Lanman/NTLMv1 authentication and allow people to test their devices to see if they're doing proper WPA-Enteprise certificate checking.

https://crack.sh/

David Hulton
David Hulton organizes the ToorCon suite of conferences and has spent nearly 20 years doing security research mostly focused on reverse engineering and cracking crypto. He's mostly known for developing the bsd-airtools wireless attack tools in the early 2000's, developing and presenting the first practical attack on GSM a5/1 in 2008, and releasing a DES cracking service and tools to perform a full break of MSCHAPv2 authentication in 2012.

Ian Foster


Return to Index      -     

 

Night Life - Octavius 1&2 - Saturday - 22:00-26:00


Title:
Human Zoo

Spent the first part of the night in the room next door enjoying Whose Slide is it Anyway? Well, this is the after party for folks that want to keep the insanity going. Join us, and come be part of the Human Zoo!
Return to Index      -     

 

BHV - Pisa Room - Friday - 17:30-17:59


Title: Human-Human Interface

Speakers: Charles Tritt

About Charles:
Dr. Charles Tritt is a has been a professor of biomedical engineering for over 25 years. His academic credentials include a Ph.D. in chemical engineering and an M.S. in biomedical engineering. His teaching has ranged from introductory cell biology and genetics to biomedical mechatronics. Over the past several years, he has become interested in exploring the potential of hobbyist grade equipment as a vehicle to low cost and accessible medical devices and the corresponding ethical and legal implications.

Abstract:
In this demonstration, readily available and inexpensive (about $100 total cost) equipment will be used to relay conscious motor activity from one human subject to another. Specifically, transcutaneous electrodes and a bio-amplifier will be used to produce an electromyogram (EMG) signal from the lower arm of the controlling subject. This signal will be digitized and processed using an embedded microcontroller evaluation board (an Arduino UNO could also be used) which in turn will activate a relay to apply transcutaneous electrical nerve stimulation to the ulnar nerve of the controlled subject. Motions of the controlled subject’s fingers will involuntarily replicate those of the controlling subject.



Return to Index      -     

 

SKY - Verona/Tuin/Trevi - Promenade Level - Sunday - 10:00-10:59


Title:
HUMSEC (or how I learned to hate my phone)

1000 Sunday
amarok
@0x00amarok
HUMSEC (or how I learned to hate my phone)

I used to blog random security stuff, but now am talking directly to people at InfoSec cons instead. So like a crappy Richard Thieme talk, but maybe with a bit more tech and a few less aliens (but maybe some f*cking aliens). This time around, we're talking "Human Security" (no idea, srsly)

Return to Index      -     

 

PHV - Milano VIII - Promenade Level - Saturday - 17:10-17:30


Hunting Down the Domain Admin and Rob Your Network

Keith Lee, Senior Security Consultant at Trustwave SpiderLabs
Michael Gianarakis, Director of Trustwave SpiderLabs Asia-Pacific

Portia: it's a new tool we have written at SpiderLabs to aid in internal penetration testing test engagements. The tool allows you to supply a username and password that you have captured and cracked from Responder or other sources as well as an IP ranges, subnet or list of IP addresses. The tool finds its way around the network and attempts to gain access into the hosts, finds and dumps the passwords/hashes, reuses them to compromise other hosts in the network. In short, the tool helps with lateral movements in the network and automating privilege escalation as well as find sensitive data residing in the hosts.

Keith Lee (Twitter: @keith55) is a Senior Security Consultant with Trustwave's SpidersLabs Asia-Pacific. SpiderLabs is one of the world's largest specialist security teams, with over 100 consultants spread across North America, South America, Europe and the Asia Pacific. Keith Lee has presented in Hack In The Box, BlackHat Arsenal and PHDays.

Michael Gianarakis is the Director of Trustwave SpiderLabs' Asia-Pacific practice where he oversees the delivery of technical security services in the region. Michael has presented at various industry events and meetups including, Black Hat Asia, Thotcon, Rootcon, and Hack in the Box. Michael is also actively involved in the local security community in Australia where he is one of organizers of the monthly SecTalks meetup.


Return to Index      -     

 

DEFCON - Track 2 - Sunday - 10:00-10:30


I Know What You Are by the Smell of Your Wifi

Sunday at 10:00 in Track 2

20 minutes | Art of Defense, Demo, Tool, Audience Participation,

Denton Gentry Software Engineer

Existing fingerprinting mechanisms to identify client devices on a network tend to be coarse in their identification. For example they can tell it is an iPhone of some kind, or that it is a Samsung Android device of some model. They might look at DHCP information to know its OS, see if the client responds to SSDP, or check DNS-SD TXT responses.

By examining Wi-Fi Management frames we can identify the device much more specifically. We can tell a iPhone 5S from an iPhone 5, a Samsung Galaxy S8 from an S7, an LG G5 from a G4. This talk describes how the signature mechanism works.

Specifically identifying the client is the first step toward further scanning or analysis of that client's behavior on the network.

Denton Gentry
Denton Gentry is a software engineer who has worked at a lot of places and plans to work at a few more.


Return to Index      -     

 

ICS - ICS-Village - Saturday - 14:30-15:59


ICS SCADA Forensics workshop/challenge - Joe Stirlandand Kevin Jones
Title: ICS SCADA Forensics workshop/challenge

The ICS PCAP challenge is designed to utilise network forensics skills to analyse a baseline and an attack network pcap taken from an ICS network, in order to identify why a PLC has ceased working. The timescale for analysis is limited, as we need to replace the PLC within an hour max, and we have to be certain that the attack has been identified correctly in order to prevent future similar attack methods. The analysis will take 1 hour and a brief description of findings and conclusion is to be presented at the end. The participants will require network analysis tools such as: Wireshark, TCPDump and TShark, GREP, etc. however a copy of Kali will provide all of these tools.


Bio: Joe Stirlandand Kevin Jones

No BIO available


Return to Index      -     

 

DEFCON - Track 3 - Saturday - 11:00-11:45


If You Give a Mouse a Microchip... It will execute a payload and cheat at your high-stakes video game tournament

Saturday at 11:00 in Track 3

45 minutes | Demo

skud (Mark Williams) Embedded Software Engineer

Sky (Rob Stanley) Security Software Engineer, Lead

The International, a recent esports tournament, had a 20 million dollar prize pool with over five million people tuned in to the final match. The high stakes environment at tournaments creates an incentive for players to cheat for a competitive advantage. Cheaters are always finding new ways to modify software, from attempting to sneak executables in on flash drives, to using cheats stored in Steam's online workshop which bypasses IP restrictions.

This presentation describes how one can circumvent existing security controls to sneak a payload (game cheat) onto a target computer. Esports tournaments typically allow players to provide their own mouse and keyboard, as these players prefer to use specific devices or may be obligated to use a sponsor branded device. These "simple" USB input devices can still be used to execute complex commands on a computer via the USB Human Interface Device (HID) protocol.

Our attack vector is a mouse with an ARM Cortex M series processor. The microcontroller stores custom user profiles in flash memory, allowing the mouse to retain user settings between multiple computers. We modify the device's firmware to execute a payload delivery program, stored in free space in flash memory, before returning the mouse to its original functionality. Retaining original functionality allows the mouse to be used discreetly, as it is an "expected" device at these tournaments. This concept applies to any USB device that uses this processor, and does not require obvious physical modifications.

This delivery method has tradeoffs. Our exploit is observable, as windows are created and in focus during payload delivery. The advantage to this approach is that it bypasses other security measures that are commonly in place, such as filtered internet traffic and disabled USB mass storage.

skud (Mark Williams)
Mark Williams is an embedded software engineer with experience in robotics and computer vision. His interest in embedded systems security and research builds off of a love for DIY projects, microcontrollers, and breaking things.

@skudmunky

Sky (Rob Stanley)
Rob Stanley is a lead security software engineer with a background in reverse engineering. He enjoys working with low-level software, taking things apart and putting them back together, and malware analysis. Lately, he has turned his passion towards sharing his knowledge by teaching, and authoring CTF challenge problems.


Return to Index      -     

 

IOT - Main Contest Area - Saturday - 14:40-15:30



Return to Index      -     

 

BHV - Pisa Room - Friday - 13:30-13:59


Title: Implants: Show and Tell

Speaker: c00p3r

About c00p3r:
c00p3r is the founder of dangerousminds.io a biohacking. grinding, implantable tech, and network security podcast that started in late sept 2016 , a sysadmin that lives open source solutions by trade, and also pr director and member of the board of directors for prophase biostudios located in austin texas.

Abstract:
Through sharing experiences learned first hand and through work on the Dangerous Minds Podcast, c00p3r will be introducing you to implantable technology, explaining the basic products that are available on the market now, from where, as well as provide a show and tell experience of what it is like to become one of the augmentives. Come to learn, and stay to laugh and become a part of this new world of cyborgs.



Return to Index      -     

 

ICS - Octavius 6 - Friday - 14:30-18:30


Title: Industrial Control System Security 101 and 201- SOLD OUT

This 4-hour session is designed to arm incident response teams and security researchers with vital skills needed to monitor, analyze and respond to attacks against the unique networks that make up the backbone of the world's critical infrastructure. With recent attacks on critical infrastructure demonstrating the real and present danger to ICS networks, it is more important than ever to hone these skills and reduce the blind spots that exist for security teams. Understanding the inner workings of these networks, their unique protocols and the methods adversaries will employ to disrupt (including using legitimate commands to ICS network components) is of paramount importance as we witness an increasingly active threat landscape unfolding.

The workshop is composed of two, 2-hour sessions of ICS Fundamentals 101 and ICS Advanced 201. The two sessions step both the novice and intermediate skilled participant through the risks and mitigations of critical infrastructure and control system security.

The participant will use open source and trial editions of RexDraw, PeakHMI, NRL Core, Kali Linux, Python and Raspberry PIs.

The instructors will also perform demonstrations using real industrial devices. Participants will learn the ICS fundamentals and the value of technical, operational and physical security controls within ICS environments.

ICS 101 will guide the participants through the elements of ICS technical components (hardware, software, logic and protocols) through reversing engineering a bottling facility and a traffic light. The participants will learn about physical I/O, functional logic, industrial protocols and user interface design using the philosophy of build, break and secure. The participants will reverse a pre-built HMI user interface, OPC tag server and functional logic; break using industrial protocols overrides, MitM modifications and logic manipulations; secure using social, communication, application/os, firmware and hardware controls.

ICS 201 will teach students how to understand the content of network packet captures across a wide variety of proprietary ICS protocols. Using this understanding, we will explore in-depth the attacks and defenses demonstrated in ICS 101 to associate the value of active defense.

Participants will learn how to utilize WireShark to perform a deep packet analysis on multiple PCAPs ranging from simple to complex. Students will be taught the fundamental skills necessary for performing blind protocol analysis on proprietary ICS protocols, and learn how to create custom rules for specific addresses within the packets as well as ICS vendor specific commands. This analysis will give insight into the attacks performed, the elements manipulated and valuable tools available to actively defend the environment. Participants will gain in-depth understanding of industrial protocols and their complexity as well as detailed explanation of "behind the scenes" of ICS operations. When leaving this workshop, participants will be able to capture, and analyse industrial communication flows originating from different network segments using open source tooling (e.g. Snort, Wireshark, etc), and how to identify potential anomalous network traffic.

Prerequisites: Experience with Linux and Windows operating system administration. Experience with TCP/IP networking. Experience with Kali Linux.

Materials: A laptop with at least one USB port, 40GB of unused hard disk space, minimum of Intel i3 processor, most recent VMWare Player or equivalent VMWare product. Local administrator rights on the laptop, ability to turn off anti-virus software.


Bio: Matthew E. Luallen

Matthew Luallen is the Executive Inventor at CYBATI, a cybersecurity education company. Mr. Luallen has provided hands-on cybersecurity consulting and education within critical infrastructure for over 20 years. During this time he has owned and sold 3 companies, developed and educated upon cybersecurity products and technical assessment methodologies, maintained CISSP and CCIE status for 16 years. Mr. Luallen's passion is education and to expand knowledge through building, breaking, securing and making.


Bio: Nadav Erez

Nadav Erez is a Senior Researcher at Claroty's Research team, leading OT protocol analysis, reverse engineering and blind protocol reconstruction. Prior to joining Claroty, Nadav served in an elite cyber unit in the Israel Defense Forces (IDF) Intelligence corps, where he led a team of cybersecurity researchers in various operations.

Return to Index      -     

 

Workshops - ( Sold Out ) - Octavius 6 - Friday - 14:30-18:30


Industrial Control System Security 101 and 201

Friday, 14:30 to 18:30 in Octavius 6

Matthew E. Luallen Executive Inventor, CYBATI

Nadav Erez Senior Researcher, Claroty's Research team

This 4-hour session is designed to arm incident response teams and security researchers with vital skills needed to monitor, analyze and respond to attacks against the unique networks that make up the backbone of the world's critical infrastructure. With recent attacks on critical infrastructure demonstrating the real and present danger to ICS networks, it is more important than ever to hone these skills and reduce the blind spots that exist for security teams. Understanding the inner workings of these networks, their unique protocols and the methods adversaries will employ to disrupt (including using legitimate commands to ICS network components) is of paramount importance as we witness an increasingly active threat landscape unfolding.

The workshop is composed of two, 2-hour sessions of ICS Fundamentals 101 and ICS Advanced 201. The two sessions step both the novice and intermediate skilled participant through the risks and mitigations of critical infrastructure and control system security.

The participant will use open source and trial editions of RexDraw, PeakHMI, NRL Core, Kali Linux, Python and Raspberry PIs.

The instructors will also perform demonstrations using real industrial devices. Participants will learn the ICS fundamentals and the value of technical, operational and physical security controls within ICS environments.

ICS 101 will guide the participants through the elements of ICS technical components (hardware, software, logic and protocols) through reversing engineering a bottling facility and a traffic light. The participants will learn about physical I/O, functional logic, industrial protocols and user interface design using the philosophy of build, break and secure. The participants will reverse a pre-built HMI user interface, OPC tag server and functional logic; break using industrial protocols overrides, MitM modifications and logic manipulations; secure using social, communication, application/os, firmware and hardware controls.

ICS 201 will teach students how to understand the content of network packet captures across a wide variety of proprietary ICS protocols. Using this understanding, we will explore in-depth the attacks and defenses demonstrated in ICS 101 to associate the value of active defense.

Participants will learn how to utilize WireShark to perform a deep packet analysis on multiple PCAPs ranging from simple to complex. Students will be taught the fundamental skills necessary for performing blind protocol analysis on proprietary ICS protocols, and learn how to create custom rules for specific addresses within the packets as well as ICS vendor specific commands. This analysis will give insight into the attacks performed, the elements manipulated and valuable tools available to actively defend the environment. Participants will gain in-depth understanding of industrial protocols and their complexity as well as detailed explanation of "behind the scenes" of ICS operations. When leaving this workshop, participants will be able to capture, and analyse industrial communication flows originating from different network segments using open source tooling (e.g. Snort, Wireshark, etc), and how to identify potential anomalous network traffic.

Prerequisites: Experience with Linux and Windows operating system administration. Experience with TCP/IP networking. Experience with Kali Linux.

Materials: A laptop with at least one USB port, 40GB of unused hard disk space, minimum of Intel i3 processor, most recent VMWare Player or equivalent VMWare product. Local administrator rights on the laptop, ability to turn off anti-virus software.

Max students: 36 | Registration: https://dc25_luallen.eventbrite.com (Sold out!)

Matthew E. Luallen
Matthew Luallen is the Executive Inventor at CYBATI, a cybersecurity education company. Mr. Luallen has provided hands-on cybersecurity consulting and education within critical infrastructure for over 20 years. During this time he has owned and sold 3 companies, developed and educated upon cybersecurity products and technical assessment methodologies, maintained CISSP and CCIE status for 16 years. Mr. Luallen's passion is education and to expand knowledge through building, breaking, securing and making.

Nadav Erez
Nadav Erez is a Senior Researcher at Claroty's Research team, leading OT protocol analysis, reverse engineering and blind protocol reconstruction. Prior to joining Claroty, Nadav served in an elite cyber unit in the Israel Defense Forces (IDF) Intelligence corps, where he led a team of cybersecurity researchers in various operations.


Return to Index      -     

 

Night Life - Turin, Promenade Level - Friday - 22:00-27:00


Title:
INFOSEC UNLOCKED

INFOSEC UNLOCKED will be hosting a safe and fun board game party for DEF CON attendees. We will provide the space, light refreshments and network opportunities --all we need is you! Come learn about what it takes to become a conference speaker; no experience required and ALL are welcome! More details at https://isunlocked.com/dc25party !! InfoSec Unlocked is all about diversity and inclusion in Information Security. If you're part of an underrepresented group, or want to help out those who are underrepresented within our field. Join us for good times, and good discussions, at InfoSec Unlocked.
Return to Index      -     

 

CHV - Village Talks Outside Contest Area, Pool Level - Saturday - 13:00-13:59


Insecure By Law

No description available


Return to Index      -     

 

DEFCON - Track 1 - Thursday - 15:00-15:45


Inside the "Meet Desai" Attack: Defending Distributed Targets from Distributed Attacks

Thursday at 15:00 in 101 Track

45 minutes | Art of Defense

CINCVolFLT (Trey Forgety) Director of Government Affairs & IT Ninja, NENA: The 9-1-1 Association

In October of 2016, a teenage hacker triggered DTDoS attacks against 9-1-1 centers across the United States with five lines of code and a tweet. This talk provides an in-depth look at the attack, and reviews and critiques the latest academic works on TDoS attacks directed at 9-1-1 systems. It then discusses potential mitigation strategies for legacy TDM and future all-IP access networks, as well as disaggregated "over-the-top" originating services and the devices on which both the access network providers and originating service providers rely.

CINCVolFLT (Trey Forgety)
CINCVolFLT (Trey Forgety) is Director of Government Affairs for NENA: The 9-1-1 Association. He previously served as a Presidential Management Fellow in the U.S. Department of Homeland Security's Office of Emergency Communications, with rotations in the Federal Communications Commission's Public Safety and Homeland Security Bureau, and the U.S. Department of Commerce's National Telecommunications and Information Administration. A sometimes-piratical sailor and inveterate tinkerer, CINCVolFLT's recent activities have included promoting the use of new location technologies in wireless carriers' networks, and serving as pro bono counsel to QueerCon. He holds a B.S. in Applied Physics and a J.D., both from the University of Tennessee (GO VOLS!).

@cincvolflt


Return to Index      -     

 

IOT - Main Contest Area - Friday - 10:00-10:50



Return to Index      -     

 

IOT - Main Contest Area - Sunday - 10:00-10:50



Return to Index      -     

 

RCV - Palermo room, Promenade level - Friday - 15:40-16:25


Into the Bird’s Nest: A Comprehensive Look at Twitter as a Research Tool

Abstract

With 313 million active users and approximately 500 million Tweets sent per day, Twitter has plenty of low-hanging fruit ripe for OSINT picking. Learn from an experienced information professional how to craft advanced searches to retrieve data from this popular social media platform. Understand the search commands that Twitter uses, tips and techniques for extracting data, examine some of the lesser-known features of Twitter, and get a glimpse of some of the resources that work in conjunction with Twitter to help you better organize all the information you will retrieve.

While you may know how to write scripts and scrape data from Twitter, this session will focus on the GUI which can retrieve much older data. This session is not how to Tweet better, get more likes, or even how to get verified. This is all about searching for and extracting information from Twitter and its associated sites. You will come away from this session with a better understanding of how to use Twitter as a research tool.

Speaker Profile

Tracy Z. Maleeff (@InfoSecSherpa) left behind the glamorous world of law firm librarianship to seek out the white-hot spotlight of the information security industry. She is a newly-minted Cyber Analyst at GSK (GlaxoSmithKline.) Before that, Tracy started an independent research consulting business in 2016 called Sherpa Intelligence, and provided competitive intelligence, news monitoring, and social media management services. She earned a Master of Library and Information Science degree from the University of Pittsburgh.

Tracy was recognized with the Wolters Kluwer Law & Business Innovations in Law Librarianship Award in 2016 and the Dow Jones Innovate Award in 2014. Tracy is your guide up a mountain of information! Her Digital Portfolio can be viewed online here: https://sherpaintel.wordpress.com/portfolio/


Return to Index      -     

 

RCV - Palermo room, Promenade level - Saturday - 16:00-17:59


Intro to OSINT: Zero on the way to Hero

Abstract

OSINT can be ones worst enemy or best friend, depending on what angle the person is looking at it from. This introduction level workshop will start out discussing the basis of OSINT then transition into applicable use case scenarios. Once we have a sound foundation in OSINT, we’ll start to work on some collection considerations and techniques.

In terms of tools used in this presentation, the list is somewhat fluid based upon the advancement of other tools, social media platforms, or other variables. Tools intended to be highlighted are: OSINTFramework.com, Inteltechniques.com, Buscador Linux, Recon-ng, Datasploit, APIs (Twitter and possibly Facebook; maybe others), haveibeenpwned. Cree.py, whois, persona generator, and others.

Depending on your position, this talk with either arm you with the right tools to build better OSINT engagements, whether for phishing or other investigations or educate you on steps you can take to better secure yourself.

Detailed talk outline : Hour 1

Speaker Profile

Joe Gray (@C_3PJoe) joined the U.S. Navy directly out of High School and served for 7 years as a Submarine Navigation Electronics Technician. Joe is an Enterprise Security Consultant at Sword & Shield Enterprise Security in Knoxville, TN. Joe also maintains his own Blog and Podcast called Advanced Persistent Security. In his spare time, Joe enjoys reading news relevant to information security, attending information security conferences, contributing blogs to various outlets, bass fishing, and flying his drone. He is currently progressing his DFIR skills through Data Carving and Malware Analysis and Reverse Engineering.

I have spoken/presented at the following (All 2017):, BSides Hunstville (Last minute alternate), (ISC)² Atlanta, BSides Indy, (ISC)² Middle TN, Infosec Southwest , BSides Nashville, BSides Charm (Baltimore), BSides Knoxville, BSides Cincy, Dc865 (Knoxville TN Defcon chapter).

Here are some links to my talks:


Return to Index      -     

 

DEFCON - Track 3 - Saturday - 17:00-17:45


Introducing HUNT: Data Driven Web Hacking & Manual Testing

Saturday at 17:00 in Track 3

45 minutes | Demo, Tool

Jason Haddix Head of Trust and Security @ Bugcrowd

What if you could super-charge your web hacking? Not through pure automation (since it can miss so much) but through powerful alerts created from real threat intelligence? What if you had a Burp plugin that did this for you? What if that plugin not only told you where to look for vulns but also gave you curated resources for additional exploitation and methodology? What if you could organize your web hacking methodology inside of your tools? Well, now you do! HUNT is a new Burp Suite extension that aims to arm web hackers with parameter level suggestions on where to look for certain classes of vulnerabilities (SQLi, CMDi, LFI/RFI, and more!). This data is parsed from hundreds of real-world assessments, providing the user with the means to effectively root out critical issues. Not only will HUNT help you assess large targets more thoroughly but it also aims to organize common web hacking methodologies right inside of Burp suite. As an open source project, we will go over the data driven design of HUNT and it's core functionality.

Jason Haddix
Jason is the Head of Trust and Security at Bugcrowd. Jason trains and works with internal security engineers to triage and validate hardcore vulnerabilities in mobile, web, and IoT applications/devices. He also works with Bugcrowd to improve the security industries relations with the researchers. Jason's interests and areas of expertise include mobile penetration testing, black box web application auditing, network/infrastructure security assessments, and static analysis. Jason lives in Santa Barbara with his wife and three children. Before joining Bugcrowd Jason was the Director of Penetration Testing for HP Fortify and also held the #1 rank on the Bugcrowd leaderboard for 2014.

@jhaddix

Contributor Acknowledgement:
The Speaker would like to acknowledge the following for their contribution to the presentation.

JP Villanueva is a Trust & Security Engineer at Bugcrowd. Before Bugcrowd, JP spent 2 years as an Application Security Engineer and another 2 years as a Solutions Architect at WhiteHat Security helping customers become more secure. JP has also presented at OWASP and Interop DarkReading events. In his free time, JP enjoys playing classic video games and hacking on bug bounty programs.

Fatih is an Application Security Engineer at Bugcrowd and Bug Hunter located in Istanbul/Turkey. Before Bugcrowd, he was a security consultant at InnoveraBT and performed penetration testing for clients including government, banks, trade, and finance companies. His expertise includes network, web applications, mobile security assessments, and auditing. He also holds OSCP, OSCE, GWAPT certifications.

Ryan Black is the Director of Technical Operations at Bugcrowd where he heads strategy and operations for the Application Security Engineering team. This group reviews and validates tens of thousands of vulnerability reports to bug bounty programs.

Prior to joining Bugcrowd, Ryan developed and led the static analysis and code review team for HP Fortify on Demand, later expanding to DevOps tooling and integrations for the enterprise. He has also held various InfoSec and technology positions at companies such as Aflac and Apple in the last decade. In addition to professional experience, he holds several industry certifications and participates in a variety of open source software projects and initiatives. On personal time he enjoys coding, gaming, various crafts, and nature activities with his wife, two kids, and three dogs.

Vishal Shah is an Application Security Engineer specializing in web and mobile security at Bugcrowd. Prior to Bugcrowd, Vishal spent time as a Security Consultant with Cigital hacking and building automation for hackers. In his free time, Vishal enjoys working out, CTFs, and playing video games.


Return to Index      -     

 

PHW - Neopolitan BR IV - Promenade Level - Friday - 19:00-20:30


Introducing Mallet: An Intercepting Proxy for Arbitrary Protocols


Dane Goodwin

When it comes to HTTP interception, the tools of the trade are excellent. However, setting up an intercepting proxy for protocols other than HTTP can be time consuming and difficult. To address this gap, we've created a new proxy, which allows you to define a new protocol on the fly using Netty's built-in protocol encoders and decoders, as well as being able to create your own using the existing Netty libraries. Once defined, you can interact with the objects in real-time, modifying objects and properties as you see fit.
 This workshop will give you hands on experience with our new proxy.

Dane Goodwin (Twitter: @@dane_goodwin) has worked as a pentester for ~4 years, after deciding a career in development wasn't for him. He's presented some coolness at ZaCon, BSides Cape Town, and BlackHat Arsenal 2016. While not cycling, he currently spends his time learning all things SDR.



Return to Index      -     

 

VMHV - Roman 1, Promenade Level - Friday - 11:00-11:45


Title:
Introduction into hacking the equipment in the village.

Title: Introduction into hacking the equipment in the village


Sandy Clark Bio
Sandy Clark
Ph.D Student, Computer Science, University of Pennsylvania

Sandy Clark is a graduate Student(Ph.D.) in computer and information science at the University of Pennsylvania. Her research focuses on computer security and privacy, with an emphasis on computer security as an ecosystem. Much of her work explores solutions to computer security problems from non-traditional disciplines. She also focuses on software security, user and data privacy, anonymity, computer human interaction, ethics, and cybercrime, malware evolution and the security arms race. Most recently, her works have also focused on the interaction of technology with law, governmental regulation, and international affairs.

Harri Hursti bio
Harri Hursti, Subject Matter Expert & Co-founder of ROMmon

Matt Blaze bio
Matt Blaze, Cryptographer & Associate Professor of Computer & Information Science at University of Pennsylvania

Matt Blaze is a professor at the University of Pennsylvania, where he directs the Distributed Systems Lab and conducts research in security, privacy, surveillance, cryptography, scale, and the relationship between technology and public policy. His work has included the discovery of fundamental flaws in the Clipper chip and other surveillance systems, foundational work in network security, file encryption, trust management and two way radio security, and security evaluations of major electronic voting systems in used in the US.

Mr. Harri Hursti, Founding Partner Nordic Innovation Labs, is a world-renowned data security expert, internet visionary and serial entrepreneur. He began his career as the prodigy behind the first commercial, public email and online forum system in Scandinavia. He founded his first company at the age of 13 and went on to cofound EUnet-Finland in his mid- 20’s. Today, Harri continues to innovate and find solutions to the world’s most vexing problems. He is among the world’s leading authority in the areas of election voting security and critical infrastructure and network system security.

Return to Index      -     

 

PHW - Neopolitan BR IV - Promenade Level - Sunday - 13:00-14:30


Introduction to 802.11 Packet Dissection

Megumi Takeshita, aka Packet Otaku, Ikeriri Network Service Co.,Ltd.

Have you ever wanted to capture, filter, examine, visualize, decrypted and followed sequences of 802.11 packets? This workshop demonstrates a typical and basic work flow of wireless packet analysis. This workshop will cover basic wireless packet analysis, using Wireshark, to examine the internals of 802.11 frames including the Radiotap header, looking at the importance and meaning of the fields, mark packets and understand processes of the link layer, input the decryption key for WPA2 to explore WPA2-PSK frames and how to create graphs to visualize the stats of a wireless network.

Megumi Takeshita, or Packet Otaku (Twitter: @ikeriri) runs a packet analysis company, Ikeriri Network Service, after having worked at BayNetworks and Nortel Networks in Japan. Ikeriri Network Service is a reseller of many wired/wireless capture and analysis devices and software for Riverbed, Metageek, Profitap, Dualcomm etc. Megumi has authored 18+ books about Wireshark and packet analysis in Japanese. She is a contributor to the Wireshark project and has presented multiple times at SharkFest, Interopt Tokyo and other conferences.


Return to Index      -     

 

PHW - Neopolitan BR IV - Promenade Level - Saturday - 14:30-15:59


Introduction to 802.11 Packet Dissection

Megumi Takeshita, aka Packet Otaku, Ikeriri Network Service Co.,Ltd.

Have you ever wanted to capture, filter, examine, visualize, decrypted and followed sequences of 802.11 packets? This workshop demonstrates a typical and basic work flow of wireless packet analysis. This workshop will cover basic wireless packet analysis, using Wireshark, to examine the internals of 802.11 frames including the Radiotap header, looking at the importance and meaning of the fields, mark packets and understand processes of the link layer, input the decryption key for WPA2 to explore WPA2-PSK frames and how to create graphs to visualize the stats of a wireless network.

Megumi Takeshita, or Packet Otaku (Twitter: @ikeriri) runs a packet analysis company, Ikeriri Network Service, after having worked at BayNetworks and Nortel Networks in Japan. Ikeriri Network Service is a reseller of many wired/wireless capture and analysis devices and software for Riverbed, Metageek, Profitap, Dualcomm etc. Megumi has authored 18+ books about Wireshark and packet analysis in Japanese. She is a contributor to the Wireshark project and has presented multiple times at SharkFest, Interopt Tokyo and other conferences.


Return to Index      -     

 

Workshops - ( Sold Out ) - Octavius 6 - Thursday - 10:30-14:30


Introduction to Cryptographic Attacks

Thursday, 10:30 to 14:30 in Octavius 6

Matt Cheung

Cryptography can seem like a mysterious black box making attacks even more mysterious. Introduction to Cryptographic Attacks is for those who have no experience with cryptographic attacks and how they work. In this workshop you will learn how simple some of these attacks are, and you will build a foundation in cryptographic primitives and potential weak points of real world systems.

The workshop will lead attendees through CTF style crypto challenges that illustrate critical cryptographic weaknesses. I recommend coming prepared with a Python environment and the following modules: cryptography or PyCrypto, gmpy2 (requires installing gmp), and requests.

Prerequisites: None, though some moderate math and programming experience is useful.

Materials: Laptop installed with Python as I will have some code snippets to help with the exercises.

Max students: 30 | Registration: https://dc25_cheung.eventbrite.com (Sold out!)

Matt Cheung
Matt Cheung started developing his interest in cryptography during an internship in 2011. He worked on implementation of a secure multi-party protocol by adding elliptic curve support to an existing secure text pattern matching protocol. Implementation weaknesses were not a priority and this concerned Matt. This concern prompted him to learn about cryptographic attacks from Dan Boneh's crypto 1 course offered on Coursera and the Matasano/cryptopals challenges. From this experience he has given talks and workshops at the Boston Application Security Conference and the DEF CON Crypto and Privacy Village.


Return to Index      -     

 

Workshops - ( Sold Out ) - Octavius 6 - Thursday - 14:30-18:30


Introduction to Practical Network Signature Development for Open Source IDS

Thursday, 14:30 to 18:30 in Octavius 6

Jack Mott Researcher, Proofpoint

Jason Williams Researcher, Proofpoint

"In "Introduction to Practical Network Signature Development for Open Source IDS" we will teach expert methods and techniques for writing network signatures to efficiently detect the greatest threats facing organizations today. This class is designed for an analyst who spends their days investigating and responding to network IDS alerts and has something everyone can take back with them-- entry level or expert. Students will gain invaluable information and knowledge including usage, theory, malware traffic analysis fundamentals, and enhanced signature writing, for Open Source IDS such as Suricata and Snort. Student will be given handouts to help them develop and read with IDS signatures. Lab exercises will train students how to analyze and interpret hostile network traffic into agile IDS rules for detecting threats, including but not limited to: Exploit Kits, Ransomware, Phishing Attacks, Crimeware Backdoors, Targeted Threats, and more. Students will leave the class armed with the knowledge of how to write quality IDS signatures for their environment, enhancing their organization's ability to respond and detect threats.

Prerequisites: Familiarity with TCP/IP, familiarity with packet analysis tools (Wireshark, etc), Basic Malware Analysis fundamentals.

Materials: Nothing required, but if the student wishes, they may bring a computer capable of analyzing PCAPs and running Snort or Suricata to follow along with the presentation. Labs are provided for after class / take home practice.

Max students: 30 | Registration: https://dc25_mott.eventbrite.com (Sold out!)

Jack Mott
Jack is a Security Researcher on the Emerging Threats Research team at Proofpoint where he spends all day long in packet-land playing with malware and writing comprehensive IDS rules for the ETPRO and OPEN ruleset. In addition to IDS sigs, writes sigs for ClamAV and Yara to hunt, detect, and analyze internet-borne threats. Jack loves analyzing exploit kits, malicious docs, and ransomware. Jack is a core member and trainer with the non-profit Open Information Security Foundation (OISF) and works closely with the developers of Suricata. Additionally, Jack has spoken at various educational institutions and information security conferences on malware related topics.

Jason Williams
Jason is a Security Researcher on the Emerging Threats Research team at Proofpoint where he flops around in a metaphorical ball pit of network packets all day and night. He works on the ETPRO and OPEN rulesets, having written over four thousand signatures. He loves turning malware inside out and fights phishers and scammers 24/7. Seriously. He hates em. I once saw him 360 noscope 3 at once. I'm getting off topic. Outside of his work automating phishing research, he also works on Red Onion - a Centos/Redhat centric NSM solution combining Suricata, Bro, and Moloch. Jason is a core member and trainer with the non-profit Open Information Security Foundation (OISF) and works closely with the developers of Suricata. Jason has trained at Derbycon and spoken at Thotcon as well as various educational institutes on forensic and malware related topics.


Return to Index      -     

 

ICS - ICS-Village - Friday - 11:30-11:59


Introduction to the ICS Wall - Tom Van Norman
Title: Introduction to the ICS Wall

No description available

Bio: Tom Van Norman

No BIO available


Return to Index      -     

 

Workshops - ( Sold Out ) - Octavius 5 - Friday - 10:30-14:30


Introduction to x86 disassembly

Friday, 10:30 to 14:30 in Octavius 5

DazzleCatDuo

Jumping into the world of disassembly can be incredibly intimidating and quite painful. This talk aims to introduce disassembly by walking through how to recognize basic logic flows and data structures in assembly. We'll look at locating common flow controllers such as if/else/loops/switch cases, as well as data structures. The talk will specifically address static disassembly using IDA, looking at c compiled to x86_32, but the principles can be applied to any other language and assembly architecture. x86, is one of the most common assembly architectures, and incredibly useful for security engineers to understand. x86 is the assembly architecture running almost all Mac, Windows, and Linux computers.

Prerequisites: Students must have a basic coding knowledge, and understand what if/else/loops/switches logically do, in any coding language.

Materials: Please bring a laptop with Virtual Box (latest version) and at least 20 gigs of free disk space. VM's with examples and tools will be distributed in class via USB sticks.

Max students: 90 | Registration: https://dc25_dazzlecatduo.eventbrite.com (Sold out!)

DazzleCatDuo
The DazzleCatDuo are both security engineers who specialize in x86 research.


Return to Index      -     

 

IOT - Main Contest Area - Friday - 16:10-16:59



Return to Index      -     

 

BHV - Pisa Room - Saturday - 13:30-13:59


Title: IoT of Dongs

Speaker: RenderMan


About RenderMan:
Canadian born and raised. He hacks banks during the day and other random things at night (currently sex toys). His interests are very diverse and people seem to like to hear about his work as much as he enjoys sharing it. This has allowed him to speak at conferences and events all over the world and even change it a few times.
Often near infosec news or causing it himself, he can be found on twitter at @ihackedwhat and @internetofdongs

Abstract:
Among ‘Internet of Things’ security research, there is one branch that no one has wanted to touch, until now: The Internet of Dongs. Internet connected sex toys in all shapes, sizes and capabilities are available on the market with many more being developed. Like many IoT devices, IoD devices suffer a great many security and privacy vulnerabilities. These issues are all the more important when you consider the private and intimate nature of these devices. To research this, the Internet of Dongs project was founded (https://internetofdon.gs).
This talk will explore this under researched branch of IoT and the security and privacy threats that exist. It will also cover the IoD projects efforts to bring information security best practices to the adult toy industry.



Return to Index      -     

 

IOT - Main Contest Area - Saturday - 23:30-24:20



Return to Index      -     

 

IOT - Main Contest Area - Friday - 23:30-24:20



Return to Index      -     

 

PHV - Milano VIII - Promenade Level - Friday - 15:10-15:59


IP Spoofing

Marek Majkowski, Cloudflare

At Cloudflare we deal with DDoS attacks every day. Over the years, we've gained a lot of experience in defending from all different kinds of threats. We have found that the largest attacks that cause the internet infrastructure to burn are only possible due to IP spoofing.

In this talk we'll discuss what we learned about the L3 (Layer 3 OSI stack) IP spoofing. We'll explain why L3 attacks are even possible in today's internet and what direct and reflected L3 attacks look like. We'll describe our attempts to trace the IP spoofing and why attack attribution is so hard. Our architecture allows us to perform most attack mitigations in software. We'll explain a couple of effective L3 mitigation techniques we've developed to stop our servers burning.

While L3 attacks are a real danger to the internet, they don't need to be. With a bit of cooperation and couple of technical tricks maybe we can fix the IP spoofing problem for all.

Marek Majkowski (Twitter: @majek04). After fruitful encounters with such diverse topics as high performance key value databases, distributed queueing systems, making real time web communication enjoyable, and accelerating the time so that testing servers and protocols takes seconds, Marek Majkowski finally settled for working on DDoS mitigation in the CloudFlare London office, where he appreciates most the parking space for his motorbike.


Return to Index      -     

 

PHV - Milano VIII - Promenade Level - Friday - 12:10-12:59


Iron Sights for Your Data

Leah Figueroa

Data breaches have become all too common. Major security incidents typically occur at least once a month. With the rise of both security incidents and full data breaches, blue teams are often left scrambling to put out fires and defend themselves without enough information. This is something that can be changed with the right tools. Tools now available allow blue teams to weaponize data and use it to their advantage. This talk reviews frameworks for clean, consistent data collection and provides an overview of how predictive analytics works, from data collection to data mining to predictive analytics to forecasts. The allows the blue team to focus on potential risks instead of trying to put out every fire.

Leah Figueroa (Twitter: @Sweet_Grrl) is a 13 year veteran of the data analytics field and works as a data analyst in higher education. She holds a Master's in Education, an ABD in research psychology, and taught kindergarten. A data aficionado, Leah focuses on research on improving students' outcomes at the higher education level, including focusing on both minority students issues as well as issues pertaining to students who come from a background of poverty. While not at work, Leah is interested in improving blue teams by helping bring data analytics into the team. Leah also enjoys being a fiber artist (knitter), loves cats, InfoSec, picking locks, cooking, and reading.


Return to Index      -     

 

SKY - Verona/Tuin/Trevi - Promenade Level - Sunday - 11:00-11:59


Title:
It’s Not Just the Elections!

1100 Sunday
Malware Utkonos
@MalwareUtkonos
It’s Not Just the Elections!

"Sofacy, APT28, Fancy Bear, or whatever one wishes to refer to them by, have been working overtime on meddling with elections. The first major news cycle election that came under attack was the 2016 US Presidential elections. Months later, the same group has set their sights on the 2017 French elections. It seems that election hacking has become a central danger to modern society. Unfortunately, it is not the only danger. Attacks by the same type of adversary that target individuals such as journalists and activists are just as dangerous, and in many ways more insidious. The greatest difficulty for targets like these is they don’t have SOCs, IR teams, threat intelligence teams, security engineers, or a CISO. Some of them may be fortunate to have non-profits looking after them if they get spear-phished. Others may even be working with private industry and vendors for assistance. Throughout this process, it can be difficult to interact with and effectively collect all the data needed to triage a phish and get information back to the individual about what it is and potentially who may be behind it.

The tool that we have developed has quite a boring name: “Help Site”. We didn’t want to name it something scary or cloak-and-dagger: what we’re working on has more that enough of that to go around. The long and short of it is we have developed a canned web server using Vagrant and open source software that allows journalists, activists, dissidents, and others who are under attack to safely report phishing and malware attacks to organizations that can help them. In addition to the ability to submit components of an attack for analysis, there is a growing library of instructions for how to extract an email with full headers from a multitude of common email clients. In this talk, viewers will leave with an understanding of why such a system is needed to distance the attack surface and contain it, as well as some of the work that we did leading up to this project."

Return to Index      -     

 

RCV - Palermo room, Promenade level - Friday - 14:20-14:55


Keynote: It’s Going To Get Worse Before It Gets Better - The Future of Recon Data Mining

The OSINT and reconnaissance landscape is beginning to face some challenges. Current valuable sources such as open sourced lists are already facing offensive and malicious data poisoning. Privacy laws are creating barriers in many areas, and as court rulings are levying increasing fines for playing fast and loose with user data privacy. Social media companies are starting to realize that they actually need to start making profits, and are restricting their data.

Sites are aggressively combating web crawling, services like TOR and VPN face uncertain futures, the list of potential hurdles to the future of OSINT and recon seems grim. But fear not. There is still hope - and plenty of it. This presentation will discuss both the challenges and changes to both offensive and defensive reconnaissance that the presenter believes we will see in the future, and strategies that will help mitigate or enhance these changes.

Speaker Profile

Shane MacDougall tactical_intel is a two-time winner of the Defcon Social Engineering Capture The Flag, and has placed in the top three of the attack portion in every year of the contest’s existence. He is a principal partner in Tactical Intelligence, a boutique InfoSec consulting firm in Canada that specializes in social engineering, corporate information gathering, and red team attacks. Mr. MacDougall started in the computer security field in 1989 as a penetration tester with KPMG, and worked on the attacking side of the field until 2002, when he joined ID Analytics, the world’s largest anti-identity theft detection company as the head of information security. In 2011 he left the firm to start his own company. Mr. MacDougall has presented at several security conferences, including BlackHat EU, BSides Las Vegas, DerbyCon, LASCON, and ToorCon. He is currently doing research in the areas of integrating near-realtime OSINT into IDS/SIEM, as well as the generation of a real-time pre-text generator.


Return to Index      -     

 

DEFCON - Track 2 - Thursday - 12:00-12:45


Jailbreaking Apple Watch

Thursday at 12:00 in 101 Track 2

45 minutes | Demo

Max Bazaliy Security Researcher, Lookout

On April 24, 2015, Apple launched themselves into the wearables category with the introduction of Apple Watch. This June, at Apple's Worldwide Developer Conference, Apple announced that their watch is not only the #1 selling smartwatch worldwide by far, but also announced the introduction of new capabilities that will come with the release of watchOS 4. Like other devices, Apple Watch contains highly sensitive user data such as email and text messages, contacts, GPS and more, and like other devices and operating systems, has become a target for malicious activity.

This talk will provide an overview of Apple Watch and watchOS security mechanisms including codesign enforcement, sandboxing, memory protections and more. We will cover vulnerabilities and exploitation details and dive into the techniques used in creating an Apple Watch jailbreak. This will ultimately lead to a demonstration and explanation of jailbreaking an Apple Watch, showcasing how it can access important user data and applications.

Max Bazaliy
Max is a Security Researcher at Lookout with more than ten years of experience in areas as reverse engineering, software security, vulnerability research and advanced exploitation. Currently focusing on iOS exploitation, reverse engineering advanced mobile malware and hardware attacks. Max was a lead security researcher at Pegasus iOS malware investigation.

In the past few years, Max was a speaker on various security conferences, including BlackHat, CCC, DEF CON , Ruxcon, RSA and BSides.

Max holds a Masters degree in Computer Science and currently is PhD student at the National Technical University of Ukraine "Kyiv Polytechnic Institute" where he'working on dissertation in code obfuscation and privacy area.

@mbazaliy


Return to Index      -     

 

PHW - Neopolitan BR IV - Promenade Level - Friday - 17:00-18:30


Linux Lockdown: Jailing Programs with Linux Containers

Jay Beale, CTO and COO at InGuardians

Taught by Bastille Linux creator Jay Beale, this hands-on workshop will teach you to use Linux containers to better contain an attack on any program running on the system. You will be given a vulnerable program to protect, via a virtual machine that you can download beforehand. You will first compromise the application, then contain it and exploit it again. We'll discuss AppArmor, seccomp and SELinux, and you'll be able to download the virtual machines to try more advanced versions of this afterward. For purposes of ease, we'll use Docker, but you can take the concepts home and try them with LXC/LXD, runc, or another framework for managing containers. This workshop is being taught for the first time and provides one topic from the long-running Black Hat class, "Aikido on the Command Line.â€

Jay Beale (Twitter: @jaybeale and @inguardians) has been working in Linux security since 1999, when he began creating several defensive security tools, including Bastille Linux/UNIX and the CIS Linux Scoring Tool, both of which were used widely throughout industry and government. He has served as an invited speaker at many industry and government conferences, a columnist for Information Security Magazine, SecurityPortal and SecurityFocus, and a contributor to nine books, including those in his Open Source Security Series and the "Stealing the Network" series. He has been invited to speak at and chair conferences around the world. His first talk at Def Con was in 2000. Jay is a founder and both the CTO and Chief Operating Officer of the information security consulting company InGuardians.


Return to Index      -     

 

PHW - Neopolitan BR IV - Promenade Level - Saturday - 12:30-13:59


Linux Lockdown: Jailing Programs with Linux Containers

Jay Beale, CTO and COO at InGuardians

Taught by Bastille Linux creator Jay Beale, this hands-on workshop will teach you to use Linux containers to better contain an attack on any program running on the system. You will be given a vulnerable program to protect, via a virtual machine that you can download beforehand. You will first compromise the application, then contain it and exploit it again. We'll discuss AppArmor, seccomp and SELinux, and you'll be able to download the virtual machines to try more advanced versions of this afterward. For purposes of ease, we'll use Docker, but you can take the concepts home and try them with LXC/LXD, runc, or another framework for managing containers. This workshop is being taught for the first time and provides one topic from the long-running Black Hat class, "Aikido on the Command Line.â€

Jay Beale (Twitter: @jaybeale and @inguardians) has been working in Linux security since 1999, when he began creating several defensive security tools, including Bastille Linux/UNIX and the CIS Linux Scoring Tool, both of which were used widely throughout industry and government. He has served as an invited speaker at many industry and government conferences, a columnist for Information Security Magazine, SecurityPortal and SecurityFocus, and a contributor to nine books, including those in his Open Source Security Series and the "Stealing the Network" series. He has been invited to speak at and chair conferences around the world. His first talk at Def Con was in 2000. Jay is a founder and both the CTO and Chief Operating Officer of the information security consulting company InGuardians.


Return to Index      -     

 

DEFCON - Track 2 - Saturday - 13:00-13:45


Koadic C3 - Windows COM Command & Control Framework

Saturday at 13:00 in Track 2

45 minutes | Demo, Tool

Sean Dillon (zerosum0x0) Senior Security Analyst, RiskSense, Inc.

Zach Harding (Aleph-Naught-) Senior Security Analyst, RiskSense, Inc.

Koadic C3, or COM Command & Control, is a Windows post-exploitation tool similar to other penetration testing rootkits such as Meterpreter and Powershell Empire. The major difference is that Koadic does most of its operations using the Windows Script Host (a.k.a. JScript/VBScript), with compatibility in the core to support a default installation of Windows 2000 with no service packs (and potentially even versions of NT4) all the way through Windows 10.

An in-depth view of default COM objects will be provided. COM is a fairly underexplored, large attack surface in Windows. We will share lots of weird Windows scripting quirks with interesting workarounds we discovered during the course of development. Post exploitation with PowerShell has grown in popularity in recent years, and seeing what can be done with just the basic Windows Script Host is an interesting exploration. In addition, defenses against this type of tool will be discussed, as the Windows Script Host is more tightly coupled to the core of Windows than PowerShell is.

It is possible to serve payloads completely in memory from stage 0 to beyond, as well as use cryptographically secure communications over SSL and TLS (depending on what the victim OS has available). We also found numerous ways to "fork to shellcode" in an environment which traditionally does not provide such capabilities. This talk is based on original research by ourselves, as well as the previous amazing work of engima0x3, subTee, tiraniddo, and others.

Sean Dillon (zerosum0x0)
Sean Dillon is a senior security analyst at RiskSense, Inc. He has an established research focus on attacking the Windows kernel, and was the first to reverse engineer the DOUBLEPULSAR SMB backdoor. He is a co-author of the ETERNALBLUE Metasploit module and contributions to the project. He has previously been a software engineer in the avionics and insurance industries, and his favorite IDE is still GW-Basic on DOS.

https://twitter.com/zerosum0x0
https://zerosum0x0.blogspot.com
https://github.com/zerosum0x0

Zach Harding (Aleph-Naught-)
Zach Harding is a senior security analyst at RiskSense, Inc. Zach formerly served in the US Army as a combat medic. He, along with Sean Dillon and others, improved leaked NSA code to release the "ExtraBacon 2.0" Cisco ASA exploit package. He is an avid tester of every penetration tool he can get a hold of. You know the guy who's always looking for available public WiFi, or fiddling with a kiosk machine? That's Zach.

https://github.com/Aleph-Naught-


Return to Index      -     

 

Demolabs - Table 1 - Saturday - 12:00-13:50


LAMMA 1.0

Antriksh Shah

Ajit Hatti

Saturday from 1200-1350 at Table One

Audience: Cryptologist, crypt analysts, developers and testers, Block Chain and PKI Implements.

Last year we released LAMMA Beta at DEFCON, this year we are bringing the updated version of LAMMA with new modules for BlockChain Security Testing, auditing Trust stores, enhanced checks for source code analysis and logical flaws in crypto-coding. LAMMA 1.0 with new features & fixes makes crypto-testing more effective and smoother even for large scale implementations. You can use and enhance LAMMA 1.0, as it's a FREE and OPEN SOURCE.

http://www.securitymonx.com/products/lamma

Antriksh Shah
Antrksh is a Security Researchers from Goa. He is associated with null Open Security community and organizes Nullcon. His area of Interest are VAPT, Web app Security, Network Auditing and Forensics. Currently his research is focused on Security issues in Block Chain implementations and has contributed his work to enhance LAMMA.

Ajit Hatti
Ajit Hatti has been contributing on secure usage of cryptography from past 5 years and currently focusing on the security issues of BlockChain related Technologies. He is an author of LAMMA & GibberSense tools which help in securing crypto and PKI Implementatinos.

Ajit is founder of SecurityMonx and is also working in collaboration with Payatu on futuristic projects. He also co-founded Null Open Security Community and has worked with Symantec, Emerson, ZScaler, IBM and Bluelane as a Security Researcher.

Ajit has presented his work at BlackHat DEFCON Crypto-n-Privacy Village and organizes Nullcon in India. He loves to Run & Volunteer at BSides LV and organizes The World Run by Hackers.


Return to Index      -     

 

Wireless - Florentine BR I & II - Promenade Level - Saturday - 15:00-15:55


Alexander Zakharov

Bio

Alexander has over 25 years of experience in the Telecommunications, Information Technology and IT Security fields. He was responsible for the creation and deployment of solutions protecting networks, systems and information assets for a large number of organizations in both the private and public sectors. Alexander also managed numerous projects in the areas of Internet technologies, system integration, distributed computing, embedded designs, wired and wireless data and voice communications. He earned a Master of Science in Mechanics with Majors in Robotics, Cybernetics and Automated Control Systems, and holds the following key professional certifications in the IT Security field: CISSP, ISSAP, CAP, CEH, CISA, CISM, CRISK, PI, COBIT, EMCDSA, and ITIL.

@alftelsystems

Large Scale Wireless Monitoring - KISMET packet sniffer on a multi-radio array

Abstract

This presentation will walk audience through and explain recently developed Kismet features that greatly benefit multiple radio cards setup. Support for multiple devices allows smarter splitting across them, including separate discovery and tracking activities, as well as dedicating certain radios to targeted bands and channels ranges. Coming Kismet release (currently under development, slated to be released shortly) has new and very flexible configuration options targeting utilization of multiple sources of radio data during passive scan and tracking. Live presentation will use ALFTEL Systems Ltd. Airbud appliance with x8 radio cards setup and latest Kismet sniffer software.


Return to Index      -     

 

Night Life - Counsel Boardroom, Promenade Level - Saturday - 18:00-19:00


Title:
Lawyer Meetup

Attention all lawyers, law students, and judges: The DEF CON Lawyer Meetup is BACK! We'll be meeting Saturday the 29th at 6pm in the Counsel Boardroom on the Promenade Level. Join us for conversation and merriment, followed by dinner for those interested in extending the experience.

See you there!
Return to Index      -     

 

PHV - Milano VIII - Promenade Level - Friday - 16:10-16:59


Layer 8 and Why People are the Most Important Security Tool

Damon Small, Technical Director, Security Consulting at NCC Group North America

People are the cause of many security problems, but people are also the most effective resource for combating them. Technology is critical, but without trained professionals, it is ineffective. In the context two case studies, the presenter will describe specific instances where human creativity and skill overcame technical deficiencies. The presenter believes this topic to be particularly relevant for the Packet Hacking Village, as many techniques used are the same that are pertinent for Capture the Packet and Packet Detective.

Technical details will include the specific tools used, screenshots of captured data, and analysis of the malware and the malicious user's activity. The goal of the presentation is show the importance of technical ability and critical thinking, and to demonstrate that skilled people are the most important tool in an information security program.

Damon Small (Twitter: @damonsmall) began his career studying music at Louisiana State University. Pursuing the changing job market, he took advantage of computer skills learned in the LSU recording studio to become a systems administrator in the mid 1990s. Following the dotcom bust in the early 2000s, Small began focusing on cyber security. This has remained his passion, and over the past 17 years as a security professional he has supported infosec initiatives in the healthcare, defense, and oil and gas industries. In addition to his Bachelor of Arts in Music, Small completed the Master of Science in Information Assurance degree from Norwich University in 2005. As Technical Director for NCC Group, Small has a particular interest in research and business development in the Healthcare and Oil and Gas industries. His role also includes working closely with NCC consultants and clients in delivering complex security assessments that meet varied business requirements.


Return to Index      -     

 

SKY - Verona/Tuin/Trevi - Promenade Level - Saturday - 10:00-10:59


Title:
Lessons From An Incident Responder AKA, Stories Of When Shit Goes Sideways

1000 Saturday
John Ives
Lessons From An Incident Responder AKA, Stories Of When Shit Goes Sideways

With nearly 20 years in IT and with over 13 of them in security on an open academic network, I have seen many things go wrong. While most issues are run of the mill events, there have been a number of times things have gone horribly wrong. This talk will use several true anecdotes (though names and locations may be altered) that highlight some issues that are rarely anticipated and will cover all stages of the IR process. As a bonus, you may also hear other tales of disaster like difficult e-discovery requirements and maybe even a tail of 0-day mismanagement.

Return to Index      -     

 

Demolabs - Table 4 - Sunday - 10:00-11:50


Leviathan Framework

Utku Sen

Ozge Barbaros

Sunday from 1000-1150 at Table Four

Audience: Red teamers, penetration testers (Offensive)

Leviathan is a mass audit toolkit which has wide range service discovery, brute force, SQL injection detection and running custom exploit capabilities. It consists open source tools such masscan, ncrack, dsss and gives you the flexibility of using them with a combination.

The main goal of this project is auditing as many system as possible in country-wide or in a wide IP range.

Github page: https://github.com/leviathan-framework/leviathan A blog post about it's custom exploit feature: https://www.utkusen.com/blog/wide-range-detection-of-doublepulsar-implants-with-leviathan.html

Utku Sen
Utku Sen is a security engineer working for Sony. He is the author of ransomware honeypot projects such as Hidden Tear and EDA2 which are featured in Forbes and Business Insider. Utku is mostly focused on following areas: Web application security, network security, tool development and bug hunting. He also nominated for Pwnie Awards on "Best Backdoor" category in 2016."

Ozge Barbaros
Ozge Barbaros is a security tools senior developer at Sony. Previously, she worked as GNU/Linux system administrator and as software developer at several companies in Turkey and studied Computer Engineering at Canakkale Onsekiz Mart University. She is interested in developing free software technologies.


Return to Index      -     

 

Workshops - ( Sold Out ) - Octavius 1 - Friday - 10:30-14:30


Linux Lockdown: ModSecurity and AppArmor

Friday, 10:30 to 14:30 in Octavius 1

Jay Beale Co-Founder and COO, InGuardians

Taught by Bastille Linux creator Jay Beale, this hands-on workshop will teach you to use AppArmor to contain an attack on any program running on the system and to use ModSecurity to protect a web application from compromise. You will be given a vulnerable command line program and a vulnerable web application to protect, via a virtual machine that you can download beforehand. You will first compromise the application, then build up a defense and attempt your attack again. This workshop is being taught for the first time and provides two topics from the long-running Black Hat class, "Aikido on the Command Line."

Prerequisites: Students should bring a working understanding of Linux.

Materials: Students should bring a laptop with VMware Player, Fusion or Workstation, with at least 8GB of RAM. The host operating system must be 64-bit. Students should also download the virtual machines and confirm that they run before the class begins.

Max students: 30 | Registration: https://dc25_beale.eventbrite.com (Sold out!)

Jay Beale
Jay Beale has created several defensive security tools, including Bastille Linux/UNIX and the CIS Linux Scoring Tool, both of which were used widely throughout industry and government. He has served as an invited speaker at many industry and government conferences, a columnist for Information Security Magazine, SecurityPortal and SecurityFocus, and a contributor to nine books, including those in his Open Source Security Series and the "Stealing the Network" series. He has been invited to speak at and chair conferences around the world. Jay is a founder and the Chief Operating Officer of the information security consulting company InGuardians.


Return to Index      -     

 

CHV - Village Talks Outside Contest Area, Pool Level - Saturday - 15:00-15:59


Linux-Stack Based V2X Framework: All You Need to Hack Connected Vehicles

No description available


Return to Index      -     

 

DEFCON - Track 3 - Saturday - 14:00-14:45


Linux-Stack Based V2X Framework: All You Need to Hack Connected Vehicles

Saturday at 14:00 in Track 3

45 minutes | Demo, Tool

p3n3troot0r (Duncan Woodbury) Hacker

ginsback (Nicholas Haltmeyer) Hacker

Vehicle-to-vehicle (V2V) and, more generally, vehicle-to-everything (V2X) wireless communications enable semi-autonomous driving via the exchange of state information between a network of connected vehicles and infrastructure units. Following 10+ years of standards development, particularly of IEEE 802.11p and the IEEE 1609 family, a lack of available implementations has prevented the involvement of the security community in development and testing of these standards. Analysis of the WAVE/DSRC protocols in their existing form reveals the presence of vulnerabilities which have the potential to render the protocol unfit for use in safety-critical systems. We present a complete Linux-stack based implementation of IEEE 802.11p and IEEE 1609.3/4 which provide a means for hackers and academics to participate in the engineering of secure standards for intelligent transportation systems.

p3n3troot0r (Duncan Woodbury)
Car hacker by trade, embedded systems security engineer by day. Entered the field of cyberauto security in 2012 through the Battelle CAVE red team and had the opportunity to improve the world by hacking transportation systems. Co-founded multiple security companies focused on building tools for automated exploitation of automotive systems (http://www.silent-cyber.com/), open-source frameworks for V2X, secure digital asset management, and 3D printing electric cars (https://hackaday.com/tag/lost-pla/) out of your garage (http://fosscar.faikvm.com/trac/). DEF CON lurker since the age of 17, recently having joined forces with friends and mentors to organize and host the DEF CON Car Hacking Village.

p3n3troot0r began working V2X with ginsback two years ago and realized the opportunity, in lieu of any open-source or full-stack V2X implementation, to bring the security community in to the driver's seat in the development of next-gen cyberauto standards. Together they have engaged the thought leaders in this space, and via the long-awaited integration of this stack into the mainline Linux kernel, the global development community is given the opportunity to participate in the development of automated and connected transportation systems.

ginsback (Nicholas Haltmeyer)
AI researcher and security professional. Began work in automotive security through the DEF CON Car Hacking Village and have since developed V2X software and routing schemes. Extensive experience in signal processing and RF hacking, including vital sign monitoring, activity recognition, and biometric identification through RF.

Given the (abyssal) state of automotive cybersecurity, ginsback aims to develop and field tools for V2X that open collaboration with the hacker community. As intelligent transit reaches critical mass, attacks on V2X infrastructure have the potential to cause incredible damage. ginsback partnered with p3n3troot0r to develop a free as in freedom V2X interface and extend an invitation for the community to discover and fix flaws in the design of what will soon be a massive network of connected vehicles.


Return to Index      -     

 

DEFCON - Track 1 - Friday - 10:00-10:30


macOS/iOS Kernel Debugging and Heap Feng Shui

Friday at 10:00 in 101 Track

20 minutes

Min(Spark) Zheng Security Expert @ Alibaba Inc. Ph.D of CUHK.

Xiangyu Liu Security Engineer @ Alibaba Inc. Ph.D of CUHK.

Kernel bug is always very difficult to reproduce and may lead to the entire system panic and restart. In practice, kernel debugging is the only way to analyze panic scenes. However, implementing such a technique in real world is not an easy task since kernel code cannot be executed in the debugger, thus is hard to be tracked. Luckily, macOS has provided a very powerful kernel debugging mechanism, KDK (Kernel Development Kit), to assist people to analyze and develop kernel exploits. While for iOS, although there is no official kernel debugger, it is also possible for us to achieve kernel debugging by leveraging some tricks.

In this talk, we will share some kernel debugging techniques and their corresponding tricks on the latest iOS/macOS. In addition, we will also introduce the new kernel heap mitigation mechanisms on iOS 10/macOS 10.12 and two heap feng shui techniques to bypass them. Finally, we will demonstrate how to debug a concrete kernel heap overflow bug and then leverage our new heap feng shui techniques to gain arbitrary kernel memory read/write on the iOS 10.2/macOS 10.12.

Min(Spark) Zheng
Min(Spark) Zheng, Security Expert @ Alibaba Inc. Ph.D of CUHK.

Xiangyu Liu
Xiangyu Liu, Security Engineer @ Alibaba Inc. Ph.D of CUHK.


Return to Index      -     

 

PHV - Milano VIII - Promenade Level - Saturday - 10:10-10:59


Make Your Own 802.11ac Monitoring Hacker Gadget

Vivek Ramachandran, Founder of Pentester Academy and SecurityTube.net
Thomas d'Otreppe, Author of Aircrack-ng

802.11ac networks present a significant challenge for scalable packet sniffing and analysis. With projected speeds in the Gigabit range, USB Wi-Fi card based solutions are now obsolete! In this workshop, we will look at how to build a custom monitoring solution for 802.11ac using off the shelf access points and open source software. Our "Hacker Gadget" will address 802.11ac monitoring challenges such as channel bonding, DFS channels, spatial streams and high throughput data rates. We will also look different techniques to do live streaming analysis of 802.11 packets and derive security insights from it!

Vivek Ramachandran (Twitter: @securitytube) is the Founder and Chief Trainer at Pentester Academy. He discovered the Caffe Latte attack, broke WEP Cloaking, conceptualized enterprise Wi-Fi Backdoors, created Chellam - the world's first Wi-Fi Firewall and Chigula - a Wi-Fi data mining and IDS framework. He is also the author of multiple five star rated books which have together sold over 13,000+ copies worldwide and have been translated to multiple languages. Vivek started SecurityTube.net in 2007, a YouTube for security which current aggregates the largest collection of security research videos on the web. SecurityTube Training and Pentester Academy now serve thousands of customers from over 90 countries worldwide. Vivek's work on wireless security has been quoted in BBC online, InfoWorld, MacWorld, The Register, IT World Canada etc. places. He has spoken/trained at top conferences around the world including Black Hat USA, Europe and Abu Dhabi, Defcon, Hacktivity, Brucon, Mundo Hacker Day and others.

Thomas d'Otreppe (Twitter: @aircrackng) is a wireless security researcher and author of Aircrack-ng, the most popular and complete suite of tools for WiFi network security assessments. He also created OpenWIPS-ng, an open source Wireless Intrusion Prevention System. Thomas is a contributor to the WiFi stack and toolset in Backtrack Linux, which has now become Kali Linux, the de facto top choice Linux distribution for penetration testing and vulnerability assessment across multiple technology domains. He is also known as an author of a pro-active wireless security course which has been delivered to large numbers of IT Security professionals worldwide. Thomas speaks and teaches in the Americas and Europe and is a well-known speaker at DefCon, BlackHat, DerbyCon, SharkFest, Mundo Hacker Day, BruCON and other venues


Return to Index      -     

 

DEFCON - Track 3 - Sunday - 13:00-13:45


Malicious CDNs: Identifying Zbot Domains en Masse via SSL Certificates and Bipartite Graphs

Sunday at 13:00 in Track 3

45 minutes | Art of Defense

Thomas Mathew OpenDNS (Cisco)

Dhia Mahjoub Head of Security Research, Cisco Umbrella (OpenDNS)

Prior research detailing the relationship between malware, bulletproof hosting, and SSL gave researchers methods to investigate SSL data only if given a set of seed domains. We present a novel statistical technique that allow us to discover botnet and bulletproof hosting IP space by examining SSL distribution patterns from open source data while working with limited or no seed information. This work can be accomplished using open source datasets and data tools.

SSL data obtained from scanning the entire IPv4 namespace can be represented as a series of 4 million node bipartite graphs where a common name is connected to either an IP/CIDR/ASN via an edge. We use the concept of relative entropy to create a pairwise distance metric between any two common names and any two ASNs. The metric allows us to generalize the concept of regular and anomalous SSL distribution patterns.

Relative entropy is useful in identifying domains that have anomalous network structures. The domains we found in this case were related to the Zbot proxy network. The Zbot proxy network contains a structure similar to popular CDNs like Akamai, Google, etc but instead rely on compromised devices to relay their data. Through layering these SSL signals with passive DNS data we create a pipeline that can extract Zbot domains with high accuracy.

Thomas Mathew
Thomas Mathew is a Security Researcher at OpenDNS (now part of Cisco) where he works on implementing pattern recognition algorithms to classify malware and botnets. His main interest lies in using various time series techniques on network sensor data to identify malicious threats. Previously, Thomas was a researcher at UC Santa Cruz, the US Naval Postgraduate School, and as a Product and Test Engineer at handsfree streaming video camera company Looxcie, Inc. He presented at ISOI APT, BruCon, FloCon and Kaspersky SAS.

Dhia Mahjoub
Dr. Dhia Mahjoub is the Head of Security Research at Cisco Umbrella (OpenDNS). He leads the core research team focused on large scale threat detection and threat intelligence and advises on R&D strategy. Dhia has a background in networks and security, has co-authored patents with OpenDNS and holds a PhD in graph algorithms applied on Wireless Sensor Networks problems. He regularly works with prospects and customers and speaks at conferences worldwide including Black Hat, Defcon, Virus Bulletin, BotConf, ShmooCon, FloCon, Kaspersky SAS, Infosecurity Europe, RSA, Usenix Enigma, ACSC, NCSC, and Les Assises de la sécurité.


Return to Index      -     

 

Demolabs - Table 5 - Saturday - 10:00-11:50


Maltego "Have I been pwned?"

Christian Heinrich

Saturday from 1000-1150 at Table Five

Audience: Defense

"Have I been pwned?" allows you to search across multiple data breaches to see if your email addresses or aliases has been compromised by LinkedIn, Tumblr, etc

Maltego is a link analysis application of technical infrastructure and/or social media networks from disparate sources of Open Source INTelligence (OSINT). Maltego is listed on the Top 10 Security Tools for Kali Linux by Network World and Top 125 Network Security Tools by the Nmap Project.

The integration of "Have I been pwned?" with Maltego visualises these breaches in an easy to understand graph format that can be enriched with other sources.

https://github.com/cmlh/Maltego-haveibeenpwned

Christian Heinrich
Christian Heinrich has presented at the OWASP Conferences in Australia, Europe and USA and OWASP Chapters in the Netherlands, London and Sydney and Melbourne, Australia, ToorCon (USA), Shmoocon (USA), BlackHat (Asia and USA), SecTor (Canada), CONFidence (Europe), Hack In The Box (Europe), SyScan (Singapore), B-Sides (Australia), RUXCON (Australia), and AusCERT (Australia).


Return to Index      -     

 

Workshops - ( Sold Out ) - Octavius 1 - Thursday - 14:30-18:30


Malware Triage: Malscripts Are The New Exploit Kit

Thursday, 14:30 to 18:30 in Octavius 1

Sergei Frankoff Co-Founder, Open Analysis

Sean Wilson Co-Founder, Open Analysis

Malware triage is an important function in any mature incident response program; the process of quickly analyzing potentially malicious files or URLs to determine if your organization has exposure. Traditionally malware triage has focused on exploit kits which were the initial infection vector of choice, but this is changing. In recent years malscripts and file based exploits have become an equally common initial infection vector. Often delivered via email, malscripts can take many different forms, WScript, Javascript, or embedded macros. However, the goal is always the same; obtain code execution and deliver a malicious payload.

In this workshop you will work through the triage of a live malscript sample. During this process you will identify and extract malscripts from Office documents, manually deobfuscate the malscripts, circumvent anti-analysis techniques, and finally determine the purpose of the scripts and payload in order to develop countermeasures. The focus of this process will be the intersection between the techniques used to analyze malscripts and the larger incident response process.

This workshop is aimed at junior incident responders, hobby malware analysts, and general security or IT practitioners who are interested in learning more about the malware triage process. If you have no experience with malware analysis but you have a good understanding of scripting languages like VBScript, and Javascript, and you are familiar with windows internals you should have no problem completing the workshop. Please make sure to bring a laptop that you are able to analyze malware on (we recommend using a VM). We also recommend that you have Google Chrome installed, no other tools are required to be installed prior to the workshop.

Prerequisites: None

Materials: Students must bring a laptop that they are able to analyze malware on. We strongly recommend a VM with all anti-virus software disabled.

Max students: 35 | Registration: https://dc25_frankof.eventbrite.com (Sold out!)

Sergei Frankoff
Sergei is a co-founder of Open Analysis, and volunteers as a malware researcher. When he is not reverse engineering malware Sergei is focused on building automation tools for malware analysis. Sergei is a strong believer in taking an open, community approach to combating cyber crime. He actively contributes to open source tools and tries to publish as much analysis as possible. With almost a decade of experience Sergei has held roles both, as the manager of an incident response team, and as a malware researcher.

Twitter: @herrcore
GitHub: https://github.com/herrcore and https://github.com/OALabs
Video Tutorials: https://vimeo.com/album/4455336

Sean Wilson
Sean is a co-founder of Open Analysis, and volunteers as a malware researcher. He splits his time between reverse engineering malware and building automation tools for incident response. He is an active contributor to open source security tools focused on incident response and analysis. Sean brings over a decade of experience working in a number of incident response and application security roles with a focus on security testing and threat modelling. In his free time Sean loves fly fishing.

Twitter: @seanmw
GitHub: https://github.com/idiom and https://github.com/OALabs
Video Tutorials: https://vimeo.com/album/4561104


Return to Index      -     

 

DEFCON - Track 3 - Sunday - 14:00-14:45


Man in the NFC

Sunday at 14:00 in Track 3

45 minutes | Demo, Tool

Haoqi Shan Wireless security researcher

Jian Yuan Wireless security researcher

NFC (Near Field Communication) technology is widely used in security, bank, payment and personal information exchange fields now, which is highly well-developed. Corresponding, the attacking methods against NFC are also emerged in endlessly. To solve this problem, we built a hardware tool which we called "UniProxy". This tool contains two self-modified high frequency card readers and two radio transmitters, which is a master-slave way. The master part can help people easily and successfully read almost all ISO 14443A type cards, (no matter what kind of this card is, bank card, ID card, Passport, access card, or whatever. No matter what security protocol this card uses, as long as it meets the ISO 14443A standard) meanwhile replaying this card to corresponding legal card reader via slave part to achieve our "evil" goals. The master and slave communicate with radio transmitters and can be apart between 50 - 200 meters.

Haoqi Shan
Haoqi Shan is currently a wireless/hardware security researcher in UnicornTeam of 360 Radio Security Research Dept. He focuses on Wi-Fi penetration, GSM system, embedded device hacking, building hacking tools, etc. He made serial presentations about Femto cell hacking, RFID hacking and LTE devices hacking on DEF CON , Cansecwest, Syscan360 and HITB, etc.

Jian Yuan
Yuan Jian is a security researcher in UnicornTeam of 360 Radio Security Research Dept. He is mainly focused on the security of Internet of things, NFC, GPS, etc. He was a speaker at the DEF CON Car Hacking Village.


Contributor Acknowledgement:

The Speakers would like to acknowledge Yuan Jian, for his contribution to the presentation. Yuan Jian is a security researcher in UnicornTeam of 360 Radio Security Research Dept. He is mainly focused on the security of Internet of things, NFC, GPS, etc. He was a speaker at the DEF CON Car Hacking Village.


Return to Index      -     

 

IOT - Main Contest Area - Saturday - 17:40-18:30


Manufactures Panel

No description available


Return to Index      -     

 

DEFCON - Track 3 - Friday - 17:00-17:45


MEATPISTOL, A Modular Malware Implant Framework

Friday at 17:00 in Track 3

45 minutes | Demo, Tool

FuzzyNop (Josh Schwartz) Director of Offensive Security @ Salesforce

ceyx (John Cramb) Hacker

Attention Red Teamers, Penetration Testers, and Offensive Security Operators, isn't the overhead of fighting attribution, spinning up infrastructure, and having to constantly re-write malware an absolute pain and timesink!?! It was for us too, so we're fixing that for good (well, maybe for evil). Join us for the public unveiling and open source release of our latest project, MEATPISTOL, a modular malware framework for implant creation, infrastructure automation, and shell interaction. This framework is designed to meet the needs of offensive security operators requiring rapid configuration and creation of long lived malware implants and associated command and control infrastructure. Say goodbye to writing janky one-off malware and say hello to building upon a framework designed to support efficient yoloscoped adversarial campaigns against capable targets.

FuzzyNop (Josh Schwartz) & ceyx (John Cramb)
FuzzyNop and ceyx were raised by computerized wolves with a penchant for fine art and rum based cocktails. While technically from different mothers and also sides of the world, they formed the first cyber wolf brothership shell-bent to ameliorate the state of targeted malware implants to support the ongoing war against the institutionalized mediocrity of the corporate shadow government. Working in tandem with dolphin researchers funded by the oligarch llamas they have found a way to synthesize powdered ethanol into mechanical pony fuel. Leading Offensive Security functions at Salesforce is merely a front to confuse the saurian overlords of their true purpose yet to be revealed...


Return to Index      -     

 

BHV - Pisa Room - Saturday - 11:30-11:59


Title: Microscopes are Stupid

Speaker: Louis Auguste

About Louis:
Lou Auguste is an entrepreneur in residence at the NYU Tandon incubator, Future Labs. He is passionate about microscopes, global health and creating jobs. His company Alexapath is at the forefront of AI based diagnostics and have collected awards from the ASME, Qualcomm, Singularity U, the Indian government, the British government and the US government.

Abstract:
Why can't microscopes diagnose disease? What if they could? For the past four years our team from NYU Tandon School of Engineering has been building an IoT system capable of turning a standard microscope into a digital imaging tool. And the goal is to connect every laboratory in the world into a global network.

We call our device the Auto Diagnostic Assistant, or ADA, in honor of Ada Lovelace, who likely died from undiagnosed cervical cancer. We think the biohacking village will enjoy learning about ADA because it is an extremely low cost microscope accessory capable of accomplishing the same tasks that were previously only able to be accomplished with whole slide imaging devices. Perfect for biohackers looking to save, share, study and analyse images of specimens from their microscope.

Our team is comprised of hardware engineers, software devs and machine learning computer scientists and our mission is to make diagnosis faster and easier. We have validated the accuracy of our mWSIs (mobile Whole Slide Images) with a pre-clinical study and presented our research as a poster at USCAP (United States and Canada Anatomical Pathology Conference). Additionally we published our original methods for creation of digital slides in the British Medical Journal (though the secret sauce has changed since then.)

The hardware prototype of ADA won an award for best hardware led social innovation from the ASME in 2015. Currently, we are launching our beta trial in India with the support of the US Department of State and the Indian Department of Science and Technology. We are actively looking for beta testers in the US as well and would be happy to provide one unit for free to a visitor or member of the biohacking village.



Return to Index      -     

 

DEFCON - Track 1 - Saturday - 11:00-11:30


Microservices and FaaS for Offensive Security

Saturday at 11:00 in 101 Track

20 minutes | Demo

Ryan Baxendale

There are more cloud service providers offering serverless or Function-as-a-service platforms for quickly deploying and scaling applications without the need for dedicated server instances and the overhead of system administration. This technical talk will cover the basic concepts of microservices and FaaS, and how to use them to scale time consuming offensive security testing tasks. Attacks that were previously considered impractical due to time and resource constraints can now be considered feasible with the availability of cloud services and the never-ending free flow of public IP addresses to avoid attribution and blacklists.

Key takeaways include a guide to scaling your tools and a demonstration on the practical benefits of utilising cloud services in performing undetected port scans, opportunistic attacks against short lived network services, brute-force attacks on services and OTP values, and creating your own whois database, shodan/censys, and searching for the elusive internet accessible IPv6 hosts.

Ryan Baxendale
Ryan Baxendale works as a penetration tester in Singapore where he leads a team of professional hackers. While his day is filled mainly with web and mobile penetration tests, he is more interested developing security tools, discovering IPv6 networks, and mining the internet for targeted low hanging fruit. He has previously spoken at XCon in Bejing on automating network pivoting and pillaging with an Armitage script, and has spoken at OWASP chapter and Null Security group meetings. https://www.linkedin.com/in/ryanbaxendale

@ryancancomputer
https://github.com/ryanbaxendale


Return to Index      -     

 

BHV - Pisa Room - Sunday - 11:30-11:59


Title: Might as well name it Parmigiana, American, Cheddar, and Swiss

Speaker: Ken Belva

About Ken Belva:
Kenneth F. Belva has had a distinguished career in cyber security for almost 20 years. His many roles have included managing a financial services cyber security program audited by the State and Fed, finding 0-days in major software, getting a US Patent on automated XSS exploitation techniques, as well as frequently speaking at many cyber security groups in NYC. He can be found on LinkedIn and on twitter at @infosecmaverick

Abstract:
PACS (picture archiving and communication system) is used in health care to store, retrieval, manage, distribute and present medical images. Such images are classified as PII as they are confidential patient data, usually x-rays along with a physician's patient notes. This talk will illustrate vulnerabilities in a PACS system. Note: potential surprises.



Return to Index      -     

 

Workshops - ( Sold Out ) - Octavius 6 - Friday - 10:30-14:30


Mobile App Attack 2.0

Friday, 10:30 to 14:30 in Octavius 6

Sneha Rajguru Security Consultant, Payatu Software Labs LLP

Mobiles Apps are the most preferred way of delivering the attacks today. Understanding the finer details of Mobile App attacks is soon becoming an essential skill for penetration testers as well as for the app developers & testers.

So, if you are an Android or an iOS User, a developer, a security analyst, a mobile pen-tester or just a mobile security enthusiast then the 'Mobile App Attack 2.0’ is of definite interest to you, as the Mobile App Attack 2.0 workshop familiarizes attendees with in-depth technical explanation of some of the most notorious mobile (Android and iOS) based vulnerabilities, ways to verify and exploit them. Along with the various Android, iOS application analysis techniques, inbuilt security schemes and teaches how to bypass those security models on both the platforms.

With live demos using intentionally crafted real-world vulnerable Android and iOS apps by the author, we shall look into the some of the common ways as to how the malicious apps bypass the security mechanisms or misuse the given permissions.

Apart from that we shall have a brief understanding of what is so special with the latest Android 7 and iOS 10 security and the relating flaws.

Prerequisites: The participants are expected to have a basic knowledge of Mobile Operating Systems. Knowledge of programming languages (Java and C, and Python for scripting) will be an added advantage to grasp things quickly.

Materials: Hardware Requirements
Minimum 4GB RAM and more than 20 GB Free Hard Disk Space
Android device ( >=2.3)
iPhone/iPad >= 7.1.2
(preferable Rooted/Jailbreak)

Software Requirements
Windows 7/8
*Nix
Mac OS X 10.5
Administrative privileges on your machines Virtualbox or VMPlayer
SSH Client
Xcode 6 or higher
ADB
Android Studio 1.3 or higher
Android SDK

Max students: 25 | Registration: https://dc25_rajguru.eventbrite.com (Sold out!)

Sneha Rajguru
Sneha works as a Senior Security Consultant with Payatu Technologies Pvt.Ltd. and holds C.E.H and E.C.S.A certifications. Her area of interest lies in Web application and mobile application security and fuzzing. She has discovered various serious application flaws within open source applications such as PDFLite.Jobberbase, Lucidchart and more. She is also an active member of Null – The open security community in India, and a contributor to regular meetups at the Pune chapter. She has spoken and provided training at GNUnify, FUDCon, Defcamp #6, DEF CON 24, BSidesLV and Nullcon 2017.


Return to Index      -     

 

DEFCON - Track 1 - Saturday - 15:00-15:45


MS Just Gave the Blue Team Tactical Nukes (And How Red Teams Need To Adapt)

Saturday at 15:00 in 101 Track

45 minutes | Demo, Tool

Chris ThompsonRed Team Ops Lead, IBM X-Force Red

Windows Defender Advanced Threat Protection will soon be available for all Blue Teams to utilize within Windows 10 Enterprise, which includes detection of post breach tools, tactics and techniques commonly used by Red Teams, as well as behavior analytics. Combined with Microsoft Advanced Threat Analytics for user behavior analytics across the Domain, Red Teamers will soon face a significantly more challenging time maintaining stealth while performing internal recon, lateral movement, and privilege escalation in Windows 10/Active Directory environments.

This talk highlights challenges to red teams posed by Microsoft's new tools based on common hacking tools/techniques, and covers techniques which can be used to bypass, disable, or avoid high severity alerts within Windows Defender ATP and Microsoft ATA, as well as TTP used against mature organizations that may have additional controls in place such as Event Log Forwarding and Sysmon

Chris Thompson
Chris is Red Team Operations Lead at IBM X-Force Red. He has extensive experience performing penetration testing and red teaming for clients in a wide variety of industries. He's led red teaming operations against defense contractors and some of North America's largest banks.

He's on the board for CREST USA (crest-approved.org), working to help mature the pentesting industry. Chris also teaches Network & Mobile Pentesting at one of Canada's largest technical schools.

Hacking his way through life, Chris likes to pretend he's a good drone pilot, lock picker, and mountain biker.

Twitter: @retBandit


Return to Index      -     

 

BHV - Pisa Room - Friday - 11:30-11:59


Title: My dog is a hacker and will steal your data!

Speaker: Rafael Fontes Souza


About Rafael:
Rafael Fontes Souza aka b4ckd00r is a Senior Information Security Consultant at CIPHER. He is a core member of Cipher Intelligence Labs - the advanced security team focused on penetration testing, application security and computer forensics for premier clients. He started studying at age 13 and since then has disclosed security vulnerabilities and has received recognition and awards from major companies such as Apple, Microsoft, ESET, HP and others. Being done hundreds of successful penetration tests for various organizations, including government, banking, commercial sectors, as well the payment card industry.

Abstract:
This presentation is about a creative approach to intrusion tests, as the popular saying would say: "–The dog is man's best friend" (he makes you feel good and secure). Let's explore the vulnerability of layer eight, the human being, subject to error and the social engineering techniques; This is an innovative method, with art and style, will be simpler than it sounds; The dog will be used as an attack tool, which will carry a mobile phone hidden along with its pectoral collar.
The attack vectors are triggered automatically without any human interaction. This may include geographically close attacks, such as fake Wi-Fi access points, cellular base stations or local user attacks on a network, we can exploit DNS hijacking, packet injection, Evil-Twin, rogue router or ISP, and many other variants. Furthermore, the target will connect to your rogue wifi access point and the rules are enabled with the DHCP configurations to allow fake AP to allocate IP address to the clients and forward traffic to a fake/malicious web-site; Then, the information can be stored easily as well the injection of malicious file to remotely control the victim.
And it's done. You can drop your hacker dog in a park and expect him to hack people for you, quietly, that's perfect!



Return to Index      -     

 

Demolabs - Table 1 - Saturday - 14:00-15:50


Mycroft

Joshua Montgomery

Saturday from 1400-1550 at Table One

Audience: Hardware, IoT, Automotive, AI, Everyone

Mycroft is an open source virtual assistant similar to Siri or Amazon Alexa. The technology stack allows developers to include a voice interface in anything from a Raspberry Pi to a Jaguar FTYPE sports car.

Mycroft integrates Speech-To-Text, Natural Language Processing, a Skill Framework and a Speech To Text engine into a single, easy to deploy software stack.

Though the technology runs anywhere. The company has developed a Raspberry Pi image ( Pi-Croft ) and recently deployed a Gnome Shell Extension. The company also has a hardware device the "Mark I" that comes pre-loaded with the software and includes a variety of I/O options for directly controlling devices.

http://mycroft.ai/

Joshua Montgomery
Mycroft is a team effort, but the presenter is likely to be Joshua Montgomery. Joshua is a three time entrepreneur and Air Force officer. A graduate of the University of Kansas, Joshua founded Wicked Broadband - a gigabit fiber-to-the-home ISP in Lawrence, KS. As the owner of an ISP Joshua has been an advocate for shared networks, common carriage and net neutrality. He had been featured in Wired, Forbes and ArsTechnica and has been instrumental in advocating for municipal broadband in his home state of Kansas.

Joshua started the Mycroft project because he wanted to deploy the Star Trek computer in his makerspace. He recruited a talented team of developers, ran a highly successful Kickstarter, was invited to join Techstars in 2016 and is an alum of 500 Startups.

In his capacity as and Air Force Officer Joshua serves with the 177 IAS out of Wichita Kansas. His unit is responsible for providing threat replication for the Department of Defense.


Return to Index      -     

 

Night Life - Track 4 - Thursday - 18:30-20:30


Title:
n00b Party hosted by Duo Security.

Come to the DC101 Panel, Thursday, Track 1, 16:00 to 17:45 to find out more about this awesome event. All are welcome, but DEF CON "n00bs" are especially encouraged to attend. If you're new to attending DEF CON and are looking to make some connections then this is your party. Music, free swag giveaways, and more!
Return to Index      -     

 

BHV - Pisa Room - Sunday - 13:30-13:59


Title: Neuro Ethics

Speaker: Dr. Stanislav Naydin and Vlad Gostomelsky

About Dr. Dr. Stanislav Naydin:
Dr. Stanislav Naydin is in residency to for neurology with a background in pharmaceutical sciences. He is heavily focused on procedure based medicine. He has been involved in a multitude of advanced surgeries and interventions. Prior to transitioning to the medical field Stanislav was an industrial robotics designer and programmer in the glass industry.

About Vlad Gostomelsky:
Vlad Gostomelsky is a driven security researcher with a passion for securing technology that makes civilized life possible. He is particularly focused on satellite systems security, SCADA systems supporting the critical infrastructure and wireless networks. He specializes in the intersection of physical and network security.

We will engage the audience in a discussion of modern technological advances along with their ethical implications. We live in an era where the very implanted hardware that keeps you alive can be evidence in the court of law. Neuroscience is now a tool used by marketing firms. Following this discussion on medical ethics we will continue with a show and tell of some recent cases where medical devices were used as evidence against the patients. We discuss some of the medical devices that have been tested by us in the past year and the vulnerabilities that were discovered.



Return to Index      -     

 

BHV - Pisa Room - Friday - 16:30-16:59


Title: Neurogenic Peptides: Smart Drugs 4-Minute Mile

Speakers: Gingerbread

About Gingerbread:
Long-time Security malcontent Gingerbread, having been eliminated early on in this years "Pop-and-Lock Potluck", (the nations *premier* overweight break dancing competition) has returned to DEF CON with even more of his half-baked theories, bro-science, and questionable supply chain advice for your enjoyment. Early adopter of the "Not for human consumption" defense, Gingerbread has spent years conducting extensive research in the areas of cognition enhancing drugs and lifestyle regimens and in the process has become a walking encyclopedia of things NOT to do.

Abstract:
Everything is impossible until it isn't.

Every undertaking, defined by the hard limitations at the edges of our possible achievement.

Lossless electrical conductivity, human travel beyond the sound 'barrier', running a four-minute mile...each, seen as some unassailable foe until, one-by-one, these milestones were not just approached and then attained, but very often surpassed. With time, these limits transition from the superlative, to the standard, and what once was thought of as impossible, now becomes the benchmark of superior performance.

The world of cognition enhancing drugs is no different.

For nearly as long as such structures have been differentiated, the cells of the brain and nervous system have been acknowledged to behave very differently than most of the others in the body.

Unlike the perpetual turn over that the rest of the body enjoys, there are only a few restricted areas in the brain and CNS of adult humans where new nerve cells are being regularly created. What you are born with, is what you have to work with.

Or is it?

Reliably producing productive structural, as opposed to solely chemical changes to the brain has long been seen as the 'Holy Grail' of Nootropics research..I am here today to discuss why the term "Four-minute mile" may be a bit more appropriate.

From the explosions of growth created in early childhood and in some illnesses, to the seemingly paradoxical benefits seen with the removal of malfunctioning structures, we are going to examine the sometimes baffling relationship between cognition and the physical structure of the brain, and how maybe, just maybe, there might be something you can do about it.



Return to Index      -     

 

SKY - Verona/Tuin/Trevi - Promenade Level - Friday - 11:00-11:59


Title:
Neutrality? We don't need no stinkin' Neutrality

1100 Friday
Munin
@munin
Neutrality? We don't need no stinkin' Neutrality

Net neutrality's pretty much a lost cause and traffic shaping according to network is pretty much inevitable at this point. Let's talk about ways to screw over the ISPs that perform these kinds of actions to pass our arbitrary traffic along their preferred channels in ways that they are unable to discern, taking advantage of their stupidity to give ourselves an advantage.

Return to Index      -     

 

DEFCON - Track 4 - Friday - 13:00-13:45


Next-Generation Tor Onion Services

Friday at 13:00 in Track 4

45 minutes | 0025

Roger Dingledine The Tor Project

Millions of people around the world use Tor every day to protect themselves from surveillance and censorship. While most people use Tor to reach ordinary websites more safely, a tiny fraction of Tor traffic makes up what overhyped journalists like to call the "dark web". Tor onion services (formerly known as Tor hidden services) let people run Internet services such as websites in a way where both the service and the people reaching it can get stronger security and privacy.

I wrote the original onion service code as a toy example in 2004, and it sure is showing its age. In particular, mistakes in the original protocol are now being actively exploited by fear-mongering "threat intelligence" companies to build lists of onion services even when the service operators thought they would stay under the radar.

These design flaws are a problem because people rely on onion services for many cool use cases, like metadata-free chat and file sharing, safe interaction between journalists and their sources, safe software updates, and more secure ways to reach popular websites like Facebook.

In this talk I'll present our new and improved onion service design, which provides stronger security and better scalability. I'll also publish a new release of the Tor software that lets people use the new design.

Roger Dingledine
Roger Dingledine is President and co-founder of the Tor Project, a non-profit that writes software to keep people around the world safe on the Internet.

Roger is a leading researcher in anonymous communications and a frequent public speaker. He coordinates and mentors academic researchers working on Tor-related topics, he is on the board of organizers for the international Privacy Enhancing Technologies Symposium (PETS), and he has authored or co-authored over two dozen peer-reviewed research papers on anonymous communications and privacy tools.

Among his achievements, Roger was chosen by the MIT Technology Review as one of its top 35 innovators under 35, he co-authored the Tor design paper that won a Usenix Security "Test of Time" award, and he has been recognized by Foreign Policy magazine as one of its top 100 global thinkers.

Roger graduated from The Massachusetts Institute of Technology and holds a Master's degree in electrical engineering and computer science as well as undergraduate degrees in computer science and mathematics.


Return to Index      -     

 

DEFCON - Track 1 - Friday - 10:20-10:40


Offensive Malware Analysis: Dissecting OSX/FruitFly via a Custom C&C Server

Friday at 10:20 in 101 Track

20 minutes | Demo, Tool

Patrick Wardle Chief Security Researcher, Synack / Creator of Objective-See

Creating a custom command and control (C&C) server for someone else's malware has a myriad of benefits. If you can take over it a domain, you then may able to fully hijack other hackers' infected hosts. A more prosaic benefit is expediting analysis. While hackers and governments may be more interested in the former, malware analysts can benefit from the later

FruitFly, the first OS X/macOS malware of 2017, is a rather intriguing specimen. Selectively targeting biomedical research institutions, it is thought to have flown under the radar for many years. In this talk, we'll focus on the 'B' variant of FruitFly that even now, is only detected by a handful of security products.

We'll begin by analyzing the malware's dropper, an obfuscated perl script. As this language is rather archaic and uncommon in malware droppers, we'll discuss some debugging techniques and fully deconstruct the script.

While this dropper component also communicates with the C&C server and supports some basic commands, it drops a binary payload in order to perform more complex actions. However, instead of fully reversing this piece of the malware, the talk will focus on an initial triage and show how this was sufficient for the creation of a custom C&C server. With such a server, we can easily coerce the malware to reveal it's full capabilities. For example, the malware invokes a handful of low-level mouse & graphics APIs, passing in a variety of dynamic parameters. Instead of spending hours reversing and debugging this complex code, via the C&C server, we can simply send it various commands and observe the effects.

Of course this approach hinges on the ability to closely observe the malware's actions. As such, we'll discuss macOS-specific tools that can monitor various events, and where necessary detail the creation of custom ones (e.g. a 'mouse sniffer' that locally observes and decodes commands sent from the malware to the OS, in order to control the mouse).

While some of this talk is FruitFly and/or macOS specific, conceptually it should broadly apply to analyzing other malware, even on other operating systems :)

Patrick Wardle
Patrick Wardle is the Chief Security Researcher at Synack, and founder of Objective-See. Having worked at NASA and the NSA, and well as presented at many security conferences, he is intimately familiar with aliens, spies, and talking nerdy. Currently, Patrick's focus is on automated vulnerability discovery, and the emerging threats of OS X and mobile malware. In his personal time, Patrick collects macOS malware and writes free macOS security tools.

@patrickwardle, objective-see.com


Return to Index      -     

 

Night Life - Track 1 - Thursday - 21:00-27:00


Title:
Official DEF CON Welcome Party

Come hang out and listen to some awesome music hosted by DEF CON.
Return to Index      -     

 

Night Life - Track 1 & Chillout lounges - Thursday - 23:00-24:00


Title:
Official Entertainment: ACID T

ACID T
Return to Index      -     

 

Night Life - Track 1 & Chillout lounges - Saturday - 25:30-26:00


Title:
Official Entertainment: CTRL/RSM

CTRL/RSM
Return to Index      -     

 

Night Life - Track 1 & Chillout lounges - Thursday - 21:00-22:00


Title:
Official Entertainment: DJDEAD

DJDEAD
Return to Index      -     

 

Night Life - Track 1 & Chillout lounges - Friday - 22:30-23:00


Title:
Official Entertainment: DUALCORE

DUALCORE
Return to Index      -     

 

Night Life - Track 1 & Chillout lounges - Saturday - 22:00-23:00


Title:
Official Entertainment: JACKALOPE

JACKALOPE
Return to Index      -     

 

Night Life - Track 1 & Chillout lounges - Saturday - 24:00-25:30


Title:
Official Entertainment: KILL THE NOISE

KILL THE NOISE
Return to Index      -     

 

Night Life - Track 1 & Chillout lounges - Friday - 25:30-26:00


Title:
Official Entertainment: KRISZ KLINK

KRISZ KLINK
Return to Index      -     

 

Night Life - Track 1 & Chillout lounges - Saturday - 23:30-24:00


Title:
Official Entertainment: LEFT/RIGHT

LEFT/RIGHT
Return to Index      -     

 

Night Life - Track 1 & Chillout lounges - Friday - 23:00-23:30


Title:
Official Entertainment: MC FRONTALOT

MC FRONTALOT
Return to Index      -     

 

Night Life - Track 1 & Chillout lounges - Saturday - 21:00-22:00


Title:
Official Entertainment: MODERNS

MODERNS
Return to Index      -     

 

Night Life - Track 1 & Chillout lounges - Thursday - 25:00-26:00


Title:
Official Entertainment: NINJULA

NINJULA
Return to Index      -     

 

Night Life - Track 1 & Chillout lounges - Friday - 24:00-25:30


Title:
Official Entertainment: REEL BIG FISH

REEL BIG FISH

For your DEF CON After Dark enjoyment, we present Friday's headliners, Reel Big Fish! They're fresh from their Beer Run Tour and ready to bring their trademark SoCal skank to the DEF CON masses.

In case you're not familiar, a bio snippet: "Reel Big Fish were one of the legions of Southern California ska-punk bands to edge into the mainstream following the mid-'90s success of No Doubt and Sublime. Like most of their peers, they were distinguished by their hyperkinetic stage shows, juvenile humor, ironic covers of new wave pop songs, and metallic shards of ska."

Sounds fun, yes? Yes.

Return to Index      -     

 

Night Life - Track 1 & Chillout lounges - Thursday - 24:00-25:00


Title:
Official Entertainment: REID SPEED

REID SPEED
Return to Index      -     

 

Night Life - Track 1 & Chillout lounges - Friday - 21:00-22:30


Title:
Official Entertainment: Richard Cheese

Richard Cheese

Friday, in the Chillout area, please to enjoy the nearly-too-swanky-to-function sounds of returning DEF CON performers (and DEF CON Soundtrack contributors!) Richard Cheese and Lounge Against the Machine!

America's loudest lounge singer Richard Cheese performs swingin' Vegas versions of rock and rap songs, "swankifying" popular Top40 hits into retro vocal standards. Imagine Sinatra singing Radiohead, and you've got Richard Cheese & Lounge Against The Machine.

The aforementioned DEF CON soundtrack is included with admission at DEF CON 25 or by donating to the EFF (url coming soon).

Return to Index      -     

 

Night Life - Track 1 & Chillout lounges - Thursday - 26:00-27:00


Title:
Official Entertainment: SCOTCH AND BUBBLES

SCOTCH AND BUBBLES
Return to Index      -     

 

Night Life - Track 1 & Chillout lounges - Thursday - 22:00-23:00


Title:
Official Entertainment: SKITTISH AND BUS

SKITTISH AND BUS
Return to Index      -     

 

Night Life - Track 1 & Chillout lounges - Friday - 23:30-24:00


Title:
Official Entertainment: YT CRACKER

YT CRACKER
Return to Index      -     

 

Night Life - Track 1 & Chillout lounges - Saturday - 23:00-23:30


Title:
Official Entertainment: ZEBBLER ENCANTI

ZEBBLER ENCANTI

Saturday Night, y'all!

Zebbler Encanti Experience (aka “ZEE”) is what happens when Pixel Wizard and Techno Badger meet in the woods and decide to short circuit neural pathways of the nearby mushroom pickers with nothing short of bassquakes (9.0 on the scale of awesome) and complete visual reality replacement (somewhat too awesome and terrifying to be numbered anything in particular).

That historic meeting in the woods is the underpinning of the very garments that ZEE now wear at every event they perform. The mere loosening of a button of their coats' pockets opens up a wormhole of psychedelic visions and sub-sonic rattles. But Zebbler Encanti Experience do more than that. They open their minds fully to each and every dance floor and ask you to Get In There!

Return to Index      -     

 

SKY - Verona/Tuin/Trevi - Promenade Level - Friday - 09:30-09:59


Title:
One-click Browser Defense

0930 Friday
Brandon Dixon
@9bplus
One-click Browser Defense
Despite significant advances in security technology, web browsers still function as one of the primary vehicles for attack delivery, yet don't offer much in way of protection. Using built-in interfaces, it's possible to bring defense directly to the browser without the need to change any behavior. In one-click, you can add an additional layer of security to your most vulnerable assets, people.

Return to Index      -     

 

DEFCON - Track 2 - Friday - 12:00-12:45


Open Source Safe Cracking Robots - Combinations Under 1 Hour! (Is it bait? Damn straight it is.)

Friday at 12:00 in Track 2

45 minutes | Demo, Tool, Exploit

Nathan Seidle Founder, SparkFun Electronics

We've built a $200 open source robot that cracks combination safes using a mixture of measuring techniques and set testing to reduce crack times to under an hour. By using a motor with a high count encoder we can take measurements of the internal bits of a combination safe while it remains closed. These measurements expose one of the digits of the combination needed to open a standard fire safe. Additionally, 'set testing' is a new method we created to decrease the time between combination attempts. With some 3D printing, Arduino, and some strong magnets we can crack almost any fire safe. Come checkout the live cracking demo during the talk!

Nathan Seidle
Nathan Seidle is the founder of SparkFun Electronics in Boulder, Colo. Nathan founded SparkFun in 2003 while an undergraduate student studying electrical engineering. After building the company across 14 years to over 130 employees he now heads the SparkX Lab within SparkFun, tinkering, hacking and building new products.

Nathan has built a large catalog of off the beaten path projects including a 12' GPS clock, a wall sized Tetris interface, an autonomous miniature electric bat-mobile, a safe cracking robot, and a hacked bathroom scale to measure the weight of his beehive. He believes strongly in the need to teach the next generation of technical citizens.

Nathan is a founding member of the Open Source Hardware Association. He has served on the board of OSHWA and continues to promote and serve the organization. Nathan has been invited to the White House to participate in discussions around intellectual property policy and patent reform and attended multiple White House Maker Faires. Nathan has spoken in front of Congress on copyright and trademark policy. He has presented on the many facets of manufacturing and open hardware at the National Science Foundation, Google, and Sketching in Hardware. Nathan has guest lectured at numerous institutions including MIT, Stanford and West Point Academy.

In their off time, Nathan and his wife Alicia can be found making rather silly electronics projects together for their local Public Library, their nieces and nephews, and Burning Man. Nathan and Alicia live in Boulder, Colorado with their pet tree Alfonso.

@chipaddict, @sparkfun, www.sparkfun.com


Return to Index      -     

 

CPV - Florentine Ballroom 4 - Saturday - 12:00-13:00


Title:
Operational Security Lessons from the Dark Web

Author:
Shea Nangle

Abstract:
The past 5 years have seen a number of arrests and a number of convictions of parties engaged in criminal activities on the Dark Web. From Dread Pirate Roberts to French Maid, Willy Clock to Shiny Flakes, and others, we will explore operational security failures made that led to their arrests, and in some cases, convictions.

Why look at this? There are lessons to be learned from these cases even if you aren't in a position to be accused of running a multinational drug distribution ring. Whether you concerned with surveillance and/or reprisals from hostile nation-states or are simply wanting to better guard your privacy, we can all learn from these cases.

Attendees will leave this session with concrete tactical recommendations for increasing the operational security of their online lives and protecting their privacy.

Bio:
Shea Nangle works in information security in the Washington DC area. His areas of interest include open source intelligence, operational security, and forensics. In his spare time, you can often find him homebrewing and attending heavy metal concerts.
Twitter handle of presenter(s): @ultrashea

Return to Index      -     

 

DEFCON - Track 2 - Thursday - 11:00-11:45


Opt Out or Deauth Trying !- Anti-Tracking Bots Radios and Keystroke Injection

Thursday at 11:00 in 101 Track 2

45 minutes | 0025, Demo, Tool, Exploit

Weston Hecker Principal Application Security Engineer, "NCR"

It's hard not to use a service now days that doesn't track your every move and keystroke if you absolutely must use these systems why not give them the most useless information possible. Along with the fact that several companies are tracking their customers online now they are taking it to physical brick and mortar stores this talk will be geared looking at the attack surface of instore tracking and attacking these systems for the purpose of overloading their systems or making the information so inaccurate that it becomes useless. Watch as a 32 year old hackers online profile is turned to that of a 12 year old girl who loves horses!

Weston Hecker
With 12 Years Pen-testing, 13 years' security research and programming experience. Weston is currently working on the application security team of NCR Weston has recently Spoken at DEF CON 22,23 and 24, Blackhat 2016, HOPE11, Hardware.IO 2016, Takdowncon 2016, ICS cyber security 2016, Bsides Boston, Enterprise Connect 2016 ISC2-Security Congress, SC-Congress Toronto and over 60 other speaking engagements from regional events to universities on security subject matter. Working with A Major University's research project with Department of Homeland Security on 911 emergency systems and attack mitigation.Found several vulnerabilities' in very popular software and firmware. Including Microsoft, Qualcomm, Samsung, HTC, Verizon.


Return to Index      -     

 

RCV - Palermo room, Promenade level - Saturday - 15:15-15:59


OSINT Tactics on Source Code & Developers

Abstract

This practical talk is about using OSINT techniques and tools to obtain intelligence from source code. By analyzing the source code, we will profile developers in social networks to see what social networks they use, what they are saying, who they follow, what they like and much more data about them.

We will use well-known tools and custom Python scripts to automatize the parsing of source code, analyzing comments for behavior and sentiments, searching for OSINT patterns in code and fingerprinting developers in social networks, among other things. The collected data will be plotted in different visualizations to make the understanding of information easier.

The objective of the talk is to introduce attendees into OSINT tactics they can use to collect and analyze data, use the right tools and automatize tasks with Python scripting. For this example we have targeted developers and their projects.

Come and learn some OSINT tricks you can apply to collect and analyze data!

Speaker Profile

Simon Roses (@simonroses) holds a B.S. from Suffolk University (Boston), Postgraduate in E-Commerce from Harvard University (Boston) and Executive MBA from IE Business School (IE, Madrid).

Currently is the CEO at VULNEX, driving security innovation. Former Microsoft, PriceWaterhouseCoopers and @Stake.

Simon has authored and cooperated in several security Open Source projects like OWASP Pantera and LibExploit. He has also published security advisories in commercial products.

Simon was award with a DARPA Cyber Fast Track (CFT) grand to research on application security.

Frequent speaker at security industry events including BLACKHAT, DEF CON, RSA, HITB, OWASP, SOURCE. DeepSec and Microsoft Security Technets.
CISSP, CEH & CSSLP

Blog: www.simonroses.com


Return to Index      -     

 

DEFCON - Trevi Room - Friday - 20:00-21:59


Panel - An Evening with the EFF

Friday at 20:00 - 22:00 in Trevi Room

Evening Lounge | 0025

Kurt Opsahl Deputy Executive Director & General Counsel, Electronic Frontier Foundation

Nate Cardozo EFF Senior Staff Attorney

Eva Galperin EFF Director of Cyber security

Shabid Buttar Director of Grassroots Advocacy

Kit Walsh EFF Staff Attorney

Relax and enjoy in an evening lounge while you get the latest information about how the law is racing to catch up with technological change from staffers at the Electronic Frontier Foundation, the nation's premiere digital civil liberties group fighting for freedom and privacy in the computer age. This Evening Lounge discussion will include updates on current EFF issues such as surveillance online, encryption (and backdoors), and fighting efforts to use intellectual property claims to shut down free speech and halt innovation, discussion of our technology project to protect privacy and speech online, updates on cases and legislation affecting security research, and much more.

Kurt Opsahl
KURT OPSAHL is the Deputy Executive Director and General Counsel of the Electronic Frontier Foundation. In addition to representing clients on civil liberties, free speech and privacy law, Opsahl counsels on EFF projects and initiatives. Opsahl is the lead attorney on the Coders' Rights Project. Before joining EFF, Opsahl worked at Perkins Coie, where he represented technology clients with respect to intellectual property, privacy, defamation, and other online liability matters, including working on Kelly v. Arribasoft, MGM v. Grokster and CoStar v. LoopNet. For his work responding to government subpoenas, Opsahl is proud to have been called a "rabid dog" by the Department of Justice. Prior to Perkins, Opsahl was a research fellow to Professor Pamela Samuelson at the U.C. Berkeley School of Information Management & Systems. Opsahl received his law degree from Boalt Hall, and undergraduate degree from U.C. Santa Cruz. Opsahl co-authored "Electronic Media and Privacy Law Handbook." In 2007, Opsahl was named as one of the "Attorneys of the Year" by California Lawyer magazine for his work on the O'Grady v. Superior Court appeal. In 2014, Opsahl was elected to the USENIX Board of Directors.

@kurtopsahl, @eff

Nate Cardozo
NATE CARDOZO is a Senior Staff Attorney on the Electronic Frontier Foundation's digital civil liberties team. In addition to his focus on free speech and privacy litigation, Nate works on EFF's Who Has Your Back? report and Coders' Rights Project. Nate has projects involving cryptography and the law, automotive privacy, government transparency, hardware hacking rights, anonymous speech, electronic privacy law reform, Freedom of Information Act litigation, and resisting the expansion of the surveillance state. A 2009-2010 EFF Open Government Legal Fellow, Nate spent two years in private practice before returning to his senses and to EFF in 2012. Nate has a B.A. in Anthropology and Politics from U.C. Santa Cruz and a J.D. from U.C. Hastings where he has taught first-year legal writing and moot court. He brews his own beer, has been to India four times, and watches too much Bollywood.

Eva Galperin
EVA GALPERIN is EFF's Director of Cybersecurity. Prior to 2007, when she came to work for EFF, Eva worked in security and IT in Silicon Valley and earned degrees in Political Science and International Relations from SFSU. Her work is primarily focused on providing privacy and security for vulnerable populations around the world. To that end, she has applied the combination of her political science and technical background to everything from organizing EFF's Tor Relay Challenge, to writing privacy and security training materials (including Surveillance Self Defense and the Digital First Aid Kit), and publishing research on malware in Syria, Vietnam, Kazakhstan. When she is not collecting new and exotic malware, she practices aerial circus arts and learning new languages.

Shabid Buttar
SHAHID BUTTAR is EFF’s Director of Grassroots Advocacy, who leads EFF's grassroots and student outreach efforts, including the organizing the Electronic Frontier Alliance. He's a constitutional lawyer focused on the intersection of community organizing and policy reform as a lever to shift legal norms, with roots in communities across the country resisting mass surveillance. From 2009 to 2015, he led the Bill of Rights Defense Committee as Executive Director. After graduating from Stanford Law School in 2003, where he grew immersed in the movement to stop the war in Iraq, Shahid worked for a decade in Washington, D.C. He first worked in private practice for a large California-based law firm, with public interest litigation projects advancing campaign finance reform, and marriage equality for same-sex couples as early as 2004, when LGBT rights remained politically marginal. From 2005 to 2008, he helped build a national progressive legal network and managed the communications team at the American Constitution Society for Law & Policy, and in 2008 and 2009 he founded the program to combat racial & religious profiling at Muslim Advocates. Outside of work, Shahid DJs and produces electronic music, writes poetry & prose, kicks rhymes, organizes guerilla poetry insurgencies, plays capoeira, speaks truth to power on Truthout, occasionally elucidates legal scholarship, and documents counter-cultural activism for the Burning Man Journal.

Kit Walsh
KIT WALSH is a staff attorney at EFF, working on free speech, net neutrality, copyright, coders' rights, and other issues that relate to freedom of expression and access to knowledge. She has worked for years to support the rights of political protesters, journalists, remix artists, and technologists to agitate for social change and to express themselves through their stories and ideas. Prior to joining EFF, Kit led the civil liberties and patent practice areas at the Cyberlaw Clinic, part of Harvard's Berkman Center for Internet and Society, and previously Kit worked at the law firm of Wolf, Greenfield & Sacks, litigating patent, trademark, and copyright cases in courts across the country. Kit holds a J.D. from Harvard Law School and a B.S. in neuroscience from MIT, where she studied brain-computer interfaces and designed cyborgs and artificial bacteria.


Return to Index      -     

 

DEFCON - Capri Room - Saturday - 20:00-21:59


Panel - Meet the Feds (who care about security research)

Saturday at 20:00 - 22:00 in Capri Room

Evening Lounge

Allan Friedman Director of Cybersecurity, National Telecommunications and Information Administration, US Department of Commerce

Amélie E. Koran Deputy Chief Information Officer, U.S. Department of Health and Human Services, Office of the Inspector General

Leonard Bailey Special Counsel for National Security, Computer Crime & Intellectual Property Section, Criminal Division, U.S. Department of Justice

Nick Leiserson Legislative Director, Office of Congressman James R. Langevin (RI-02)

Kimber DowsettSecurity Architect, 18F

Security research is no longer a foreign concept in Washington, DC. A growing number of policymakers are not only thinking about its importance, but are eager to work with hackers to better understand the implications of policy and to help hackers navigate laws that affect security research. Officials from the Department of Commerce, the Department of Justice, Health & Human Services, General Services Administration, and Congress will talk about how security policy has been evolving; help you understand how you can get involved and make your voice heard; and host an extended Q&A. Hear about everything from making laws more hacker friendly to encryption to government bug bounties to IoT security. It's your opportunity to meet the feds and ask them anything.

Allan Friedman
Allan Friedman is the Director of Cybersecurity Initiatives at National Telecommunications and Information Administration in the US Department of Commerce. He coordinates NTIA's multistakeholder processes, bringing together the community on issues like vulnerability disclosure and IoT Security. Prior to joining the Federal Government, Friedman spent over a decade as a noted cybersecurity and technology policy researcher at Harvard's Computer Science Department, the Brookings Institution, and George Washington University's Engineering School. He has a degree in computer science from Swarthmore College and a Ph.D. in public policy from Harvard University, and is the Co-Author of "Cybersecurity and Cyberwar: What Everyone Needs to Know".

Amélie E. Koran
serves as the Deputy Chief Information Officer for the U.S. Department of Health and Human Services, Office of the Inspector General. Amélie’s path to DHHS OIG took her the long way around - through multiple industry sectors, academia, and the public sector. Her professional experience includes time spent at The Walt Disney Company, Carnegie Mellon University CERT/CC, Mandiant, The World Bank, and The American Chemical Society. She began her time in the public sector as Lead Enterprise Security Architect for the U.S. Department of the Interior, eventually moving on to lead Continuous Diagnostics and Mitigation implementation for the U.S. Treasury Department. Amélie later spent time on a leadership development rotation as part of the President’s Management Council Fellowship serving the Federal CIO in supporting cybersecurity policy analysis and legislative review, where she took an active role in the government-wide Open Data Initiative and helped in giving “birth†to the United States Digital Service (USDS). She’s an ardent advocate for innovative approaches to hiring talent and rationally applying security strategies and technologies for the Federal Government space.

@webjedi

Leonard Bailey
Mr. Bailey is Special Counsel for National Security in the Computer Crime and Intellectual Property Section. He has prosecuted computer crime cases and routinely advises on cybersecurity, searching and seizing electronic evidence, and conducting electronic surveillance. He has managed DOJ cyber policy as Senior Counselor to the Assistant Attorney General for the National Security Division and then as an Associate Deputy Attorney General. He has also served as Special Counsel and Special Investigative Counsel for DOJ's Inspector General. Mr. Bailey is a graduate of Yale University and Yale Law School. He has taught courses on cybercrime and cybersecurity at Georgetown Law School and Columbus School of Law in Washington, D.C.

Nick Leiserson
Nick Leiserson is Legislative Director to Congressman Jim Langevin (RI-02), a senior member of the House Armed Services and Homeland Security Committees and the co-founder of the Congressional Cybersecurity Caucus. Leiserson serves as Rep. Langevin's principal advisor on an array of issues, particularly homeland security; judiciary; and technology policy. He holds a degree in computer science from Brown University.

Kimber Dowsett
Kimber Dowsett is the Security Architect for 18F, a digital services agency based within the US Government’s General Services Administration, who secures cloud infrastructure architecture while also serving as the Chief Incident Responder for the 18F platform. She is passionate about privacy, encryption, and building user-driven technology for the public.

Recently named one of the 2017 Top Women in Cybersecurity by CyberScoop, Kimber’s background is in Information Security, Incident Response, Security Policy, and Penetration Testing. She is an avid admirer of Chiroptera and is a connoisseur of comic books and video games.

@mzbat


Return to Index      -     

 

DEFCON - Track 2 - Friday - 17:00-17:45


Panel: DEF CON Groups

Friday at 17:00 in Track 2

45 minutes | Audience Participation

Jeff Moss (Dark Tangent) Founder, DEF CON

Waz DCG

Brent White (B1TKILL3R) DCG and DC615

Jayson E. Street DCG Ambassador

Grifter DC801

Jun Li DC010

S0ups DC225

Major Malfunction DC4420

Do you love DEF CON? Do you hate having to wait for it all year? Well, thanks to DEF CON groups, you're able to carry the spirit of DEF CON with you year round, and with local people, transcending borders, languages, and anything else that may separate us!

In this talk, you'll hear from DEF CON's founder, Dark Tangent, who is also moderating the panel. Jayson E. Street, the Ambassador of DEF CON groups will also discuss updates about the program and share information from his global travel to help start groups around the world. We will also discuss what DEF CON groups are, how to get involved, as well as ideas for how to run a group, location ideas, and how to spread the word.

Founders of their own local DEF CON groups will also discuss the awesome projects of their groups, as well as projects from other groups, to give ideas to take back to your own DEF CON group. Projects we'll discuss range from custom badge build, IoT devices, vintage gaming systems, custom built routers, smarthome devices and more!

Jeff Moss (Dark Tangent)
Bio Coming soon.

Waz
Bio Coming soon.

Brent White (B1TKILL3R)
Bio Coming soon.

Jayson E. Street
Bio Coming soon.

Grifter
Bio Coming soon.

Jun Li
Bio Coming soon.

S0ups
Bio Coming soon.

Major Malfunction
Bio Coming soon.


Return to Index      -     

 

DEFCON - Track 4 - Friday - 10:20-11:35


Panel: Meet The Feds

Friday at 10:20 in Track 4

75 minutes

Andrea Matwyshyn Cranky law professor.

Terrell McSweeny Commissioner, Federal Trade Commission

Dr. Suzanne Schwartz FDA

Leonard Bailey Special Counsel for National Security, Computer Crime & Intellectual Property Section, Criminal Division, U.S. Department of Justice

Lisa Wiswell Principal, Grimm
Fellow, Center for Strategic and International Studies

Making legal and policy progress on security is hard, especially when it involves coordinating with teams inside and across federal agencies/departments. But, there *are* success stories. DOJ, FDA, FTC, and DoD have all evolved in positive directions in their approach to security over the last five years, engaging more robustly with the security research community. The panelists will introduce their respective agencies/ departments, explain their missions, and describe the evolution of their organizations' approach across time to security and security research. As always, the panelists look forward to answering your questions.

Andrea Matwyshyn
Andrea Matwyshyn is an academic and author whose work focuses on technology and innovation policy, particularly information security, consumer privacy, intellectual property, and technology workforce pipeline policy. She is a (tenured full) professor of law / professor of computer science (by courtesy) at Northeastern University, where she is the co-director of the Center for Law, Innovation, and Creativity (CLIC). Andrea is also a faculty affiliate of the Center for Internet and Society at Stanford Law School and a visiting research collaborator at the Center for Information Technology Policy at Princeton University, where she was the Microsoft Visiting Professor of Information Technology Policy during 2014-15. She is a Senior Fellow of the Cyber Statecraft Initiative at the Atlantic Council's Brent Scowcroft Center on International Security and a US-UK Fulbright Commission Cyber Security Scholar award recipient in 2016-2017. In 2014, she served as the Senior Policy Advisor/ Academic in Residence at the U.S. Federal Trade Commission. Prior to entering the academy, she was a corporate attorney in private practice.

Terrell McSweeny
Terrell McSweeny serves as a Commissioner of the Federal Trade Commission. When it comes to tech issues, Commissioner McSweeny has focused on the valuable role researchers and hackers can play protecting consumer data security and privacy. She opposes bad policy and legislative proposals like mandatory backdoors and the criminalization of hacking and believes that enforcers like the FTC should work with the researcher community to protect consumers. She wants companies to implement security by design, privacy by design and data ethics by design–but recognizes that, in the absence of regulation, enforcement and research are the only means of holding companies accountable for the choices they make in the ways that they hold and use consumer data.

@TMcSweenyFTC

Dr. Suzanne Schwartz
Dr. Suzanne Schwartz is the Associate Director for Science & Strategic Partnerships at FDA’s Center for Devices & Radiological Health (CDRH). In this role, she assists the CDRH Director and Deputy Director for Science in the development, execution and evaluation of the Center’s biomedical science and engineering programs. Suzanne is passionate about cultivating critical dialogue across sectors and across entities towards advancing innovation in the biomedical space and within healthcare, where complex multifaceted problems exist. Suzanne joined FDA in October 2010. Initially recruited as a Commissioner’s Fellow, she became a Medical Officer in the Office of Device Evaluation, transitioning in September 2012 to become the Director of CDRH’s Emergency Preparedness/Operations and Medical Countermeasures (EMCM) Program in the Office of the Center Director for the past 4 years. Among other public health concerns, her portfolio has most notably included medical device cybersecurity, for which she chairs CDRH’s Cybersecurity Working Group. She also co-chairs the Government Coordinating Council for Healthcare & Public Health critical infrastructure sector. Before FDA, Suzanne was a full time surgical faculty member at Weill Cornell Medical College, New York. Suzanne’s career has spanned the private sector as well, having served as Medical Director & Tissue Bank Director of Ortec International, a development stage medical device company focused on tissue engineering therapeutic approaches to burns and chronic wounds. Suzanne earned an MD from Albert Einstein College of Medicine, trained in General Surgery & Burn Trauma at the New York Presbyterian Hospital - Weill Cornell Medical Center; an executive MBA from NYU Stern School of Business, and completed the National Preparedness Leadership Initiative – Harvard School of Public Health & Kennedy School of Government.

Leonard Bailey
Leonard Bailey joined the Department of Justice's Terrorism and Violent Crime Section (TVCS) in 1991 where he handled litigation and investigations, managed departmental policies governing criminal enforcement and intelligence collection, and participated in the negotiation of international treaties concerning terrorist funding. He subsequently served as Special Counsel and Special Investigative Counsel to the Department's Inspector General while conducting investigations of senior Department officials and sensitive departmental programs. In 2000, he joined the Computer Crime and Intellectual Property Section (CCIPS) where he has prosecuted cases involving federal violations of computer crime and intellectual property statutes; advised on matters related to searching and seizing electronic evidence, investigating and prosecuting network intrusions, and conducting electronic surveillance; and chaired the Organization of American States' Group of Government Experts on Cybercrime. He has been Special Counsel for National Security in CCIPS since 2008. In 2009, he accepted a position as Senior Counselor to the Assistant Attorney General for the National Security Division, where he managed issues associated with cybersecurity, critical infrastructure protection, and national security investigations and operations involving cyber threats to national security. In 2012, he managed and set cyber policy for the Department of Justice as an Associate Deputy Attorney General before returning to the Criminal Division in 2013. Leonard received his B.A. from Yale University in 1987 and his J.D. from Yale Law School in 1991. He is an adjunct professor at Georgetown Law School, where he teaches cybersecurity law..

Lisa Wiswell
Lisa Wiswell worked for the better part of the past decade with the Department of Defense to shift its culture to interact more positively with the hacker community. At the Defense Digital Service, she hacked the Department of Defense bureaucracy and its antiquated and restrictive policies and processes. She was appointed Special Assistant to the Deputy Assistant Secretary of Defense for Cyber Policy in the Office of the Secretary of Defense where she supported senior DoD leaders by formulating and implementing policies and strategies to improve DoD’s ability to operate in digital space – specifically providing guidance and governance over the manning, training, and equipping of the Cyber Mission Force. Prior to serving in the Obama Administration, she served as Technology Portfolio Manager at the Defense Advanced Research Projects Agency overseeing a portfolio of cyberwarfare initiatives directly contributing to national security. Prior to supporting the DoD, Lisa worked on Capitol Hill for her home Member of Congress. She holds a BA in History and Political Science from the Maxwell School of Public Citizenship at Syracuse University, and a Masters in Technology Management from Georgetown University. Lisa is a privacy rights and STEM outreach advocate. She is now a Principal at Grimm and a Fellow at the Center for Strategic and International Studies.


Return to Index      -     

 

VMHV - Roman 1, Promenade Level - Friday - 17:00-17:45


Title:
Panel: Securing the Election Office: A Local Response to a Global Threat

Title: Panel: Securing the Election Office: A Local Response to a Global Threat

PANEL BIOS

Jake Braun (moderator) bio
Jake Braun, CEO Cambridge Global and former White House-DHS Liaison

Jake Braun is CEO of Cambridge Global Advisors where he provides strategic direction and consulting for high profile cyber and national security initiatives. Prior to joining CGA, Mr. Braun was the Director of White House and Public Liaison for the Department of Homeland Security (DHS) where he was instrumental in the passage of the unprecedented Passenger Name Record (PNR) Agreement, one of the largest big data agreements in history. In addition, he worked on the development and implementation of the Homeland Security Advisory Council’s Task Force on CyberSkills.

In 2009, Mr. Braun served on the Presidential Transition Team for the Obama Administration as Deputy Director for the National Security Agencies Review. Prior to that, Mr. Braun also worked as National Deputy Field Director to the 2008 Obama for America Campaign, along with multiple other federal, state and local campaigns around the nation over the years.

Mr. Braun is a fellow at the Council on CyberSecurity and is a strategic advisor to DHS and the Pentagon on cybersecurity. He is also faculty at the University of Chicago’s Harris School of Public Policy where he teaches cybersecurity policy.


Tim Blute Bio
Tim Blute, Homeland Security & Public Safety Program Director, National Governors Association

Timothy Blute serves as program director for the NGA Center for Best Practices’ Homeland Security & Public Safety Division. Blute focuses on cybersecurity, public safety communications and information sharing. Prior to joining NGA, Blute served as intelligence analyst in the Counterterrorism Division of the Federal Bureau of Investigation, detailee to the Office of the General Counsel at the National Security Law Branch and intern for the U.S. Department of the Treasury. Blute holds a J.D. from the American University Washington College of Law and a bachelor’s degree in International affairs from the George Washington University,


Erik Kamerling Bio
Erik Kamerling
Senior Director, Cyber Security Technology at Center for Internet Security

Mr. Kamerling is a Senior Director at The Center for Internet Security with nineteen years of experience in the fields of advisory and consulting, network security assessment, penetration testing, vulnerability research, monitoring/incident response, and fundamental security research. His role at the Center for Internet Security is to spearhead technology developments for the Multi-State Information Sharing & Analysis Center (MSISAC). His current projects include global honeynet operations that study breaking threats that target State, Local, Territorial and Tribal entities, leading hunting and patrolling initiatives in the MSISAC, driving new capabilities in Albert network engineering, and security community outreach.

In the past, Erik has held lead positions at Mandiant, Symantec, RSA, and the SANS Institute. He enjoys writing and research on cyber intelligence topics and has driven the development of keynote speeches, research presentations, course-ware, advisories, papers, and hacking and penetration testing classes taught in a variety of venues.


Noah Praetz bio
Noah Praetz, Director of Elections for Suburban Cook County
Noah Praetz is an expert in state and federal election law. He is currently the Director of Elections for Suburban Cook County in Illinois, a role he assumed in 2013 after serving as the former Cook County Deputy Director of Elections and various other roles including Deputy Director, Manager of Planning and Preparation, Law Clerk and Staff Attorney.

Praetz is active in several election organizations, including the International Association of Clerks, Recorders, Election Officials and Treasurers. He is a graduate of Bradley University and DePaul College of Law. He lives in Indian Head Park with his wife, Megan O'Connell, and their three children.

Return to Index      -     

 

PHV - Milano VIII - Promenade Level - Saturday - 18:10-18:59


Passwords on a Phone

Sam Bowne

Almost all Android apps from major retailers store your password on the phone, which is dangerous and unnecessary. And they don't even use the Android KeyStore; they just use custom encryption schemes that generate a key in predictable ways, so passwords are easily recoverable. This is “fake encryption†– the data appears to be encrypted but in fact is not actually protected from attackers. I will present results of my tests of many top retailers, and demonstrate how to steal passwords from them. I will also list a few (very few) companies who actually protect their customers' passwords properly.

Sam Bowne (Twitter: @sambowne) has been teaching computer networking and security classes at CCSF since 2000. He has given talks at DEFCON, HOPE, BayThreat, LayerOne, and Toorcon, and taught classes and many other schools and teaching conferences. He has these things: BS, PhD, CEH, CISSP, WCNA, and a lot of T-shirts.


Return to Index      -     

 

PHV - Milano VIII - Promenade Level - Saturday - 14:10-14:30


Past, Present and Future of High Speed Packet Filtering on Linux

Gilberto Bertin, CLoudflare

As internet DDoS attacks get bigger and more elaborate, the importance of high performance network traffic filtering increases. Attacks of hundreds of millions of packets per second are now commonplace. In this session, we will introduce modern techniques for high speed network packet filtering on Linux. We will follow the evolution of the subject, starting with Iptables and userspace offload solutions (such as EF_VI and Netmap), discussing their use cases and their limitations. We will then move on to a new technology recently introduced in the Linux kernel called XDP (express data path), which works by hooking an eBPF program into the lowest possible layer in the Linux kernel network stack, allowing network traffic to be filtered at high speeds.

Gilberto Bertin (Twitter: @akajibi) originally from a little Italian town near Venice, loves tinkering with low level systems, especially networking code. After working on variety of technologies like P2P VPNs and userspace TCP/IP stacks, he decided to move to London to help the Cloudflare DDoS team filter all the bad internet traffic.


Return to Index      -     

 

Demolabs - Table 3 - Sunday - 12:00-13:50


PCILeech

Ulf Frisk

Sunday from 1200-1350 at Table Three

Total physical pwnage and plenty of live demos in this action packed Demo Lab! The PCILeech direct memory access attack toolkit was presented at DEF CON 24 and quickly became popular amongst red teamers and governments alike. A year later major operating systems are still vulnerable by default. I will demonstrate how to take total control of Linux, Windows and macOS by PCIe DMA code injection. Kernels will be subverted, full disk encryption defeated, file systems mounted and shells spawned! All this by using affordable hardware and the open source PCILeech toolkit.

http://github.com/ufrisk/pcileech

Ulf Frisk
Ulf Frisk is a hacker/penetration tester working in the Swedish financial sector. Ulf focuses mainly on online banking security, penetration testing and it-security audits during daytime and low-level coding during nighttime. Ulf has been working professionally with security since 2011 and has a dark past as a developer.


Return to Index      -     

 

DEFCON - Track 2 - Sunday - 10:20-10:40


PEIMA (Probability Engine to Identify Malicious Activity): Using Power Laws to address Denial of Service Attacks

Sunday at 10:20 in Track 2

20 minutes | Art of Defense, Demo, Tool

Redezem Hacker

Denial of service. It requires a low level of resources and knowledge, it is very easy to deploy, it is very common and it is remarkable how effective it is overall. PEIMA is a brand new method of client side malicious activity detection based on mathematical laws, usually used in finance, text retrieval and social media analysis, that is fast, accurate, and capable of determining when denial of service attacks start and stop without flagging legitimate heavy interest in your server erroneously. However, denial of service attacks aren't the only type of anomalous activity you can look at with PEIMA. Learn what kinds of unusual identifying metrics you can get out of your network and users to help detect intrusions and, ultimately, defend your assets.

Redezem
Redezem hails from the southern hemisphere, specifically Perth, Australia, the most isolated capital city on the planet. He's been an avid computer tinkerer in this desolate, sunny, beach-ridden wasteland from a young age, and has been a "hacker" since he stole his dad's passwords to get at the internet as a kid. Having worked part time as a web application developer during his undergraduate degree in computer science, he specialised into intrusion detection in his honours year, and is currently performing his PhD into new and fantastic network anomaly detection mechanisms at Curtin University. He currently also lectures, and works part-time as a security consultant.


Return to Index      -     

 

Workshops - ( Sold Out ) - Octavius 1 - Friday - 14:30-18:30


Penetration Testing in Hostile Environments: Client & Tester Security

Friday, 14:30 to 18:30 in Octavius 1

Wesley McGrew Director of Cyber Operations, HORNE Cyber Solutions

Brad Pierce Director of Network Security For HORNE Cyber

Penetration testers can have the tables turned on them by attackers, to the detriment of client and tester security. Vulnerabilities exist in widely-used penetration testing tools and procedures. Testing often takes place in hostile environments: across the public Internet, over wireless, and on client networks where attackers may already have a foothold. In these environments, common penetration testing practices can be targeted by third-party attackers. This can compromise testing teams in the style of “ihuntpineapplesâ€, or worse: quietly and over a long period of time. The confidentiality, integrity, and availability of client networks is also put at risk by "sloppy" testing techniques.

In this workshop, we present a comprehensive set of recommendations that can be used to build secure penetration testing operations. This includes technical recommendations, policies, procedures, and guidance on how to communicate and work with client organizations about the risks and mitigations. The goal is to develop testing practices that:
- ...are more professionally sound
- ...protect client organizations
- ...protect penetration testers' infrastructure, and
- ...avoid a negative impact on speed, agility, and creativity of testers

The recommendations are illustrated with entertaining and informative hands-on exercises. These include:
- Vulnerability analysis of a penetration testing device's firmware
- Quick and dirty code audits of high-risk testing tools
- Monitoring and hijacking post-exploitation command and control
- Layering security around otherwise insecure tools.

After this workshop, you will walk away with actionable recommendations for improving the maturity and security of your penetration testing operations, as well as an exposure to the technical aspects of protecting the confidentiality of sensitive client data. You will participate in hands-on exercises that illustrate the importance of analyzing your own tools for vulnerabilities, and learn how to think like an attacker that hunts attackers. You'll hear about the challenges that are inherent in performing penetration tests on sensitive client networks, and learn how to layer security around your practices to reduce the risks.

Prerequisites: To get the most out of this class, students should have the ability to read/follow code in many programming languages (C/C++, Python, PHP, etc.). Students should also be familiar with navigation and use of the Linux command line. Experience with penetration testing will be useful, but those new to penetration testing should not be discouraged. The entire point is to pick up good operational security habits.

Materials: Students who wish to participate in the hands-on exercises should bring a laptop with at least 8GB of RAM, the operating system of their choice, and VMware Workstation or Fusion installed (sign up for a trial license from VMware just before the conference, if necessary). Virtual machines will be provided on USB sneakernet, so you may prefer to bring/configure a burner laptop. One exercise uses Wi-Fi. Apart from that, everything takes place within the virtual machines, and you will be able to disconnect all of your physical networking interfaces.

Max students: 36 | Registration: https://dc25_mcgrew.eventbrite.com (Sold out!)

Wesley McGrew
Wesley McGrew oversees and participates in penetration testing in his role of Director of Cyber Operations for HORNE Cyber Solutions. He has presented on topics of penetration testing, vulnerabilities, and malware analysis at DEF CON and Black Hat USA. He teaches a self-designed course on reverse engineering to students at Mississippi State University, using real-world, high-profile malware samples. Wesley graduated from Mississippi State University's Department of Computer Science and Engineering and previously worked at the Distributed Analytics and Security Institute. He holds a Ph.D. in computer science for his research in vulnerability analysis of SCADA HMI systems.

Brad Pierce
Brad Pierce manages penetration testing engagements and network infrastructure as Director of Network Security For HORNE Cyber. He brings more than 10 years of experience in network deployment, management, support and internal customer technology support. Brad served eight years in the United States Marine Corps receiving an Honorable Discharge in 2003. Brad is a graduate of The University of Southern Mississippi with a Bachelor of Science in Business Administration with an emphasis in management information systems.


Return to Index      -     

 

DEFCON - Track 1 - Saturday - 10:00-10:30


Persisting with Microsoft Office: Abusing Extensibility Options

Saturday at 10:00 in 101 Track

20 minutes | Demo

William Knowles MWR InfoSecurity

One software product that red teamers will almost certainly find on any compromised workstation is Microsoft Office. This talk will discuss the ways that native functionality within Office can be abused to obtain persistence. The following opportunities for Office-based persistence will be discussed:

(1) WLL and XLL add-ins for Word and Excel - a legacy add-in that allows arbitrary DLL loading.
(2) VBA add-ins for Excel and PowerPoint - an alternative to backdoored template files, which executes whenever the applications load.
(3) COM add-ins for all Office products - an older cross-application add-in that leverages COM objects.
(4) Automation add-ins for Excel - user defined functions that allow command execution through spreadsheet formulae.
(5) VBA editor (VBE) add-ins for all VBA using Office products - executing commands when someone tries to catch you using VBA to execute commands.
(6) VSTO add-ins for all Office products - the newer cross-application add-in that leverages a special Visual Studio runtime.

Each persistence mechanism will be discussed in terms of its relative advantages and disadvantages for red teamers. In particular, with regards to their complexity to deploy, privilege requirements, and applicability to Virtual Desktop Infrastructure (VDI) environments which hinder the use of many traditional persistence mechanisms.

The talk isn't all red - there's also some blue to satisfy the threat hunters and incident responders amongst us. The talk will finish with approaches to detection and prevention of these persistence mechanisms.

William Knowles
William Knowles is a Security Consultant at MWR InfoSecurity. He is primarily involved in purple team activities, which involves objective-based testing to simulate real-world threats, and helping organizations to identify effective defenses against them with regards to both prevention and detection. Prior to joining the security industry, he completed a PhD in Computer Science at Lancaster University. His research interests include post-exploitation activities and offensive PowerShell.

@william_knows


Return to Index      -     

 

DEFCON - Track 2 - Friday - 15:00-15:45


Phone system testing and other fun tricks

Friday at 15:00 in Track 2

45 minutes | Demo, Tool

"Snide" Owen Hacker

Phone systems have been long forgotten in favor of more modern technology. The phreakers of the past left us a wealth of information, however while moving forward the environments as a whole have become more complex. As a result they are often forgotten, side tracked or neglected to be thoroughly tested. We’ll cover the VoIP landscape, how to test the various components while focussing on PBX and IVR testing. The security issues that may be encountered are mapped to the relative OWASP category for familiarity. Moving on I’ll demonstrate other fun ways that you can utilize a PBX within your future offensive endeavours.

"Snide" Owen
"Snide" Owen has worked in various IT fields from tech support to development. Combining that knowledge he moved into the security field by way of Application Security and is now on an offensive security research team. He enjoys both making and breaking, tinkering with various technologies, and has experimented for prolonged periods with PBX's and the obscure side of VoIP.


Return to Index      -     

 

Demolabs - Table 6 - Saturday - 10:00-11:50


PIV OPACITY

Christopher Williams

Saturday from 1000-1150 at Table Six

Audience: Authentication, Mobile, Embedded Security, Biohacking

OPACITY is a fast, lightweight asymmetric encryption protocol, adopted as an open standard by NIST, ANSI, and Global Platform. OPACITY, originally designed for payment and identity applications, provides a method for securing the NFC channel of low power devices with embedded secure hardware, such as smart cards. I will show an Android demonstration leveraging this open standard, as defined in NIST SP 800-73-4, to securely produce derived credentials and provide flexible and private authentication. While this demo is designed to showcase the Federal PIV standard, the OPACITY algorithm and concepts are broadly applicable to provide secure transactions in IoT, biohacking, and other low power embedded systems.

https://youtu.be/ftn8-Cth554

Christopher Williams
Dr. Christopher Williams specializes in the implementation and evaluation of information assurance and data collection techniques to solve emerging problems around transaction security and privacy in IoT, fintech, and transportation. Dr. Williams has a Ph.D. in Physics from University of Chicago, where his dissertation research focused on design, prototyping, and field deployment of novel detectors for particle astrophysics. He has diverse scientific experience with expertise in systems integration, instrumentation, experimental design, and real-time data acquisition with a focus on systematic error mitigation. He has applied his expertise to validate standards compliance in secure messaging protocols between a smart card and host; and to study the integration of commercial cryptography solutions into a government approved authentication infrastructure for mobile platforms.


Return to Index      -     

 

Wireless - Florentine BR I & II - Promenade Level - Saturday - 13:00-13:25


POCSAG Amateur Pager Network

No description available


Return to Index      -     

 

DEFCON - Track 4 - Saturday - 17:00-17:45


Popping a Smart Gun

Saturday at 17:00 in Track 4

45 minutes | Demo, Exploit

Plore Hacker

Smart guns are sold with a promise: they can be fired only by authorized parties. That works in the movies, but what about in real life? In this talk, we explore the security of one of the only smart guns available for sale in the world. Three vulnerabilities will be demonstrated. First, we will show how to make the weapon fire even when separated from its owner by a considerable distance. Second, we will show how to prevent the weapon from firing even when authorized by its owner. Third, we will show how to fire the weapon even when not authorized by its owner, with no prior contact with the specific weapon, and with no modifications to the weapon.

Plore
Plore is an electrical engineer and embedded software developer based in the United States. At DEF CON 24, he spoke about cracking high-security electronic safe locks.

@_plore


Return to Index      -     

 

DEFCON - Track 1 - Thursday - 12:00-12:45


Porosity: A Decompiler For Blockchain-Based Smart Contracts Bytecode

Thursday at 12:00 in 101 Track

45 minutes | Demo, Tool

Matt Suiche Founder, Comae Technologies

Ethereum is gaining a significant popularity in the blockchain community, mainly due to fact that it is design in a way that enables developers to write decentralized applications (Dapps) and smart-contract using blockchain technology.

Ethereum blockchain is a consensus-based globally executed virtual machine, also referred as Ethereum Virtual Machine (EVM) by implemented its own micro-kernel supporting a handful number of instructions, its own stack, memory and storage. This enables the radical new concept of distributed applications.

Contracts live on the blockchain in an Ethereum-specific binary format (EVM bytecode). However, contracts are typically written in some high-level language such as Solidity and then compiled into byte code to be uploaded on the blockchain. Solidity is a contract-oriented, high-level language whose syntax is similar to that of JavaScript.
This new paradigm of applications opens the door to many possibilities and opportunities. Blockchain is often referred as secure by design, but now that blockchains can embed applications this raise multiple questions regarding architecture, design, attack vectors and patch deployments.

As we, reverse engineers, know having access to source code is often a luxury. Hence, the need for an open-source tool like Porosity: decompiler for EVM bytecode into readable Solidity-syntax contracts - to enable static and dynamic analysis of compiled contracts.

Matt Suiche
Matt Suiche is recognized as one of the world's leading authorities on memory forensics and application virtualization.

He is the founder of the United Arab Emirates based cyber-security start-up Comae Technologies. Prior to founding Comae, he was the co-founder & Chief Scientist of the application virtualization start-up CloudVolumes which was acquired by VMware in 2014. He also worked as a researcher for the Netherlands Forensic Institute.

His most notable research contributions enabled the community to perform memory-based forensics for Mac OS X memory snapshots but also Windows hibernation files.
Since 2009, Matt has been recognized as a Microsoft Most Valuable Professional in Enterprise Security due to his various contributions to the community.

@msuiche


Return to Index      -     

 

Workshops - ( Sold Out ) - Octavius 1 - Saturday - 10:30-14:30


Practical BLE Exploitation for Internet of Things

Saturday, 10:30 to 14:30 in Octavius 1

Aditya Gupta Founder, Attify

Dinesh Shetty Security Innovation

The Practical BLE Exploitation for Internet of Things is a new training class focusing on exploiting the numerous IoT devices using BLE as the medium.

Bluetooth Low Energy (or BLE) is found in most of the popular IoT and smart devices - be it smart home automation, retail, medical devices and more. This class will go through the internals of BLE from a security perspective, and then jump right into how you could interact with BLE devices all the way to taking control over a complete IoT devices using BLE exploitation techniques.

At the end, we will also look at some of the automation tools and scripts you can use/write in order to make the process much faster - as it's required in a pentest.

Prerequisites: [+] Basic Linux knowledge [+] Interest in IoT security

Materials:- Laptop with 2 available USB ports
- 2 Ubuntu 16.04 VM instances (either one as host and one in a VM, or both inside separate VMs)
- Instructor will provide additional tools and devices to use during the workshop

Max students: 35 | Registration: https://dc25_gupta.eventbrite.com (Sold out!)

Aditya Gupta
Aditya Gupta (@adi1391) is the founder and principal consultant of Attify, a specialized IoT and mobile security firm, and a leading mobile security expert and evangelist.

He has done a lot of in-depth research on mobile application security and IoT device exploitation. He is also the creator and lead instructor for the popular training course "Offensive Internet of Things Exploitation," which has been sold out at numerous places including Black Hat US 2015, Black Hat US 2016, Brucon etc.

He is also the author of the popular Android security book "Learning Pentesting for Android Devices" that sold over 15,000 copies, since it was published in March 2014. He has also discovered serious web application security flaws in websites such as Google, Facebook, PayPal, Apple, Microsoft, Adobe and many more.

He has also published a research paper on ARM Exploitation titled "A Short Guide on ARM Exploitation." In his previous roles, he has worked on mobile security, application security, network penetration testing, developing automated internal tools to prevent fraud, finding and exploiting vulnerabilities and so on.

He is also a frequent speaker and trainer at numerous international security conferences including Black Hat, DefCon, Syscan, OWASP AppSec, PhDays, Brucon, Toorcon, Clubhack amongst others, and also provides private and customized training programmes for organizations.

Dinesh Shetty
Dinesh leads the Mobile Security Testing Center of Excellence at Security Innovation. He has performed innumerable penetration tests on Web, Mobile and IoT technologies - however his core area of expertise is Mobile and Embedded application pentesting and exploitation. He is an accomplished author and speaker, and his research has been published in multiple security zines and sites.

Dinesh Shetty has previously presented his work at security conferences around Europe, Boston, New York, Australia, India and a bunch of Middle East and South East Asia countries. He continues to enhance his knowledge by undergoing security trainings and certifications around the world.


Return to Index      -     

 

Workshops - ( Sold Out ) - Octavius 7 - Saturday - 10:30-14:30


Practical Malware Analysis: Hands-On

Saturday, 10:30 to 14:30 in Octavius 7

Sam Bowne

Devin Duffy-Halseth

Dylan James Smith

Learn how to analyze Windows malware samples, with a hands-on series of projects in a fun, CTF-style environment. There are four levels of analysis challenges.

1. Basic static analysis with file, strings, PEiD, PEview, Dependency Walker, and VirusTotal
2. Basic dynamic analysis with Process Monitor, Process Explorer, RegShot, and Wireshark
3. Advanced static analysis with IDA Pro Free and Hopper
4. Advanced dynamic analysis with Ollydbg and Windbg

The first challenges are easy enough for beginners, and the later ones get difficult enough to interest intermediate security professionals. We will demonstrate the challenges, discuss the technologies and techniques, and help participants get through them as needed.

These challenges use harmless malware samples from the "Practice Malware Analysis" book by Michael Sikorski and Andrew Honig.

All materials and challenges are freely available at samsclass.info, including slide decks, video lectures, and hands-on project instructions. They will remain available after the workshop ends.

Prerequisites: Participant should be familiar with basic C programming. Experience with developing Windows applications, assembly language, and debuggers is helpful but not necessary.

Materials: Participants must bring a laptop (any OS) with VMware or VirtualBox installed on it. Each participant will need a 32-bit Windows virtual machine to run malware samples. USB sticks with a Windows Server 2008 VM will be available for students to copy. Some projects also use a Kali Linux VM to simulate the Internet, but that's not required.

Max students: 80 | Registration: https://dc25_bowne.eventbrite.com (Sold out!)

Sam Bowne
Sam Bowne has been teaching computer networking and security classes at City College San Francisco since 2000. He has given talks and hands-on trainings at DEFCON, HOPE, RSA, B-Sides SF, B-Sides LV, and many other cons. He has a PhD and a CISSP and a lot of T-shirts.

Devin Duffy-Halseth:
I really love hearing about different malware attack vectors and APT campaigns. I'm currently seeking a junior pentesting position.

Dylan James Smith
Dylan James Smith has assisted Sam Bowne with hands-on workshops at DEF CON, RSA, B-Sides LV and other conferences. He has worked in and around the computer support industry since adolescence. Now he’s old(er.) Currently focused on learning and teaching "the cybers."


Return to Index      -     

 

Workshops - ( Sold Out ) - Octavius 4 - Saturday - 14:30-18:30


Principals on Leveraging PowerShell for Red Teams

Saturday, 14:30 to 18:30 in Octavius 4

Carlos Perez Director of Reverse Engineering

Workshop will focus on the fundamentals on how PowerShell is leveraged by an attacker in code execution and post-exploitation. We will also cover how depending the leverage of maturity of a target organization affects the techniques used and way to operate around some of the controls.

Prerequisites: Basic Windows sysadmin knowledge, basic scripting knowledge and a understanding of PowerShell Basics:

- What is PowerShell
- Cmdlets and Modules
- Using help and documentation
- Pipeline basics

Materials: Laptop with a Win10 Ent VM with Office trial (they can download the 90day demos from MS) and Sysinternals Sysmon installed.

Max students: 72 | Registration: https://dc25_perez.eventbrite.com (Sold out!)

Carlos Perez
Carlos Perez is the Director of Reverse Engineering at a security vendor and also worked as a Sr Solution Architect for a large IT Integrator in the areas of Security. He has won the Microsoft MVP award several years for his work on PowerShell and Enterprise Security. He is mostly known for his contributions to the Metasploit Framework and co-host in the Security Weekly podcast.


Return to Index      -     

 

CPV - Florentine Ballroom 4 - Saturday - 11:30-12:00


Title:
Privacy is Not An Add-On: Designing for Privacy from the Ground Up

Author:
Alisha Kloc

Abstract:
You want to design customer-focused, easy-to-use products that your customers will love - but you aren’t doing your job if you wait until the last minute (or beyond!) to think about privacy. Tacking on privacy features as an afterthought isn’t only bad for your users, it’s also bad for your company. Privacy starts with your backend systems and carries forward through your product development cycle, your user testing, your product release, and all the way to your customer support. Learn how to build privacy into your products from the ground up, and create an awesome privacy story for both your company and your users.

Bio:
Alisha Kloc has worked in the security and privacy industry for over eight years, at companies ranging from startups to global powerhouses. Her focus is on protecting users’ data and developing industry-leading security and privacy programs. She is an advocate for user data protection, speaking at conferences across the US and Europe to highlight security & privacy issues and encourage people to choose security & privacy careers. Alisha is passionate about data security and user privacy, and believes in combining engineering, technology, policy, and culture to ensure users’ protection.
Twitter handle of presenter(s): @alishakloc

Return to Index      -     

 

Demolabs - Table 1 - Sunday - 10:00-11:50


probespy

stumblebot

Sunday from 1000-1150 at Table One

Audience: offense/recon/surveillance

Probespy is a dumb and dirty tool for analyzing directed and broadcast probe request data sent by wifi client devices. It assists in locating where wireless client devices have been (geolocation) and creating behavioral profiles of the person(s) owning the device via the identification of known SSIDs.

https://github.com/stumblebot/probespy

stumblebot
Stumblebot uses computers a lot. Currently he is paid to use computers on behalf of CDW's infosec team.


Return to Index      -     

 

CPV - Florentine Ballroom 4 - Friday - 13:00-14:00


Title:
Protecting Users' Privacy in a Location-Critical Enterprise: The Challenges of 9-1-1 Location

Author:
Trey Forgety

Abstract:
Precise location data can reveal the most sensitive details of a person's life. But, in an emergency, its the most important part of saving that life. This talk will detail how 9-1-1 systems acquire, use, and store sensitive location data today, and how that process will change as we transition to an all-IP Next Generation 9-1-1 world.

Bio:
Trey Forgety is Director of Government Affairs and Information Security Issues at NENA: The 9-1-1 Association. A physicist, lawyer, sailor, and inveterate tinkerer, Trey served two years as a Presidential Management Fellow with tours in DHS, the FCC, and NTIA, where he worked with the White House to develop policy for a nation-wide LTE network for public safety, known as FirstNet. By day, he handles legal, regulatory, and legislative issues affecting the 9-1-1 sector. By night, he handles the InfoSec issues, too. #SmallNonProfitLife
Twitter handle of presenter(s): @cincvolflt

Return to Index      -     

 

BHV - Pisa Room - Friday - 11:00-11:29


Title: Psychoactive Chemicals in Combat

Speaker: Amanda Plimpton/Evan Anderson

Amanda Plimpton/Evan Anderson:
Collaborators Amanda Plimpton and Evan Anderson are active in the body augmenting community and excited to see the current growth in the citizen science. Small groups and individuals who chose to pursue lines of inquiry and conduct ethical, methodical experiments are the key to the next series of breakthroughs that we will see across many sectors. Citizen scientists are people driven to investigate, experiment and seek answers. Whether they channel their passionate interests into a start-up business or stay in the nonprofit sector, they will continue to make important contributions in their fields. Our goal as speakers here is more modest, we are bringing forward research as a starting point for ourselves and our audience. Human experimentation has a long (and dark) history and today is fraught with ethical dilemmas and tensions. By looking at it through the lens of military experiments with a focus on psychoactive drugs we hope to add a small amount of research to the open source science body of work and to highlight the need for sound, ethically sourced data. Hopefully we will provoke thoughtful discussions around modern human experiments.

Abstract:
By looking at key experiments and trials done by the military we can learn about psychoactive chemicals and protocols that work, and don’t work, on humans. From biological enhancement to chemical deterrents, there is a wealth of information that grassroot scientists and body augmenters can use for their research and experiments.



Return to Index      -     

 

Workshops - ( Sold Out ) - Octavius 6 - Saturday - 14:30-18:30


Pwning machine learning systems

Saturday, 14:30 to 18:30 in Octavius 6

Clarence Chio Security Researcher

Anto Joseph Security Engineer, Intel

Pwning machine learning systems is an offensive-focused workshop that gives attendees a whirlwind introduction to the world of adversarial machine learning. This three-hour workshop will not be your run-of-the-mill introduction to machine learning course, (are you kidding? you can get that from a thousand different places online!) but will focus on hands-on examples, and actually attacking these systems. Every concept covered in this workshop will be backed-up with either a worked example or a challenge activity, (done in groups of 1 to 3) with minimal lecturing and maximum "doing". By the end of the workshop, students will be able to confidently pwn machine-learning-powered malware classifiers, intrusion detectors, and WAFs. We will cover the three major kinds of attacks on machine learning and deep learning systems - model poisoning, adversarial generation, and reinforcement learning attacks. As a bonus, attendees will emerge from the session with a fully-upgraded machine learning B.S. detector, giving them the ability to call B.S. on any "next-generation system" that claims to be impenetrable because of machine learning. This is an intermediate technical class suitable for attendees with some ability to read and write basic Python code. To get the most out of this workshop, surface-level understanding of machine learning is good. (be able to give a one-line answer to the question "What is machine learning?")

Prerequisites: Basic familiarity with Linux Python scripting knowledge is a plus, but not essential

Materials: latest version of virtualbox Installed administrative access on your laptop with external USB allowed at least 20 GB free hard disk space at least 4 GB RAM (the more the merrier)

Max students: 36 | Registration: https://dc25_chio.eventbrite.com (Sold out!)

Clarence Chio
Clarence Chio @cchio graduated with a B.S. and M.S. in Computer Science from Stanford within 4 years, specializing in data mining and artificial intelligence. He is in the process of co-authoring the O'Reilly book "Machine Learning and Security", and currently works as a Security Researcher and Data Scientist. Clarence spoke on Machine Learning and Security at DEF CON 24, GeekPwn Shanghai, PHDays Moscow, BSides Las Vegas and NYC, Code Blue Tokyo, SecTor Toronto, GrrCon Michigan, Hack in Paris, QCon San Francisco, and DeepSec Vienna (2015-2016). He had been a community speaker with Intel, and is also the founder and organizer of the"Data Mining for Cyber Security" meetup group, the largest gathering of security data scientists in the San Francisco Bay Area.

He has been/will be giving trainings/workshops in on machine learning and security at TROOPERS 17 (Heidelberg), HITB Amsterdam 2017, VXCON (Hong Kong), HITB GSEC (Singapore), and AppSec EU (Belfast).

Anto Joseph
Anto Joseph @antojosep007 is a Security Engineer for Intel. He has 4 years of corporate experience in developing and advocating security in machine learning and systems in mobile and web platforms. He is very passionate about exploring new ideas in these areas and has been a presenter and trainer at various security conferences including BH USA 2016, DEF CON 24, BruCon, Hack in Paris, HITB Amsterdam, NullCon, GroundZero, c0c0n, XorConf and more. He is an active contributor to many open-source projects and some of his work is available at https://github.com/antojoseph.


Return to Index      -     

 

IOT - Main Contest Area - Friday - 14:40-15:30



Return to Index      -     

 

Demolabs - Table 6 - Saturday - 14:00-15:50


Radare2

Maxime Morin

Saturday from 1400-1550 at Table Six

Audience: A lot of people are currently using radare2 for a large panel of different purposes; binary exploitation, weird CPU architecture reversing, binary diffing, ctf, emulation, We also try to get new contributors for the projects and invite students to collaborate via various platform such as Google Summer Of Code or the Radare Summer of Code we try to organize based on donations.

Radare2 is an open-source Reverse-Engineering Framework

> Project URL: http://radare.org/r/
> Git Project URL: https://github.com/radare/radare2

Maxime Morin
French IT Security Consultant living in Amsterdam, I work for FireEye in the i3 team, performing general technical threat analysis (Malware analysis, etc.). I'm interested in Reverse Engineering especially Malware related analysis. I am a modest contributor of the project and part of the core-group, I am mainly working on the regressions-test suite and mentoring a student for Google Summer of Code for the project this year. I have already done a workshop at BSidesLV and other conferences with others contributors for example at hack.lu and "unofficial" workshops in Vegas Bars/Restaurants I also rewrote the radare book which is quick intro for radare2.


Return to Index      -     

 

DEFCON - Track 1 - Friday - 16:00-16:45


Radio Exploitation 101: Characterizing, Contextualizing, and Applying Wireless Attack Methods

Friday at 16:00 in 101 Track

45 minutes | Demo

Matt Knight Senior Software Engineer, Threat Research at Bastille

Marc Newlin Security Researcher at Bastille

What do the Dallas tornado siren attack, hacked electric skateboards, and insecure smart door locks have in common? Vulnerable wireless protocols. Exploitation of wireless devices is growing increasingly common, thanks to the proliferation of radio frequency protocols driven by mobile and IoT. While non-Wi-Fi and non-Bluetooth RF protocols remain a mystery to many security practitioners, exploiting them is easier than one might think.

Join us as we walk through the fundamentals of radio exploitation. After introducing essential RF concepts and characteristics, we will develop a wireless threat taxonomy by analyzing and classifying different methods of attack. As we introduce each new attack, we will draw parallels to similar wired network exploits, and highlight attack primitives that are unique to RF. To illustrate these concepts, we will show each attack in practice with a series of live demos built on software-defined and hardware radios.

Attendees will come away from this session with an understanding of the mechanics of wireless network exploitation, and an awareness of how they can bridge their IP network exploitation skills to the wireless domain.

Matt Knight
Matt Knight is a software engineer and applied security researcher at Bastille, with a background in hardware, software, and wireless security. Matt's research focuses on preventing exploitation of the myriad wireless networking technologies that connect embedded devices to the Internet of Things. Notably, in 2016 he exposed the internals of the closed-source LoRa PHY based on blind signal analysis. Matt holds a BE in Electrical Engineering from Dartmouth College.

@embeddedsec

Marc Newlin
Marc Newlin is a wireless security researcher at Bastille, where he discovered the MouseJack and KeySniffer vulnerabilities affecting wireless mice and keyboards. A glutton for challenging side projects, Marc competed solo in two DARPA challenges, placing third in the DARPA Shredder Challenge, and second in the first tournament of the DARPA Spectrum Challenge.

@marcnewlin


Return to Index      -     

 

DEFCON - Track 1 - Friday - 11:00-11:45


Rage Against the Weaponized AI Propaganda Machine

Friday at 11:00 in 101 Track

45 minutes | 0025

Suggy (AKA Chris Sumner) Researcher, The Online Privacy Foundation

Psychographic targeting and the so called "Weaponized AI Propaganda Machine" have been blamed for swaying public opinion in recent political campaigns. But how effective are they? Why are people so divided on certain topics? And what influences their views? This talk presents the results of five studies exploring each of these questions. The studies examined authoritarianism, threat perception, personality-targeted advertising and biases in relation to support for communication surveillance as a counter-terrorism strategy. We found that people with an authoritarian disposition were more likely to be supportive of surveillance, but that those who are less authoritarian became increasingly supportive of such surveillance the greater they perceived the threat of terrorism. Using psychographic targeting we reached Facebook audiences with significantly different views on surveillance and demonstrated how tailoring pro and anti-surveillance ads based on authoritarianism affected return on marketing investment. Finally, we show how debunking propaganda faces big challenges as biases severely limit a person's ability to interpret evidence which runs contrary to their beliefs. The results illustrate the effectiveness of psychographic targeting and the ease with which individuals' inherent differences and biases can be exploited.

Suggy (AKA Chris Sumner)
Suggy is the lead researcher and co-founder of the not-for-profit Online Privacy Foundation, who contribute to the field of psychological research in online contexts. He has authored papers and spoken on this topic at DEF CON and other noteworthy security, psychology, artificial intelligence and machine learning conferences. For the past 4 years, Suggy has served as a member of the DEF CON CFP review board. By day, he works in security strategy at Hewlett Packard Enterprise.

@thesuggmeister,https://www.onlineprivacyfoundation.org/


Return to Index      -     

 

DEFCON - Track 2 - Thursday - 15:00-15:30


Real-time RFID Cloning in the Field

Thursday at 15:00 in 101 Track 2

20 minutes | Demo, Tool, Audience Participation

Dennis Maldonado Adversarial Engineer - LARES Consulting

Ever been on a job that required you to clone live RFID credentials? There are many different solutions to cloning RFID in the field and they all work fine, but the process can be slow, tedious, and error prone. What if there was a new way of cloning badges that solved these problems? In this presentation, we will discuss a smarter way for cloning RFID in the field that is vastly more efficient, useful, and just plane cool. We will go over the current tools and methods for long-range RFID cloning, than discuss and demonstrate a new method that will allow you to clone RFID credentials in the field in just seconds, changing the way you perform red team engagements forever.

Dennis Maldonado
Dennis Maldonado is a Security Consultant at LARES Consulting. His current work includes penetration testing, red teaming, and security research. Dennis' focus is encompassing all forms information security into an assessment in order to better simulate a real world attack against systems and infrastructure. As a security researcher and evangelist, Dennis spends his time sharing what he knows about Information Security with anyone willing to learn. Dennis co-founded Houston Locksport in Houston, Texas where he shares his love for lock-picking and physical security as well as Houston Area Hackers Anonymous (HAHA), a meet-up for hackers and InfoSec professionals in the Houston area. Dennis is also a returning speaker to DEF CON having spoken at DEF CON 23 and DEF CON 24.

@DennisMald


Return to Index      -     

 

RCV - Palermo room, Promenade level - Saturday - 13:00-13:25


Recon and Bug Bounties - What a great love story!

Abstract

Recon is an important phase in Penetration Testing. But wait,not everyone does that because everyone’s busy filling forms with values. Effective recon can often give you access to assets/boxes that are less commonly found by regular penetration testers. Internet is one of the best ways to find such hosts/assets. There are a bunch of tools available on the internet which can help researchers to get access to such boxes. Is reverse-IP really useful? Is dnsdumpster the only site that can give list of sub-domains? What if I told you there are many different ways which combined together can give you effective results. What if I told you I have got access to many dev/test boxes which should not have been public facing.

In this talk, the speaker will demonstrate few effective techniques using which researchers/pen testers can do better information gathering. The speaker would also share many stories which allowed him to earn some bounties using these recon techniques. This techniques might also be useful to red teams/incident response teams to identify rogue devices in their organisation which are often missed out during normal penetration testing. These might not be “best practices†but are definitely “good practices†and “nice to know†things while doing Penetration Testing.

Plus, the speaker will not just use presentation but will try to pray demo gods for some luck. Definitely some direct and key take aways to most attendees after the talk.

Speaker Profile

Abhijeth D (@abhijeth) is an AppSec dude at a bank and an Adjunct lecturer at UNSW in Australia. Previously worked with Adobe Systems, TCS and Sourcenxt. Security Enthusiast in the fields of Penetration Testing, Application / Mobile / Infrastructure Security. Believes in need for more security awareness and free responsible disclosures. Got lucky in finding few vulnerabilities with Google, Yahoo, Facebook, Microsoft, Ebay, Dropbox, etc and one among Top 5 researchers in Synack a bug bounty platform.


Return to Index      -     

 

IOT - Main Contest Area - Saturday - 16:10-16:59



Return to Index      -     

 

Wireless - Florentine BR I & II - Promenade Level - Friday - 18:00-18:55


Michael Ossmann

Bio

Michael Ossmann is a wireless security researcher who makes hardware for hackers. Best known for the open source HackRF, Ubertooth, and GreatFET projects, he founded Great Scott Gadgets in an effort to put exciting, new tools into the hands of innovative people.

@michaelossmann

Reverse Engineering DSSSSSSSSSSS Extended Cut

Abstract

Direct Sequence Spread Spectrum (DSSS) is a popular modulation technique for wireless communication that reduces the probability of interference and enables sharing of spectrum. It is also the central technology for Low Probability of Detection (LPD) and Low Probability of Intercept (LPI) radio systems. In addition to being used in well known systems such as Wi-Fi, ZigBee, and GPS, DSSS is extremely popular for proprietary satellite communications and for terrestrial radio transmissions that people don't want you to notice. I will show how DSSS signals can be detected much more easily than most people realize, and I will demonstrate techniques for reversing the pseudo-random sequence used in a DSSS implementation.


Return to Index      -     

 

PHW - Neopolitan BR IV - Promenade Level - Friday - 13:00-14:30


Reverse Engineering Malware 101

Malware Unicorn

This workshop provides the fundamentals of reversing engineering (RE) Windows malware using a hands-on experience with RE tools and techniques. Attendees will be introduced to RE terms and processes, followed by basic x86 assembly, and reviewing RE tools and malware techniques. It will conclude by attendees performing a hands-on malware analysis that consists of Triage, Static, and Dynamic analysis.

Prerequisites: Basic understanding of programming C/C++, Python, or Java

Provided: A virtual machine and tools will be provided.

Features: 5 Sections in 1.5 hours:

Amanda (Twitter: @malwareunicorn) absolutely loves malware. She works as a Senior Malware Researcher at Endgame who focuses on threat research focusing in dynamic behavior detection both on Windows and OSX platforms.



Return to Index      -     

 

BHV - Pisa Room - Saturday - 16:00-16:59


Title: Reversing Your Own Source Code

Speaker: Cosmo Mielke

About Cosmo Mielke:
Cosmo has a background in astronomy, but he switched to the medical field to study the metabolic syndrome that plagued him his whole life. At the Mayo Clinic he studied the molecular and genetic basis of obesity and diabetes. Currently he is working on a nonprofit citizen science movement to fight the war on obesity with crowdsourced health data. He beleives that everyone should have the right to study their own genetic "source code" without restrictions.

For his dayjob, Cosmo got super inspired by Ghost In The Shell and decided he wanted to learn how to scan his own brain, so he got a job at UCSF as one of their top data scientists in the neurology department. He scans brains for a living. Fun story.

Abstract:
In recent years, direct-to-consumer genetic testing services have given people the freedom to cheaply test their DNA. We have entered a new era where our own biological source code can be explored, allowing hackers to reverse-engineer the most complex machines in the universe: the human body. This data tells us about our ancestral origins, what makes us unique, and how our health may be influenced by our genetic predispositions.

These developments are exiting, but this new frontier is clouded by concerns about safety, privacy, and ethics. Recent developments in governmental regulation bring into question our rights as individuals to freely have our genes tested. We as hackers must unite to ensure that the human source code remains open source.

How do we embrace this technology to promote individual freedoms, accelerate research, and ultimately save lives without this information falling into wrong or abusive hands? How do we as hackers hack ourselves in a safe responsible way, and what can we expect to happen regarding government regulation? We will discuss these issues, and share our experiences as geneticists in studying our own code to better understand our health. We will also tell you about an open source science experiment we're running that will allow anyone to freely participate in genomic research for the betterment of human health and longevity.



Return to Index      -     

 

DEFCON - Track 4 - Sunday - 13:00-13:45


Revoke-Obfuscation: PowerShell Obfuscation Detection (And Evasion) Using Science

Sunday at 13:00 in Track 4

45 minutes | Art of Defense, Demo, Tool

Daniel Bohannon (DBO) Senior Consultant, MANDIANT

Lee Holmes Lead Security Architect, Microsoft

Attackers, administrators and many legitimate products rely on PowerShell for their core functionality. However, its power has made it increasingly attractive for attackers and commodity malware authors alike. How do you separate the good from the bad?

A/V signatures applied to command line arguments work sometimes. AMSI-based (Anti-malware Scan Interface) detection performs significantly better. But obfuscation and evasion techniques like Invoke-Obfuscation can and do bypass both approaches.

Revoke-Obfuscation is a framework that transforms evasion into a treacherous deceit. By applying a suite of unique statistical analysis techniques against PowerShell scripts and their structures, what was once a cloak of invisibility is now a spotlight. It works with .evtx files, command lines, scripts, ScriptBlock logs, Module logs, and is easy to extend.

Approaches for evading these detection techniques will be discussed and demonstrated.

Revoke-Obfuscation has been used in numerous Mandiant investigations to successfully identify obfuscated and non-obfuscated malicious PowerShell scripts and commands. It also detects all obfuscation techniques in Invoke-Obfuscation, including two new techniques being released with this presentation.

Daniel Bohannon (DBO)
Daniel Bohannon is a Senior Incident Response Consultant at MANDIANT with over seven years of operations and information security experience. He is the author of the Invoke-Obfuscation and Invoke-CradleCrafter PowerShell obfuscation frameworks

@danielhbohannon

Lee Holmes
Lee Holmes is the lead security architect of Microsoft's Azure Management group, covering Azure Stack, System Center, and Operations Management Suite. He is author of the Windows PowerShell Cookbook, and an original member of the PowerShell development team.

@Lee_Holmes, http://www.leeholmes.com/blog/


Return to Index      -     

 

SKY - Verona/Tuin/Trevi - Promenade Level - Sunday - 13:00-13:59


Title:
Robbing the network and ways to get there

1300 Sunday
Keith & Jerel "Low rent Nickerson"

Robbing the network and ways to get there

"In this presentation, we discuss the tricky scenarios we faced during internal penetration test engagements and how we have developed a tool to solve those issues.

We want to fill the gap from after cracking a password hash (normal user) from NetBIOS/LLMNR/WPAD attacks to compromising the entire Domain as well as solving a few tricky issues that we as penetration testers face.

There are also scenarios where after getting Domain Admin access doesn’t mean we have access to all hosts/shares/databases on all hosts in the network. Some of the workstations/servers are in workgroup membership. Some file shares are restricted to certain groups/users in the Active Directory. These file shares might contain sensitive cardholder information or router configuration backups or Personally identifiable information (PII) data that are restricted to certain users or groups that are out of bounds to Domain Administrators.

How do we get there? It would be easy for an attacker if all hosts in the network were part of the same Domain membership and the Domain Admin group have access to all file shares in the network. However, in complex organizations, these might not be the scenarios.

The tricky part for an attacker is to find the right account to gain access and getting in and out of the environment fast.

The tool allows you to supply a username and password that you have captured and cracked from Responder or other sources as well as an IP ranges, subnet or list of IP addresses.
The tool finds its way around the network and attempts to gain access into the hosts, finds and dumps the passwords/hashes, resuses them to compromise other hosts in the network.
"

Return to Index      -     

 

HHV - Main Contest Area, Pool Level - Friday - 13:00-15:00


Title:
Robo-Sumo

HHV was started when 1057 went around giving some robots out and sitting down with a group to assemble them. This event is open to all who want to bring (or hack together) a bot. More info here
Return to Index      -     

 

SKY - Verona/Tuin/Trevi - Promenade Level - Saturday - 16:00-16:59


Title:
Rockin' the (vox)Vote

1600 Saturday
algorythm
@rossja
Rockin' the (vox)Vote

VoxVote is a nifty little live voting app that turns out to have terrible security. What happens when you mess with it? Let's find out...

Return to Index      -     

 

Demolabs - Table 4 - Saturday - 12:00-13:50


Ruler - Pivoting Through Exchange

Etienne Stalmans

Saturday from 1200-1350 at Table Four

Microsoft Exchange has become the defacto gateway into most organisations. By nature, Exchange needs to be externally accessible, and usually falls outside of normal security monitoring. This can allow for the bypass of common security mechanisms. Even when organisations move into the cloud, their Exchange servers still provide access into the internal environment. It has been shown in the past that abusing the rules feature of Outlook, combined with auto-synchronisation through Exchange, can allow for Remote code-execution.

Furthermore, Exchange offers a covert communication channel outside of the usual HTTP or TCP employed by most malware. Using the mailbox itself, it is possible to create a communication channel that doesn't traverse the normal network boundary, and appears to be normal Exchange behaviour when inspected on the wire.

Introducing Ruler:

During our Red Team assessments, we saw an opportunity to utilise inherent weaknesses of Microsoft Exchange and create a fully-automated tool that aided further breach of the network. Ruler allows for the easier abuse of built in functionality, including the ability to execute code on every mailbox connected to the Exchange server.

This talk will showcase the numerous features of Ruler, demonstrating how to gain a foothold, pop shells on every connected mailbox, use Exchange as a covert communication channel and maintain a near invisible persistence in the organisation. We will also discuss possible defenses against the demonstarted attacks.

https://github.com/sensepost/ruler

Etienne Stalmans


Return to Index      -     

 

CPV - Florentine Ballroom 4 - Saturday - 16:00-17:00


Title:
rustls: modern, fast, safer TLS

Author:
Joseph Birr-Pixton (Electric Imp)

Abstract:
rustls is a new open-source TLS stack written in rust. This talk covers past TLS standard and implementation errors, and how those are avoided in rustls's design.

Bio:
I'm Joe, from Cambridge, England. I've been working in crypto, computer
security and embedded development since 2005; building HSMs, mobile
authentication, and securing IoT devices.
Twitter handle of presenter(s): @jpixton
Website of presenter(s) or content: https://jbp.io

Return to Index      -     

 

Demolabs - Table 5 - Saturday - 12:00-13:50


SamyKam

Salvador Mendoza

Saturday from 1200-1350 at Table Five

Audience: Offense/Defense/Hardware

SamyKam is a new project to pentest mag-stripe information designed using the Samy Kamkar's MagSpoof as base but in this case for Raspberry Pi integration. SamyKam is a portable hardware where the user can interact with it directly on the ssh, OLED, phone or browser to test magnetic card readers or tokenization processes with prepared attacks.

https://salmg.net/2017/01/16/samykam/

Salvador Mendoza
Salvador Mendoza is a security researcher focusing in tokenization processes, mag-stripe information and embedded prototypes. He has presented on tokenization flaws and payment methods at Black Hat USA, DEF CON, DerbyCon, Ekoparty, BugCON and Troopers. Salvador designed different tools to pentest mag-stripe and tokenization processes. In his designed toolset includes MagSpoofPI, JamSpay, TokenGet and lately SamyKam.


Return to Index      -     

 

Workshops - ( Sold Out ) - Octavius 4 - Friday - 10:30-14:30


Scanning the Airwaves: building a cheap trunked radio/pager scanning system

Friday, 10:30 to 14:30 in Octavius 4

Richard Henderson

Bryan Passifiume

Every second of every day, radio communications are flying through the air: many cities around the world have implemented multi-million dollar trunked radio systems for their transit, municipal, public safety, police, fire and EMS radio networks. Have you ever wondered what's being said over the air? Many of these systems are easily listenable with some basic software and very inexpensive hardware dongles originally designed for capturing over-the-air television broadcasts. This workshop will walk you through the basics of trunked radio systems, how they work, and how you can set up a listening post to decode these systems and listen in. We'll also cover the legalities of listening in, and where to find information online about your local radio systems. This workshop will cover setting up and using the Trunk88 scanning software, and how to scan other conventional (non-trunked) radio systems. A free SDR USB stick will be provided to the first 35 attendees. If time permits, we will also quickly walk through scanning popular archaic pager systems like POCSAG

Prerequisites: No prerequisites required - only a desire to want to listen in on the radio systems around you, a basic understanding of radio might help, but is not essential.

Materials: Laptop with Windows installed (no guarantees a VM will work with the hardware, so set up proper dual boot on your MacBooks and Linux machines, please) Notepad, pen. The first 35 participants will be given a free SDR/DVB-T USB stick in order to participate in the practical portion of the workshop. Any attendees beyond that will need to purchase their own SDR stick at the vendor village. There should be multiple vendors selling them. No fees are required. A small capacity USB drive with all the class notes/handouts, frequency lists, and software will also be provided.

Max students: 50 | Registration: https://dc25_henderson.eventbrite.com (Sold out!)

Richard Henderson
Richard Henderson is a writer, researcher, and ham radio/electronics nerd who has worked in infosec and technology for well over a decade. Richard is currently co-authoring a book on cybersecurity for ICS/Scada systems.

Bryan Passifiume
Bryan Passifiume is a journalist, writer and photographer who covers the crime/police beat at Calgary's biggest daily newspaper. A co-founder of the alt-amateur radio group Hamsexy, he's been involved in the monitoring and radio hacking scene for nearly twenty years.


Return to Index      -     

 

Workshops - ( Sold Out ) - Octavius 7 - Thursday - 14:30-18:30


SDR Crash Course: Hacking your way to fun and profit

Thursday, 14:30 to 18:30 in Octavius 7

Neel Pandeya Sr. Software Engineer & Manager, Ettus Research

Nate Temple Support/Software Engineer, Ettus Research

Wireless devices and wireless systems are increasingly becoming a fundamental and integral part of our world, and are becoming more of interest to security research professionals and hobbyists alike. Software Defined Radio (SDR) is rapidly becoming the tool of choice and a necessary skill for exploring and analyzing the wireless world. There has been significant innovation and development over the past several years, and SDR hardware and software has become much more capable and accessible than at any time before.

This workshop will provide a thorough introduction to SDR and will build a solid foundation for getting started in wireless security research. We will first cover the fundamental building blocks of digital signal processing, wireless communications and SDR hardware/software. We will then walk through various hands-on interactive exercises. We will then conclude with live demonstrations of a variety of applications utilizing SDR technology.

The workshop is based on USRP hardware and GNU Radio, an open-source SDR/DSP software framework, as well as other open-source tools. Attendees do not need to pre-install anything before coming to the workshop, and will use a customized Live Linux USB image to boot from.

The workshop will consist of three sections.

In Part One, we will review the theoretical background and fundamentals of wireless communications, DSP, RF and SDR. We will then discuss in detail the software and hardware used in SDR. Next, we will provide an overview of analog and digital modulation schemes, spectrum monitoring, and the identification and analysis of signals using all open-source software.

In Part Two, attendees will be guided step-by-step in the implementation of transmitters and receivers for a variety of analog and digital wireless systems. We will then analyze, inspect and visualize real-world wireless signals such as ASK, FSK, PSK, OFDM, LTE, 802.11.

In Part Three, we will perform a live demonstration of Radio Direction Finding and a wireless Replay Attack. We will then show a demonstration of receiving and demodulating recorded GPS signals, and other satellite signals such as Outernet, APT, LRPT. We will conclude with passively detecting and identifying on-air LTE networks with SDR hardware.

Prerequisites: Attendees should have some previous experience with Linux, the Linux command line, and a programming language such as C, C++, or Python. Basic familiarity with DSP and RF fundamentals would be helpful but is not required.

Materials: Attendees should bring a laptop with at least 4 GB RAM and two USB ports, where at least one port is USB 3.0. It is recommended that you bring the most powerful laptop that you can, and in general laptops over five years old may not be suitable for the workshop. Attendees should also bring a blank USB 3.0 flash drive, with minimum capacity of 16 GB. Attendees will also be provided USRP SDR hardware to use during the workshop. Optionally, attendees are welcome to bring their own SDR hardware.

Max students: 50 | Registration: https://dc25_pandeya.eventbrite.com (Sold out!)

Neel Pandeya
Neel is a Senior Software Engineer and Manager of the Technical Support Group at Ettus Research. His background and interests are in open-source software development, Linux kernel and embedded software development, wireless and cellular communications, DSP and signal processing, and software-defined radio (SDR). He holds a Bachelor's Degree in electrical engineering (BSEE) from Worcester Polytechnic Institute (WPI), and a Master's Degree in electrical engineering (MSEE) from Northeastern University. He has an Amateur Radio License, and is aspiring to obtain a private pilot license.

Nate Temple
Nate is a Support Engineer/Software Engineer at Ettus Research working in the areas of product support and software development. His background is in Embedded Linux Development, Micro-controller Development, Web Application Development and Security. He is passionate about SDR technology and is active within the community. His general interests are programming, wireless security, amateur radio, radio direction finding, and SATCOM hunting/hacking. He has contributed to many open-source SDR software projects over the years.


Return to Index      -     

 

SEV - Emperors BR II - Friday - 17:30-18:20



Friday July 28 5:30PM 50 mins

SE vs Predator: Using Social Engineering in ways I never thought….
When I started my path down becoming a professional social engineer my vision was something like a modern day version of Sneakers.  Instead I was taken down a road that crossed paths with human traffickers, child pornography and the darkest filth on the planet.  Out of that darkness I have had the chance to do some truly remarkable things that it is time to share…..

Chris Hadnagy:  @humanhacker
Chris is a professional social engineer with over 16 years of experience.  His passion is understanding the why not just the what. Chris has had the opportunity to work with some of the world’s greatest minds in learning how to use skills that might not be too common in the infused industry.  You can find out more by looking at www.social-engineer.com


Return to Index      -     

 

DEFCON - Track 4 - Friday - 10:00-10:30


Secret Tools: Learning about Government Surveillance Software You Can't Ever See

Friday at 10:00 in Track 4

20 minutes | 0025

Peyton "Foofus" Engel Attorney at Hurley, Burish & Stanton, S.C.

Imagine that you're accused of a crime, and the basis of the accusation is a log entry generated by a piece of custom software. You might have some questions: does the software work? how accurate is it? how did it get the results that it did? Unfortunately, the software isn't available to the public. And you can't get access to the source code or even a working instance of the software. All you get are assurances that the software is in use by investigators around the globe, and doesn't do anything that law enforcement isn't supposed to be doing. Because you can trust the government, right?

This talk will look at a family of tools designed for investigating peer-to- peer networks. By synthesizing information from dozens of search warrant affidavits, and a few technical sources, we're able to put together at least a partial picture of the software's capabilities. But we'll also look at the reasons the government offers for keeping these tools out of the public eye and talk about whether they make sense. Finally, we'll examine the implications that investigations based on secret capabilities have for justice.

Peyton "Foofus" Engel
After 18 years in IT, with 16 of those years spent in security and penetration testing, Foofus now works as an attorney. But because he's got significant experience with the Internet and security, one area of his practice focuses on consulting with litigants where digital evidence is at stake. In this capacity he does forensic analysis and assists other attorneys with strategy for presenting (or calling into question) computer-based evidence. In his spare time, Foofus enjoys cooking, playing guitar, and opera. Oh, and remember CoffeeWars? Foofus was pretty involved with that


Return to Index      -     

 

DEFCON - Track 2 - Saturday - 11:00-11:45


Secure Tokin' and Doobiekeys: How to roll your own counterfeit hardware security devices

Saturday at 11:00 in Track 2

45 minutes | Demo, Tool

Joe FitzPatrick SecuringHardware.com

Michael Leibowitz Senior Trouble Maker

Let's face it, software security is still in pretty bad shape. We could tell ourselves that everything is fine, but in our hearts, we know the world is on fire. Even as hackers, it's incredibly hard to know whether your computer, phone, or secure messaging app is pwned. Of course, there's a Solution(tm) - hardware security devices.

We carry authentication tokens not only to secure our banking and corporate VPN connections, but also to access everything from cloud services to social networking. While we've isolated these 'trusted' hardware components from our potentially pwnd systems so that they might be more reliable, we will present scenarios against two popular hardware tokens where their trust can be easily undermined. After building our modified and counterfeit devices, we can use them to circumvent intended security assumptions made by their designers and users. In addition to covering technical details about our modifications and counterfeit designs, we'll explore a few attack scenarios for each.

Sharing is Caring, so after showing off a few demonstration, we'll walk you through the process of rolling your own Secure Tokin' and Doobiekey that you can pass around the circle at your next cryptoparty.

Joe FitzPatrick
Joe is an Instructor and Researcher at https://SecuringHardware.com. Joe has spent over a decade working on low-level silicon debug, security validation, and penetration testing of CPUS, SOCs, and microcontrollers. He has spent the past 5 years developing and leading hardware security related training, instructing hundreds of security researchers, pen testers, hardware validators worldwide. When not teaching Applied Physical Attacks training, Joe is busy developing new course content or working on contributions to the NSA Playset and other misdirected hardware projects, which he regularly presents at all sorts of fun conferences.

@securelyfitz

Michael Leibowitz
Michael has done hard-time in real-time. An old-school computer engineer by education, he spends his days hacking the mothership for a large semiconductor company. Previously, he developed and tested embedded hardware and software, dicked around with strap-on boot roms, mobile apps, office suites, and written some secure software. On nights and weekends he hacks on electronics, writes DEF CON CFPs, and contributes to the NSA Playset.

@r00tkillah


Return to Index      -     

 

CPV - Florentine Ballroom 4 - Friday - 16:00-16:30


Title:
Security Analysis of the Telegram IM

Author:
Tomas Susanka (CTU Prague)

Abstract:
Telegram is a popular instant messaging service, a self-described fast and secure solution. It introduces its own home-made cryptographic protocol MTProto instead of using already known solutions, which was criticised by a significant part of the cryptographic community.

In this talk we will briefly introduce the protocol to provide context to the reader and then present two major findings we discovered as part of our security analysis performed in late 2016. First, the undocumented obfuscation method Telegram uses, and second, a replay attack vulnerability we discovered. The analysis was mainly focused on the MTProto protocol and the Telegram's official client for Android.

Bio:
Tomáš Sušánka studied and lives in Prague and occasionaly other universities and cities because, according to him, why not. He wrote his Master's thesis on Telegram IM and amongst other things discovered an undocumented obfuscation and a possible vulnerability, which he then reported to the powers that be.

Earlier this year he graduated from FIT CTU and currently would like to move into the world of infosec. He's joining Cloudflare's crypto team for a summer internship in 2017. When he wasn't roaming the world and studying abroad he worked on a number of web applications, APIs and a Q&A mobile game. He likes to eat grapefruits before going to bed and playing chess, as unlikely a combination as it sounds.

Return to Index      -     

 

DEFCON - Track 2 - Thursday - 14:00-14:45


See no evil, hear no evil: Hacking invisibly and silently with light and sound

Thursday at 14:00 in 101 Track 2

45 minutes | Demo, Tool

Matt Wixey Senior Associate, PwC

Traditional techniques for C2 channels, exfiltration, surveillance, and exploitation are often frustrated by the growing sophistication and prevalence of security protections, monitoring solutions, and controls. Whilst all is definitely not lost, from an attacker's perspective - we constantly see examples of attackers creatively bypassing such protections - it is always beneficial to have more weapons in one's arsenal, particularly when coming up against heavily-defended networks and highly-secured environments.

This talk demonstrates a number of techniques and attacks which leverage light and/or sound, using off-the-shelf hardware. It covers everything from C2 channels and exfiltration using light and near-ultrasonic sound, to disabling and disrupting motion detectors; from laser microphones, to repelling drones; from trolling friends, to jamming speech and demotivating malware analysts.

This talk not only provides attendees with a new suite of techniques and methodologies to consider when coming up against a well-defended target, but also demonstrates, in a hopefully fun and practical way, how these techniques work, their advantages, disadvantages, and possible future developments. It also gives details of real case studies where some of these techniques have been used, and provides defenders with realistic methods for the mitigation of these attacks.

Finally, the talk covers some ideas for future research in this area.

Matt Wixey
Matt Wixey is a penetration tester on PwC's Threat and Vulnerability Management team in the UK, and leads the team's research function. Prior to joining PwC, he led a technical R&D team in a UK law enforcement agency. His research interests include bypassing air-gaps, antivirus and sandbox technologies, and RF hacking.

@darkartlab


Return to Index      -     

 

BHV - Pisa Room - Friday - 14:00-14:29


Title: Sensory Augmentation 101

Speaker: Trevor Goodman

About Trevor Goodman:
Trevor Goodman is a bodyhacker and the Event Director for BDYHAX, the BodyHacking Convention. They are working to grow the bodyhacking and biohacking industries and communities in the US, Canada and Europe. Trevor is also the Event Director for InfoSec Southwest in Austin, TX and Director of Rogue Signal.

Abstract:
Everything you know about your environment mediated by your senses. Likely, you can see in a range of colors, hear a car horn honking, and feel the roughness of sandpaper, but light exists in bands too narrow or wide to be processed by your eyes, some sounds are too high or low to be recognized by your ears, and magnetic fields pulse around you all day. Most of us hardly notice. Dr. Paul Bach-y-Rita’s research in the 60’s eventually lead to The BrainPort which lets a user see through an electrode grid on your tongue, but sensory augmentation has stayed mostly within the realm of the medical field until recently. Now there are magnets in fingertips all over the place, Neil Harbisson can hear in colors in a wider range than you can see and companies like NeoSensory and Cyborg Nest are building even more devices that let you sense more or differently. We’ll talk through the basics of how your senses work in conjunction with your brain, about many of the great projects that help have helped individuals augment their senses, and why a vibrating North-sensing device mounted to your chest is different than a compass.



Return to Index      -     

 

PHW - Neopolitan BR IV - Promenade Level - Friday - 15:00-16:30


Serious Intro to Python for Admins

Davin Potts, Python Core Developer

Intended for an audience of IT managers and admins who are either responsible for systems with deployed Python apps and/or interested in the security implications of developing their own tools/scripts/apps in Python. This will be a hands-on exercise from start to finish designed to leave you with a sense of the mentality of Python and an ability to quickly look up what you need when expanding your knowledge of Python in the future. Prior programming experience not required. However it would be helpful if you've seen lots of Monty Python skits before.

Davin Potts is a Python Core Developer and lead dev for the multiprocessing module in the Python standard library. For a day job, Davin is a scientific software consultant working primarily on data science projects. Also refer to https://www.crunchbase.com/person/davin-potts.


Return to Index      -     

 

PHW - Neopolitan BR IV - Promenade Level - Saturday - 16:30-17:59


Serious Intro to Python for Admins

Davin Potts, Python Core Developer

Intended for an audience of IT managers and admins who are either responsible for systems with deployed Python apps and/or interested in the security implications of developing their own tools/scripts/apps in Python. This will be a hands-on exercise from start to finish designed to leave you with a sense of the mentality of Python and an ability to quickly look up what you need when expanding your knowledge of Python in the future. Prior programming experience not required. However it would be helpful if you've seen lots of Monty Python skits before.

Davin Potts is a Python Core Developer and lead dev for the multiprocessing module in the Python standard library. For a day job, Davin is a scientific software consultant working primarily on data science projects. Also refer to https://www.crunchbase.com/person/davin-potts.


Return to Index      -     

 

VMHV - Roman 1, Promenade Level - Friday - 12:00-12:45


Title:
Session on legal considerations of hacking election machines.

Title: Session on legal considerations of hacking election machines.


Joe Hall bio
Joseph Hall, Chief Technologist and Director of the Internet Architecture project at the Center for Democracy & Technology

Joseph Lorenzo Hall is the Chief Technologist and Director of the Internet Architecture project at the Center for Democracy & Technology, a Washington, DC-based non-profit advocacy organization dedicated to ensuring the internet remains open, innovative and free. Hall’s work focuses on the intersection of technology, law, and policy, working to ensure that technical considerations are appropriately embedded into legal and policy instruments. Supporting work across all of CDT’s programmatic areas, Hall provides substantive technical expertise to CDT’s programs, and interfaces externally with CDT supporters, stakeholders, academics, and technologists. Hall leads CDT’s Internet Architecture project, which focuses on embedding human rights values into core internet standards and infrastructure, engaging technologists in policy work, and producing accessible technical material for policymakers.


Candice Hoke bio
Candice Hoke, Legal Expert & Founder of the Center for Election Integrity

Professor Hoke is widely recognized national authority on laws governing election technologies (including voting devices and voter registration databases), election management, and on federal regulatory programs reflecting federalism values. She is a graduate of Yale Law School, where she was Senior Editor of the Yale Law Journal and co-chair of the Yale Law Women's Association. Her most recent publications focus on election technology regulatory issues, some of which were co-authored with computer security scientists. Her prior publications focus on health care regulation, welfare/public entitlement programs, and constitutional standards for statutory preemption.

Professor Hoke presents her research in academic, technology, and election policy forums throughout the country. She has testified before Congress on federalism aspects of health care reform legislation and on election policies needed to achieve greater public accountability. She founded and directed the Center for Election Integrity, which conducted nationally unprecedented field research on deployed voting technologies and election administration management problems.

Professor Hoke served three terms on the American Bar Association's Advisory Commission on Election Law. She has consulted with all levels of government on election policies and technology issues.

Return to Index      -     

 

CPV - Florentine Ballroom 4 - Friday - 11:00-12:00


Title:
SHA-3 vs the world

Name:
David Wong (NCC Group)

Abstract:
Since Keccak has been selected as the winner of the SHA-3 competition in 2012, a myriad of different hash functions have been trending. From BLAKE2 to KangarooTwelve we'll cover what hash functions are out there, what is being used, and what you should use. Extending hash functions, we’ll also discover STROBE, a symmetric protocol framework derived from SHA-3.

Bio:
David Wong is a Security Consultant at the Cryptography Services practice of NCC Group. He has been part of several publicly funded open source audits such as OpenSSL and Let's Encrypt. He has conducted research in many domains in cryptography, publishing whitepapers and sharing results at various conferences including DEF CON and ToorCon as well as giving a recurrent cryptography course at Black Hat. He has contributed to standards like TLS 1.3 and the Noise Protocol Framework. He has found vulnerabilities in many systems including CVE-2016-3959 in the Go programming language and a bug in SHA-3's derived KangarooTwelve reference implementation. Prior to NCC Group, David graduated from the University of Bordeaux with a Masters in Cryptography, and prior to this from the University of Lyon and McMaster University with a Bachelor in Mathematics.
Twitter handle of presenter(s): lyon01_david
Website of presenter(s) or content: https://www.cryptologie.net

Return to Index      -     

 

Demolabs - Table 6/Five - Saturday - 16:00-17:50


ShinoBOT Family

Sh1n0g1

Saturday& Sunday from Saturday 1600-1750, Sunday 1200-1350 at Table Six/Five

Audience: Offense

ShinoBOT Family is a malware suite for the pentester, security engineer who want to test the vendor's solution. It contains Backdoor, Ransomware, Downloader, Dropper, PowerShell based malware, obfuscation/encryption techniques, Pseudo-DGA, and the C&C is provided as a service (C&CaaS), no fee. 5 sec to get ready and "DOWNLOAD. EXECUTE. CONTROL."

https://shinobot.com/ <- ShinoBOT executable
https://shinobotps1.com/ <- powershell edition
https://shinolocker.com/ <-ShinoLocker
https://shinosec.com/ <- other components include ShinoBOT Suite

Sh1n0g1
Security Researcher (a.k.a Hacker). 12 years on breaking security solutions.


Return to Index      -     

 

Demolabs - Table 6/Five - Sunday - 12:00-13:50


ShinoBOT Family

Sh1n0g1

Saturday& Sunday from Saturday 1600-1750, Sunday 1200-1350 at Table Six/Five

Audience: Offense

ShinoBOT Family is a malware suite for the pentester, security engineer who want to test the vendor's solution. It contains Backdoor, Ransomware, Downloader, Dropper, PowerShell based malware, obfuscation/encryption techniques, Pseudo-DGA, and the C&C is provided as a service (C&CaaS), no fee. 5 sec to get ready and "DOWNLOAD. EXECUTE. CONTROL."

https://shinobot.com/ <- ShinoBOT executable
https://shinobotps1.com/ <- powershell edition
https://shinolocker.com/ <-ShinoLocker
https://shinosec.com/ <- other components include ShinoBOT Suite

Sh1n0g1
Security Researcher (a.k.a Hacker). 12 years on breaking security solutions.


Return to Index      -     

 

Wireless - Florentine BR I & II - Promenade Level - Saturday - 11:30-12:55


Matt Blaze

Bio

Matt Blaze is a professor at U. Penn, where he does various kinds of hackery.

@mattblaze

Sigint for the rest of us

Abstract

Practical weaknesses on P25 radio encryption, and how we exploited them


Return to Index      -     

 

Night Life - Modena, Promenade level - Friday - 22:00-27:00


Title:
Silent Disco : Party like a Hacker

Free party open to anyone, bring your booze from the bar next door, bring a phone, bring headphones. #PartyTime
Return to Index      -     

 

SEV - Emperors BR II - Friday - 19:15-20:05



Friday July 28 7:15PM 50 mins

Skills For A Red-Teamer
Want to incorporate hybrid security assessments into your testing methodology? What does going above and beyond look like for these types of assessments? How do you provide the best value with the resources and scope provided? What do some of these toolkits encompass?

If you’re interested in what skills are needed for a Red-Teamer, or taking your red teaming assessments to the next level, here’s the basic info to get you started. We’ll discuss items of importance, methodology, gear, stories and even some tactics used to help give you an edge.

Brent White: @brentwdesign
Tim Roberts:@zanshinh4x
Brent White :
Brent is an Sr. Security Consultant within TrustedSec, is the founding member of the Nashville Def Con group (DC615), and is also a supervisor for the Def Con conference “Groups†program. He has held the role of Web/Project Manager and IT Security Director at the headquarters of a global franchise company as well as Web Manager and information security positions for multiple television personalities and television shows on The Travel Channel.

He has also been interviewed on the popular web series, “Hak5†with Darren Kitchen, BBC News, and on Microsoft’s “Roadtrip Nation†television series. His experience includes Internal/External Penetration, Wireless, Application and Physical Security assessments, Social Engineering, and more.

Brent has also spoken at numerous security conferences, including ISSA International, DEF CON, DerbyCon, SaintCon, PhreakNic, SkyDogCon, NolaCon, B-Sides Nashville, B-Sides Charleston, Techno Security Con, TakeDownCon and Appalachian Institute of Digital Evidence (AIDE) conference at Marshall University, and more.

Tim Roberts :
Tim is a Sr. Security Consultant within NTT Security’s Threat Services group. He has spoken at national, international and collegiate security conferences, including ISSA International, DEF CON, DerbyCon, various B-Sides, CircleCityCon, Techno Security Con, SaintCon, Appalachian Institute of Digital Evidence at Marshall University and more.

He has been interviewed on the subject of “White hat hacking†for Microsoft’s “Roadtrip Nation†television series, was featured on IDG Enterprise’s CSO Online publication by Ryan Francis on social engineering and is a regular contributor to NTT Security’s #WarStoryWednesday blog series.

Tim has held management, IT and physical security roles across multiple industries, including healthcare and government. His professional experiences cover traditional/non-traditional hacking techniques that include network, wireless, social engineering, application, physical and scenario-based compromises. These techniques have led to highly successful Red Team assessments against corporate environments. By continuing to share these experiences, he hopes to further contribute to the InfoSec community.


Return to Index      -     

 

RCV - Palermo room, Promenade level - Friday - 18:00-18:35


Skip tracing for fun and profit

Abstract

This talk covers skip tracing TTPs and countermeasures in the digital and human domains. The audience will be guided through two real world examples of how a regular citizen can use open source tools, exploits, and social engineering to assist law enforcement and profit.

Some examples include phishing websites tailored to a fugitive’s resume, geolocating a target through video game clients, and using social media meta-data to build pattern-of-life. As the audience is moved through the process step by step, online and offline countermeasure such as USPS forwarding, false resume writing, and secure communications will also be covered.

Speaker Profile

Rhett Greenhagen has worked in the NetSec/IC for over a decade. He specializes in open source intelligence, cyber counter-intelligence, profiling, exploitation, malware analysis, and technical research and development. Career highlights include Primary Forensic Investigator for the DoD’s largest data center as well as senior technical positions for multiple defense contracting companies. Rhett is currently working for the Advanced Programs Group at McAfee.


Return to Index      -     

 

SEV - Emperors BR II - Saturday - 20:10-20:40



Saturday July 29 8:10PM 30 mins
Social Engineering with Web Analytics
Do you run web analytics on your websites, such as Google Analytics? If you were viewing your web analytics and noticed lots of traffic being referred to your website from an interesting domain, would you investigate? Wouldn’t you be curious as to why you were receiving this traffic and what it could mean? This sort of curiosity could be used against you! This talk will cover the intricacies of social engineering with web analytics! Come find out how the world wide web could be manipulated and how you could perform your very only web analytics social engineering attack!

Tyler Rosonke: @zonksec
Tyler Rosonke is a security consultant at TrustFoundry with application security and penetration testing experience. Tyler has worked with a variety of clients, including Fortune 100 companies, to improve their security posture. Tyler’s main area of focus is in offensive security. He enjoys researching new technologies, studying them, understanding them, and identifying how an adversary could abuse it. Tyler graduated from the University of Nebraska at Omaha with a B.S. in Information Assurance.

Before joining TrustFoundry, Tyler helped develop and run a red team at a Fortune 200 company. This position allowed him to not only sharpen his technical skills, but practice his security evangelism as well. Tyler has completed the Penetration Testing with Kali Linux challenge and has obtained his Offensive Security Certified Professional (OSCP) certification. Tyler is highly involved with the security community. He has contributed to open source projects, spoken at security events, and writes and operates a security blog.


Return to Index      -     

 

Demolabs - Table 6 - Saturday - 12:00-13:50


Splunking Dark Tools - A Pentesters Guide to Pwnage Visualization

Bryce Kunz @TweekFawkes

Nathan Bates (@Brutes_)

Saturday from 1200-1350 at Table Six

During a penetration test, we typically collect all sorts of information into flat files (e.g. nmap scans, masscan, recon-ng, hydra, dirb, nikto, etc) and then manually analyze those outputs to find vectors into target networks. Leveraging data analytics techniques within Splunk, pentesters will be able to quickly find the information they are looking for and hence exploit more target networks within short time periods. This talk covers the required tools for consolidating, analyzing and visualizing the dark tools that are used by every red team. We'll release the required framework for getting the data where it needs to be, the technical add-ons to ensure this data is ingested in usable formats, and dashboards for Spunk to leverage this data for mass pawnage of your target!

Bryce Kunz @TweekFawkes
Bryce Kunz (@TweekFawkes) applies his knowledge of the red-side to discover vulnerabilities which enable exploiting all the things! Currently, leading the tailored testing of Adobe's marketing cloud infrastructure to discover security vulnerabilities. As an Ex-NSA, Ex-DHS employee who hold various certifications (OSCP, CISSP, etc...) my fervor for perfection drives me to share intriguing research.

Nathan Bates (@Brutes_)
Nathan Bates (@Brutes_) applies his knowledge of the blue-side to defend against organized crime, nation-states and Bryce. Currently, leading the security centric big data initiatives for Adobe's marketing cloud infrastructure to build large scale systems for security monitoring and incident response.


Return to Index      -     

 

BHV - Pisa Room - Saturday - 15:30-15:59


Title: Standardizing the Secure Deployment of Medical Devices

Speaker: Chris Frenz

About Chris Frenz:
Christopher Frenz is an expert on healthcare security and privacy. He the author of the books "Visual Basic and Visual Basic .NET for Scientists and Engineers" and "Pro Perl Parsing," as well as the author of numerous articles on security related topics. He is an active member in the security community and the project lead for the OWASP Anti-Ransomware Guide and OWASP Secure Medical Device Deployment Standard projects. Frenz holds many industry standard certifications, including CISSP, HCISPP, CISM, CISA, CIPP/US, CIPM, CIPT, and CCSK.

Abstract:
In recent months it seems like not a week passes where you do not encounter a headline that states that a healthcare organization has been held for ransom or in some other way involved in a breach. Healthcare has been a sector that has routinely been described as being lax with the implementation and enforcement of information security controls and the challenges faced by healthcare organizations are growing as attackers begin to look past EHR and PACS systems and target the medical devices within them. That older but still very functional computerized medical supply cabinet which was installed to improve the efficiency of operations can now be seen as a liability in that its aging unpatched control node may contain hundreds of unpatched vulnerabilities. Vulnerabilities that in the case of malware like Medjack can be used to compromise the device and use it as a staging ground for attacks against other hospital systems. In some cases, however, the risk goes beyond just a breach vector and can directly impact human life. What if that infusion pump’s dosage was illegitimately changed or the pacemaker programming made malicious? What if Brickerbot took out a surgical robot or a heart monitor at a critical time? These issues could readily give a whole new meaning to the term Denial of Service and cannot be ignored. While the FDA recently issued some guidance for the manufacturers of such devices, the secure deployment of such devices is also critical for security as all of the security features in the world are useless if no one terms them on or configures them improperly. This presentation will discuss the OWASP Secure Medical Device Deployment Standard and requisite methods that can be used to securely deploy medical devices in order to help to prevent their compromise as well as mitigate the damage that can occur if a successful compromise were to occur.



Return to Index      -     

 

DEFCON - Track 3 - Friday - 13:00-13:45


Starting the Avalanche: Application DoS In Microservice Architectures

Friday at 13:00 in Track 3

45 minutes | Demo, Tool

Scott Behrens Senior Application Security Engineer

Jeremy Heffner Senior Cloud Security Engineer

We'd like to introduce you to one of the most devastating ways to cause service instability in modern micro-service architectures: application DDoS. Unlike traditional network DDoS that focuses on network pipes and edge resources, our talk focuses on identifying and targeting expensive calls within a micro-services architecture, using their complex interconnected relationships to cause the system to attack itself — with massive effect. In modern microservice architectures it's easier to cause service instability with sophisticated requests that model legitimate traffic to pass right through web application firewalls.

We will discuss how the Netflix application security team identified areas of our microservices that laid the groundwork for these exponential-work attacks. We'll step through one case study of how a single request into an API endpoint fans out through the application fabric and results in an exponential set of dependent service calls. Disrupting even one point within the dependency graph can have a cascading effect throughout not only the initial endpoint, but the dependent services backing other related API services.

We will then discuss the frameworks we collaborated on building that refine the automation and reproducibility of testing the endpoints, which we've already successfully leveraged against our live production environment. We will provide a demonstration of the frameworks which will be open sourced in conjunction with this presentation. Attendees will leave this talk understanding architectural and technical approaches to identify and remediate application DDoS vulnerabilities within their own applications. Attendees will also gain a greater understanding on how take a novel new attack methodology and build an orchestration framework that can be used at a global scale.

Scott Behrens
Scott Behrens is currently employed as a senior application security engineer for Netflix. Prior to Netflix Scott worked as a senior security consultant at Neohapsis and an adjunct professor at DePaul University. Scott's expertise lies in both building and breaking for application security at scale. As an avid coder and researcher, he has contributed to and released a number of open source tools for both attack and defense. Scott has presented security research at DEF CON , DerbyCon, OWASP AppSec USA, Shmoocon, Shakacon, Security Forum Hagenberg, Security B-sides Chicago, and others.

@helloarbit

Jeremy Heffner
Jeremy Heffner is a software and security professional who has worked on numerous commercial and government projects. His passion is for securing and building scalable, survivable, and fault-tolerant distributed systems. His focus includes cyber attack and defense, information gathering and analysis, and scaling systems globally through automation and dynamic optimization.


Return to Index      -     

 

PHV - Milano VIII - Promenade Level - Sunday - 13:10-13:59


Stories from a 15 days SMB Honeypot: Mum, Tons of WannaCry and Evils Attacked Our Home!

Tan Kean Siong, Security Researcher

WannaCry, Eternal Blue, SambaCry are the popular topic recently. During the outbreak in May 2017, we designed a 'real' Windows 7 / Samba server with the open source Dionaea honeypot and exposed the favourable SMB port to the world. There are tons of expected WannaCry attacked the pot, and interestingly there are more juicy collection than that! In this session, we would like to present the stories from a 15 days SMB honeypot. As a honeypot hobbyist, we deployed an emulated Windows 7 machine which implanted with DoublePulsar backdoor. Yes, a Windows system infected with DoublePulsar! Also, our honeypot is up for the CVE 2017-7494 SambaCry vulnerability. We observed tons of scanning which looks for targets to spread the expected WannaCry ransomware. Surprisingly, there are more juicy collection in the pot, e.g. EternalRocks, Reverse Shell, RAT, DDoSers, Coin Miner, Trojan, etc (you name it you have it!). We love to share various interesting data, with the 15 days observation from a single home-based sensor in the entire IP space.

Tan Kean Siong (Twitter: @gento_) is an independent security researcher and honeypot hobbyist. As part of The Honeynet Project, he enjoys reading the backlog of various sensors over the net, analyzing and scout for evil activities. He involved in several open source network sensor and honeypot development, including Dionaea, Honeeepi and Glutton. He has spoken in conferences e.g. Hack In The Box SIGINT, Hack In The Box GSEC Singapore, HoneyCon Taiwan and other open source community events.


Return to Index      -     

 

PHV - Milano VIII - Promenade Level - Saturday - 17:40-17:59


Strengthen Your SecOps Team by Leveraging Neurodiversity

Megan Roddie, Cyber Security Analyst at the Texas Department of Public Safety

High productivity, extreme attention to detail, logical/calculated, passionate, and hyper-focused. These are all characteristics considered valuable in the information security industry. However, a certain group of people who exceed expectations in these skill sets are constantly overlooked for job positions. That group of people is the High Functioning Autistic (HFA) community. Individuals in the high functioning autistic community are often overlooked for job positions due to their social disabilities which makes them perform poorly in an interview and in their interactions with other people. However, if you look past their awkward behavior and social struggles, you will find these individuals are perfectly suited for roles in the information security industry. This talk aims to show the listeners that, as many tech companies have found, the HFA community is ripe with individuals who could be the best of the best in the security industry if given the chance. The audience will realize that a small investment in time, understanding, and acceptance can result in the addition of an invaluable member to a Security Operations team.

Megan Roddie (Twitter: @megan_roddie) is a graduate student pursuing her Master's in Digital Forensics at Sam Houston State University while also working as a Cyber Security Analyst at the Texas Department of Public Safety. As a 20-year old with Asperger's Syndrome (High Functioning Autism), Megan offers a unique perspective in any topic she discusses. Megan can articulate her struggles and how small modifications in daily life have made her successful.


Return to Index      -     

 

Workshops - ( Sold Out ) - Octavius 5 - Friday - 14:30-18:30


Subverting Privacy Exploitation Using HTTP

Friday, 14:30 to 18:30 in Octavius 5

Eijah Founder, Demonsaw

The world has become an increasingly dangerous place. Governments and corporations spend hundreds of millions of dollars each year to create new and cutting-edge technology designed for one purpose: the exploitation of our private communications. How did we let this happen? And what are we going to do about it? Are we willing to stand idly by and live in a state of fear while our freedom of speech is silently revoked? Or is there something we can do to challenge the status quo and use our skills to protect our privacy and the privacy of others?

The Hypertext Transfer Protocol (HTTP) is an application-layer protocol that's the foundation of the modern Internet. Initially created by Tim Berners-Lee in 1989, HTTP is still the most popular protocol in use today. One of the core strengths of HTTP is that it's flexible enough to transmit any type of data. HTTP is also everywhere - it's in use on desktops, mobile devices, and even IoT. Due to the ubiquitous nature of HTTP, firewalls and proxies are configured by default to allow this type of traffic through. Could HTTP be used to communicate securely while completely bypassing network management rules?

This workshop challenges the assumption that HTTP cannot guarantee confidentiality of data. It will introduce you to the HTTP protocol and demonstrate how it can be used to send data securely. We'll create command-line applications in C/C++ on Linux that will use HTTP to securely send messages across the Internet, while bypassing firewall and proxy rules. We'll use a variety of ciphers, hashes, and other cryptographic routines that are part of open-source libraries. Whether you're a professional programmer, find yourself a little rusty and want a refresher course, or even if you'd never created a secure application in C/C++ before; this workshop is for you.

Please note that this is a medium-level, technical workshop and requires that attendees have prior experience in at least one programming language, preferably C or C++. Bring your laptop, a USB flash drive, and your favorite C/C++ 11 compiler (>= gcc/g++ 4.9.2 or msvc 2015).

Prerequisites: Previous experience in at least one programming language is required. Previous experience with C/C++ and cryptography is helpful, but not required.

Materials: Laptop with Windows, Linux, or OSX. USB flash drive for saving their progress.

Max students: 90 | Registration: https://dc25_eijah.eventbrite.com (Sold out!)

Eijah
Eijah is the founder of Demonsaw, a secure and anonymous information sharing program. For the last 5 years he was also a Senior Programmer at Rockstar Games where he worked on Grand Theft Auto V. Eijah has over 15 years of software development and IT Security experience. His career has covered a broad range of Internet and mid-range technologies, core security, and system architecture. Eijah has been a faculty member at multiple colleges, has spoken about security and development at DEF CON and Hack Miami conferences, and holds a master's degree in Computer Science. Eijah is an active member of the hacking community and is an avid proponent of Internet freedom.


Return to Index      -     

 

Wireless - Florentine BR I & II - Promenade Level - Saturday - 13:30-13:55


Andrew 'r0d3nt' Strutt

Bio

Overall IT experience: 19 years No. of years of security experience: 11 years

@andrew_strutt

POCSAG Amateur Pager Network

Abstract

Andrew 'r0d3nt' Strutt as an amateur radio operator, has hosted the only DEFCON POCSAG Pager Network, with single cell ranges of over 50 miles. This presentation will detail the legalities, hardware and software requirements to host the infrastructure and foxhunt contest. This will be the 5th year hosting the pager network.

Suitcase Repeater Build for UHF - 70cm

Abstract

As an amatuer radio operator, I enjoy building mobile implementations for ARES (Amatuer Radio Emergency Service), and for events. During this presentation, I will detail out several years worth of experimentation, research, and showcase my final build w/ modifications and demonstrate the build.


Return to Index      -     

 

DEFCON - Track 2 - Saturday - 17:00-17:45


Taking Windows 10 Kernel Exploitation to the next level - Leveraging write-what-where vulnerabilities in Creators Update

Saturday at 17:00 in Track 2

45 minutes | Demo, Exploit

Morten Schenk Security Advisor, Improsec

Since the release of Windows 10 and especially in the Anniversary and Creators Updates, Microsoft has continued to introduce exploit mitigations to the Windows kernel. These include full scale KASLR and blocking kernel pointer leaks.

This presentation picks up the mantle and reviews the powerful read and write kernel primitives that can still be leveraged despite the most recent hardening mitigations. The presented techniques include abusing the kernel-mode Window and Bitmap objects, which Microsoft has attempted to lock down several times. Doing so will present a generic approach to leveraging write-what-where vulnerabilities.

A stable and precise kernel exploit must be able to overcome KASLR, most often using kernel driver leaks. I will disclose several previously unknown KASLR bypasses in Windows 10 Creators Update. Obtaining kernel-mode code execution on Windows has become more difficult with the randomization of Page Table entries. I will show how a generic de-randomization of the Page Table entries can be performed through dynamic reverse engineering. Additionally, I will present an entirely different method which makes the usage of Page Table entries obsolete. This method allocates an arbitrary size piece of executable kernel pool memory and transfers code execution to it through hijacked system calls

Morten Schenk
Morten Schenk (@blomster81) is a security advisor and researcher at Improsec ApS, with a background in penetration testing, red teaming and exploit development. Having a high craving for learning and torture based on taking certifications like OSCP, OSCE and OSEE, Morten's research is specifically focused on binary exploitation and mitigation bypasses on Windows. He blogs about his research at https://improsec.com/blog/

@Blomster81


Return to Index      -     

 

BHV - Pisa Room - Friday - 13:00-13:29


Title: Tales from a healthcare hacker

Speaker: Kevin Sacco

About Kevin
Kevin is healthcare threat hunter and has been conducting ethical hacking since the time when wardialing and sitting in hot vans all day with a bazooka (not Joe's gum) to do wardriving was in vogue. He has over 16 years experience in IT security and compliance ranging from active duty service in the US military, Big 4 consulting, compliance management at a large tech company and more recently healthcare-focused consulting - where has led and conducted more than 50 hacking engagements in the past 3 years. Kevin is the coauthor of a whitepaper on "Hacking Healthcare" and has assisted the Office of Civil Rights on a study to advise and guide the government on hacking in healthcare. In his spare time - Kevin is trained and enjoys experimenting with and working with people in various forms of cutting edge psychology and diet and nutrition approaches to maximize human potential.

Abstract:
Over past decade, electronic medical records (EMR's) and networked medical devices have become a healthcare norm. However, vendors and consumers alike have not paid sufficient attention to the security implications of EMR's and networked medical devices. In this talk, I will cover my experience [ethical] hacking and social engineering my way into healthcare networks. I will highlight security issues with healthcare networks and share real life stories.



Return to Index      -     

 

BHV - Pisa Room - Friday - 18:00-18:59


Title: tDCS workshop

Speakers: Darren and Jen

About Darren and Jen:
Jennifer has been an information security professional for the past 20 years and is currently a Security Intelligence Analyst. Her experience includes reverse engineering malware, penetration testing, vulnerability analysis, and incident response. Jennifer studied biology and psychology and focused her studies on neurology. Her passion for brain science, coupled with computer science, has been a driving factor in her interest in the technological singularity and human/machine integration. In her free time she runs a robotics club for kids and is learning to play the ukulele. She is an avid fan of the Detroit Tigers, William Shakespeare, and the oxford comma. Darren Lawless is a security analyst with 13+ years of plugging dykes and playing sentry. He currently leads the threat monitoring team for a large security services organization. His interest in all things *bio* has blossomed and intensified over the last couple years resulting in forays, experimentation, and investigation into nootropics, biofeedback, and augmentation, implantation, brain stimulation, and a sundry wet-tech bad-assedness. Still a squire in the realm, he maintains the ability to ask real world questions like, "Why (why not) do this? What are the risks? Should we care?"

Abstract:
Are you interested in experimenting with tDCS but don't want to pay a high price for commercial devices? Are you a maker and tinkerer at heart? If so, then this workshop is for you. Join us as we walk you through the process of DIYing your very own tDCS device. Donations for kits appreciated ($10 or whatever you like)



Return to Index      -     

 

DEFCON - Track 2 - Friday - 13:00-13:45


Teaching Old Shellcode New Tricks

Friday at 13:00 in Track 2

45 minutes | Demo

Josh Pitts Hacker

Metasploit x86 shellcode has been defeated by EMET and other techniques not only in exploit payloads but through using those payloads in non-exploit situations (e.g. binary payload generation, PowerShell deployment, etc..). This talk describes taking Metasploit payloads (minus Stephen Fewer's hash API), incorporating techniques to bypass Caller/EAF[+] checks (post ASLR/DEP bypass) and merging those techniques together with automation to make something better.

Josh Pitts
Josh Pitts has over 15 years experience conducting physical and IT security assessments, IT security operations support, penetration testing, malware analysis, reverse engineering and forensics. Josh has worked in US Government contracting, commercial consulting, and silicon valley startups. He likes to write code that patches code with other code via The Backdoor Factory (BDF), has co-authored an open-source environmental keying framework (EBOWLA), and once served in the US Marines.

@midnite_runr


Return to Index      -     

 

CHV - Village Talks Outside Contest Area, Pool Level - Saturday - 12:00-12:59


That’s no car. It’s a network!

No description available


Return to Index      -     

 

DEFCON - Track 2 - Friday - 16:00-16:45


The Adventures of AV and the Leaky Sandbox

Friday at 16:00 in Track 2

45 minutes | Demo, Tool

Itzik Kotler Co-Founder & CTO, SafeBreach

Amit Klein VP Security Research, SafeBreach

Everyone loves cloud-AV. Why not harness the wisdom of clouds to protect the enterprise? Consider a high-security enterprise with strict egress filtering - endpoints have no direct Internet connection, or the endpoints' connection to the Internet is restricted to hosts used by their legitimately installed software. Let's say there's malware running on an endpoint with full privileges. The malware still can't exfiltrate data due to the strict egress filtering.

Now let'also assume that this enterprise uses cloud-enhanced anti-virus (AV).You'd argue that if malware is already running on the endpoint with full privileges, then an AV agent can't degrade the security of the endpoint. And you'd be completely wrong.

In this presentation, we describe and demonstrate a novel technique for exfiltrating data from highly secure enterprises which employ strict egress filtering. Assuming the endpoint has a cloud-enhanced antivirus installed, we show that if the AV employs an Internet-connected sandbox in its cloud, it in fact facilitates such exfiltration. We release a tool implementing the exfiltration technique, and provide real-world results from several prominent AV products. We also provide insights on AV in-the-cloud sandboxes. Finally we address the issues of how to further enhance the attack, and possible mitigations.

Itzik Kotler
Itzik Kotler is CTO and Co-Founder of SafeBreach. Itzik has more than a decade of experience researching and working in the computer security space. He is a recognized industry speaker, having spoken at DEF CON, Black Hat USA, Hack In The Box, RSA, CCC and H2HC. Prior to founding SafeBreach, Itzik served as CTO at Security-Art, an information security consulting firm, and before that he was SOC Team Leader at Radware. (NASDQ: RDWR).

@itzikkotler
www.ikotler.org

Amit Klein
Amit Klein is a world renowned information security expert, with 26 years in information security and over 30 published technical papers on this topic. Amit is VP Security Research at SafeBreach, responsible for researching various infiltration, exfiltration and lateral movement attacks. Before SafeBreach, Amit was CTO for Trusteer (acquired by IBM) for 8.5 years. Prior to Trusteer, Amit was chief scientist for Cyota (acquired by RSA) for 2 years, and prior to that, director of Security and Research for Sanctum (acquired by Watchfire, now part of IBM security division) for 7 years. Amit has a B.Sc. from the Hebrew University in Mathematics and Physics (magna cum laude, Talpiot program), recognized by InfoWorld as a CTO of the year 2010 , and has presented at BlackHat USA, HITB, RSA USA, OWASP, CertConf, BlueHat, CyberTech, APWG and AusCERT.

www.securitygalore.com


Return to Index      -     

 

SKY - Verona/Tuin/Trevi - Promenade Level - Sunday - 12:00-12:59


Title:
The Automation and Commoditization of Infosec

1200 Sunday
Joshua Marpet and Scott Lyons
Josh - @quadling and Scott - @Csp3r
The Automation and Commoditization of Infosec

"Robots will take your job! Unless....
It's already happened to IT, when and how will it happen to IT Security?
Let's talk about it, and figure out how to make it better for you, and for the industry."

Return to Index      -     

 

CHV - Village Talks Outside Contest Area, Pool Level - Saturday - 16:30-17:30


The Bicho: An Advanced Car Backdoor Maker

No description available


Return to Index      -     

 

BHV - Pisa Room - Friday - 12:00-12:59


Title: The Bitcoin DNA Challenge

Speaker: Keoni Gandall

About Keoni:
Keoni Gandall- 18 year old biohacker, frequents DIYbio forums under alias "Koeng". Worked at UCI for 4 years in directed evolution lab. Likes DNA, BSD, and freedom.

Abstract:
The ultimate form of information storage: DNA.
Dumb question: Can we store Bitcoin addresses in DNA?

Participate in several challenges demystifying the idea of storing Bitcoins inside of DNA. The first who discovers the solution to each challenge wins the satoshi stored in the actual DNA code.



Return to Index      -     

 

DEFCON - Track 1 - Sunday - 12:00-12:45


The Black Art of Wireless Post Exploitation

Sunday at 12:00 in 101 Track

45 minutes | Demo, Tool

Gabriel "solstice" Ryan Gotham Digital Science

Most forms of WPA2-EAP have been broken for nearly a decade. EAP-TTLS and EAP-PEAP have long been susceptible to evil twin attacks, yet most enterprise organizations still rely on these technologies to secure their wireless infrastructure. The reason for this is that the secure alternative, EAP-TLS, is notoriously arduous to implement. To compensate for the weak perimeter security provided by EAP-TTLS and EAP-PEAP, many organizations use port based NAC appliances to prevent attackers from pivoting further into the network after the wireless has been breached. This solution is thought to provide an acceptable balance between security and accessibility. The problem with this approach is that it assumes that EAP is exclusively a perimeter defense mechanism. In this presentation, we will present a novel type of rogue access point attack that can be used to bypass port-based access control mechanisms in wireless networks. In doing so, we will challenge the assumption that reactive approaches to wireless security are an acceptable alternative to strong physical layer protections such as WPA2-EAP using EAP-TLS.

Gabriel "solstice" Ryan
Gabriel is a pentester, CTF player, and Offsec R&D. He currently works for Gotham Digital Science, where he provides full scope red team penetration testing capabilities for a diverse range of clients. Previously he has worked at OGSystems and Rutgers University. He also is a member of the BSides Las Vegas senior staff, coordinating wireless security for the event. Things that make him excited include obscure wireless attacks, evading antivirus, and playing with fire. In his spare time, he enjoys live music and riding motorcycles.

@s0lst1c3
github.com/s0lst1c3
solstice.me
blog.gdssecurity.com


Return to Index      -     

 

PHV - Milano VIII - Promenade Level - Saturday - 11:10-11:59


The Black Art of Wireless Post-Exploitation: Bypassing Port-Based Access Controls Using Indirect Wireless Pivots

Gabriel Ryan, Security Engineer at Gotham Digital Science

Most forms of WPA2-EAP have been broken for nearly a decade. EAP-TTLS and EAP-PEAP have long been susceptible to evil twin attacks, yet most enterprise organizations still rely on these technologies to secure their wireless infrastructure. The reason for this is that the secure alternative, EAP-TLS, is notoriously arduous to implement. To compensate for the weak perimeter security provided by EAP-TTLS and EAP-PEAP, many organizations use port based NAC appliances to prevent attackers from pivoting further into the network after the wireless has been breached. This solution is thought to provide an acceptable balance between security and accessibility. The problem with this approach is that it assumes that EAP is exclusively a perimeter defense mechanism. In this presentation, we will present a novel type of rogue access point attack that can be used to bypass port-based access control mechanisms in wireless networks. In doing so, we will challenge the assumption that reactive approaches to wireless security are an acceptable alternative to strong physical layer protections such as WPA2-EAP using EAP-TLS.

Gabriel Ryan (Twitter: @s0lst1c3) is a penetration tester and researcher with a passion for wireless and infrastructure testing. His career began as a systems programmer at Rutgers University, where he assessed, diagnosed, and resolved system and application issues for a user community of over 70,000 faculty, students, and staff. Gabriel then went on to work as a penetration tester and researcher for the Virginia-based defense contractor OGSystems. While at OGSystems, he worked as a lead engineer on the Mosquito project, a geospatial intelligence tool that leverages wireless technology to track potential threats. Gabriel currently works for the international security consulting firm Gotham Digital Science at their New York office, where he performs full scope red team penetration tests for a diverse range of clients. He also contributes heavily to his company's research division, GDS Labs. Some of his most recent work includes a whitepaper on rogue access point detection, along with the popular tool Eaphammer, which is used for breaching WPA2-EAP networks. On the side, he serves as a member of the BSides Las Vegas senior staff, coordinating wireless security for the event. In his spare time, he enjoys live music, exploring the outdoors, and riding motorcycles.


Return to Index      -     

 

DEFCON - Track 3 - Friday - 10:00 -10:45


The Brain's Last Stand

Friday at 10:00 in Track 3

45 minutes

Garry Kasparov Avast Security Ambassador

Former world chess champion Garry Kasparov has a unique place in history as the proverbial "man" in "man vs. machine" thanks to his iconic matches against the IBM supercomputer Deep Blue. Kasparov walked away from that watershed moment in artificial intelligence history with a passion for finding ways humans and intelligent machines could work together. In the spirit of "if you can't beat'em, join'em," Kasparov has explored that potential for the 20 years since his loss to Deep Blue. Navigating a practical and hopeful approach between the utopian and dystopian camps, Kasparov focuses on how we can rise to the challenge of the AI revolution despite job losses to automation and refuting those who say our technology is making us less human. He includes concrete examples and forward-looking strategies on AI.

Garry Kasparov
Garry Kasparov was born in Baku, Azerbaijan, in the Soviet Union in 1963. He became the youngest world chess champion in history in 1985 and was the world's top-rated player for 20 years, until he retired in 2005. His matches against arch-rival Anatoly Karpov and the IBM supercomputer Deep Blue popularized chess and machine intelligence in unprecedented ways. Kasparov became a pro-democracy leader in Russia and an outspoken defender of individual freedom around the world, a mission he continues as the chairman of the New York-based Human Rights Foundation. He is a Visiting Fellow at the Oxford-Martin School, where his lectures focus on human-machine collaboration. Kasparov is a provocative speaker who appears frequently before business, academic, and political audiences to speak about decision-making, strategy, technology, and artificial intelligence. His influential writings on politics, cognition, and tech have appeared in dozens of major publications around the world. He has written two acclaimed series of chess books and the bestsellers How Life Imitates Chess on decision-making and Winter Is Coming on Russia and Vladimir Putin. His new book, Deep Thinking: Where Machine Intelligence Ends and Human Creativity Begins comes out in May 2017. In 2016, he was named a Security Ambassador by Avast, where he discusses cybersecurity and the digital future. He lives in New York City with his wife Dasha and their two children.

@Kasparov63


Return to Index      -     

 

BHV - Pisa Room - Saturday - 17:00-17:29


Title: The Brave New World of Bio-Entrepreneurship

Speaker: Jun Axup

About Jun Axup:
Jun Axup is the Science Director at IndieBio. She has a PhD in chemical biology and worked in various startups in immuno-oncology, lab automation robotics, CRISPR, and precision medicine. Jun is passionate about using the intersection of biology, technology, and design to increasing human healthspan.

Abstract:
Biotech companies have historically been started by professors from prestigious institutions with millions of dollars of investment funding. Today, with the lowering cost of research and increasing amount of resources driven by Moore's law, robotics, software and efficiencies in bioproduction, anyone with an insight can start a biotech company for a fraction of the cost, be they PhD or biohacker.

At IndieBio, the world's largest biotech accelerator started just under 3 years ago, we've funded and help founders build 70 companies that redefine speed and innovation for biology. We have trained graduate students and first-time founders into entrepreneurs and have expanded biotechnology beyond therapeutics and medical devices. We see biology as the next big technology platform with applications in food, regenerative medicine, consumer products, neurotech, and bio-IT interfacing. Come hear about the big problems our companies are solving with biology as technology!



Return to Index      -     

 

DEFCON - Track 3 - Sunday - 12:00-12:45


The call is coming from inside the house! Are you ready for the next evolution in DDoS attacks?

Sunday at 12:00 in Track 3

45 minutes | Art of Defense

Steinthor Bjarnason Senior Network Security Analyst, Arbor Networks

Jason Jones Security Architect, Arbor Networks

The second half of 2016 saw the rise of a new generation of IoT botnets consisting of webcams and other IoT devices. These botnets were then subsequently used to launch DDoS attacks on an unprecedented scale against Olympic-affiliated organizations, OVH, the web site of Brian Krebs and Dyn.

Early 2017, a multi-stage Windows Trojan containing code to scan for vulnerable IoT devices and inject them with Mirai bot code was discovered. The number of IoT devices which were previously safely hidden inside corporate perimeters, vastly exceeds those directly accessible from the Internet, allowing for the creation of botnets with unprecedented reach and scale.

This reveals an evolution in the threat landscape that most organizations are completely unprepared to deal with and will require a fundamental shift in how we defend against DDoS attacks.

This presentation will include:
- An analysis of the Windows Mirai seeder including its design, history, infection vectors and potential evolution.
- The DDoS capabilities of typically infected IoT devices including malicious traffic analysis.
- The consequences of infected IoT devices inside the corporate network including the impact of DDoS attacks, originating from the inside, targeting corporate assets and external resources.
- How to detect, classify and mitigate this new threat.

Steinthor Bjarnason
Steinthor Bjarnason is a Senior Network Security Analyst on Arbor Networks ASERT team, performing applied research on new technologies and solutions to defend against DDoS attacks.

Steinthor has 17 years of experience working on Internet Security, Cloud Security, SDN Security, Core Network Security and DDoS attack mitigation. Steinthor is an inventor and principal of the Cisco Autonomic Networking Initiative, with a specific focus on Security Automation where he holds a number of related patents.

@sbjarnas

Jason Jones
Jason Jones is the Security Architect for Arbor Networks' ASERT team. His primary role involves reverse engineering malware, architecting of internal malware processing infrastructure, feed infrastructure and botnet monitoring infrastructure in addition to other development tasks. Jason has spoken at various industry conferences including BlackHat USA, FIRST, BotConf, REcon, and Ruxcon


Return to Index      -     

 

BHV - Pisa Room - Saturday - 17:30-17:59


Title: The collision of prosthetics, robotics and the human interface

Speaker: Randall Alley

About Randall Alley:
Randall Alley is CEO and Chief Prosthetist for biodesigns inc., a Southern California prosthetic facility and R&D center specializing in upper and lower limb interface (socket) systems for patients for all ages and activity levels.

Our biomechanically focused, proprietary interface designs result in improved outcomes, greater patient acceptance and are backed by evidence-based clinical support. In conjunction with his practice, Alley has worked with DEKA Research and Development as their prosthetic interface design consultant for the Defense Advanced Research Projects Agency’s (DARPA) “Revolutionizing Prosthetics Project†chartered to develop the next generation of military upper limb prosthesis (a.k.a. the “Luke Armâ€). Randy is currently the Principle Investigator on biodesigns’ own DARPA/SBIR Phase II contract.

Abstract:
Very often amputees, prosthetists, manufacturers and particularly the general public are all excited to hear about the latest developments in prosthetic components such as feet, ankles, knees and hands. And while these components have improved significantly over the last decade there is one area that has essentially been overlooked. And it’s an area that is arguably the most critical in terms of an individual’s comfort, control, proprioception, and overall health. I am of course talking about the prosthetic socket, or interface. The socket is universal to all upper & lower limb prosthetic systems and without it, prosthetic systems simply would not exist. Today nearly all prosthetic wearers are in sockets that provide limited biomechanical control and therefore outcomes are sub-par at best. Common wearer complaints include poor socket fit, inability for it to stay on or to be worn for long periods of time, excessive heat, skin irritations, poor performance among others.

This presentation will highlight the biomechanical differences of traditional sockets that merely encapsulate a residual limb to that of the High-Fidelity™ (HiFi) Interface that uses skeletal capture and control principles that result in increased comfort, increased performance, a trend toward gait symmetry, as well as improved range of motion, energy efficiency and overall user success. Perhaps the most interesting development resulting from osseostabilization is enhanced connectivity and proprioception. By mimicking the motions of the skeleton it is believed we are in effect “fooling†the brain into believing the lost arm or leg is back, a key component in the process of becoming whole again.



Return to Index      -     

 

BHV - Pisa Room - Sunday - 11:05-11:30


Title: The Future is Fake Identities

Speaker: Paul Ashley

About Paul Ashley:
Paul Ashley is Chief Technology Officer at Anonyome Labs, a startup company focused on identity obfuscation through building of fake identities. The company brings technology to every day users that allow them to interact online and offline in safety, privacy and control. Paul’s responsibilities at Anonyome Labs includes application architecture, development, emerging technologies, curating the patent portfolio, and technical partnerships.

Abstract:
In a world filled with danger emanating from all sorts of digital channels, having a proxy (or two) that you create, control, manage and direct is not just useful, but a requirement. Instead of worrying about an ineffectual government or an incomprehensible privacy policy, it’s possible that fake identities are a way to take ownership of the problem. Fake identities in the hands of the individual, are the way to swing the pendulum of privacy back to the people. The presentation will present our progress at building tools for people to implement fake identities to use offline and online. At the time of writing this abstract our users have 2 million active fake identities and the number is growing daily. These identities are used for dating, shopping, selling, social media, political statements and for numerous other uses.



Return to Index      -     

 

ICS - Calibria - Saturday - 14:00-14:30


Title: The gap in ICS Cyber security - Cyber security of Level 1 Field devices.

ICSs were, and continue to be, designed to meet reliability, safety, and regulatory requirements. Cyber securing the ICS system consists not only of securing the OT networks but also the instrumentation, actuators, drives, analyzers, and controllers which often are serial-based before the conversion to Ethernet communications. Level 1 sensors, other field devices, and their communication protocols are generally not cyber secure. Additionally, it is often not possible to tell the difference between a malicious cyber compromise and an unintentional equipment failure. Moreover, the sensing/control loop will continue to operate even if the Ethernet network is not available. Consequently, there is a need to understand what is happening at the Level 1 layer in addition to what is happening with the OT networks.


Bio: Joe Weiss

Joseph Weiss is an industry expert on control system cyber security, with more than 40 years of experience in the energy industry. He serves as a member of numerous organizations related to control system security. He has provided oral and written testimony to five congressional committees and has published over 100 papers on instrumentation, controls, and diagnostics including the book Protecting Industrial Control Systems from Electronic Threats. He has conducted SCADA, substation, plant control system, and water systems vulnerability and risk assessments and conducted short courses on control system security. He has amassed a database of more than 950 actual control system cyber incidents. He is an ISA Fellow, Managing Director of ISA Fossil Plant Standards, ISA Nuclear Plant Standards, ISA Industrial Automation and Control System Security (ISA99), a Ponemon Institute Fellow, and an IEEE Senior Member. He has been identified as a Smart Grid Pioneer by Smart Grid Today. He has two patents on instrumentation and control systems, is a registered professional engineer in the State of California, a Certified Information Security Manager (CISM) and Certified in Risk and Information Systems Control (CRISC).



Return to Index      -     

 

SEV - Emperors BR II - Saturday - 16:00-16:50


Saturday July 29 4:00PM 50 Mins
The Human Factor: Why Are We So Bad at Security and Risk Assessment?
How does the science of human perception and decision making influence the security sector? How can we use information about how people make decisions to create more successful security professionals? In the 1970s, “fringe†psychologists began to question the phenomenon of decision making, seeking to understand the mechanism by which individuals will make seemingly unfathomable choices in the face of obvious deterrents. For example, virtually every story told by those that lived in areas ravaged by war is full of the warning signs they saw, reasons they could tell disaster was coming. Why then, did these individuals fail to run? It is almost impossible for one to believe that they are in the midst of a life-changing catastrophe. Terrifying circumstances are subconsciously alienated from our thoughts as ideas that are too far-fetched to be real. When one has any personal stake in a situation (e.g. what to eat for dinner or who to vote for) our ability to take stock and react reasonably seems nearly non-existent.

There are numerous academic studies on decision-making and perception. Their insights have been applied to various industries over the years with surprising success. Financial corporations have benefited greatly by working to understand, incorporate and utilize these insights. Why do we make unintelligent choices? Why are we are so overwhelmingly deficient at risk assessment and mitigation? This session will explore how the science of decision making applies to the security sector, empowering attendees to walk away with a better understanding of how these concepts can be leveraged to build more robust and useful security tools, as well as more successful training models. Supported by the research of Nobel prize-winning psychologist Daniel Kahneman, the session will introduce these techniques and discuss how they can help in the practical application of security testing.

John Nye: @EndisNye_com
John Nye has spent the majority of the last decade working in Information Security, half that time working exclusively as a professional penetration tester. Besides testing and improving security, John has a passion for educating and informing the public. He accomplishes this by presenting hacking demos regularly at industry conferences and groups as well as writing blog posts for CynergisTek and industry publications. Nye’s specialties include Wireless, web, and system penetration testing, user education and public speaking, information assurance, security auditing, policy compliance and writing, and security research and analysis. Some of his industry certifications include CISSP, Licensed Penetration Tester (LPT) and Certified Ethical Hacker (CEH).


Return to Index      -     

 

DEFCON - Track 4 - Friday - 17:00-17:45


The Internet Already Knows I'm Pregnant

Friday at 17:00 in Track 4

45 minutes | Exploit

Cooper Quintin Staff Technologist - EFF

Kashmir Hill Journalist - Gizmodo Media

Women's health is big business. There are a staggering number of applications for Android to help people keep track of their monthly cycle, know when they may be fertile, or track the status of their pregnancy. These apps entice the user to input the most intimate details of their lives, such as their mood, sexual activity, physical activity, physical symptoms, height, weight, and more. But how private are these apps, and how secure are they really? After all, if an app has such intimate details about our private lives it would make sense to ensure that it is not sharing those details with anyone such as another company or an abusive partner/parent. To this end EFF and Journalist Kashmir Hill have taken a look at some of the privacy and security properties of over a dozen different fertility and pregnancy tracking apps. Through our research we have uncovered several privacy issues in many of the applications as well as some notable security flaws as well as a couple of interesting security features.

Cooper Quintin
Cooperq is a security researcher and programmer at EFF. He has worked on projects such as Privacy Badger, Canary Watch, Ethersheet, and analysis of state sponsored malware. He has also performed security trainings for activists, non profit workers and ordinary folks around the world. He previously worked building websites for non-profits, such as Greenpeace, Adbusters, and the Chelsea Manning Support Network. He also was a co-founder of the Hackbloc hacktivist collective. In his spare time he enjoys playing music and participating in street protests.

@cooperq

Kashmir Hill
Kashmir Hill is a journalist who writes about privacy and security. She is a senior reporter at Gizmodo Media and has previously written for Fusion, Forbes Magazine and Above The Law.

@kashhill


Return to Index      -     

 

IOT - Main Contest Area - Saturday - 13:00-13:50



Return to Index      -     

 

PHW - Neopolitan BR IV - Promenade Level - Saturday - 10:00-11:59


The Kali Linux Dojo - Angela Could Have Done Better

Mati Aharoni, Kali Linux Developer

This workshop will show you how to create your own personalized Kali Linux ISO, customizing virtually every aspect using the live-build utility. You'll learn how to create custom Kali appliances and dedicated tools for those ever-so-specific tasks.

Mati Aharoni (Twitter: @kalilinux) is an infosec dinosaur with over a decade of active involvement in the infosec community. Between Kali development and tinkering with mysterious hardware, Mati enjoys the evangelical role of convincing anyone who will listen about the virtues of Kali Linux.


Return to Index      -     

 

CPV - Florentine Ballroom 4 - Sunday - 12:00-12:30


Title:
The Key Management Facility of the Root Zone DNSSEC KSK

Author:
Punky Duero (ICANN - PTI)

Abstract:
Take a rare peak on the facility that helps secure the Root DNSSEC Key Signing Key and learn its recent activities including the key rollover. Understand what happens during a typically behind closed door key ceremonies.

Bio:
Punky Duero, a Filipino dude who once set course to California in search for opportunities after receiving his Bachelor's degree in Computer Science from the Philippines. During his journey, he settled in Fukushima and Yokohama, Japan for almost a year to help tinker and test software for NEC mobile phones. Upon arriving in California, he helped commercial and government facilities deploy security systems to secure their assets from James Bond and Ethan Hunt. In 2014, he joined the folks that helps manage the address book of the Internet and settled for the time being.
Twitter handle of presenter(s): punkyduero

Return to Index      -     

 

DEFCON - Track 2 - Thursday - 16:00-17:45


The Last CTF Talk You'll Ever Need: AMA with 20 years of DEF CON Capture-the-Flag organizers

Thursday at 16:00 in 101 Track 2

105 minutes | Hacker History

Vulc@n Difensiva Senior Engineer, DDTEK

Hawaii John CTF organizer, Legit Business Syndicate

Chris Eagle CTF organizer, DDTEK

Invisigoth CTF organizer, Kenshoto

Caezar CTF organizer, Ghetto Hackers

Myles CTF organizer, Goon

Today there is practically a year-round CTF circuit, on which teams hone their skills, win prizes and attain stature. For many, the ultimate goal is to dominate in the utmost competition, DEF CON's CTF, and walk away with a coveted black badge. Capture-the-Flag (CTF) is one of DEF CON's oldest contests, dating back to DEF CON 4. Over the past decades, the perennial contest has matured into an annual event requiring months of preparation and nearly continuous dedication both of players and organizers. Organizers strive to make the events unique while taking extreme measures to prevent games from being gamed. Participants often have to cope with novel challenges while simultaneously demonstrating continued excellence in domains like reverse engineering, vulnerability discovery, exploitation, digital forensics, cryptography, and network security. In this session, we will present the evolution of DEF CON CTF, highlighting key points of advancement in the CTF culture - most of which broke new ground and are now present in other contests run around the world. Capitalizing on the multi-year tenure of recent DEF CON CTF organizers, we are able to concisely represent over 20 years of organizers on a single panel. Where else can you ask cross-generational questions about challenges of running CTF? Where else can you inquire about evolutionary design, and get answers from those that actually did it? Where else can you ask about hidden challenges, secrets, and CTF lore...from whom it originated?

The panelists represent over 20 years of DEF CON CTF organizers. Staples in the CTF community are present comprising of decades of experience in participating and organizing CTFs. On stage we have past organizers representing Legit BS, DDTEK, Kenshoto, Ghetto Hackers, and before — many of which also participated as part of top recurring teams such as Sk3wl of r00t, Ghetto Hackers, Samurai, and Team Awesome. Many also played some role (infrastructure, challenge author, announcer) in the Cyber Grand Challenge culminating last summer at DEF CON. They have received and distributed dozens of black badges. Panelists and the roles they represent for this panel: Hawaii John, Legit Business Syndicate; Chris Eagle, DDTEK; Invisigoth, Kenshoto; Caezar, Ghetto Hackers; Myles, Goon.

Vulc@n
Vulc@n have been involved in the community since DEF CON 11, which in some ways seems recent but upon reflection is clearly more than a decade ago. In his early years he sprinted from talk to talk, dodging curious things like mid-school aged folks with baby chickens, couches in purple-dyed pools, and real dunk tanks. He even sat through talks in the blistering heat in outdoor tents at Alexis Park. Starting with his second year attending, he was pulled more and more into the CTF contest with then new-found and now lifelong friends at Sk3wl of r00t. Much of his time in the years since has been dedicated to playing in CTF or organizing it (as part of DDTEK). Ever since convincing one of his college professors to finance my first DEF CON trip, the hacker scene has been kind to him. He now finds himself in possession of two black badges (and leather jacket). More recently he was part of the Cyber Grand Challenge development team and was an on-stage referees for the all-computer hacking competition this past summer. In summary, it seems that he just keeps finding novel ways to be very involved with DEF CON and CTF.

@tvidas, @ddtek

Hawaii John
Bio coming soon.

@LegitBS_CTF, @hj_lbs

Chris Eagle
Bio coming soon.

@sk3wl

Invisigoth
Bio coming soon.

@kenshoto

Caezar
Bio coming soon.

Myles
Bio coming soon.


Return to Index      -     

 

BHV - Pisa Room - Friday - 10:30-10:59


Title: The Patient as CEO

Speaker: Robin Farmanfarmaian

About Robin:
Robin Farmanfarmaian is a Professional Speaker, Author, Entrepreneur, and Angel Investor, specializing in companies with the potential to impact >100M patients. Currently Robin is an Investor and VP at Invicta Medical, a medical technology company focusing on sleep apnea; VP at Actavalon, curing cancer by repairing p53; and Strategic Relations at MindMaze, VR for stroke and brain injury rehab. Her best selling book, “The Patient as CEOâ€, can be found on Amazon.

Abstract:
Robin's expertise showcases the future of medical technology, and how the convergence of accelerating tech will enable patients to be the key decision maker, executor, driver and ultimately the one responsible on the healthcare team. Patient empowerment and engagement through technological advancements including wearable technology, sensors, point-of-care diagnostics, 3D Printing, Tissue Engineering, Power of the Crowd, data, networks, artificial intelligence and robotics. These are some of the accelerating technologies set to fundamentally change healthcare and allow the patient to be in control of their own health.



Return to Index      -     

 

CPV - Florentine Ballroom 4 - Sunday - 12:30-13:30


Title:
The Policy & Business Case for Privacy By Design

Author:
Zerina Curevac (Squire Patton Boggs)

Abstract:
See no personal data, hear no personal data, and speak no personal data. For some organizations, requests for data by users and law enforcement are so frequent that entire departments are dedicated to handling these types of inquiries and providing information. To be able to respond to such requests, organizations need to invest in IT infrastructure, security, and legal advice just for starters. The status quo has been to respond to such requests despite the increase in demand, but is handing over “personal” data in the interest of the organization or the user?

Privacy by design controls are able to reduce some or most of the burden associated with such requests by minimizing the “personal” data held by an organization. This presentation will introduce Privacy by Design concepts, provide examples of successful implementations of Privacy by Design, and explain how Privacy by Design can improve consumer reputation and trust.

Bio:
Zerina Curevac focuses her practice on data privacy and cybersecurity, as well as other corporate technology matters. She is a Certified Information Privacy Professional in U.S. privacy law (CIPP/US) and has worked with clients in the U.S., EU and Asia Pacific on a range of matters, such as HIPAA compliance, EU-US Privacy Shield certification and EU General Data Protection Regulation ("GDPR") preparation. Her approach to data protection optimizes business goals and strategy and supports technology investments.
Twitter handle of presenter(s): zericure
Website of presenter(s) or content: http://www.squirepattonboggs.com/en/professionals/c/curevac-zerina

Return to Index      -     

 

BHV - Pisa Room - Saturday - 18:00-18:59


Title: The Rise of Digital Medicine: At-home digital clinical research

Speaker: Andrea Coravos
@andreacoravos


About Andrea Coravos:
Andrea Coravos is the co-founder of Elektra Labs, a digital health platform democratizing clinical trials by supporting remote, at-home research. Andrea is a software engineer focused on digital medicine and neurotechnologies, a digital rights advocate, and a writer for NeuroTechX.

Abstract:
In the past few years, software has started to “eat†healthcare in a new way. Historically, software was predominately a productivity enhancement for healthcare, but now software is emerging as a medical device. Many companies are releasing their own versions of digital medicines. Cognitive behavioral therapy (CBT) apps are coming to market that improve sleep well without pills or potions. Companies like Akili Interactive are building clinically-validated cognitive therapeutics, assessments, and diagnostics that look and feel like high-quality video games for pediatric ADHD. But how do we know any of these products work? Clinical trials and research are adapting to support the rise of digital medicine and more research is moving out of the lab and intro the home. We'll look at the new models that are supporting this trend, including a dive into Ethereum, a blockchain technology that can decentralize clinical trials, provide an economic incentive to join the trials, and endow participants with stronger rights and security for their data. We’ll share what the future could hold for at home research, digital medicine, and blockchains.



Return to Index      -     

 

DEFCON - Track 4 - Saturday - 10:00-10:30


The spear to break the security wall of S7CommPlus

Saturday at 10:00 in Track 4

20 minutes | Exploit

Cheng ICS Security Researcher, NSFOCUS

Zhang Yunhai Security researcher of NSFOCUS Security Team

In the past few years, attacks against industrial control systems (ICS) have increased year over year. Stuxnet in 2010 exploited the insecurity of the S7Comm protocol, the communication protocol used between Siemens Simatic S7 PLCs to cause serious damage in nuclear power facilities. After the exposure of Stuxnet, Siemens has implemented some security reinforcements into the S7Comm protocol. The current S7CommPlus protocol implementing encryption has been used in S7-1200 V4.0 and above, as well as S7-1500, to prevent attackers from controlling and damaging the PLC devices.
Is the current S7CommPlus a real high security protocol? This talk will demonstrate a spear that can break the security wall of the S7CommPlus protocol. First, we use software like Wireshark to analyze the communications between the Siemens TIA Portal and PLC devices. Then, using reverse debugging software like WinDbg and IDA we can break the encryption in the S7CommPlus protocol. Finally, we write a MFC program which can control the start and the stop of the PLC, as well as value changes of PLC's digital and analog inputs & outputs.
Based on the research above, we present two security proposals at both code level and protocol level to improve the security of Siemens PLC devices.

Cheng
Cheng Lei is an Industrial Control System Security researcher at NSFOCUS. His interest is mainly about PLC and DCS vulnerability exploitation and security enhancement. Over the years he has released three Siemens CVE vulnerability

Zhang Yunhai
is a security researcher of NSFOCUS Security Team, working on computer security for more than a decade.He has spoken at security conferences such as Blackhat and BlueHat. He has won the Microsoft Mitigation Bypass Bounty 4 years in a row since 2014.


Return to Index      -     

 

CPV - Florentine Ballroom 4 - Saturday - 10:30-11:30


Title:
The Surveillance Capitalism Will Continue Until Morale Improves

Author:
J0N J4RV1S

Abstract:
Surveillance Capitalism is a form of information monetization that aims to predict and modify human behavior as a means to produce revenue and control.
It strives to be a pervasive background collector of our cyberspace and meatspace activities, attempting to both generate and profit from data collected about our wants and needs. It's what happens when Marketing decides to plagiarize from the NSA's playbook.

The methods used by Surveillance Capitalism's practitioners are intentionally becoming harder to detect, trickier to thwart, and increasingly convoluted to opt-out from. Merchandisers, content producers, and advertising networks are actively seeking and developing new technologies to collect and correlate the identities, physical movements, purchasing preferences, and online activity of all of us, their desperately desired customers.

This presentation will discuss existing data collection methods and review your options to avoid being profiled and tracked without your consent. Skip this session if you're already familiar with and are prepared to defend against:

- Instant facial recognition & correlation at scale
- Geofenced content delivery & user identification
- Retailer & municipal Wi-Fi tracking
- Unblockable browser fingerprinting
- Cross-device tracking & ultrasound beaconing
- Inescapable data brokers, IoT, and more....

Surveillance Capitalism is entrenched, it's profitable, and it's spreading.
Ethical engineering, disposable personas, and extreme compartmentation may be the only chance for Privacy's survival.

Bio:
J0N J4RV1S has been plugged into the Internet since the early 90's and he wants to help make it a safer place for everyone. He is a proponent of data privacy, usable encryption, InfoSec diversity, digital security training, Utah's tech scene, and leaving things better than you found them.
Twitter handle of presenter(s): @SecureUtah

Return to Index      -     

 

CPV - Florentine Ballroom 4 - Saturday - 13:00-14:00


Title:
The Symantec/Chrome SSL debacle - how to do this better...

Author:
Jake Williams (Rendition Infosec)

Abstract:
When Google announced an intent to revoke trust from certificates issued by Symantec, this set off alarm bells all over the certificate authority industry. But that was March. What actually happened? Rendition Infosec has periodically tracked the SSL certificates on the Alexa top 1 million sites. In this talk, we’ll review that data set and examine what, if any, changes the Google announcement regarding Symantec certs had on certificate renewal/reissuance. We’ll also offer realistic suggestions for revoking trust in the future – had this been an actual fire drill, we’d have been burned alive.

Bio:
Jake Williams, the founder of Rendition Infosec, has almost two decades of experience in secure network design, penetration testing, incident response, forensics and malware reverse engineering. Prior to founding Rendition Infosec, Williams worked with various government agencies in information security and CNO roles. He also works with SANS where he teaches and co-authors the Malware Reverse Engineering, Memory Forensics, Cyber Threat Intelligence, and Advanced Exploit Development. He is the two time victor of the annual DC3 Forensics Challenge. He has spoken at Blackhat, Skytalks, Shmoocon, CEIC, RSA, EnFuse, DFIR Summit and DC3 Conference (and some we're forgetting here). His research areas include automating incident response throughout the enterprise, binary analysis, and malware C2. The primary focus of his work is increasing enterprise security by presenting complex topics in a way that anyone can understand.
Twitter handle of presenter(s): @malwarejake
Website of presenter(s) or content: www.rsec.us

Return to Index      -     

 

CPV - Florentine Ballroom 4 - Sunday - 13:30-14:00


Title:
The Why and How for Secure Automatic Patch Management

Author:
Scott Arciszewski (Paragon Initiative Enterprises, LLC)

Abstract:
The life cycle of a software vulnerability begins when a developer makes a mistake. A lot of software security best practices aim for lessening the time until vulnerabilities are discovered, or the time between discovery and patch availability. Unfortunately, most software projects have zero control over security patch deployment.

Bio:
Scott (CDO, Paragon Initiative Enterprises) resides at the intersection of PHP, security, cryptography, and open source software.
Twitter handle of presenter(s): @CiPHPerCoder
Website of presenter(s) or content: https://paragonie.com

Return to Index      -     

 

SEV - Emperors BR II - Friday - 16:00-16:50


Friday July 28 4:00PM 50 Mins

Thematic Social Engineering:
Social engineering tests are typically performed in a point-in-time fashion, targeting specific people at particular points in their day or their workflow. Additionally, our industry has invested considerable research in improving the way we prepare for and execute these types of attacks. From the perspective of managing security for a company, knowing that people will make mistakes only goes so far from a utility and risk management perspective. This talk will explore a new way to extract value from social engineering tests and the subsequent analysis of the results, digging into the underlying themes, roles, and discretionary conditions that enable social engineering in the first place.

Robert Wood: @robertwood50
Robert Wood runs the security team at Nuna Health, whose core directive is to protect one of the nation’s largest collective healthcare data sets. Previously, Robert was a Principal Consultant at Cigital where he founded and led the red team assessment practice and worked with strategic clients across the United States in an advisory capacity.


Return to Index      -     

 

DEFCON - Track 1 - Thursday - 10:00-10:45


There's no place like 127.0.0.1 - Achieving reliable DNS rebinding in modern browsers

Thursday at 10:00 in 101 Track

45 minutes | Demo, Tool, Exploit

Luke Young Senior Information Security Engineer, LinkedIn

Most people lock their doors at night, however if you walk into someone's home you likely won't find every piece of furniture bolted to the floor as well. We trust that if someone is inside our home they are supposed to be there. Unfortunately many developers treat local networks just the same, assuming all internal HTTP traffic is trusted, however this is not always the case. They incorrectly assume that their services will be protected by the same-origin policy in browsers, rather than implementing proper authentication mechanisms. By abusing this implicit trust we can gain access to confidential data and internal services which are not intended to be publicly accessible.

I will demonstrate that this is a poor security control and can be trivially bypassed via an older technique, DNS rebinding. The talk will cover how DNS rebinding works, the mitigations imposed by modern browsers and networks, and how each mitigation can be bypassed. I will discuss the notorious unreliability of DNS rebinding attacks that causes many developers to ignore the issue and how to overcome this unreliability.

Finally, I will examine a variety of popular services and tools to understand how they are affected by DNS rebinding. I will be releasing a tool that allows researchers to automate DNS rebinding attacks, the associated mitigation bypasses and generate drop-dead simple proof-of-concept exploits. I will demonstrate this tool by developing exploits for each vulnerable service, ending the talk by exploiting a vulnerable service to obtain remote-code execution, live.

Luke Young
Luke Young is a security researcher originally from the frozen plains of Minnesota who recently migrated to the much warmer state of California. He presented at DEF CON 23 on the topic of exploiting bitflips in memory, DEF CON 24 on the subject of large DDoS attacks and has investigated a variety of well-known products and network protocols resulting in numerous CVE assignments. He spends his free-time maintaining his position as one of the top researchers on various bug bounty platforms and is currently working as a Senior Information Security Engineer at LinkedIn.

@TheBoredEng
"https://bored.engineer


Return to Index      -     

 

PHV - Milano VIII - Promenade Level - Friday - 18:10-18:59


Threat Intel for All: There's More to Your Data Than Meets the Eye

Cheryl Biswas

Threat Intel isn't just a buzzword. It's about what you do with your data, to take a more proactive stance at securing yourself. Everybody has data, but we don't realize how to harness the power, to operationalize the context and relevancy within it as our strategic advantage. That's why Threat Intel isn't some shiny expensive box only the big kids get to play with. More importantly, as the nature of threats evolve, we need to keep pace by doing more than just monitoring. Everyone can level up by looking beyond their logs to see what's really in their data. Because there are all kinds of people in your neighbourhood...

Cheryl Biswas (Twitter: @3ncr1pt3d) is a Cyber Security Consultant, Threat Intel, with a Big4 firm in Toronto, Canada, where she also works on GRC, privacy, breaches, and DRP. Armed with a degree in Poli Sci, she engineered a backdoor into an IT role with CP Rail's helpdesk over 20 years ago, and got experience in vendor management and change management. Hacking her career, @3ncr1pt3d initiated the security role within JIG Technologies, an MSP. There she delivered weekly threat intel updates, and advised her team and clients on security matters. Her areas of interest include APTs, mainframes, ransomware, ICS SCADA, and building security awareness. She actively shares her passion for security in blogs, in print, as a guest on podcasts, and speaking at conferences.


Return to Index      -     

 

DEFCON - Track 1 - Sunday - 11:00-11:45


Total Recall: Implanting Passwords in Cognitive Memory

Sunday at 11:00 in 101 Track

45 minutes

Tess Schrodinger

What is cognitive memory? How can you "implant" a password into it? Is this truly secure? Curiosity around these questions prompted exploration of the research and concepts surrounding the idea of making the authentication process more secure by implanting passwords into an individual's memory. The result? The idea is that you are not able to reveal your credentials under duress but you are still able to authenticate to a system. We will begin with an understanding of cognitive memory. Implicit versus explicit memory will be defined. The concepts of the subconscious, unconscious, and consciousness will be addressed. The stages of memory pertaining to encoding, storage and retrieval as well as the limitations of human memory along with serial interception sequence learning training will round out our build up to the current research and experimentation being done with the proposal to implant passwords into an individual's cognitive memory.

Tess Schrodinger
Tess is a security engineer and researcher with over twenty years of experience in security and counterintelligence. Her areas of interest are Insider Threat, Quantum Computing, Security Awareness, Cryptography, and Triathlons.

@TessSchrodinger


Return to Index      -     

 

BHV - Pisa Room - Saturday - 10:05-10:30


Title: Total Recall: Implanting Passwords in Cognitive Memory

Speaker: Tess Schrodinger

About Tess:
Tess is a security engineer and researcher with over twenty years of experience in security and counterintelligence. When not researching and speaking on Insider Threat, Quantum Computing, Security Awareness, and Cryptography, she participates in triathlons and protects the world from stampeding herds of devops unicorns.

Abstract:
What is cognitive memory? How can you “implant†a password into it? Is this truly secure? Curiosity around these questions prompted exploration of the research and concepts surrounding the idea of making the authentication process more secure by implanting passwords into an individual’s memory. The result? The idea is that you are not able to reveal your credentials under duress but you are still able to authenticate to a system. This talk will cover the stages of memory pertaining to encoding, storage and retrieval; the limitations of human memory; and the concept of serial interception sequence learning training. Current research and experimentation will be reviewed as well as the potential for forensic hypnosis to be used to “hack†this approach.



Return to Index      -     

 

RCV - Palermo room, Promenade level - Saturday - 14:00-14:25


Total Recoll: Conducting Investigations without Missing a Thing

Abstract

Recoll is a free and open source desktop tool which allows you to search through any arbitrary documents - but it can do more. By using the Recoll web indexer, you can automatically save a copy of any web sites you visit, and search them as well. This combination makes Recoll a great “capture and search†tool for investigators.

This talk will demonstrate what Recoll can do for you using two case studies - searching through a trove of leaked NSA documents and conducting an OSINT investigation online.

Speaker Profile

Dakota Nelson (@jerkota)

I’ve previously spoken at BSides Las Vegas, SOURCE Boston (x2), SOURCE Seattle, and some other smaller gatherings.

You can find full details at dakotanelson.com and strikersecurity.com


Return to Index      -     

 

DEFCON - Track 2 - Saturday - 15:00-15:45


Tracking Spies in the Skies

Saturday at 15:00 in Track 2

45 minutes | Art of Defense, 0025, Tool

Jason Hernandez Hacker / Technical Editor, North Star Post

Sam Richards Editor and Journalist, North Star Post

Jerod MacDonald-Evoy Journalist, North Star Post

Law enforcement agencies have used aircraft for decades to conduct surveillance, but modern radio, camera, and electronics technology has dramatically expanded the power and scope of police surveillance capabilities. The Iraq War and other conflicts have spurred the development of mass surveillance technologies and techniques that are now widely available to domestic police. The FBI, DEA, and other agencies flew powerful surveillance aircraft over cities for years in relative secrecy before breaking in to public attention in 2015. This presentation will discuss the capabilities of these aircraft, the discovery of the FBI and others' surveillance fleets, and continued efforts to shed light on aerial surveillance. We will discuss a method for detecting surveillance indicators in real time based on mutilateration of aggregated ADS-B data, and introduce code for detecting surveillance indicators from flight behavior.

Jason Hernandez
Jason Hernandez researches surveillance technology and reports on it for the North Star Post. Jason has a BS in economics, and has worked in the mining and technology industries. Jason has worked on algorithms to detect surveillance aircraft from ADS-B flight data.

@jason_nstar

Sam Richards
Sam Richards is an independent journalist, and founder of the North Star Post. Sam pieced together hundreds of FAA and corporate records to uncover the FBI's secret fleet of surveillance aircraft.

@minneapolisam

Jerod MacDonald-Evoy
Jerod MacDonald-Evoy is a journalist with the North Star Post, and a documentary filmmaker.

@jerodmacevoy


Return to Index      -     

 

SKY - Verona/Tuin/Trevi - Promenade Level - Saturday - 13:00-13:59


Title:
Trauma in Healthcare IT: My Differential Diagnosis and Call to Action

1300 Saturday
Audie
@_odddie_
Trauma in Healthcare IT: My Differential Diagnosis and Call to Action

As a lifelong hacker with 13 years of experience in Healthcare IT, I have been traumatized by an increasing number of near misses I’ve witnessed. We lack the proper language and culture to efficiently and accurately diagnose technical issues, which has placed connected medicine in critical condition. There are treatments and prescriptions available to improve the prognosis, but we desperately need all of your help.

Return to Index      -     

 

BHV - Pisa Room - Friday - 15:30-15:59


Title: Trigraph: An Ethereum-based Teleradiology Application

Speakers: Ryan Schmoll and Peter Hefley

About Ryan and Peter:
Ryan and Peter can each say that they were the world’s third largest nuclear power at some point in their life. They enjoy short walks along beaches lined with broken glass and broken dreams. They share experience keeping the world safe through “deterrence†and watching DirecTV for extended periods of time, well below ground, in America’s heartland. Subsequently, Peter pursued a life in penetration testing while Ryan made poor life decisions and is (still) studying to be a physician. With their blended experience in security, medicine, and an altruism that can only be gained by holding millions of lives at risk in support of vague and ever changing national security objectives, this duo is seeking to create a collaborative medical experience for patients and physicians that shatters the current paradigm.

Abstract:
Teleradiology is an $8 billion dollar a year industry and we are going to disrupt it. Medical records are critical infrastructure, and with an increasing emphasis on real-time interpretations of medical imagery to improve healthcare outcomes in emergency situations, it is imperative the systems that enable medical collaboration are secure and reliable. Here we present an Ethereum-based application that allows anyone who needs help interpreting an image to reach out to a radiologist anywhere in the world, securely, privately, without a third party intermediary, and for a lower price than existing teleradiology firms.



Return to Index      -     

 

DEFCON - Track 2 - Saturday - 14:00-14:45


Trojan-tolerant Hardware & Supply Chain Security in Practice

Saturday at 14:00 in Track 2

45 minutes | Art of Defense, Demo, Tool

Vasilios Mavroudis Doctoral Researcher, University College London

Dan Cvrcek Co-founder, Enigma Bridge Ltd

The current consensus within the security industry is that high-assurance systems cannot tolerate the presence of compromised hardware components. In this talk, we challenge this perception and demonstrate how trusted, high-assurance hardware can be built from untrusted and potentially malicious components.

The majority of IC vendors outsource the fabrication of their designs to facilities overseas, and rely on post-fabrication tests to weed out deficient chips. However, such tests are not effective against: 1) subtle unintentional errors (e.g., malfunctioning RNGs) and 2) malicious circuitry (e.g., stealthy Hardware Trojans). Such errors are very hard to detect and require constant upgrades of expensive forensics equipment, which contradicts the motives of fabrication outsourcing.

In this session, we introduce a high-level architecture that can tolerate multiple, malicious hardware components, and outline a new approach in hardware compromises risk management. We first demo our backdoor-tolerant Hardware Security Module built from low-cost commercial off-the-shelf components, benchmark its performance, and delve into its internals. We then explain the importance of "component diversification" and "non-overlapping supply chains", and finally discuss how "mutual distrust" can be exploited to further reduce the capabilities of the adversaries.

Vasilios Mavroudis
Vasilios Mavroudis is a doctoral researcher in the Information Security Group at University College London. He studies security and privacy aspects of digital ecosystems, with a focus on emerging technologies and previously unknown attack vectors.

He is currently working on a high-assurance cryptographic hardware. In cooperation with industrial partners, he has recently prototyped a high-assurance hardware architecture, that maintains its security properties even in the presence of malicious hardware components.

Past works include his recent publication on the ultrasound tracking ecosystem which received wide-spread attention and is considered the seminal work on that ecosystem, and auditing tools for the Public Key Infrastructure of Deutsche Bank. Moreover, he has participated in an international consortium studying large-scale security threats in telecommunication networks, and cooperated with UC Santa Barbara in several projects, including a detection system for evasive web-malware.

Vasilios holds an Information Security MSc from UCL, and a BSc on Computer Science from University of Macedonia, Greece.

Dan Cvrcek
Dan Cvrcek is a security architect and engineer learning how to run his start-up Enigma Bridge. He has extensive experience with large banking systems from operational procedures to system architectures: Swift, card payment processing, UK Faster Payments, large key management systems. His hardware encounters include smart cards, custom and embedded systems, and hardware security modules, from design, testing, defences to attacks. He reverse-engineered a hidden API of Chrysalis-ITS crypto modules (now SafeNet) with Mike Bond, Steven Murdoch and others. Dan got his uni degrees (PhD and Associate Prof.) from Brno University of Technology, and had fun as a post-doc at the University of Cambridge (2003-2004, 2007-2008), Deloitte London (2008-2009), start-ups, freelance security consultant (2010-2016) - clients include Barclays and Deutsche Bank, co-founded Enigma Bridge in 2015.

@dancvrcek


Contributor Acknowledgement:
The Speakers would like to acknowledge the following for their contribution to the presentation.

George Danezis, Professor (University College London)
Petr Svenda, Security Researcher (Masaryk University)


Return to Index      -     

 

Demolabs - Table 2 - Sunday - 10:00-11:50


Trueseeing: Effective Dataflow Analysis over Dalvik Opcodes

Takahiro Yoshimura (alterakey)

Ken-ya Yoshimura (ad3liae)

Sunday from 1000-1150 at Table Two

Audience: AppSec, Mobile

Trueseeing is an automatic vulnerability scanner for Android apps. It is capable of not only directly conducting data flow analysis over Dalvik bytecode but also automatically fixing the code, i.e. without any decompilers. This capability makes it resillent against basic obfuscations and distinguishes it among similar tools -- including the QARK, the scanner/explotation tool shown by Linkedin in DEF CON 23. Currently it recognizes most classes of vulnerabilities (as in OWASP Mobile Top 10 (2015).)

https://github.com/taky/trueseeing

Takahiro Yoshimura (alterakey)
TAKAHIRO YOSHIMURA: He is Chief Technology Officer at Monolith Works Inc. In 2012 METI-coodinated CTF, Challenge CTF Japan 2012, his team (Enemy10) had won local qualification round at the 1st prize. In 2013, his team (Sutegoma2) took the 6th prize in DEFCON 21 CTF. He like to read binaries and hack things. He loves a GSD.

Ken-ya Yoshimura (ad3liae)
KEN-YA YOSHIMURA: Working as Chief Executive Officer at Monolith Works Inc, he is supervising an R&D lab specializing in emerging technologies. His hacker life starts when he was 8 years old; he likes to hack MSXs, NEC PC-9800s, Sharp X68000s, Windows, Macs, iPhones, iOS/Android apps, and circumvent copyright protection (for fun,) etc. He adores a GSD.


Return to Index      -     

 

CHV - Village Talks Outside Contest Area, Pool Level - Friday - 17:00-17:59


Turbo Talks – Getting Started With CarHacking, k-Line Hacking

No description available


Return to Index      -     

 

DEFCON - Track 3 - Saturday - 13:00-13:45


Twenty Years of MMORPG Hacking: Better Graphics, Same Exploits

Saturday at 13:00 in Track 3

45 minutes | Demo, Exploit

Manfred (@_EBFE) Security Analyst at Independent Security Evaluators

In theme with this year's DEF CON this presentation goes through a 20 year history of exploiting massively multiplayer online role-playing games (MMORPGs). The presentation technically analyzes some of the virtual economy-devastating, low-hanging-fruit exploits that are common in nearly every MMORPG released to date. The presenter, Manfred (@_EBFE), goes over his adventures in hacking online games starting with 1997's Ultima Online and subsequent games such as Dark Age of Camelot, Anarchy Online, Asherons Call 2, ShadowBane, Lineage II, Final Fantasy XI/XIV, World of Warcraft, plus some more recent titles such as Guild Wars 2 and Elder Scrolls Online and many more!

The presentation briefly covers the exploit development versus exploit detection/prevention arms race and its current state. Detailed packet analysis and inference on what the code looks like server side in order for some of the exploits to be possible is presented.

This presentation includes a live demonstration of at least one unreleased exploit to create mass amounts of virtual currency in a recent and popular MMORPG.

Manfred (@_EBFE)
Manfred (@_EBFE) has been reverse engineering and exploiting MMORPGs for 20 years. During that time, he ran a successful business based solely on exploiting online games in order to supply virtual goods to retailers. He has reverse engineered communication protocols for over 22 well known and popular MMORPGs and in certain cases circumvented anti tampering and software/hardware fingerprinting countermeasures. Manfred is currently a security researcher and analyst at Independent Security Evaluators (@ISEsecurity).

@_EBFE


Return to Index      -     

 

Workshops - ( Sold Out ) - Octavius 4 - Saturday - 10:30-14:30


UAC 0day, all day!

Saturday, 10:30 to 14:30 in Octavius 4

Ruben Boonen

"This workshop is available to attendees of all levels, however, a basic familiarity with Process Monitor and the Windows API are recommended. The workshop will provide the required knowledge to find, analyze and exploit process workflows which allow an attacker to elevate their privileges from Medium to High integrity. The workshop is divided into the following sections.

Auto-Elevation:
- Identifying auto-elevating processes
- Analyzing process workflows
- Finding UAC bypass targets

Elevated File Operations:
- Using the IFileOperation COM object
- Tricking the Process Status API (PSAPI)

Getting UAC 0day (Pre Windows RS2):
- Analysis of known UAC bypasses
- Understanding the Windows Side-By-Side Assembly
- Creating proxy DLL's
- Using the Bypass-UAC framework (https://github.com/FuzzySecurity/PowerShell-Suite/tree/master/Bypass-UAC)
- Dropping 0day(s)!

Triaging Windows RS2:
- Environment variables
- Registry abuse
- COM objects
- Process tokens

The workshop has intense hands-on labs where attendees will put the theory into practice. After attending, you will immediately be able to apply this knowledge in the field. The next time someone tells you the default UAC settings are sufficient you will be able to set them straight!

Prerequisites:

Materials: To participate in the hands-on sections, attendees need to bring a laptop with 2 GB RAM which can be dedicated to a virtual machine. Both VirtualBox and VMware player can be obtained for free. Two virtual machines and all necessary tools will be provided during the workshop!

Max students: 72 | Registration: https://dc25_boonen.eventbrite.com (Sold out!)

Ruben Boonen
Ruben Boonen (@FuzzySec) has been working in InfoSec since 2012. He has a well-rounded skill set, having taken on many application, infrastructure and bespoke engagements. _He has, however, developed a special interest for Windows: Domains, exploit development, client-side attacks, restricted environments, privilege escalation, persistence, post-exploitation and of course PowerShell!

He loves breaking stuff, but finds it is equally important to him to share that knowledge with the wider community. He has previously been a trainer at Black Hat, Def Con and various BSides events in the UK. Additionally, he maintains an InfoSec blog (http://www.fuzzysecurity.com/) and GitHub account (https://github.com/FuzzySecurity) where he publishes research on a variety of topics!


Return to Index      -     

 

DEFCON - Track 1 - Sunday - 10:00-10:45


Unboxing Android: Everything you wanted to know about Android packers

Sunday at 10:00 in 101 Track

45 minutes | Demo, Tool

Avi Bashan Mobile R&D Team Leader, Check Point

Slava Makkaveev Security Researcher, Check Point

To understand the Android ecosystem today, one must understand Android packers. Whether used for protecting legitimate apps' business logic or hiding malicious content, Android packer usage is on the rise. Android packers continue to increase their efforts to prevent reverse engineers and static analysis engines from understanding what's inside the package. To do so they employ elaborate tactics, including state of the art ELF tampering, obfuscation and various anti-debugging techniques.

In this talk, we will provide an overview of the packer industry and present real world test cases. We will do a deep technical dive into the internal workings of popular Android packers, exposing the different methods which protect the app's code. As a countermeasure, we will provide various techniques to circumvent them, allowing hackers and security researchers to unpack the secrets they withhold.

Avi Bashan
Avi Bashan is a Team Leader at Check Point, former security researcher at Lacoon Mobile Security. His daily job is to play around with Android Internals, writing Linux kernel code and drinking a lot of coffee.

Slava Makkaveev
Slava Makkaveev is a Security Researcher at Check Point. Slava has vast academic and professional experience in the security field. Slava's day to day is mostly composed from reversing and hacking malwares and operating systems for fun and profit.


Return to Index      -     

 

CPV - Florentine Ballroom 4 - Friday - 17:30-18:30


Title:
Unfairplay (NOT RECORDED)

Author:
[anonymous panel]

Abstract:
This panel includes developers and reverse engineers who cut their teeth building the most high-profile DRM system in history. They are now well-respected members of the security community and for the first time ever will be sharing their story.

Bio:
This panel includes developers and reverse engineers who formerly worked at a fruit company.

Return to Index      -     

 

Demolabs - Table 4 - Saturday - 16:00-17:50


Universal Serial aBUSe

Rogan Dawes

Saturday from 1600-1750 at Table Four

Audience: This tool is aimed at Offensive folks, with an interest in hardware attacks.

Universal Serial aBUSe is a combination of hardware and software, and is a refinement of the old school USB HID attacks. It adds a WiFi interface to the USB device, which enables the attacker to remotely trigger the payload at a time of their choosing, not just after a fixed delay from the time it is plugged in. The WiFi interface also enables a back-channel to allow the typed payload to communicate with the attacker without touching the victim's network interfaces.

This enables the attacker to avoid any network complexity (air gaps, firewalls and proxies) or network-based monitoring, and still obtain that precious shell!

https://sensepost.com/blog/2016/universal-serial-abuse/ https://github.com/SensePost/USaBUSe

Rogan Dawes
Rogan Dawes is a senior researcher at SensePost and has been hacking since 1998, which, coincidentally, is also the time he settled on a final wardrobe. He used the time he saved on choosing outfits to live up to his colleague’s frequent joke that he has an offline copy of the Internet in his head. Rogan spent many years building web application assessment tools, and is credited as having built one of the first and most widely used intercepting proxies; WebScarab. In recent years, Rogan has turned his attentions towards hardware hacking; and these days many suspect him to be at least part cyborg. A good conversation starter is to ask him where he keeps his JTAG header.


Return to Index      -     

 

DEFCON - Track 4 - Sunday - 10:00-10:30


Untrustworthy Hardware and How to Fix It

Sunday at 10:00 in Track 4

20 minutes | Demo, Tool

0ctane Hacker

Modern computing platforms offer more freedom than ever before. The rise of Free and Open Source Software has led to more secure and heavily scrutinized cryptographic solutions. However, below the surface of open source operating systems, strictly closed source firmware along with device driver blobs and closed system architecture prevent users from examining, understanding, and trusting the systems where they run their private computations. Embedded technologies like Intel Management Engine pose significant threats when, not if, they get exploited. Advanced attackers in possession of firmware signing keys, and even potential access to chip fabrication, could wreak untold havoc on cryptographic devices we rely on.

After surveying all-too-possible low level attacks on critical systems, we will introduce an alternative open source solution to peace-of-mind cryptography and private computing. By using programmable logic chips, called Field Programmable Gate Arrays, this device is more open source than any common personal computing system to date. No blobs, no hidden firmware features, and no secret closed source processors. This concept isn't "unhacakable", rather we believe it to be the most fixable; this is what users and hackers should ultimately be fighting for.

0ctane
0ctane is a longtime hobbyist hacker, with experience primarily in UNIX systems and hardware. Holding no official training or technical employment, 0ctane spends most of their free time building and restoring older computer systems, hanging out at surplus stores and tracking down X86 alternatives with an occasional dabbling in OSX and 802.11 exploitation. Other interests include SDR and RF exploration, networking, cryptography, computer history, distributed computing...really anything that sounds cool that I happen to stumble on at 3am.


Return to Index      -     

 

RCV - Palermo room, Promenade level - Friday - 16:25-16:45


Into the Bird’s Nest: A Comprehensive Look at Twitter as a Research Tool

Abstract

With 313 million active users and approximately 500 million Tweets sent per day, Twitter has plenty of low-hanging fruit ripe for OSINT picking. Learn from an experienced information professional how to craft advanced searches to retrieve data from this popular social media platform. Understand the search commands that Twitter uses, tips and techniques for extracting data, examine some of the lesser-known features of Twitter, and get a glimpse of some of the resources that work in conjunction with Twitter to help you better organize all the information you will retrieve.

While you may know how to write scripts and scrape data from Twitter, this session will focus on the GUI which can retrieve much older data. This session is not how to Tweet better, get more likes, or even how to get verified. This is all about searching for and extracting information from Twitter and its associated sites. You will come away from this session with a better understanding of how to use Twitter as a research tool.

Speaker Profile

Tracy Z. Maleeff (@InfoSecSherpa) left behind the glamorous world of law firm librarianship to seek out the white-hot spotlight of the information security industry. She is a newly-minted Cyber Analyst at GSK (GlaxoSmithKline.) Before that, Tracy started an independent research consulting business in 2016 called Sherpa Intelligence, and provided competitive intelligence, news monitoring, and social media management services. She earned a Master of Library and Information Science degree from the University of Pittsburgh.

Tracy was recognized with the Wolters Kluwer Law & Business Innovations in Law Librarianship Award in 2016 and the Dow Jones Innovate Award in 2014. Tracy is your guide up a mountain of information! Her Digital Portfolio can be viewed online here: https://sherpaintel.wordpress.com/portfolio/


Return to Index      -     

 

ICS - ICS-Village - Saturday - 11:30-11:59


Using Alexa for your Control System environment - Tom Van Norman
Title: Using Alexa for your Control System environment

No description available

Bio: Tom Van Norman

No BIO available


Return to Index      -     

 

RCV - Palermo room, Promenade level - Saturday - 13:25-13:59


Using DFIR Orchestration and Automation Tools and Playbooks For OSINT and Recon

Abstract

Everyone has probably heard about orchestration and automation tools in DFIR but what if we took the same concepts from DFIR and apply that to OSINT? In this talk we will discuss how to use DFIR tools and concepts for reconnaissance, investigations, and OSINT data gathering. We will work through an automated playbook to gather evidence on things like domains, organizations and people, then discuss using integrations like Intrigue.io, Pipl, DataSploit, and more all in parallel and finally wrapping up by storing the evidence, contacting, liberating and helping others by responding with the evidence, or simply just having some fun.

Speaker Profile

http://www.demisto.com https://www.linkedin.com/in/tyler/

14+ Years or some ** in Cyber (Previously known as Information Security).I have #NoCerts yet but seems like thats whats trendy these days. Been going to DefCon since before the Rio days where I first learned about LockPicking and just wished I could give some #AwkwardHugsâ€


Return to Index      -     

 

DEFCON - Track 1 - Friday - 14:00-14:45


Using GPS Spoofing to control time

Friday at 14:00 in 101 Track

45 minutes | Tool

David "Karit" Robinson Security Consultant, ZX Security

GPS is central to a lot of the systems we deal with on a day-to-day basis. Be it Uber, Tinder, or aviation systems, all of them rely on GPS signals to receive their location and/or time.

GPS Spoofing is now a valid attack vector and can be done with minimal effort and cost. This raises some concerns when GPS is depended upon by safety of life applications. This presentation will look at the process for GPS and NMEA (the serial format that GPS receivers output) spoofing, how to detect the spoofing attacks and ways to manipulate the time on GPS synced NTP servers. We will also explore the implications when the accuracy of the time on your server can no longer be guaranteed.

David "Karit" Robinson
Dave/Karit has worked in the IT industry for over 10 years. In this time he has developed a skillset that encompasses various disciplines in the information security domain. Dave is currently part of team at ZX Security in Wellington and works as a penetration tester. Since joining ZX Security Dave has presented at Kiwicon, BSides Canberra and Unrestcon and also at numerous local meetups; along with running training at Kiwicon and Syscan. He has a keen interest in lock-picking and all things wireless.

@nzkarit


Return to Index      -     

 

RCV - Palermo room, Promenade level - Friday - 17:00-17:25


Using phonetic algorithms to increase your search space and detect misspellings.

Abstract

In this talk I will give a brief introduction to phonetic algorithms and how they can apply to searching through social media data and other domains. I will then demonstrate applying these techniques to a US Census dataset, and generate a searchable dataset capable of suggesting alternative spellings and pronunciations of names. I will finish by talking about how we can detect potentially malicious domains using these techniques.

Speaker Profile

Alex Kahan is a software engineer in the DC area. Before joining Endgame, Alex worked as a research and development engineer at the social media cyber security company ZeroFOX. You can find most of his work on github


Return to Index      -     

 

Demolabs - Table 6 - Sunday - 12:00-13:50


Vapor Trail

Galen Alderson

Larry Pesce

Sunday from 1200-1350 at Table Six

Audience: Offense, Defense, Hardware

As red team members and even "evil attackers", we've been finding numerous ways to exfiltrate data from networks with inexpensive hardware: Ethernet, WiFi and cellular (2G, 3G and LTE). The first two are highly detectable, while the latter is expensive and both leave a paper trail. We found a way to use a medium that is right under everypony's nose; low power, broadcast FM radio. With a Raspberry Pi and a length of wire, we can send text and raw binary data with a method nopony (until now) would think to look for. We receive the data with an RTL-SDR, putting our overall hardware budget at $20. In this demo, we will show you how to build and use this system. We'll share tales of the custom software and transmission protocols. You want to see it in action? We've got demos. You want the software? Yep, you can have that too. We're excited to offer Vapor Trail to you, the first FM radio data exfiltration tool. Sure, HAM radio folks have had digital modes for years, but we've done better AND cheaper. We've effectively created our own RF digital mode for pwnage, HAM radio data transfer and redundant communication methods. Why? Because we can. We want to go undetected with current capabilities. Turns out, our approach is quite novel for pulling data right from a network via pcaps or tool output.

http://vaportrail.io/

Galen Alderson
This is Galen Alderson's first conference submission, but not his first contribution to the security industry. Fresh out of high school, Galen still has the new car smell. Galen has many years to become a curmudgeon by getting broken in as an intern at InGuardians.

Larry Pesce
Larry Pesce on the other hand, is almost veteran enough to be a curmudgeon. He has a few more years to go before yelling about kids on his lawn and no-code Extra Class Amateur radio operators. In the meantime, he keeps himself occupied as the Director of Research at InGuardians.


Return to Index      -     

 

VMHV - Roman 1, Promenade Level - Friday - 10:00-10:45


Title:
Verified Voting

Title: Verified Voting, An election system is much more than the voting machine or the booth, overview of the election IT systems, the threat models and procedural safeguards


Barbara Simons bio
Barbara Simons, President, Verified Voting

Barbara Simons has been on the Board of Advisors of the U.S. Election Assistance Commission since 2008. She published Broken Ballots: Will Your Vote Count?, a book on voting machines co-authored with Douglas Jones. She also co-authored the report that led to the cancellation of Department of Defense’s Internet voting project (SERVE) in 2004 because of security concerns. In 2015 she co-authored the report of the U.S. Vote Foundation entitled The Future of Voting: End-to-End Verifiable Internet Voting, which included in its conclusions that “every publicly audited, commercial Internet voting system to date is fundamentally insecure.” Simons is a former President of the Association for Computing Machinery (ACM), the oldest and largest international educational and scientific society for computing professionals. She is Board Chair of Verified Voting and is retired from IBM Research.


David Jefferson bio
David Jefferson, Board Member, Verified Voting

Dr. David Jefferson is a visiting computer scientist at Lawrence Livermore National Laboratory, where he works on supercomputing applications. But he has also been active in research at the intersection of the computing and public elections for well over a decade. In 1994, while at Digital Equipment Corporation, he oversaw development of the California Election Server, the first web server anywhere to provide online voter information on candidates and issues. In 1995 he helped develop, in cooperation with the California Voter Foundation the first online database of campaign finance information ever, for the San Francisco municipal election of that year.

Return to Index      -     

 

PHV - Milano VIII - Promenade Level - Saturday - 14:40-14:59


Visual Network and File Forensics

Ankur Tyagi, Senior Malware Research Engineer at Qualys Inc.

This presentation aims to demo the effectiveness of visual tooling for malware and file-format forensics. It will cover structural analysis and visualization of malware and network artifacts. Various techniques like entropy/n-gram visualization, using compression-ratio and theoretical minsize to identify file type and packed content will be shown. Along with this, a framework that helps automate these tasks will be presented. Attendees with an interest in network monitoring, signature writing, malware analysis and forensics will find this presentation to be useful.

Ankur Tyagi (Twitter: @7h3rAm) is working as a Sr. Malware Research Engineer at Qualys Inc., where he analyzes malicious code and applies statistical modelling to identify suspicious patterns and evolving trends. His research interests include developing algorithms and analysis tools that help with classifying large sets of unlabelled content collected via network and host-based monitoring tools. He is the author of Flowinspect - a network inspection tool and Rudra - a visual malware forensics framework.


Return to Index      -     

 

DEFCON - Track 2 - Sunday - 14:00-14:45


Weaponizing Machine Learning: Humanity Was Overrated Anyway

Sunday at 14:00 in Track 2

45 minutes | Demo, Tool

Dan "AltF4" Petro Senior Security Associate, Bishop Fox

Ben Morris Security Analyst, Bishop Fox

At risk of appearing like mad scientists, reveling in our latest unholy creation, we proudly introduce you to DeepHack: the open-source hacking AI. This bot learns how to break into web applications using a neural network, trial-and-error, and a frightening disregard for humankind.

DeepHack can ruin your day without any prior knowledge of apps, databases - or really anything else. Using just one algorithm, it learns how to exploit multiple kinds of vulnerabilities, opening the door for a host of hacking artificial intelligence systems in the future.

This is only the beginning of the end, though. AI-based hacking tools are emerging as a class of technology that pentesters have yet to fully explore. We guarantee that you'll be either writing machine learning hacking tools next year, or desperately attempting to defend against them.

No longer relegated just to the domain of evil geniuses, the inevitable AI dystopia is accessible to you today! So join us and we'll demonstrate how you too can help usher in the destruction of humanity by building weaponized machine learning systems of your own - unless time travelers from the future don't stop us first.

Dan "AltF4" Petro
Dan Petro is a Senior Security Associate at Bishop Fox, a consulting firm providing cybersecurity services to the Fortune 500, global financial institutions, and high-tech startups. In this role, he focuses on application penetration testing and network penetration testing.

Dan likes to hear himself talk, often resulting in conference presentations including several consecutive talks at Black Hat USA and DEF CON in addition to appearances at HOPE, BSides, and ToorCon. He is widely known for the tools he creates: the Rickmote Controller (a Chromecast-hacking device), Untwister (a tool used for breaking pseudorandom number generators) and SmashBot (a merciless Smash Bros noob-pwning machine). He also organizes Root the Box, a capture the flag security competition.

Dan holds has a Master of Science in Computer Science from Arizona State University and still doesn't regret it.

@BishopFox
@2600altf4

Ben Morris
Ben Morris is a Security Analyst at Bishop Fox, a consulting firm providing cybersecurity services to the Fortune 500, global financial institutions, and high-tech startups. In this role, he focuses on application penetration testing, network penetration testing, and red-teaming.

Ben also enjoys performing drive-by pull requests on security tools and bumbling his way into vulnerabilities in widely used PHP and .NET frameworks and plugins. Ben has also contributed to Root the Box, a capture the flag security competition.


Return to Index      -     

 

DEFCON - Track 2 - Friday - 11:00-11:45


Weaponizing the BBC Micro:Bit

Friday at 11:00 in Track 2

45 minutes | Demo, Tool, Exploit

Damien "virtualabs" Cauquil Senior security researcher, Econocom Digital Security

In 2015, BBC sponsored Micro:Bit was launched and offered to one million students in the United Kingdom to teach them how to code. This device is affordable and have a lot of features and can be programmed in Python rather than C++ like the Arduino. When we discovered this initiative in 2016, we quickly thought it was possible to turn this tiny device into some kind of super-duper portable wireless attack tool, as it is based on a well-known 2.4GHz RF chip produced by Nordic Semiconductor.

It took us a few months to hack into the Micro:Bit firmware and turn it into a powerful attack tool able to sniff keystrokes from wireless keyboards or to hijack and take complete control of quadcopters during flight. We also developed many tools allowing security researchers to interact with proprietary 2.4GHz protocols, such as an improved sniffer inspired by the mousejack tools designed by Bastille. We will release the source code of our firmware and related tools during the conference.

The Micro:Bit will become a nifty platform to create portable RF attack tools and ease the life of security researchers dealing with 2.4GHz protocols !

Damien "virtualabs" Cauquil
Damien Cauquil is a senior security researcher at Digital Security (CERT-UBIK), a French security company focused on IoT and related ground breaking technologies. He spoke at various international security conferences including Chaos Communication Camp, Hack.lu,Hack In Paris and a dozen times at the Nuit du Hack (one of the oldest French security conferences).

@virtualabs, https://www.digitalsecurity.fr


Return to Index      -     

 

DEFCON - Track 2 - Friday - 10:00-10:30


Welcome to DEF CON 25

Friday at 10:00 in Track 2

20 minutes | Hacker History

The Dark Tangent Founder, DEF CON

The Dark Tangent welcomes everyone to DEF CON 25, our silver anniversary!

The Dark Tangent


Return to Index      -     

 

ICS - ICS-Village - Friday - 10:30-10:45


Welcome to the ICS Village - Larry Vandenaweele
Title: Welcome to the ICS Village

No description available

Bio: Larry Vandenaweele

Larry Vandenaweele (@lvandenaweele) works for a consulting firm in Belgium focusing on Industrial Control System Security. Before beginning his professional career, he did charity work in the Philippines. Larry is co-organizer of the ICS and IoT Village at BruCON which debuted in 2015. He is also co-organizing the World Run by Hackers which is a yearly running event in Las Vegas. He holds a BSc in New Media and Technology with focus areas in security and virtualisation and is currently pursuing a Master's degree in Information Security at Royal Holloway, University of London.



Return to Index      -     

 

VMHV - Roman 1, Promenade Level - Friday - 14:00-14:45


Title:
What are the national security implications of cyber attacks on our voting systems? What are the motivations of our adversaries, and how should the U.S. respond to the threat?

Title: The governments can be changed by bullets or ballots, International and domestic interest to interfere.


Douglas Lute bio
Douglas Lute
Former U.S. Ambassador to NATO

Ambassador Douglas Lute is the former United States Permanent Representative to the North Atlantic Council, NATO’s standing political body. Appointed by President Obama, he assumed the Brussels-based post in 2013 and served until 2017. During this period he was instrumental in designing and implementing the 28-nation Alliance’s responses to the most severe security challenges in Europe since the end of the Cold War.

A career Army officer, in 2010 Lute retired from active duty as a lieutenant general after 35 years of service. In 2007 President Bush named him as Assistant to the President and Deputy National Security Advisor to coordinate the wars in Iraq and Afghanistan. In 2009 he was the senior White House official retained by President Obama and his focus on the National Security Council staff shifted to South Asia. Across these two Administrations, he served a total of six years in the White House.

Before being assigned to the White House, General Lute served as Director of Operations (J3) on the Joint Staff, overseeing U.S. military operations worldwide. From 2004 to 2006, he was Director of Operations for the United States Central Command, with responsibility for U.S. military operations in 25 countries across the Middle East, eastern Africa and Central Asia, in which over 200,000 U.S. troops operated.

Return to Index      -     

 

ICS - Calibria - Friday - 13:00-13:30


Title: What's the DFIRence for ICS?

Digital Forensics and Incident Response (DFIR) for IT systems has been around quite a while, but what about Industrial Control Systems (ICS)? This talk will explore the basics of DFIR for embedded devices used in critical infrastructure such as Programmable Logic Controllers (PLCs), Remote Terminal Units (RTUs), and controllers. If these are compromised or even have a misoperation, we will show what files, firmware, memory dumps, physical conditions, and other data can be analyzed in embedded systems to determine the root cause.

This talk will show examples of what and how to collect forensics data from two popular RTUs that are used in Electric Substations: the General Electric D20MX and the Schweitzer Engineering Labs SEL-3530 RTAC.

This talk will not cover Windows or *nixbased devices such as Human Machine Interfaces (HMIs) or gateways.


Bio: Chris Sistrunk

Chris Sistrunk is a Principal Consultant at Mandiant, focusing on cyber security for industrial control systems (ICS) and critical infrastructure. Prior to joining Mandiant, Chris was a Senior Engineer at Entergy (over 11 years) where he was the Subject Matter Expert (SME) for Transmission & Distribution SCADA systems. Chris helped organize the first ICS Village, which debuted at DEF CON 22 and was featured at RSAC and SANS ICS Summit. He is a Senior Member of IEEE, member of the DNP Users Group, President of Mississippi Infragard, and also is a registered PE in Louisiana. He holds a BS in Electrical Engineering and MS in Engineering and Technology Management from Louisiana Tech University. Chris also founded and organizes BSidesJackson, Mississippi's only cyber security conference.



Return to Index      -     

 

DEFCON - Track 2 - Saturday - 12:00-12:45


When Privacy Goes Poof! Why It's Gone and Never Coming Back

Saturday at 12:00 in Track 2

45 minutes | 0025

Richard Thieme a.k.a. neuralcowboy

"Get over it!" as Scott McNeeley said - unhelpfully. Only if we understand why it is gone and not coming back do we have a shot at rethinking what privacy means in a new context. Thieme goes deep and wide as he rethinks the place of privacy in the new social/cultural context and challenges contemporary discussions to stop using 20th century frames. Pictures don't fit those frames, including pictures of "ourselves."

We have always known we were cells in a body, but we emphasized "cell-ness". Now we have to emphasize "body-ness" and see ourselves differently. What we see depends on the level of abstraction at which we look. The boundaries we imagine around identities, psyches, private internal spaces," are violated in both directions, going in and going out, by data that, when aggregated, constitutes "us". We are known by others more deeply in recombination from metadata than we know ourselves. We are not who we think we are.

To understand privacy - even what we mean by "individuals" who want it - requires a contrary opinion. Privacy is honored in lip service, but not in the marketplace, where it is violated every day. To confront the challenges of technological change, we have to know what is happening to "us" so we can re-imagine what we mean by privacy, security, and identity. We can't say what we can't think. We need new language to grasp our own new "human nature" that has been reconstituted from elements like orange juice.

The weakest link in discussions of privacy is the definition of privacy, and the definition of privacy is not what we think. Buddhists call enlightenment a "nightmare in daylight", yet it is enlightenment still, and that kind of clarity is the goal of this presentation.

Richard Thieme a.k.a. neuralcowboy
Richard Thieme is an author and professional speaker focused on the challenges posed by new technologies and the future, how to redesign ourselves to meet these challenges, and creativity in response to radical change. His column, "Islands in the Clickstream," was distributed to subscribers in sixty countries before collection as a book in 2004. When a friend at the National Security Agency said after they worked together on ethics and intelligence issues, "The only way you can tell the truth is through fiction," he returned to writing short stories, 19 of which are collected in "Mind Games". His latest work is the stunning novel "FOAM", published by Exurban Press September 2015. He is also co-author of the critically extolled "UFOs and Government: A Historical Inquiry", a 5-year research project using material exclusively from government documents and other primary sources, now in 65 university libraries

His work has been taught at universities in Europe, Australia, Canada, and the United States, and he has guest lectured at numerous universities, including Purdue University (CERIAS), the Technology, Literacy and Culture Distinguished Speakers Series of the University of Texas, the "Design Matters" lecture series at the University of Calgary, and as a Distinguished Lecturer in Telecommunications Systems at Murray State University. He addressed the reinvention of "Europe" as a "cognitive artifact" for curators and artists at Museum Sztuki in Lodz, Poland, keynoted CONFidence in Krakow 2015, and keynoted "The Real Truth: A World's Fair" at Raven Row Gallery, London, He recently keynoted Code Blue in Tokyo. He loved Tokyo. He has spoken for the National Security Agency, the FBI, the Secret Service, the US Department of the Treasury, and Los Alamos National Labs and has keynoted "hacker",security, and technology conferences around the world. He spoke at DC 24 in 2016 for the 21st year.

Twitter and skype: neuralcowboy
Linked In and FB: Richard Thieme
Website: www.thiemeworks.com


Return to Index      -     

 

PHV - Milano VIII - Promenade Level - Friday - 11:10-11:59


When the Current Ransomware and Payload of the Day (CRAP of the day) Hits the Fan: Breaking the Bad News

Catherine Ullman, Senior Information Security Analyst at University at Buffalo
Chris Roberts, Chief Security Architect at Acalvio Technologies

Enabling better communications between geeks and management. As humans, we have had 60,000 years to perfect communication, but those of us working in IT, regardless of which side (Blue or Red Team), still struggle with this challenge. We have done our best over the centuries to yell "FIRE!" in a manner befitting our surroundings, yet today we seem utterly incapable of providing that very basic communication capability inside organizations. This talk will endeavor to explain HOW we can yell "FIRE!" and other necessary things across the enterprise in a language both leadership, managers and end-users understand.

Dr. Catherine Ullman (Twitter: @investigatorchi) began her IT career nearly 20 years ago as a Technical Support Specialist for Corel Word Perfect. After gaining valuable experience, as well as several technical certifications while working for Ingram Micro and subsequently Amherst Systems, she was offered and accepted a position at UB as a Systems Administrator in 2000 in which she provided both server and workstation support for several departments within Undergraduate Education. While she enjoyed her support role, she began to specialize in computer security and computer forensics. As a result, Cathy was often utilized by the Information Security Office to assist in the investigation of security breaches. Ultimately, she was asked to join the Information Security Office full time in 2009. In her current role as a Senior Information Security Analyst, Cathy is responsible for performing computer forensic investigative services for compliance on potentially compromised machines as well as personnel issues. She also assists with incident management involving intrusion detection and analysis and provides security awareness training to departments on campus upon request. In her (minimal) spare time, she enjoys researching death and the dead, and learning more about hacking things.

Chris Roberts (Twitter: @sidragon1) is considered one of the world's foremost experts on counter threat intelligence within the Information security industry. At Acalvio, Roberts helps drive Technology Innovation and Product Leadership. In addition, Roberts directs a portfolio of services within Acalvio designed to improve the physical and digital security posture of both enterprise, industrial and government clients. With increasingly sophisticated attack vectors, Roberts' unique methods of addressing the evolving threat matrix and experience with a variety of environments - Enterprise, Industrial, and IoT, make Roberts and his team an indispensable partner to organizations that demand robust, reliable, resilient and cost-effective protection.


Return to Index      -     

 

DEFCON - Track 2 - Thursday - 10:00-10:45


Where are the SDN Security Talks?

Thursday at 10:00 in 101 Track2

45 minutes | Demo, Tool

Jon Medina Protiviti

Software Defined Networking is no longer a fledgling technology. Google, Amazon, Facebook, and Verizon all rely on the scalability, programmability, flexibility, availability, and yes, security provided by SDN. So why has there only ever been one DEF CON speaker presenting on SDN and security?

This talk will provide a brief introduction to SDN and security, demonstrate ways of compromising and securing a Software Defined Network and will illustrate new ways of using the power of open source SDN coupled with machine learning to maintain self-defending networks.

Jon Medina
Jon Medina (@ackSec) is a security nerd who has worked in networking and security capacities for everything from the Department of Defense, to the Fortune 500, to state and local government. He currently works for Protiviti providing security consulting for a wide variety of clients and industries. His interests outside of work include traveling, hockey, strange beers, and his bulldog. He's spoken at Shmoocon, BSides, and many other security events and conferences.

@ackSec


Return to Index      -     

 

Night Life - Track 4 - Friday - 20:00-24:00


Title:
Whose Slide is it anyway?

Preregister - http://improvhacker.com/update/2017/05/19/WSIIA-signups-are-now-LIVE!.html

The What:

'Whose Slide Is It Anyway?' is an unholy union of improv comedy, hacking and slide deck sado-masochism.

The How:

Our team of slide monkeys have created a shit ton of short decks on whatever nonsense we found funny that week. Slides are not exclusive to technology, they can and will be about anything. Contestants will take the stage and choose a random number corresponding to a specific slide deck. They will then improvise a five-minute lightning talk, becoming instant subject matter experts on whatever topic/stream of consciousness appears on the screen.

We'll be taking both pre-registered and day of contestants. However, if you want to secure your spot for a chance to win some awesome swag from our gracious sponsors get your name in early and for either/all days you wish.

The Why:

Whether you delight in the chaos of watching your fellow hackers squirm or would like to sacrifice yourself to the Contest Gods, it\x92s a night of schadenfreude for the whole family. DJs, circus performers, hacker celebrity judges and tons of swag from our sponsors Hak5, Toool, TrustedSec, Social Engineer Inc, Milton Security, Stitchery Hacks and DJ Jackalope.

Follow @improvhacker for updates and your normal everyday shitposting.

Return to Index      -     

 

Night Life - Track 4 - Saturday - 20:00-24:00


Title:
Whose Slide is it anyway?

Preregister - http://improvhacker.com/update/2017/05/19/WSIIA-signups-are-now-LIVE!.html

The What:

'Whose Slide Is It Anyway?' is an unholy union of improv comedy, hacking and slide deck sado-masochism.

The How:

Our team of slide monkeys have created a shit ton of short decks on whatever nonsense we found funny that week. Slides are not exclusive to technology, they can and will be about anything. Contestants will take the stage and choose a random number corresponding to a specific slide deck. They will then improvise a five-minute lightning talk, becoming instant subject matter experts on whatever topic/stream of consciousness appears on the screen.

We'll be taking both pre-registered and day of contestants. However, if you want to secure your spot for a chance to win some awesome swag from our gracious sponsors get your name in early and for either/all days you wish.

The Why:

Whether you delight in the chaos of watching your fellow hackers squirm or would like to sacrifice yourself to the Contest Gods, it\x92s a night of schadenfreude for the whole family. DJs, circus performers, hacker celebrity judges and tons of swag from our sponsors Hak5, Toool, TrustedSec, Social Engineer Inc, Milton Security, Stitchery Hacks and DJ Jackalope.

Follow @improvhacker for updates and your normal everyday shitposting.

Return to Index      -     

 

Demolabs - Table 5 - Sunday - 10:00-11:50


WIDY 2.0: WIFI 0WNAGE IN UNDER $5 RELOADED

Vivek Ramachandran

Nishant Sharma

Ashish Bhangale

Sunday from 1000-1150 at Table Five

Audience: Attack and Defense

WiDy is an open source Wi-Fi Attack and Defense platform created to run on the extremely cheap ESP8266 (<$5) IoT platform. We've written a simple framework which you can hack and create your own tools or automate attack/defense tasks. We also provided code to bring the concept of deception to WiFi area. WiDy was launched in Blackhat Asia 2017 Arsenal and received good response from the audience. WiDy 2.0 release contains several major improvements over initial version.

Vivek Ramachandran
Vivek Ramachandran is the Founder and Chief Trainer at Pentester Academy. He discovered the Caffe Latte attack, broke WEP Cloaking - a WEP protection schema, conceptualized enterprise Wi-Fi Backdoors and created Chellam, the world's first Wi-Fi Firewall. He is also the author of multiple five star rated books which have together sold over 13,000+ copies worldwide and have been translated to multiple languages. Vivek started SecurityTube.net in 2007, a YouTube for security which current aggregates the largest collection of security research videos on the web. SecurityTube Training and Pentester Academy now serve thousands of customers from over 90 countries worldwide. He also conducts in-person trainings in the US, Europe and Asia. Vivek's work on wireless security has been quoted in BBC online, InfoWorld, MacWorld, The Register, IT World Canada etc. places. He has spoken/trained at top conferences around the world including Black Hat USA, Europe and Abu Dhabi, Defcon, Hacktivity, Brucon, SecurityByte, SecurityZone, Nullcon, C0C0n etc. Vivek has over a decade of experience in security and has keen interest in the areas of Wireless, Mobile, Network and Web Application Pentesting, Shellcoding, Reversing and Exploit Research. He loves programming in Python, C and Assembly.

Nishant Sharma
Nishant Sharma is a researcher and course creator at Pentester Academy, prior to which he was a core firmware developer at Mojo Networks (previously known as Airtight Networks). He presented WiDy (Under $5 WiFi Hacker Gadget) at Blackhat Asia Arsenal 2017. He has contributed to multiple projects like Vulnerable Router Project and Damn Vulnerable Wordpress. He has also contributed to "Pentest Gadget book" authored by Mr. Vivek Ramachandran. He has a Masters degree in Information Security from IIIT Delhi. Nishant has also published peer-reviewed academic research on HMAC security. His areas of interest include WiFi and IoT security, AD security, forensics and cryptography.

Ashish Bhangale
Ashish Bhangale is a Sr Security Researcher at Pentester Academy. He has 5+ years of experience in Network and Web Application Security. He has previously worked with various law enforcement agencies as a Digital Forensics Investigator. He was responsible for developing and testing the Chigula and Chellam frameworks. He has also created and managed multiple projects like Command Injection & Arbitrary File Upload Vulnerable Web Application OS a collection of vulnerable OSes and Damn Vulnerable Wordpress. He co-presented WiDy (Under $5 WiFi Hacker Gadget) at Blackhat Asia Arsenal 2017. His areas of interest include Forensics, WiFi and AD security.


Return to Index      -     

 

Demolabs - Table 4 - Saturday - 10:00-11:50


WiFi Cactus

darkmatter

Saturday & Sunday from Saturday 1000-1150, Sunday 1200-1350 at Table Four

Audience: Offense, Defense

With this project you will be able to listen to all Wi-Fi channels at the same time. No more broken or fragmented frames due to channel hopping. It will passively monitor the dangerous WiFis around you giving you metadata and actual data that might be useful.

http://palshack.org/

darkmatter
Darkmatter is a mad scientist who likes to hacks hardware and software. He is particularly obsessed with wireless.


Return to Index      -     

 

Demolabs - Table 4 - Sunday - 12:00-13:50


WiFi Cactus

darkmatter

Saturday & Sunday from Saturday 1000-1150, Sunday 1200-1350 at Table Four

Audience: Offense, Defense

With this project you will be able to listen to all Wi-Fi channels at the same time. No more broken or fragmented frames due to channel hopping. It will passively monitor the dangerous WiFis around you giving you metadata and actual data that might be useful.

http://palshack.org/

darkmatter
Darkmatter is a mad scientist who likes to hacks hardware and software. He is particularly obsessed with wireless.


Return to Index      -     

 

Wireless - Florentine BR I & II - Promenade Level - Saturday - 16:00-16:50


Aardvark

Bio

Wireless enthusiast, retired SIGINT dude, lover of Bender badges, sometimes do stuff in mobile forensics

@ardject

Darkmatter

Bio

Darkmatter is a mad scientist who likes to hacks hardware and software. He is particularly obsessed with wireless.

@d4rkm4tter

WIGLE Like You Mean It

Abstract

Maximize your wardriving experience using wigle.net, the Wireless Geographic Logging Engine! We will hit all the hot WIGLE topics, such as sensor selection and placement, the best Android phones to use for your WIGLEs and where to mount them, compatible Android apps, Raspberry Pi sensors and Kismet, multiple-antenna setups, drones (both electro-mechanical and biological), full-neighborhood coverage (no house left behind) and covert WIGLEing. We'll talk about the whys of multiple-sensor wardriving in terms of channels and scan intervals and show the benefits of using more than one device to wardrive. We'll also show some... uh... god-awfully-huge-multiple-antenna setups that, while not practical in certain circumstances, can really dial up your results if you have a few shipping containers to carry them around in. Also we'll be talking about identifying what you are seeing, whether it's home WiFi installations, MAC analysis for multiple-access-point devices, mobile access points, remote stations, cell modems or phones and other... let's say... interesting stuff, along with correlation and analysis of data from your WIGLEs with WiFi clients, Bluetooth devices, geo-location, and photographic information. We'll demonstrate the use of the WIGLE API and incorporating WIGLE data into other areas, such as digital forensics and good, old-fashioned WiFi hacking. The purpose of this is to get you out WIGLEing without looking like a complete loon, (emphasis on complete). Whether you're in it to find free access points, contribute to this open geo-location source, or just be on the top of the leader boards, this is the WIGLE presentation for you. Representatives of wigle.net have offered to be on hand with stickers and precious, precious data and information! If you're going to WIGLE, WIGLE like your life depends on it.


Return to Index      -     

 

Demolabs - Table 1 - Sunday - 12:00-13:50


WiMonitor - an OpenWRT package for remote WiFi sniffing

Vivek Ramachandran

Nishant Sharma

Ashish Bhangale

Sunday from 1200-1350 at Table One

Audience: Defense

WiMonitor is ready to use OpenWRT package which allows the user to convert an OpenWRT WiFi router into a remote WiFi sniffer. It modifies the LuCI interface to show the task-specific configuration option. With the right configuration, it then captures the WiFi packets using monitor mode (while hopping on configured channels) and sends them to the remote machine as Aruba ERM (Encapsulated Remote Mirroring) packets. This allows the user to observe, capture and analyze traffic from multiple sources (read APs turned into sensors) on one machine (laptop/PC) using off the shelf OpenWRT compatible routers.

Vivek Ramachandran
Vivek Ramachandran is the Founder and Chief Trainer at Pentester Academy. He discovered the Caffe Latte attack, broke WEP Cloaking - a WEP protection schema, conceptualized enterprise Wi-Fi Backdoors and created Chellam, the world's first Wi-Fi Firewall. He is also the author of multiple five star rated books which have together sold over 13,000+ copies worldwide and have been translated to multiple languages. Vivek started SecurityTube.net in 2007, a YouTube for security which current aggregates the largest collection of security research videos on the web. SecurityTube Training and Pentester Academy now serve thousands of customers from over 90 countries worldwide. He also conducts in-person trainings in the US, Europe and Asia. Vivek's work on wireless security has been quoted in BBC online, InfoWorld, MacWorld, The Register, IT World Canada etc. places. He has spoken/trained at top conferences around the world including Black Hat USA, Europe and Abu Dhabi, Defcon, Hacktivity, Brucon, SecurityByte, SecurityZone, Nullcon, C0C0n etc. Vivek has over a decade of experience in security and has keen interest in the areas of Wireless, Mobile, Network and Web Application Pentesting, Shellcoding, Reversing and Exploit Research. He loves programming in Python, C and Assembly.

Nishant Sharma
Nishant Sharma is a researcher and course creator at Pentester Academy, prior to which he was a core firmware developer at Mojo Networks (previously known as Airtight Networks). He presented WiDy (Under $5 WiFi Hacker Gadget) at Blackhat Asia Arsenal 2017. He has contributed to multiple projects like Vulnerable Router Project and Damn Vulnerable Wordpress. He has also contributed to "Pentest Gadget book" authored by Mr. Vivek Ramachandran. He has a Masters degree in Information Security from IIIT Delhi. Nishant has also published peer-reviewed academic research on HMAC security. His areas of interest include WiFi and IoT security, AD security, forensics and cryptography.

Ashish Bhangale
Ashish Bhangale is a Sr Security Researcher at Pentester Academy. He has 5+ years of experience in Network and Web Application Security. He has previously worked with various law enforcement agencies as a Digital Forensics Investigator. He was responsible for developing and testing the Chigula and Chellam frameworks. He has also created and managed multiple projects like Command Injection & Arbitrary File Upload Vulnerable Web Application OS a collection of vulnerable OSes and Damn Vulnerable Wordpress. He co-presented WiDy (Under $5 WiFi Hacker Gadget) at Blackhat Asia Arsenal 2017. His areas of interest include Forensics, WiFi and AD security.


Return to Index      -     

 

Workshops - ( Sold Out ) - Octavius 4 - Friday - 14:30-18:30


Windows - The Undiscovered country

Friday, 14:30 to 18:30 in Octavius 4

Chuck Easttom

This workshop will explore new ways to use little known or undocumented programming techniques in a Windows system. The focus will be on methods that can be used to subvert the security of the system. For example api calls that can be used in manipulating the system or even in creating spyware. There will also be coverage of important SQL stored procedures that can be used in the same manner, for example there is an undocumented stored procedure that will blank the System Administrator password.

Prerequisites: Some knowledge of a C like programming language

Materials: Bring a laptop with some version of Windows (even on a VM is fine). A c++ compiler and or a copy of Visual C#

Max students: 72 | Registration: https://dc25_easttom.eventbrite.com (Sold out!)

Chuck Easttom
Chuck has been in the IT industry for over 25 years, he has authored 21 books, including many on computer security, forensics, and cryptography. Chuck has also authored a number of research articles related to cyber security including a few on spyware creation techniques. Mr Easttom is a frequent speaker at many security events including presenting a workshop at DefCon 2016 but also: SecureWorld Dallas, SecureWorld Houston,ISC2 Security Congress, HakonIndia, Secure Jordan, and many others.


Return to Index      -     

 

DEFCON - Track 2 - Thursday - 13:00-13:45


Wiping out CSRF

Thursday at 13:00 in 101 Track 2

45 minutes | Art of Defense, Demo

Joe Rozner Senior Software Security Engineer, Prevoty

CSRF remains an elusive problem due to legacy code, legacy frameworks, and developers not understanding the problem or how to protect against it. Wiping out CSRF introduces primitives and strategies for building solutions to CSRF that can be bolted on to any http application where http requests and responses can be intercepted, inspected, and modified. Modern frameworks have done a great job at providing solutions to the CSRF problem that automatically integrate into the application and solve most of the conditions. However, many existing apps and new apps that don't take advantage of these frameworks or use them incorrectly are still plagued with this problem. Wiping out CSRF will provide an in depth overview of the various reasons that CSRF occurs and provide payload examples to target those specific issues and variations. We'll see live demos of these attacks and the protections against them. Next we'll look at how to compose these primitives into a complete solution capable of solving most cases of CSRF explaining the limits and how to layer them to address potential short comings. Finally we'll finish by looking at Same Site Cookies, a new extension to cookies that could be the final nail in the coffin, and see how to use the prior solution as a graceful degradation for user agents that don't support it yet.

Joe Rozner
Joe (@jrozner) is a software engineer at Prevoty where he has built semantic analysis tools, language runtimes, generalized solutions to common vulnerability classes, and designed novel integration technology leveraging runtime memory patching. He has a passion for reverse engineering, exploitation, teaching, and sharing research with others. He is the undisputed champion of the Brawndo and Booze competition from DEF CON s past with his Irish Car Mutilator winning in both the drink and dip categories.

@jrozner


Return to Index      -     

 

Wireless - Florentine BR I & II - Promenade Level - Friday - 13:30-13:55


BESIM ALTINOK

Bio

I have been working on cyber security since 2010. I have previously worked on threat intelligence in the PRODAFT and now I am working Cyber Security Services Specialist at Lostar. I've been working on wireless network security for three years. I also have written a book about wireless network security (attack - defense - analysis) in Turkey. At the same time I have carried out many trainings and projects with Octosec and Canyoupwnme teams which are important communities in Turkey

@altnokbesim

Wireless Threat Modeling and Monitoring - WiNT

Abstract

WiNT is a Wi-Fi Threat Modelling and Monitoring project (It's not just a tool). WiNT can detect Wi-Fi threats, such as fake access points (Similar AP, Same AP ..), WiFi Pineapple devices, deauthentication attacks etc. In addition to all these, it also analyzes environmental threats and examine user actions at Probe Requests. Provides data sharing between threat analysis modules.


Return to Index      -     

 

Night Life - The Nobu Hotel in Caesars Palace - Friday - 15:00-17:00


Title:
Women, Wisdom & Wine

Join us in Las Vegas during Black Hat USA 2017 for our Women, Wisdom & Wine event – a chance to get together as industry professionals, relax, share our experiences, and catch up. It's the perfect chance to see your security sector friends and acquaintances – and meet new ones. This is a complimentary event for security industry professionals.
Feel free to invite your security colleagues. Food and wine (of course!) will be provided for your enjoyment. We look forward to seeing you there. Register today and join us!
Keep an eye out for further details on our event location arriving in your inbox Thursday, July 27th.
We can't wait to see you,
The IOActive Team
REGISTER
Return to Index      -     

 

HHV - Main Contest Area, Pool Level - Friday - 11:00-12:00


Title:
Workshop: Component Desoldering and Recovery

Come to the HHV and learn the skills required for desoldering and reclaiming PCB components. If you are already familiar with this process, then take some time to brush up on your skills. Each session is roughly an hour long and will cover: introduction, safety, conventional vs. RoHS practices, and then hands on component recovery. These sessions are first come first served at the time of start, so come early and get your learn on! No tools or equipment required!
Return to Index      -     

 

HHV - Main Contest Area, Pool Level - Friday - 16:00-17:00


Title:
Workshop: Component Desoldering and Recovery

Come to the HHV and learn the skills required for desoldering and reclaiming PCB components. If you are already familiar with this process, then take some time to brush up on your skills. Each session is roughly an hour long and will cover: introduction, safety, conventional vs. RoHS practices, and then hands on component recovery. These sessions are first come first served at the time of start, so come early and get your learn on! No tools or equipment required!
Return to Index      -     

 

HHV - Main Contest Area, Pool Level - Saturday - 11:00-12:00


Title:
Workshop: Component Desoldering and Recovery

Come to the HHV and learn the skills required for desoldering and reclaiming PCB components. If you are already familiar with this process, then take some time to brush up on your skills. Each session is roughly an hour long and will cover: introduction, safety, conventional vs. RoHS practices, and then hands on component recovery. These sessions are first come first served at the time of start, so come early and get your learn on! No tools or equipment required!
Return to Index      -     

 

HHV - Main Contest Area, Pool Level - Saturday - 16:00-17:00


Title:
Workshop: Component Desoldering and Recovery

Come to the HHV and learn the skills required for desoldering and reclaiming PCB components. If you are already familiar with this process, then take some time to brush up on your skills. Each session is roughly an hour long and will cover: introduction, safety, conventional vs. RoHS practices, and then hands on component recovery. These sessions are first come first served at the time of start, so come early and get your learn on! No tools or equipment required!
Return to Index      -     

 

CPV - Florentine Ballroom 3 - Friday - 12:00-13:00


Title:
WS: Breaking the Uber Badge Ciphers

Name:
Kevin Hulin

Abstract:
This talk will discuss the algorithms and tools that were developed to defeat the Running Key Ciphers that appeared on the DEFCon 20 and DEFCon 23 Uber badges. I will give a quick overview of the probability background and demonstrate the (open sourced) tool's use.

Bio:
A competitive crypto-hobbyist, Cryptok (Kevin Hulin) spends his spare time puzzling on cross words and developing language-model-based cryptanalysis tools for fun (and little profit). He's competed with Muppet Liberation Front [MLF] to win the DEFCon Badge challenge three years and hopes to make this year his fourth.
Twitter handle of presenter(s): @0xf0unD
Website of presenter(s) or content: https://cryptok.space/crypto/

Return to Index      -     

 

CPV - Florentine Ballroom 3 - Friday - 13:00-14:00


Title:
WS: FeatherDuster and Cryptanalib workshop

Author:
Daniel Crowley (NCC Group)

Abstract:
Want to get into cryptanalysis but don't have any experience? Want to exploit a crypto bug but don't have the chops or don't have the time? FeatherDuster and its core library Cryptanalib are designed to help you perform cryptanalysis faster and easier.

This workshop will help you learn to use FeatherDuster, to write Python scripts which take advantage of common crypto vulnerabilities with functions built into Cryptanalib, and how to turn those scripts into FeatherDuster module

Bio:
Daniel Crowley is a Senior Security Engineer and Regional Research Director for NCC Group Austin, tasked with finding and exploiting flaws in everything from Web applications and cryptosystems to ATMs, smart homes, and industrial control systems. He denies all allegations of unicorn smuggling and questions your character for even suggesting it. He has been working in information security since 2004. Daniel is TIME’s 2006 Person of the Year. He has developed and released various free security tools such as MCIR, a powerful Web application exploitation training and research platform, and FeatherDuster, an automated modular cryptanalysis tool. He does his own charcuterie and brews his own beer. He is a frequent speaker at conferences including Black Hat, DEFCON, Shmoocon, Chaos Communications Camp, and SOURCE. Daniel can open a door lock with his computer but still can’t launch ICBMs by whistling into a phone. He has been interviewed by various print and television media including Forbes, CNN, and the Wall Street Journal. He holds the noble title of Baron in the micronation of Sealand. His work has been included in books and college courses.
Twitter handle of presenter(s): @dan_crowley

Return to Index      -     

 

CPV - Florentine Ballroom 3 - Saturday - 11:00-12:30


Title:
WS: Implementing An Elliptic Curve in Go

Author:
George Tankersley

Abstract:
Elliptic curve implementations - dark magic, right? We all copy the mysterious bit twiddles and have mechanically ported nacl everywhere. But what the hell are we actually doing?

I recently implemented Ed25519 from scratch in both pure Go and (dramatically faster) amd64 assembly, spending a frankly pathological amount of time to be sure I understood what I was doing, for a change. Now I'd like to share that. I'll explain the code (mine, and by extension ref10, donna, and amd64-51-30k from SUPERCOP) and the underlying concepts / design decisions behind it all. Then I'll talk about how I made the code fast - endianness tricks with Big.Ints, why assembly doesn't always mean faster, how the inlining model of the compiler works, and some tools you can use to make writing Plan9 asm less awful. Talk MAY use the “make it Go fast” joke but implementers SHOULD avoid the temptation.

Bio:
George Tankersley is a cryptography engineer at Cloudflare working on anonymous credentials, certificate transparency, and crypto at scale. For fun he works on anonymity tools and - very occasionally - even does some things that *don't* involve teaching eldritch geometry to thinking machines.
Twitter handle of presenter(s): @gtank__
Website of presenter(s) or content: https://gtank.cc

Return to Index      -     

 

CPV - Florentine Ballroom 3 - Friday - 11:30-12:00


Title:
WS: Mansion Apartment Shack House: How To Explain Crypto To Practically Anyone

Name:
Tarah Wheeler (Psychoholics)

Abstract:
Ever stuttered when someone asked you "So, what *is* cryptography, anyway?" We're all in infosec but explaining crypto easily and memorably to people without making it too complicated or insulting their intelligence is nontrivial. Keeping it simple is never stupid, and we all need more converts to understanding that crypto isn't magic, it's just a bit of math and trust.

I've explained crypto to project managers, congressional aides, third graders, CEOs, and 7-11 clerks. I've created several memorable analogies and visual aides to help people understand the simple beauty of crypto. You learned everything you need to understand crypto in grade school. After watching this talk, you'll be able to easily explain simple ciphers, transforms, what really happens in a key exchange, a few brief historical facts, and why crypto is so important. And maybe I'll get to a few of those really dumb jokes we like telling at crypto parties. That one about 2xROT-13 hasn't gotten old yet. Unfortunately.

Bio:
Born in a log cabin on the prairie to a ___ and an itinerant ___, Tarah Wheeler had a humble upbringing of fighting the status quo, sticking it to the man, and shooting prairie dogs because they’re good eatin’. An emeritus member of the Order of the Orange Badge, Tarah has founded or been in the first 10 employees of many successful companies, mostly because she hates filling out job applications. Her life now consists mainly of sitting in airplanes, punctuated by writing books that smash the patriarchy and giving speeches where she tells people to stop sucking so much at security. No one can guarantee that the old proverb about “liquor in the front, poker in the rear” wasn’t written about Tarah, as she’s a midlevel limit Texas holdem pro with a fondness for highland Scotch and lowland company.
Twitter handle of presenter(s): @tarah
Website of presenter(s) or content: tarah.org

Return to Index      -     

 

CPV - Florentine Ballroom 3 - Friday - 15:00-15:30


Title:
WS: NoiseSocket: Extending Noise to Make Every TCP Connection Secure

Author:
Dmitry Dain (Virgil Security, Inc.)
Alexey Ermishkin (Virgil Security, Inc.)

Abstract:
NoiseSocket is an extension of the Noise Protocol Framework (developed by the authors of Signal and currently used by WhatsApp) that enables quick and seamless Transport Layer Security (TLS) between multiple parties with minimal code space overhead, small keys, and extremely fast speed. NoiseSocket is designed to overcome the shortcomings of existing TLS implementations and targets IoT devices, microservices, back-end applications such as datacenter-to-datacenter communications, and use cases where third-party certificate of authority infrastructure is not optimal. This talk will introduce users to NoiseSocket, showcase demos and benchmarks, and provide information about publicly available implementations of NoiseSocket.

Bio:
Dmitry Dain: Random is an old-school hacker who started at Lucent working on early Wi-Fi (before it was Wi-Fi), later worked on the DARPA XG program which revolutionized wireless networking by combining cognitive radios, distributed sensor networks, and mobile ad hoc networks to provide Dynamic Spectrum Access, and ran his own privacy and security oriented file sharing company. Random is all about building tools that scale globally across every possible platform and programming language and loves nothing better than seeing another product ship that is #SecuredByVirgil.


Alexey Ermishkin: Scratch is a passionate cryptomaniac, software developer, and Russian paranoiac. Crypto is his beloved branch of science since school and now he is doing full time R&D at Virgil Security. His dream is to #EncryptEverything
Twitter handle of presenter(s): @dmitrydain
Website of presenter(s) or content: https://github.com/noisesocket/spec

Return to Index      -     

 

CPV - Florentine Ballroom 3 - Sunday - 11:00-12:00


Title:
WS: Reasoning about Consensus Algorithms

Author:
Zaki Manian

Abstract:
Consensus algorithms play an incredibly important role in many cryptographic systems from the Tor Directory authorities to cryptocurrencies to enterprise blockchains. Each of these systems use different processes to securely update the state of the system. After decades of minimal progress, a new consensus research seems to appear almost every day. This talk presents a framework for thinking about the diversity of approaches to consensus and evaluating the algorithm's security properties.

Bio:
Zaki is an activist, entrepreneur and researcher in the world of applied cryptography projects. He is a founder of a blockchain company called Skuchain and has contributed to projects from ZCash to Tendermint.
Twitter handle of presenter(s): zmanian

Return to Index      -     

 

CPV - Florentine Ballroom 3 - Saturday - 12:30-13:30


Title:
WS: Secrets Management in the Cloud

Author:
Evan Johnson

Abstract:
Secrets management in the cloud is a very hot topic. It's something every company must solve and is actually a fairly new problem with the meteoric growth of microservices and ephemeral services.

Let's take a practical look at how Segment handles secrets on AWS. We will talk about different secrets management tools, when they are appropriate, and different models for protecting secrets.

Bio:
Evan Johnson is a Security Lead at Segment. He previously did security and engineering work at Cloudflare and LastPass. He enjoys long walks in San Francisco and copious amounts of diet pepsi.

Return to Index      -     

 

CPV - Florentine Ballroom 3 - Saturday - 14:00-16:00


Title:
WS: SECURE COMMUNICATIONS IN ANDROID WITH TLS/SSL

Author:
Miguel Guirao

Abstract:
Secure Communications in Android is an introductory talk into the amazing cryptographic technology of OpenSSL, that has helped us to achieve what the Internet is today, and the tasks we can perform on it. OpenSSL as become since many years ago, the defacto library/tool for implementing cryptographic protocols into our applications and secure them. Of course, this task is not that easy as it sounds, in order to achieve a secure communication in our applications, we not only have to choose the more secure library, but also, have the knowledge to implement it in a secure manner and more.

This talk aims to teach you the basics of the world of criptography, then an introduction to the implementation of OpenSSL in Android, then three coding labs in Android in order to learn how to integrate the OpenSSL library and implement the cryptographic protocols into your own applications.

You will learn to:
What is Cryptography and it's basics
What is OpenSSL and what it is used for
The Android implementation of OpenSSL
Coding Lab 1: Creating Secure Sockets (SSL/TLS sockets) Coding Lab 2: Working with Certificates
Coding Lab 3: Working with Message Digest
Coding Lab 4: Implementing a Client-Server Secure Communication

Bio:
Miguel Guirao (aka Chicolinux), as been in the information security
industry for around ten years, he is a freelance consultant at Futura
- Open Solutions, where he also has been training professionals about
Linux Management, Information Security and Programming. He has been
also a professor since 2009 for the Anahuac Mayab University where he
teaches at the School of CS Engineering and at the School of
Multimedia Design. He teaches Information Security in the Master of
Information Technology Management. He holds a GCIH Certification from
SANS. He is a SANS Mentor.

This is the second time that Miguel participates at DEFCON, last year at DC24
he taught INTRO TO MEMORY FORENSICS WITH VOLATILITY workshop.
Twitter handle of presenter(s): @miguelguirao

Return to Index      -     

 

CPV - Florentine Ballroom 3 - Friday - 17:00-17:30


Title:
WS: Supersingular Isogeny Diffie-Hellman

Author:
Deirdre Connolly

Abstract:
Post-quantum cryptography is an active field of research in developing new cryptosystems that will be resistant to attack by future quantum computers. Recently a somewhat obscure area, isogeny-based cryptography, has been getting more attention, including impressive speed and compression optimizations and robust security analyses, bringing it into regular discussion alongside other post-quantum candidates. This talk will cover isogeny-based crypto, specifically these recents results regarding supersingular isogeny diffie-hellman, which is a possible replacement for the ephemeral key exchanges in use today.

Bio:
Deirdre is a senior software engineer at Brightcove, where she is trying to secure old and new web applications. Her interests include web application security, post-quantum cryptography, elliptic curves and their isogenies.
Twitter handle of presenter(s): durumcrustulum

Return to Index      -     

 

DEFCON - Track 3 - Saturday - 10:20-10:40


WSUSpendu: How to hang WSUS clients

Saturday at 10:20 in Track 3

20 minutes | Demo, Tool

Romain Coltel Lead product manager at Alsid

Yves Le Provost Security auditor at ANSSI

You are performing a pentest. You just owned the first domain controller. That was easy. All the computers are belong to you. But unfortunately, you can't reach the final goal. The last target is further in the network, non accessible and heavily filtered. Thankfully, one last hope remains. You realize the target domain pulls its updates from the WSUS server of the compromised domain, the one you fully control. Hope is back... But once again, it fails. The only tools available for controlling the updates are not working: they require a network attack that is prevented by the network architecture and the server configuration. All hope is lost...

We will present you a new approach, allowing you to circumvent these limitations and to exploit this situation in order to deliver updates. Thus, you will be able to control the targeted network from the very WSUS server you own. By extension, this approach may serve as a basis for an air gap attack for disconnected networks.

Our talk will describe vulnerable architectures to this approach and also make some in-context demonstration of the attack with new public tooling. Finally, as nothing is inescapable, we will also explain how you can protect your update architecture.

Romain Coltel
Romain Coltel is the lead product manager in a french startup, Alsid IT, tackling Active Directory problems down to the core, and he's thus currently doing a lot of research and development on various Active Directory technologies. He's also teaching the well-received SANS SEC660 in France, each time with the author's congratulations at the end of the session.

Before that, he was acquiring his experience in the french National Cybersecurity Agency (ANSSI) as an IT auditor, where he performed penetration testing, various security researches and tools development. As a development example, he's the lead developer of dislocker, a tool to decrypt BitLocker-encrypted partitions on Linux, OSX and FreeBSD. He also implemented the AES-XEX and -XTS modes for the famous mbedTLS library.

Yves Le Provost
Yves Le Provost is a security auditor for more than 10 years. He's working for ANSSI, the french National Cybersecurity Agency since 5 years ago. During these five years defending french administrations, he specialized in database security, OS internals, SCADA architecture and penetration testing.

In parallel, he's teaching french engineering schools about various security topics.


Return to Index      -     

 

DEFCON - Track 4 - Saturday - 14:00-14:45


XenoScan: Scanning Memory Like a Boss

Saturday at 14:00 in Track 4

45 minutes | Demo, Tool

Nick Cano Hacker

XenoScan is the next generation in tooling for hardcore game hackers. Building on the solid foundation from older tools like Cheat Engine and Tsearch, XenoScan makes many innovations which take memory scanning to a whole new level.

This demo-heavy talk will skip the fluff and show the power of the tool in real-time. The talk will demonstrate how the tool can scan for partial structures, detect complex data structures such as binary trees or linked lists, detect class-instances living on the heap, and even group detected class instances by their types. Additional, these demos will take a look at the tool's extensibility by working not only on native processes, but also on Nintendo games running in emulators. You're not all game hackers, so the talk will also show how XenoScan can be useful in the day-to-day workflow of reverse engineers and hackers.

When I'm not doing demos, I'll be drilling down to the low-level to talk about the nitty gritty details of what's happening, how it works, and why it works.

By the end of the talk, you'll see the true power of a well-made, smart memory scanner. You'll be empowered to use it in your day to day hacking, whether that is on games, malware, or otherwise. For those of you that are really interested in the tool, it is completely open-source and all development is done on an interactive livestream, meaning you can participate in and learn from future development.

Nick Cano
Nick Cano is the author of "Game Hacking: Developing Autonomous Bots for Online Games" (No Starch Press), a Senior Security Architect at Cylance, and a life-long programmer and hacker. Programming since the age of 12 and hacking games since the age of 15, Nick has a strong background with both software development and Reverse Engineering. Nick has a history developing and selling bots for MMORPGs, advising game developers on hardening their games against bots, and making innovations in the EDR space for next-gen AV companies.

@nickcano93
https://github.com/nickcanohttp://www.nostarch.com/gamehacking
https://www.livecoding.tv/darkstar_xeno


Return to Index      -     

 

PHV - Milano VIII - Promenade Level - Friday - 14:40-14:59


XSS FTW - What Can Really Be Done With Cross-Site Scripting

Brute Logic, Security Researcher at Sucuri Security

Cross-site Scripting (XSS) is the most widespread plague of the web but is usually restricted to a simple popup window with the infamous <script>alert(1)</script> vector. In this short talk we will see what can be done with XSS as an attacker or pentester and the impact of it for an application, its users and even the underlying system. Many sorts of black javascript magic will be seen, ranging from simple virtual defacement to create panic with a joke to straightforward and deadly RCE (Remote Command Execution) attacks on at least 25% of the web!

Brute Logic (Twitter: @brutelogic) is self-taught computer hacker from Brazil working as a security researcher at Sucuri Security. Best known for providing useful content in Twitter in his starting years on several hacking topics, including hacking mindset, techniques and code (most fitting in 140 chars). Now his main interest and research involves Cross Site Scripting (XSS) and filter/WAF bypass. Has helped to fix more than 1000 XSS vulnerabilities in web applications worldwide by means of the Open Bug Bounty platform (former XSSposed). Some of them include big players in tech industry like Oracle, LinkedIn, Baidu, Amazon, Groupon e Microsoft. He also has a blog totally dedicated to XSS subject and a private twitter account where he shares some of his XSS and bypass secrets (@brutalsecrets). Recently launched a paradigm-changing XSS online tool named KNOXSS, which works in an automated manner to provide a working XSS PoC for users. It already has helped some of them to get thousands of dollars in bug bounty programs. He's always willing to help experienced researchers and newcomers to community as well with his well-known motto: do not learn to hack, # hack2learn.


Return to Index      -     

 

PHV - Milano VIII - Promenade Level - Saturday - 13:10-13:59


YALDA - Large Scale Data Mining for Threat Intelligence

Gita Ziabari, Senior Threat Research Engineer at Fidelis Cybersecurity

Every SOC is deluged by massive amounts of logs, suspect files, alerts and data that make it impossible to respond to everything. It is essential to find the signal in the noise to be able to best protect an organization. This talk will cover techniques to automate the processing of data mining malware to derive key indicators to find active threats against an enterprise. Techniques will be discussed covering how to tune the automation to avoid false positives and the many struggles we have had in creating appropriate whitelists. We'll also discuss techniques for organizations to find and process intelligence for attacks targeting them specifically that no vendor can sell or provide them. Audiences would also learn about method of automatically identifying malicious data submitted to a malware analysis sandbox.

Gita Ziabari (Twitter: @gitaziabari) is working at Fidelis Cybersecurity as a Senior Threat Research Engineer. She has more than 13 years of experience in threat research, networking, testing and building automated frameworks. Her expertise is writing automated tools for data mining. She has unique approaches and techniques in automation.


Return to Index      -     

 

CPV - Florentine Ballroom 4 - Saturday - 15:00-15:30


Title:
Yet another password hashing talk

Author:
Evgeny Sidorov (Yandex)

Abstract:
Password hashing seems easy - just take a memory hard function, apply it to a password and you’re done. It might be so unless you have a high loaded web service with tight requirements for performance and response times and you need to achieve as maximum security as possible keeping in mind obvious computation DoS attacks (memory hard functions are hard not only for attackers, aren't they?). In this talk I'll give an overview of modern approaches to password hashing. We’ll discuss some details about Argon2 (d, i, id) and Yescrypt algorithms and different approaches to password hashing used in big Internet companies (what schemes are used, how to select parameters for algorithms etc.). In addition, I'll present our open source library Argonishche* that contains implementations of Argon2 and Blake2B optimized for SSE2, SSSE3, SSE4.1 and AVX2 instruction sets and uses runtime CPU dispatching to achieve maximum performance on CPUs with different SIMD extensions supported.

* in Russian suffix "-??" (-ishch) means something that is bigger than ordinary and that scares small children. In this case - something that is bigger than Argon :)

Bio:
Evgeny Sidorov is a Security Engineer at Yandex. Evgeny works in the Product Security Team and is responsible for developing and embedding various defense techniques in web and mobile applications. He finished his degree in applied mathematics at the Institute of Cryptography, Telecommunications and Computer Science of Moscow.

Return to Index      -     

 

PHV - Milano VIII - Promenade Level - Friday - 14:10-14:30


You're Going to Connect to the Wrong Domain Name

Sam Erb

Can you tell the difference between gооgle.com and google.com? How about xn--ggle-55da.com and google.com? Both domain names are valid and show up in the Certificate Transparency log. This talk will be a fun and frustrating look at typosquatting, bitsquatting and IDN homoglyphs. This talk will cover the basics, show real-world examples and show how to use Certificate Transparency to track down particularly malicious impersonating domain names which have valid X.509 certificates.

Sam Erb (Twitter: @erbbysam) is a software engineer hell-bent on making the internet a safer place. He is a Defcon Black Badge holder (badge challenge with @thecouncilof9, won 2x - DC23, DC24). Outside of Defcon he has co-authored two IETF draft documents.

DJ Bios


Return to Index      -     

DEF CON News


HackerTracker is Live in the App Store!

DEF CON Hacker Tracker image

The wait is over!

The iOS version of HackerTracker is available on the AppStore!. It's free, slick and courtesy of @sethlaw, @Chrismays94, @macerameg & @imachumphries. Thanks to all of them for delivering the goods on time!

Friends of Bill W. at DEF CON 25.

DEF CON Friends of Bill w. image

Vegas is a lot of fun, but it can also be just a lot. Too much, even, if you’re trying to keep the horizon level in your windscreen. If you’re a friend of Bill W joining us for DEF CON 25, please know that we have meetings at noon and five p.m., Thursday through Sunday in “Office 4Aâ€, on the promenade level. Drop by if you need to touch base or just want a moment of serenity. We’ll be there.

(See info booth next to office 4 on the map, if you’re having trouble finding “Office 4Aâ€)

DEF CON 25 Data Duplication Village!

DEF CON 25 Data Duplication Village image

Data Duplication Village is back for DEF CON 25, so don't forget to bring up to 3 6TB drives if you want to download the whole enchilada. This year's goodies are:

6TB drive 1-3: Updated archive of infocon.org plus other "direct from DT" content

6TB drive 2-3: freerainbowtables.com hash tables (#1-2)

6TB drive 3-3: GSM A5/1 hash tables plus remaining freerainbowtables.com data (#2-2)

There's a handy schedule to follow and you can drop off and pick up just like dry cleaning.

For more info you can check out dcddv.org and the forum thread

DEF CON 25 Entertainment Lineup!

DEF CON 25 Music Schedule image

Curious who's gonna be rocking the house in the wee hours of DEF CON 25? Here's a handy guide to the MainStage performers for all three nights! Enjoy, plot your entertainment journey and pass it on.

Just a little over a week! W00T!

*Richard Cheese and Lounge Against the Machine are performing in the Chill-Out Area, the rest of these performers are on the main stage.

Full-spectrum psychedelic bassquake - ZEE is back!

DEF CON Zebbler Encanti Experience image

Saturday Night, y'all!

Zebbler Encanti Experience (aka “ZEEâ€) is what happens when Pixel Wizard and Techno Badger meet in the woods and decide to short circuit neural pathways of the nearby mushroom pickers with nothing short of bassquakes (9.0 on the scale of awesome) and complete visual reality replacement (somewhat too awesome and terrifying to be numbered anything in particular).

That historic meeting in the woods is the underpinning of the very garments that ZEE now wear at every event they perform. The mere loosening of a button of their coats' pockets opens up a wormhole of psychedelic visions and sub-sonic rattles. But Zebbler Encanti Experience do more than that. They open their minds fully to each and every dance floor and ask you to Get In There!

Richard Cheese and Lounge Against the Machine are BACK for DEF CON 25!

DEF CON Richard Cheese image

Friday, in the Chillout area, please to enjoy the nearly-too-swanky-to-function  sounds of returning DEF CON performers (and DEF CON Soundtrack contributors!) Richard Cheese and Lounge Against the Machine!

America's loudest lounge singer Richard Cheese performs swingin' Vegas versions of rock and rap songs, "swankifying" popular Top40 hits into retro vocal standards. Imagine Sinatra singing Radiohead, and you've got Richard Cheese & Lounge Against The Machine.

The aforementioned DEF CON soundtrack is included with admission at DEF CON 25 or by donating to the EFF (url coming soon).

DEF CON 25 Friday Headliner: Reel Big Fish!

DEF CON Reel Big Fish image

For your DEF CON After Dark enjoyment, we present Friday's headliners, Reel Big Fish! They're fresh from their Beer Run Tour and ready to bring their trademark SoCal skank to the DEF CON masses.

In case you're not familiar, a bio snippet: "Reel Big Fish were one of the legions of Southern California ska-punk bands to edge into the mainstream following the mid-'90s success of No Doubt and Sublime. Like most of their peers, they were distinguished by their hyperkinetic stage shows, juvenile humor, ironic covers of new wave pop songs, and metallic shards of ska."

Sounds fun, yes? Yes.

DEF CON 25 Village Spotlight: ICS VIllage

DEF CON ICS Village image

A small group of SCADA Ninjas are traveling around the globe, spreading the word of SCADA. Unless you are already operating a secret nuclear enrichment facility in your basement or an ACME factory production line, then this is your best chance to get a kick-start into the world of Industrial Control Systems. We are bringing a number of real-world industrial devices from different vendors for you to look, feel and mess around with.

We bring you a safe, yet realistic environment where you can learn on how to assess, enhance, and defend your Industrial Environment. We bring you real components such as Programmable Logic Controllers (PLC), Human Machine Interfaces (HMI), Remote Telemetry Units (RTU), Actuators, etc. to simulate a realistic environment by using commonly components throughout different industrial sectors.

You will be able to connect your machine towards the different industrial components and networks and try to assess these ICS devices with common security scanners, network sniffers to sniff the industrial traffic, and more! In addition to previous years there is a workshop dedicated to ICS 101 and 201. Afterwards there will be an additional but optional challenge to test your newly acquired skills.

Follow @ICS_Village or have a look at www.ics-village.rocks.

New for DEF CON 25:
Voting Machine Hacking Village!

DEF CON Voting Village image

"Just like everything else, it's time for hackers to come in and tell you what's possible and what's not."

-The Dark Tangent

Judging from the headlines, it's a good time to figure out how secure our electronic voting machines are. What better way, we thought, to find out what's real and what's hype than getting a bunch of real voting machines into the hands of thousands of hackers? We happen to know where to find a lot of hackers onthe last weekend in July, so we created the Voting Machine Hacking Village. We're bringing a bunch of voting machines and encouraging people to see what's possible. Let's test the physical security, try attacks at a distance, dump the BIOS, all of it. Knowing is half the battle, people. Let's do our part to add to the base of knowledge.

Read all about it:

Voting Machine Hacking Village on the DEF CON Forums

DEF CON 25 Schedule is Live!

DEF CON Schedule is Live image

The DEF CON 25 Speaker Schedule is now LIVE! Please consult this schedule for all of your planning needs. For those of you who like to maximize efficiency, it can be paired with a venue map for optimal route planning and GPS programming.

We don't know about you, but we're getting pretty excited about this thing.

Web version: https://www.defcon.org/html/defcon-25/dc-25-schedule.html

PDF version: https://www.defcon.org/images/defcon-25/dc-25-schedule.pdf

Lawyer Meetup at DEF CON 25!

DEF CON Call for Parties image

Attention all lawyers, law students, and judges: The DEF CON Lawyer Meetup is BACK! We'll be meeting Saturday the 29th at 6pm in the Counsel Boardroom on the Promenade Level. Join us for conversation and merriment, followed by dinner for those interested in extending the experience.

See you there!

Important Call for Parties Update!

DEF CON Call for Parties image

Luxury problem: It turns out that we have a little more free night-time space than we anticipated.

Luxury solution: Turn it over to DEF CON community for some more parties. Got an idea for a fun, open-to-everyone party you’d like to throw? Get at us at contests@defcon.org right away. We’ll work with the best ideas to allocate floor space and get the party launched.

You have your assignment. We look forward to your kick-butt ideas.

DEF CON 25 Demo Labs are Live!

DEF CON demolabs image

DEF CON Demo Labs are back, and everything you need to know about them is waiting for you at the DEMO Labs Page! It's a heavy lineup of cool, open tools for all kinds of audiences, from testers to defenders to crypto enthusiasts. Bring your curiosity and questions and let's see what grows out of the interaction!

Workshops Reg Opens July 5th!

DEF CON workshops registration image

As hard as it might be to believe, we are less than a month away from DEF CON 25 - can you feel it in the air?

For those of you who are interested in the Workshops, we have some registration info. Online registration for workshops opens July 5 at 3pm PDT. First come, first served, so bookmark https://www.defcon.org/html/defcon-25/dc-25-workshops.html and set an alarm.

See you soon!

Meet the CFP Review Board!

DEF CON cfp review board image

Meet the team of renegade super geniuses that work for months to pick the best talks for DEF CON. We love them, and you should too. It's a crazy hard job reviewing hundreds of highly technical proposals, providing meaningful feedback and picking the best ones. This year they'll be rocking special CFP Review Board badges at DEF CON, so if you see them let them know we appreciate what they do.

The Speaker List is Complete!

DEF CON Speaker Update image

You know how we know it’s almost DEF CON? The Southwest is having a heat wave, that ancient tweet about the Feds (allegedly) not appreciating the ‘Spot the Fed’ contest is back and the interwebz are buzzing with burner phone chat.

Also, the speaker list is complete! Get yourself over to the speaker page and learn what wondrous presentations DEF CON 25 has in store for you! We think it’s gonna be a great year, and we want to thank everyone who submitted, both selected and not.

Extra special shout out to the unsung heroes of the CFP Selection team, who labor mightily to pull together the best possible lineup,  and to provide the kind of feedback that makes everyone better.

Check out the lineup, plan accordingly, and go ahead and get psyched. DEF CON approaches.

Workshops are Live!

DEF CON 25 workshops image

DEF CON Workshops are GO! Get yourself over to the DC25 website and see what strikes your fancy!

Registration opens July 5.

W00h00!

A DEF CON 25 Announcement

DEF CON 25 badge image

BAD NEWS:
No DEF CON 25 Mystery Challenge or badge contest.

WHAT HAPPENED?
Curious Codes, the company that was designing the DEF CON 25 badges, notified us they are no longer working on any challenges or badges for DEF CON.

WHY?
A combination of design and planning delays combined with a last minute unforeseen personal circumstance made their production impossible.

WHAT DOES THIS MEAN FOR DEF CON?
No special badges or challenge and no mystery challenge

SO NOW WHAT?
We've gone with a DEF CON 25 anniversary theme with the badges and have worked around the clock to get them designed and ordered. Not to fear, we are hackers, it will work out. Everyone will have badges, they just won't have crypto, secret embedded robotics, or radioactive compounds. I'll talk more about the joy of conference badges in a later post.

WAIT, THERE WAS GOING TO BE ANOTHER MYSTERY CHALLENGE?!?
Yes, L0st had planned to do a special DC 25 challenge to break everyone's minds.

ERATTA
Stay tuned for more info on #badgelife, we are planning a badge meet up for all those who enjoy building and collecting conference or contest specific badges of all kinds.

Village Spotlight - Crypto and Privacy Village Edition!

DEF CON 25 Crypto & Privacy Village image

Privacy is important to everyone, both in terms of the abstract legal right to secure our information and the concrete availability of tools and means to keep that data secure. In this age of near-ubiquitous surveillance, it's a good idea to keep your security knowledge sharp.

To that end, the Crypto and Privacy Village is back with a full roster of presentations, contests and workshops to level up your privacy game. Follow them @cryptovillage, or get the full rundown at cryptovillage.org.

Better Know a Contest: Hair Farmer Edition!

DEF CON 25 Beard and Mustache Competition image

The DEF CON Beard and Mustache Contest is back - time to break out the various oils, waxes and industrial fertilizers that keep you looking so profoundly beardy. There are prizes to be won! Join us at 'the intersection of facial hair and hacker culture'.

You can learn the rules and whatnot at the contest website dcbeard.com, and you can follow the contest on the Twitters @dcbeard contest.

Beardless, but interested in competing? Please know that there is a freestyle category that actively encourages the creation and display of faux, ersatz and/or fictive facial hair arrangements. Fanciful and improbable designs welcome.

DEF CON 25 Contest Update! SOHOpelessly Broken Router List Released!

DEF CON 25 SOHOPelessly Broken logo image

The 0Day Device List is now LIVE! Dig into these IoT devices and then demonstrate your exploits at the IoT Village for cool prizes and raucous applause!

Village Spotlight: Packet Hacking Village

DEF CON 25 Packet village image

Once upon a time, the Wall of Sheep was mostly a bunch of paper plates stapled to a wall, shaming DEF CON attendees for bad security practices. It has grown into a whole village full of packet shenanigans with its own speaker track, contests and even workshops.

There’s loads of information on their wallofsheep.com, including the speakers they’ve so far selected for DC25. There’s a lot to take in, so it pays to get familiar in advance. The Packet Hacking Village has enough going on to satisfy all packet ninjas, from Padawan to full-blown Jedi. Visit their site, follow them on Twitter @wallofsheep and get your chops in order. The mischief starts next month.

'Better Know a Contest’: Crash and Compile Edition

DEF CON 25 crash and compile image

Crash and Compile is part drinking game, part programming contest. The ratio, of course, is yours to determine, but there are prizes for both the solving of programming problems and the drinking of drinks.

There are more rules than this,naturally, and you can find them at crashandcompile.com. They are the kind of rules that go like this: something happens, people take a drink. Also something doesn’t happen, or fails to happen as expected, and people take a drink. You get the picture, we think.

There are also ways to participate if you want to code without the drinking, or drink without the coding, or just distract the people trying to do both.There are prizes, and booze, and the satisfaction of proving that your skills can’t be thwarted by a little casual imbibing.

Follow the organizers on Twitter @crashandcompile and if this seems like your kind of party, get started on the training montage. We’ll see you there!

DEF CON 25 Speaker round 2!

DEF CON Speaker Update image

Round 2 of the DEF CON 25 Speaker Selections is LIVE! Get into our speaker page and soak in all the updates. Clear some space in the old noggin for the science we're gonna drop in there. Visualize your ideal route.

BITSInject
Dor Azouri

How We Created The First SHA-1 Collision And What It Means For Hash Security
Elie Bursztein

Abusing Certificate Transparency Logs
Hanno Böck

Breaking the x86 Instruction Set
Christopher Domas

Secure Tokin' and Doobiekeys: How To Roll Your Own Counterfeit Hardware Security Devices
Joe FitzPatrick & Michael Leibowitz

MEATPISTOL, A Modular Malware Implant Framework
FuzzyNop & ceyx

Radio Exploitation 101: Characterizing, Contextualizing, and Applying Wireless Attack Methods
Matt Knight & Marc Newlin

Cisco Catalyst Exploitation
Artem Kondratenko

"Tick, Tick, Tick. Boom! You're Dead." — Tech & the FTC
Whitney Merrill & Terrell McSweeny

An ACE Up the Sleeve: Designing Active Directory DACL Backdoors
Andy Robbins & Will Schroeder

Man in the NFC
Haoqi Shan & Jian Yuan

Porosity: A Decompiler For Blockchain-Based Smart Contracts Bytecode
Matt Suiche

A New Era of SSRF - Exploiting URL Parser in Trending Programming Languages!
Orange Tsai

Assembly Language is Too High Level
XlogicX

Most importantly, get amped! It's next month, people!

More speaker updates to come. Stay tuned.

DEF CON 25 Sticker Packs now Available!

DEF CON Sticker pack image

Got a device with visibly unadorned surface area? Don't worry - DEF CON is here to help you do the right thing. Hide your laptop's shiny silver shame with our stylish, durable DEF CON 25 stickers! There's five in the pack: you get a DC25 logo and four variations of our popular 'Disobey' sticker.

It's almost summer here in the Northern Hemisphere - make sure your gadgets are beach-ready. Get these fine stickers (and all kinds of other DEF CON goodies) at our eBay store, while supplies last.

DEF CON 25 Vendor Applications are Closing Soon!

DEF CON Vendor Reg Closing image

If you're still hoping to be a vendor at DEF CON 25, you need to to get over to defconvendors.com with all deliberate speed. The space is limited,and the deadline for submissions is June 1.

Don't miss your chance to share your products with thousands of members of the DEF CON community at Caesars Palace in July.

Tick-tock, tick-tock.

First Round of DEF CON 25 Speakers are Live!

DEF CON Speaker Update image

The time has come, worthy citizens of DEF CON! Our first round of speaker selections, piping hot and ready for your delectation. It's going to be a big year, and it's a good time to start planning your con. We'd love to hear which talks you're most interested in so far. Stay tuned to this channel for additional speaker updates in the days to come.

Get psyched!

Village Spotlight: BioHacking Village!

DEF CON Biohacking Village image

From the BioHacking Village website at defconbiohackingvillage.org:

"The DEF CON Biohacking Village is a multi-day biotechnology conference focused on breakthrough DIY, grinder, transhumanist, medical technology, and information security along with its related communities in the open source ecosystem. There have been multiple instances of DIYBio overcoming conventional science. We want to celebrate the biohacker movement with a compendium of talks, demonstrations, and a medical device hackathon.

The 2017 BioHacking Village theme is Medical Industry Disrupt. The Medical Industry is one of the last to be touched by technology. We have placed doctors and the study of medicine on an altar for years; the time of ivory towers, pedestals, and information isolation has come to an end. Biohackers are working on projects that have traditionally been kept in the labs of the medical institutions. We are moving science forward by working on DIY projects that matter and use citizen science to solve the economic problems that are caused by privatizing medicine and the resources for research."

If this sounds like your jam, or you just want to dip a toe in the DIYBio pool, you can find out more at defconbiohackingvillage.org, by following @DC_BHV or checking out their space on the DEF CON Forums.

Better Know a Contest - Film Contest Edition!

DEF CON td francis image

The TD Francis X-Hour Film Contest is back! Think you've got the skills to conceive, script and shoot a short film in the midst of the DEF CON madness? Do you enjoy fun, prizes and awesome Contest shirts? Sign up, meet some basic requirements,and make your masterpiece.

Full details are on the Film Contest Website (xhourfilmcontest.com), but the basics are:

• You get the full and final rules and the topic when you pick up your reg Packet onsite.

• You can film in the venue so long as you're wearing your brightly colored Contest tees.

• Up to 5 crew - actors and extras aren't counted as crew.

Win prizes like a Seattle Film Institute scholarship and human badges to DEF CON 26, and get your film shown at DEF CON 25. Thank DEF CON through your Oscar tears a surprisingly short time later.*

Slots are limited, so if you want shot at DEF CON Film glory, get over to xhourfilmcontest.com right away and begin your journey.

*your mileage may vary, but you definitely can't rule it out.

DEF CON 25 Village Spotlight: Tamper-Evident Village!

DEF CON tamper evident image

Tamper-evident tech may not be the flashiest security are out there, but it's a fascinating way to get your hands dirty in some ground-level physical security. The wily hacker who masters this space must know methods and techniques for defeating a wide variety of real-world seals, all the while stepping so lightly as to remove all evidence of their passing.

The Tamper-Evident Village brings a ton of different seals for you to practice on, helpful humans to point you in the right direction and even a few contests to test your skills.

Join us in the Tamper Evident Village and level up your physical security skill set!

Tuesday Feature: Better Know a Contest!

DEF CON 25 Coindroids image

We're spotlighting some of the contests of DEF CON 25, to help you map your time and maybe get some practice in. Today's Featured Contest: COINDROIDS!

Coindroids is sort of an RPG, set in a post-humanity Earth where only financial services droids remain, battling each other through the ruins for upgrades and survival. Money is the goal, both as a symbol of power and the weapon from which power is derived.

The game is played within the blockchain, and each block represents a round. To attack, you send defcoin to the attack address. To defend, you send defcoin to a 'block' address to raise your shield. Gain experience, level up, purchase new and more powerful armaments and upgrades and claw your way up the leaderboard. Rule the Cryptocurrency wasteland.

For a thorough explanation of the game's inner workings, check out the coindroids github: https://coindroids.github.io/Coindroids-Documentation/#introduction

Sign up and get some reps in at the Coindroids website: def.coindroids.com

Congrats to DEF CON 25 CTF Qualifying Teams!

DEF CON 25 CTF Qualifiers image

We'd like to congratulate these qualifiers for DEF CON 25's CTF contest:

PPP
Tea Deliverers
Shellphish
DEFKOR
A*0*E
hacking4danbi
!SpamAndHex
RRR
Team Rocket ☠ï¸

Excellent work, and may fortune smile on you in Las Vegas this July. We'd also like to thank the upstanding citizens of the Legitimate Business Syndicate for putting together another great contest. Feels good, doesn't it? The spring is turning to summer, the table is set for the DEF CON CTF and we're in the home stretch of the countdown to DC25. Feel free to get amped.

DEF CON 25 CFP Reminder!
Closes Monday May 1!

DEF CON 25 CFP Reminder image

If you're waiting until the last minute to submit your presentation, you should know that we are officially in last minute territory right now. The window closes Monday, so if you want to see your talk in contention make good use of the remaining time! The moment of truth is upon you, so clear out some space and get your submission in order.

Let's get your cool ideas up where they belong.

The information you need is here:
https://www.defcon.org/html/defcon-25/dc-25-cfp.html

DEF CON 25 Crypto & Privacy Village CFP is OPEN!

DEF CON 25 Vendors image

Cypherpunks, start your engines! Crypto and Privacy Village is returning for DEF CON 25 and they're looking for speakers. If you've got some good stuff to share with the Crypto community, point yourself over to cfp.cryptovillage.org and get your submit on! We're looking forwards to seeing what you've been working on.

DEF CON 25 Vendor Registration is OPEN!

DEF CON 25 Vendors image

If you have geek-friendly wares you'd like to get in front of tens of thousands of clued-up, engaged and highly caffeinated DEF CON types, might we suggest the vendor area at DEF CON 25? For that audience, you really can't beat it. Smart people with an interest in hacker stuff is literally all we got.

As always, vendor table space is limited, and will get claimed pretty quickly. Its a good idea to get your application in early to ensure your spot. The information you need to apply is available at defconvendors.com. Registration closes on June 1st, 2017, so don't delay.

DEF CON 25 Call for Demo Labs is Open!

DEF CON 25 demo labs open image

DEF CON Demo Labs are BACK! If you’ve got an open source project (tool or hardware) that you want to get in front of a huge, clued-in and interested audience, you’re gonna want to check out our Demo Labs page. Whether you’re looking for feedback, help or just getting the word out, we can offer you a 2-4 hour dedicated time slot to share at DEF CON 25. And one badge, if your project makes the cut, obvi. Get your info on the DL page and get your proposal in before June 1, and let’s make some demo magic!

Next DEF CON 25 CTF Qualifying Event is Approaching!

DEF CON 25 Plaid CTF Qualifier image

Friendly DEF CON 25 CTF reminder: The next qualifying event is PlaidCTF, an online jeopardy-style contest that's a mere 10 days away! You can get more infoz at plaidctf.com, but it's time to get on it. Fortune favors the bold.

Call for Contests, Events, and Villages is Closed!

DEF CON 25 CEV closed image

The Call for Contests/Events/Parties is now closed. If you submitted a proposal, expect a response soon. If you just want to know what kind of delights are in store for DEF CON 25 attendees, watch this space.

It's getting closer, people. Feel free to get amped.

Press Registration is Open for DEF CON 25!

DEF CON 25 Press Reg image

Friendly reminder to our friends in the fourth estate: Press Registration for DEF CON 25 is now officially OPEN! Spaces are limited, and speedy application improves your chances. The information you need to get your ducks properly aligned is on the DEF CON Press page. We've made some changes to streamline the process, so it's worth your time to check that out.

We look forward to hearing from you. It's gonna be a big year.

Sign Up for DEF CON 25 CTF Quals!

DEF CON 25 CTF Quals image

Attention CTF enthusiasts everywhere: Registration is open for the DEF CON 25 CTF competition! Please report to the web establishment of our friends and trusted associates at the Legitimate Business Syndicate for further instruction.

You can't win if you don't play, and you can't play if you don't register. Let DO THIS, shall we?

Social Engineer Village SECTF Applications Open!

DEF CON 25 SECTF image

Can you talk a skinny dog off a meat truck? Do 419 scammers get off the phone owing you money? If you've got the steely nerve and Social Engineering skill to play in the big leagues, you should know that the SECTF is accepting applications for DEF CON 25. Get in the ring and show off your superpowers!

DEF CON 25 Secret Stash: March Edition

DEF CON 25 Secret Stash March image

This month's profoundly rad design is here to hacker up your spring wardrobe! Dozens of DEF CON and hacker culture references packed together in the inimitable style of our own Mar Williams. Can you identify them all?

Limited edition, only available in the Secret Stash, so get yourself fresh while you can!

We're Working on Great Things for DC25!

DEF CON 25 DCTV image

One of the fun perks of staying in the host hotel at DEF CON is access to live, streaming talk content from the comfort of your room. DEF CON TV can really come in handy when a talk is over capacity, or when you need a little breather from the Vegas of it all.

This year, we’re hoping to expand the offering of DEF CON TV beyond the main venue. If you're staying in any of the partner hotels, you’ll not only get our D.C. Group rate, but you get DCTV as well! Huzzah! We’ll keep you informed via social media and the DEF CON 25 website when we have the green light.

Our block rate is sold out at Caesars, but you can still grab it at
Linq 
Paris
Bally's
Flamingo
Harrah's

We suggest you book promptly to ensure the preferred pricing - these will fill up quickly.

DEF CON 25 CTF Qualifying event, 0OPS CTF this Weekend!

DEF CON 25 ctf quals image

The next stop on the road to DEF CON 25 CTF glory is this weekend's 0OPS CTF. It's a wide open, jeopardy-style event you can learn about at https://ctf.0ops.net. Everybody gets an exciting sleepless weekend of network combat, but the winner gets a spot at the Big Show at DC25. Spring has sprung and the procrastinator's window is slowly closing. Gather your stoutest warriors and get your name in the arena, or forever wish you had tested yourself against the best.

Details and the full quals schedule are at legitbs.net.

DEF CON 25 Call for Entertainers is Now Live!

DEF CON 25 call for music image

Are you an entertainer? A singer of songs, a shredder of licks, a spinner of beats? Have you the skills to keep the sweaty masses in a rumpus till the breaking of dawn? If so, DEF CON has urgent need of your talents.

The DEF CON 25 Call for Entertainers is now live. Fill out the form, prove you have the goods, rock faces off at DEF CON's 25th Anniversary shindig. It's that simple. You've got til June 1 to get our attention.

DEF CON 25 Call for Papers Reminder!

DEF CON 25 CFP announce image

Pro Tip: if you want to give your CFP submission its best chance, don't wait for the last minute! Get it in early so that reviewers have a chance to give you feedback. If you have a good idea that needs some refinement, we're happy to help you get it right.

https://www.defcon.org/html/defcon-25/dc-25-cfp-index.html

DEF CON 25 BioHacking Village CFP is Open!

DEF CON 25 Biohacking Village logo image

This CFP announce is for lifehackers; not the ones who have a really good todo list app, but the ones who hack life. The DEF CON 25 Biohacking Village is looking for your presentation ideas. Grinders, transhumanists and  DIY biotech geeks of every description are encouraged to apply.

The Biohacking Village theme for 2017 is Medical Industry Disrupt, so special consideration goes to pitches that aim to revolutionize the practice of medicine. You have until May 28th to get your submissions in. We're looking forward to seeing what you're up to.

For all the details, go to defconbiohackingvillage.com

Call for Reviewers Closing Soon

DEF CON Call for Reviewers image

Your response to our call for reviewers was much bigger than we expected, so we’re closing it down Monday. Thanks to everyone who offered to help - we’ll be getting in touch with those who’ve been selected. We’ll keep the applications we received on file, and we’ll open this call back up before DEF CON 26.

If you’re still looking for volunteer reviewer opportunities, we encourage you to get in touch with the villages - most of them also field a large number of proposals that might be a perfect match to your expertise.

Thanks to the DEF CON community for always responding to our requests with so much love and enthusiasm. You rule.

Call for Contests, Events, Villages, & Parties is now Open!

DEF CON Call for CEV image

DEF CON 25 approaches. It more than approaches. DEF CON 25 looms. It hovers just beyond the near horizon, waiting to be awesome.

One key element of this awesome is all the superfun hackertainment we deliver in the form of Contests, Events, Villages and Parties. And the key element to pulling that together is YOU. All of that fun is 100% community-driven.

Every year we ask the DEF CON community for their best ideas for CON amusements, and we make the best ideas happen. This year, our 25th Anniversary year, we're hoping you're ready to respond and really step things up. Dig deep. Dream big. Seize this moment.

Everything you need to know to put your proposal together is on our CEV page. Go there, get amped, and submit your killer idea.

Let's get epic, people.

Reminder: DEF CON CFP Review Board AMA on Reddit Tonight!

DEF CON Call for Papers AMA image

Friendly reminder: If you've got any questions about the process of becoming a DEF CON speaker, don't miss the AMA today! Get yourself over to /r/defcon at 6pm PST today and get 'em answered by the DEF CON 25 CFP Review Board.

Get tips on what they're looking for, help with how to present your proposal and general encouragement to bring your ideas to the DEF CON community. Be there.

Next Quals Event for DEF CON 25 CTF Coming Up!

DEF CON 25 CTF Quals image

If you're a packet ninja on a quest for CTF immortality at DEF CON 25, you need to keep your eyes on the qualification schedule. No quals, no glory.

The next qualifying event is the online Jeopardy-style Bostonkey.party, happening this very week (Feb 25-27)! You can find info about this and all the remaining events in the schedule at legitbs.net, the online home of the upstanding citizens hosting this year's CTF.

We're expecting big things from you.

DEF CON CFP Review Board AMA on Reddit next Week!

DEF CON Call for Papers AMA image

The DEF CON 25 CFP Review Board will be hosting an AMA Wednesday, Feb 22 at 6pm PST. Bring your questions and get yourself up to speed. Meet the team that does the selecting, and learn tips that will give you an edge in getting your talk accepted.

Join us in /r/defcon next Wednesday!

Specialized Reviewers wanted
for DEF CON 25 CFP!

DEF CON Call for reviewers image

Greetz!

We're seeking specialized CFP Reviewers to join our DEF CON 25 CFP board this year. We have a fairly well rounded board, but we could use a few more to the team. Specifically, we'd like those more specialized in: Cryptography, Malware, Post-exploitation, Reverse Engineering, and Forensics. So if you can open a can of whoop ass with those skills, please apply.

All you have to do is write a cover letter telling us how you've been involved in the DEF CON community, what skills you can bring to the table, and where to find your resume. Please be aware being on the review board is a hard volunteer job. To review you need to spend hours reading submissions and providing feedback. There will be hundreds of emails, so you have to be committed. The reward, however, is having a hand in making DEF CON 25 amazing and the eternal gratitude of hackers all over the world. Which is nice.

Send your entries to talks@defcon.org if you want in.

Thanks,
Nikita

DEF CON Jackets on Sale!

DEF CON Jacket image

Pro Tip: DEF CON's eBay store has a 50 dollar price drop on some very stylish waterproof soft-shell jackets! Now there's no excuse for spending one more day in the same boring, skull-free outerwear. Fight the elements and crush the mid-winter blahs with style. Check 'em out !

DEF CON 25 Secret Stash for February!

DEF CON 25 February stash image

The Secret Stash is keeping you hacker fresh with more DEF CON 25 wearables! Both the tee and the sticker are custom, exclusive artwork available only from the Stash. Look fly and keep DEF CON close to your heart until we meet again in July!

DEF CON 25 Call for Papers and Call For Workshops are Open!

DEF CON 25 CFP announce image

Luminous humans of the DEF CON community, we interrupt your slow news week to bring you this urgent message:

The DEF CON 25 CFP is OPEN! And so is the Call for Workshops!

We realize that's kind of two messages. The common thread is that the machinery of DEF CON 25 awakes from its fitful rest, and it hungers. It hungers for your talk submissions as well as your workshop ideas.

To expedite the annual feeding of this beast, we've created a CFP index page that includes all of the many ways you can submit your work for consideration.

The time is upon us, people. The deadlines will arrive faster than you think. Get your stuff together, whip it into shape and get it in. We are only going to turn 25 once, and we want you to be a part of it.

DEF CON 25 January Secret Stash Reminder

DEF CON secret stash january image

Gentle reminder: The Secret Stash is back with more DEF CON 25 boss-level swag! Both the tee and the sticker are custom, exclusive artwork available only from the Stash. Get your 2017 look together with a versatile tee - fresh for all situations, from the boardroom to your secret lair.

Get your goodies at teespring.com/defconstashjanuary
Women's cut/sizes at teespring.com/defconstashjanuarywomen

Caesars is Sold Out, But Options Abound!

DEF CON Caesars Palace image

The early birds have captured all of the on-site worms: Caesars Palace is sold out for DEF CON 25.

Be of good cheer, however. You can still get our discounted room rate at the following nearby properties:

Linq
Paris
Bally's
Flamingo
Harrah's

DEF CON 25 is gonna be kind of a big deal, and we want you there. We suggest getting on that reservation post haste. The link for the DEF CON discount is https://resweb.passkey.com/go/SCDEF7 and the time for action is now.

DEF CON 25 CTF Quals Update!!

DEF CON 25 CTF Quals Update image

Attention all seekers of CTF glory - the qualification season is underway! The solid citizens of the Legitimate Business Syndicate have posted the information you need to get involved on their website at legitbs.net.

If you've got the goods, get in the arena. There's nothing between your squad and Capture the Flag supremacy but air, opportunity and the best players on Earth. Get you some.

DEF CON 25 Secret Stash for January!

DEF CON secret stash january image

The Secret Stash is back with more DEF CON 25 boss-level swag. Both the tee and the sticker are custom, exclusive artwork available only from the Stash. Get your 2017 look together with a versatile tee - fresh for all situations, from the boardroom to your secret lair.

Announcing the DEF CON 25 Theme!

DEF CON 25 logo image

Greetings, hacker fam. It's time to announce the theme for DEF CON 25!

DEF CON 25 theme image

Welcome to DEF CON's Silver Anniversary!

We're celebrating 25 years of warranty-voiding, boundary-expanding adventures in technological subversion, and looking forward to the next 25.

DEF CON 25 theme image

The theme this year is 'Community, Discovery and the Unintended Uses of Technology' and the vibe is retrofuturist - think maxed-out 8-bit grafx in a dark arcade, lovingly defaced websites in Netscape Navigator. A world where adventurous digital misfits are building a new world out of the pixels and info the Powers that Be leave behind.

DEF CON 25 theme image

We've come a long way together, from the obscurity of BBS life to Runner-Up for Time's Person of the Year. From 20 people at the CON to 20,000. From media scapegoat to – well, it's a work in progress.

Join us at Caesars Palace to look back at how we got here, and to imagine together where we go next.

A Gift for You!

DEF CON 25 wallpapers image

In the spirit of this festive season, DEF CON has a gift for you and your various screenz: wallpapers for everyone!

Designed by our very own Mar Williams and sized to fit many popular devices, these DEF CON 25 wallpapers will make your lock screen the talk of the town!

And while you're admiring your spiced-up mobile, remember that you can still get a T-shirt emblazoned with this very same artwork at teespring.com/defconstash, for the next several days.

The Latest

DEF CON 25 CTF Update!

DEF CON 25 CTF Update image

Heads up to all the CTF fans out there: the upstanding citizens of the Legitimate Business Syndicate have alerted us to some of the contests that will qualify for the DC25 CTF.

According to the Legitimate Business Syndicate (@legit_bs) Twitter feed, the following contests are confirmed as qualifiers:

PlaidCTF (@PlaidCTF)
Boston Key Party (@BkPCTF)
0CTF (@0opsCN)
33C3 CTF (@EatSleepPwnRpt)

If you're not in the dojo getting yourself into tournament shape, it's time to start making better choices.

DEF CON 25 Swag Pack Reminder!

DEF CON 25 swag pack image

Gentle reminder: The DEF CON Secret Stash exclusive T-shirt/sticker pack is available for a little while longer. The image comes from DEF CON staff artist Mar Williams and is only available through this offer.

Get yourself some DEF CON 25 swag hella early and tell people you come from the future.

Interested in a DEF CON/GoRuck Event?

DEF CON 24 IoT playlist image

Like #DEFCON? Like #GoRuck Events? Wanna put them together? Express your interest in the DEF CON/GoRuck Custom! http://buff.ly/2h7Th7F

Exclusive DEF CON 25 Swag Pack!

DEF CON 25 swag pack image

From now until DEF CON 25, we're offering monthly packages of exclusive, limited-edition DEF CON 25 swag.

The December pack is a crisp, fresh DEF CON 25 tee and a high-quality DC25 sticker. The design is courtesy of DEF CON staff artist Mar Williams, created especially for this package. Look sharp, gift like a boss and hide your laptop's shiny metal shame. Rock DEF CON 25 swag like you come from the future.


Return to Index

DEF CON 25 FAQ


This FAQ was created to help answer some questions you may have about this years DEF CON. If you need more info or questions regarding DEF CON please check out the general DEF CON FAQ list. Available here: https://www.defcon.org/html/links/dc-faq/dc-faq.html


When and where is DEF CON 25?

DEF CON is generally in the last week of July or first week of August in Las Vegas. DEF CON 25 will be held July 27-30, 2017, at Caesars Palace in Las Vegas. Many people arrive a day early, and many stay a day later. Again this year we will have some things running on Thursday.


Is DEF CON 25 canceled?

No.


How much is admission?

$260.00 USD, Cash for all four days. Everyone pays the same: The government, the media, the ‘well known hackers’, the unknown script kiddies. The only discount is for Goons and speakers, who get to work without paying for the privilege. We only accept cash - no checks, no money orders, no travelers checks. We don't want to be a target of any State or Federal fishing expeditions.


Can I pre-register for DEF CON?

No.


How many people will be there?

Last year we had more than 20,000 people at DEF CON! The last few years, attendence has been in the 15-19k range.


How much do rooms at Caesars Palace cost, and how do I reserve a room?

The DEF CON rate is available at the following hotels: Caesars Palace, Paris, Bally's, Flamingo and Quad. Check out the DEF CON 25 Venue page for all the details!


I can't afford that.

Try the Ride and Room sharing threads on the Forums.

You may also want to visit your Local DEF CON Groups meeting and see who you might want to bunk up with. It's important to mention you should use good judgment when sharing a room and consider who is sleeping next to you and who has access to your belongings. That said, there are a lot of great people looking to save a buck or pinch a penny, good luck.


Can I get a discount on DEF CON badges?

DEF CON charges one price regardless of your social status or affiliation. Please know that we depend on attendee income to pay the costs of the conference and don't have sponsors to help defray the expenses.

We sometimes get requests for discounts [students, veterans, children], unfortunately we don't want to try and validate if you are a current student, look at your ID to determine your age, decode military discharge papers, etc.

If you really want to attend DEF CON for free then do something for the con.

You could:
Submit a CFP and be an accepted speaker or workshop instructor.
Work on a contest, event, or village.
Qualify for CTF/Contests that include entry.
Find a team to become a Goon newbie.
Contribute to content, or perform some entertainment.


I need a letter of invite for my visa application, how do I get that?

In most cases, DEF CON can send a signed letter of invite, usually within a few short business days once we have all the info. If you also require verification of housing, we can put you in touch with someone to help you get your hotel stay organized, let us know if you need that.

Along with your request, please email us the following to info(at)defcon(.)org

Name as is on passport:
Passport number:
Country of issue:
Date of issue:
Date of expiration:
Country of origin:


How much is internet access in the rooms of Caesars Palace?

We'll let you know soon. Internet access is available for free in the convention area.


Is there a free network at DEF CON?

Why yes, DEF CON is FULLY network-enabled. Now that we've perfected the art of a stable hacker con network, we're ascending to a higher level - we're providing you a network that you feel SAFE in using! Since DEF CON 18 we're WPA2 encrypted over-the-air, with a direct trunk out to the Internet. No peer-to-peer, no sniffing, just straight to the net (and internal servers). We'll provide login credentials at Registration. We know the 3G airwaves will be saturated so we're putting our own cred on the line to give you a net that even we would put our own mobile phones on.

If you're feeling frisky, we'll still have the traditional "open" network for you - bring your laptop (we'd recommend a clean OS, fully patched--you know the procedure) because we don't police what happens on that net. Share & enjoy!


What about the smoking policy?

Due to the Clean Air Act in Las Vegas, the Vendor Area, Speaking rooms, and Hallways will be completely non-smoking in order to comply with the law. The Hotel will have designated smoking areas clearly posted. There is a discussion about it on the DEF CON Forums here: https://forum.defcon.org/showthread.php?t=8200
Any news and info will likely be posted there.


What is the age limit?

People have brought children to DEF CON - it is not recommended to do this unless you are going to constantly supervise them. It is generally an ‘adult’ atmosphere (language, booze, et cetera). If you've never been to DEF CON, you may want to refrain from bringing your children (unless they are demanding that you bring them). While there are no age limits, we have consistently cooperated with parents and/or private investigators who are looking for children that ‘ran away from home’ to go to DEF CON. You must be 18 years of age or older to reserve a hotel room and to check-in. A valid ID is required upon check-in. DEF CON 25 will have enforcement of the 21 or older rule in certain "private" parties with possible bouncers at the doors checking IDs. This is generally the rule in all areas where alcohol is being served. However, DEF CON does not take responsibility for anything potentially indecent or offensive your minor may witness or participate in. The underage attendee is the responsibility of his or her guardian or themselves. The presentations are open to all ages. Observation of contests as they take place on the contest floor is open to all ages. Competition in some contests may have age restrictions due to laws. There is plenty fun to be had without booze and gambling! There is a discussion regarding fun for those under 21 on the forums. https://forum.defcon.org/showthread.php?t=8232


I want to speak, how do I give a talk?

GREAT! We are looking for and give preference to: unique research, new tool releases, Ø-day attacks (with responsible disclosure), highly technical material, social commentaries, and ground breaking material of any kind. Want to screen a new hacking documentary or release research? Consider DEF CON. To submit a speech, read the Announcement and complete the DEF CON 25 Call for Papers Form: https://www.defcon.org/html/defcon-25/dc-25-cfp-form.html CFP forms and questions should get mailed to: talks/at/defcon.org


When does the CFP Close? Can I get an Extension?

DEF CON 25 Call For Papers will close on May 1, 2017.


How can I help or participate?

DEF CON is not a spectator sport! Before the con, during, and after there are chances for you to get involved. Below is a list of this years contests and events. This list may not be complete so check the forums to see what people are up to. Go to the forums for more info on Contests and Events: https://forum.defcon.org/forum/defcon/dc25-official-unofficial-parties-social-gatherings-events-contests


How do I become a Vendor?

Keep an eye out for the Vendor registration opening. If you want a space in our vendor area, you need to apply. Because of limited space and our attempt to have a diversity of vendors, you may not be able to get a booth. It is wise to think of staffing issues - if you are one person do you want to spend your entire time behind a vendors booth?


I'm press, how do I sign up, why can't I get in for free (I'm just doing my job)?

Please check out the DEF CON 25 Press Registration page (opening soon) if you wish press credentials. Lots of people come to DEF CON and are doing their job; security professionals, federal agents, and the press. It wouldn't be fair to DEF CON attendees if we exempted one group from paying. If you are a major network and plan on doing a two minute piece showing all the people with blue hair, you probably shouldn't bother applying for a press pass - you won't get one. If you are a security writer or from a real publication please submit, and someone will respond with an answer.


What should I bring to DEF CON?

It depends on what you're going to do at DEF CON. This is discussed in quite some depth on the unofficial DC FAQ, as well as a thread in the DC Forums. You may want to bring fancy (or outrageously silly) clothes for the Black and White Balls, annual Friday and Saturday night events where everyone shows off nifty attire. SWAG is Always recommended, people LOVE to trade! You never know when or where a t-shirt with your .org will come in handy. Government SWAG is a hot commodity, however, DT wishes to pillage those goods first! Its generally a good idea if you are a pale geek to have some sunscreen at the top of your list. Other honorable mentions are: Blister preventions, Band-aids, Gel shoe inserts, Personal cooling devices, Pain relievers and antacids, Bottle openers, Personal voice recorders, water filters, and last but not least an Alibi.


This FAQ didn't answer my questions, or was unclear, how can I get further information?

There is a forum discussion thread in which you can ask follow up questions. https://forum.defcon.org/showthread.php?t=6845


Please visit: https://www.defcon.org for previous conference archives, information, and speeches. Updated announcements will be posted to news groups, security mailing lists and this web site.

https://forum.defcon.org/ for a look at all the events and contests being planned for DEF CON 25. Join in on the action.

https://www.defcon.org/defconrss.xml for news and announcements surrounding DEF CON. Also check out our Twitter, Facebook, and G+ accounts for up to the minute news.


Return to Index

DEF CON FAQ


Frequently asked questions about DEF CON



What is DEF CON?

DEF CON is one of the oldest continuously running hacker conventions around, and also one of the largest.



How did DEF CON start?

Originally started in 1993, it was a meant to be a party for member of "Platinum Net", a Fido protocol based hacking network out of Canada. As the main U.S. hub I was helping the Platinum Net organizer (I forget his name) plan a closing party for all the member BBS systems and their users. He was going to shut down the network when his dad took a new job and had to move away. We talking about where we might hold it, when all of a sudden he left early and disappeared. I was just planning a party for a network that was shut down, except for my U.S. nodes. I decided what the hell, I'll invite the members of all the other networks my BBS (A Dark Tangent System) system was a part of including Cyber Crime International (CCI), Hit Net, Tired of Protection (ToP), and like 8 others I can't remember. Why not invite everyone on #hack? Good idea!



Where did the name come from?

The short answer is a combination of places. There as a SummerCon in the summer, a HoHoCon in the winter, a PumpCon during Halloween, etc. I didn't want any association with a time of year. If you are a Phreak, or just use your phone a lot you'll notes "DEF" is #3 on the phone. If you are into military lingo DEF CON is short for "Defense Condition." Now being a fan of the movie War Games I took note that the main character, David Lightman, lived in Seattle, as I do, and chose to nuke Las Vegas with W.O.P.R. when given the chance. Well I knew I was doing a con in Vegas, so it all just sort of worked out.

There are several resources that will give you an idea of what DEF CON is all about.

DEF CON Press: through the prism of the media
DEF CON Pics: visual evidence, thousands of pictures, some NSFW
DEF CON Groups: Local groups that meet
DEF CON Media archives: Speeches from DC 1 to the present, captured
Google: always a good research starting point
Just remember, DEF CON is what you make of it.



When and where is DEF CON?

DEF CON is generally in the last week of July or first week of August in Las Vegas. DEF CON 25 will be held July 27th through July 30th at Caesars Palace in Las Vegas. Many people arrive a day early, and many stay a day later.



Isn't there a DEF CON FAQ already?

Yes, an unofficial one. It's quite humorous, sometimes informative, and DEF CON takes no responsibility for its content. It can be found at http://defcon.stotan.org/faq/



What are the rules of DEF CON?

Physical violence is prohibited. We don't support illegal drug use. Minors should be accompanied by their parent(s) or guardian(s). Please refrain from doing anything that might jeopardize the conference or attendees such as lighting your hair on fire or throwing lit road flares in elevators. DEF CON Goons are there to answer your questions and keep everything moving. Hotel security is there to watch over their property. Each has a different mission, and it is wise to not anger the hotel people. Please be aware that if you engage in illegal activities there is a large contingency of feds that attend DEF CON. Talking about how you are going to bomb the RNC convention in front of an FBI agent is a Career Limiting Move!



Is DEF CON cancelled?

No.



What is there to do at DEF CON?

DEF CON is a unique experience for each con-goer. If you google around you'll find dozens of write-ups that will give you an idea of what people have experienced at DEF CON. Trust write-ups more than media articles about the con. Some people play capture the flag 24x7, while many people never touch a computer at DEF CON. Some people see every speech they can, while others miss all speeches. Other activities include contests, movie marathons, scavenger hunts, sleep deprivation, lock picking, warez trading, drunken parties, spot the fed contest, the official music events. Because DEF CON is what the attendees make of it, there are more events than even we are aware of. Half the fun is learning what happened at DEF CON after the fact!



I'm not a hacker, should I go to DEF CON?

Many people have different definitions of what is a ‘hacker’. I would recommend looking at previous years speeches, and write-ups from past attendees - this should give you a good idea if DEF CON is for you. This hacker FAQ might give you some insight into the matter as well. If you do not have any technical interests, DEF CON is probably not for you. Sure there is a lot of socializing you can do, but technology and hacking is the core of the con.



Do criminals go to DEF CON?

Yes. They also go to high school, college, work in your workplace, and the government. There are also lawyers, law enforcement agents, civil libertarians, cryptographers, and hackers in attendance. Ssshhh. Don't tell anyone.



What are Goons?

They are the staff at DEF CON. They have many roles including safety, speaker coordination, vendor room coordination, network operations, et cetera... Please try to be helpful to them if they make requests of you. If any goon tells you to move, please do so immediately as there may be safety issues they are attempting to address.



How can I help out or become a Goon?

The staff at DEF CON has grown organically. All positions have some degree of trust associated with them, so typically new goons are ‘inducted’ by friends of existing goons. There are many random points when goons need help and may ask people for help, generally for helping move stuff or other tasks that don't require high amounts of trust or unsupervised work. Just because you help out doesn't make you a goon. If you really want to be a goon, talk with one and see how much work they actually do (Hint: you may want to enjoy being at DEF CON, not working full-time at it). Last year the network group got a new Goon when a networking engineer was needed, and he came to the rescue. The intent behind the goons is not to be elitist, but to have a network of trusted people who can help run the conference - please do not feel upset if you are not chosen to be a goon.



How can I help or participate?

DEF CON is not a spectator sport! Before the con, during, and after there are chances for you to get involved. Before the con you can read about the contests and maybe sign up for one like Capture the Flag. There are artwork contests for shirts and posters. You can practice your lock pick skills, or just get your laptop all locked down and ready to do battle. Organize your .mp3s. Check out the DEF CON Forums to see what other people are up to. If you want to create your own event, you can do that as well - you will not get official space or sanctions, but virtually every official event at DEF CON started out as an unofficial event.



I would love to see XYZ event, how do I make this happen?

Virtually all events at DEF CON were conceived by the attendees. The DEF CON forums are a great place for recruiting help for an event you want to put on, and making sure your efforts aren't being duplicated. If it doesn't require resources from DEF CON (space, namely) you generally don't have to ask anyone’s permission. Most events are unofficial until they've been going on for a couple of years. Please let us know if you have an idea for an event, we may help facilitate or promote it. Email [suggestions at DEF CON dot org] to keep us in the loop.



How can I speak at DEF CON?

You can submit a response to our CFP (call for papers - currently closed). All entries are read and evaluated by a selection committee. We would love to have your submission. The call for papers usually opens in March and closes mid-May.



I'm press, how do I sign up, why can't I get in for free (I'm just doing my job)?

Please email press[at]defcon[d0t]org if you wish press credentials. Lots of people come to DEF CON and are doing their job; security professionals, federal agents, and the press. It wouldn't be fair to DEF CON attendees if we exempted one group from paying. If you are a major network and plan on doing a two minute piece showing all the people with blue hair, you probably shouldn't bother applying for a press pass - you won't get one. If you are a security writer or from a real publication please submit, and someone will respond with an answer.



I want to sell stuff, how do I do this?

If you want a space in our vendor area, you need to apply. Because of limited space and our attempt to have a diversity of vendors, you may not be able to get a booth. It is wise to think of staffing issues - if you are one person do you want to spend your entire time behind a vendors booth?



What are the different price rates?

Everyone pays the same: The government, the media, the ‘well known hackers’, the unknown script kiddies. The only discount is for Goons and speakers, who get to work without paying for the privilege.



How much is admission DEF CON, and do you take credit cards?

DEF CON 25 costs $260 USD cash. Do we take credit cards? Are you JOKING? No, we only accept cash - no checks, no money orders, no travelers checks. We don't want to be a target of any State or Federal fishing expeditions.



Can I pre-register for DEF CON?

No. We used to do this a long time ago, but found that managing the registration list, and preventing one 'Dr. Evil' from impersonating another 'Dr. Ev1l' too much of a hassle. Seeing how we would only take cash in the first place, and things becomes time consuming and easy to abuse. Cash at the door works every time.



Can I get a discount on DEF CON badges?

DEF CON charges one price regardless of your social status or affiliation. Please know that we depend on attendee income to pay the costs of the conference and don't have sponsors to help defray the expenses.

We sometimes get requests for discounts [students, veterans, children], unfortunately we don't want to try and validate if you are a current student, look at your ID to determine your age, decode military discharge papers, etc.

If you really want to attend DEF CON for free then do something for the con.

You could:
Submit a CFP and be an accepted speaker or workshop instructor.
Work on a contest, event, or village.
Qualify for CTF/Contests that include entry.
Find a team to become a Goon newbie.
Contribute to content, or perform some entertainment.


I need a letter of invite for my visa application, how do I get that?

In most cases, DEF CON can send a signed letter of invite, usually within a few short business days once we have all the info. If you also require verification of housing, we can put you in touch with someone to help you get your hotel stay organized, let us know if you need that.

Along with your request, please email us the following to info(at)defcon(.)org

Name as is on passport:
Passport number:
Country of issue:
Date of issue:
Date of expiration:
Country of origin:


DEF CON is too expensive, how can I afford it?

DEF CON is cheaper than many concerts, and certainly cheaper than many shows in Vegas. Many people have made an art and science out of coming to DEF CON very cheaply. Here are a couple of tips.

Travel: Buy airfare in advance, go Greyhound, Carpool, hitch-hike. (Note: this may be dangerous and/or illegal.)
Lodging: Share rooms - some people have up to 10 people they share a room with, find a hotel cheaper than the one that the conference is scheduled at, stay up for three days, etc. (note: this can be hazardous to your health.)
Food: Pack food for your trip, go off site to find food, eat in your hotel rooms, and look for cheap Vegas food at Casinos. (Look for deals and specials that are trying to get you in the door to gamble.) Booze: You don't need to drink. Brew your own and bring it. (It's been done.)
Entrance: $240 can be saved, mow some lawns. Try to go to another 3 day event for cheaper than this that offers so much. We have increased the fees slowly over the years, but also the amount and quality of events have increased.

Inevitably people will try to do some math and pretend that DT gets rich each DEF CON - they seem to lack the ability to subtract.



How many people typically attend DEF CON?

There have been roughly 15,000-18,000 attendees in the last few years of DEF CON. DEF CON 24 had a record showing with well over 20,000.



Is there a network at DEF CON?

Why yes, DEF CON is FULLY network-enabled. Now that we've perfected the art of a stable hacker con network, we're ascending to a higher level - we're providing you a network that you feel SAFE in using! Since DEF CON 18 we're WPA2 encrypted over-the-air, with a direct trunk out to the Internet. No peer-to-peer, no sniffing, just straight to the net (and internal servers). We'll provide login credentials at Registration. We know the LTE airwaves will be saturated so we're putting our own cred on the line to give you a net that even we would put our own mobile phones on.

If you're feeling frisky, we'll still have the traditional "open" network for you - bring your laptop (we'd recommend a clean OS, fully patched--you know the procedure) because we don't police what happens on that net. Share & enjoy!



What is the age limit?

People have brought children to DEF CON - it is not recommended to do this unless you are going to constantly supervise them. It is generally an ‘adult’ atmosphere (language, booze, et cetera). If you've never been to DEF CON, you may want to refrain from bringing your children (unless they are demanding that you bring them). While there are no age limits, we have consistently cooperated with parents and/or private investigators who are looking for children that ‘ran away from home’ to go to DEF CON. You will have to be 18 to reserve a room.

That said I think NullTone ties with the youngest person to attend DEF CON at 13 years old. Years later he is in college and set up the DEF CON Forums. See, DEF CON won't destroy you completely.



What is a DEF CON "Black Badge"?

The Black Badge is the highest award DEF CON gives to contest winners of certain events. CTF winners sometimes earn these, as well as Hacker Jeopardy winners. The contests that are awarded Black Badges vary from year to year, and a Black Badge allows free entrance to DEF CON for life, potentially a value of thousands of dollars.



How can I get a hold of DT? I tried to mail him and haven't seen a response yet.

DT doesn't dislike you, isn't trying to hurt your feelings, and bears you no ill will. The fact is he gets an unmanageable load of mail continually. Mailing him again may elicit a response. Try mailing FAQ (at) DEFCON.ORG if you have a general question that isn't answered here or in the forums.



What about having a DEF CON in XYZ city/country?

We’ve been in the city of sin since DC 1. We are not looking to franchise. It's always fun to see people organize conventions in their local areas, and if you do, we'll include you in our calendar, but not with the name "DEF CON".



Is it hot in Vegas?

Yes. Bring sunscreen (high SPF), do not fall asleep near the pool (lest you wake up to sunburn), and do not walk far in the sun unless you are experienced in dealing with extreme heat. The sun is dangerous in Las Vegas. Sleeping in lawn chairs is a sure way to wake up to severe burns in the morning when that bright yellow thing scorches your skin. Drink plenty of water and liquids - remember that alcohol will dehydrate you.



What should I bring?

It depends on what you're going to do at DEF CON. This is discussed in quite some depth on the unofficial DC FAQ, as well as a thread in the DC Forums. You may want to bring fancy (or outrageously silly) clothes for the official Music events, on Friday and Saturday nights, where everyone shows off nifty attire.



How much do rooms at Caesars Palace cost, and how do I reserve a room?

The DEF CON 25 group room registration is now live! We have room rates at six hotels starting as low as $49 per night, until they run out of rooms in our block.

You may either follow this link: https://resweb.passkey.com/go/SCDEF7

Do not worry if the form doesn't immediately show the discounted rate. To verify that you're getting our price you can mouse over the dates you've selected or begin the checkout process.


How much is internet access in the rooms of Caesars Palace?

We are looking into this. Free (and possibly more dangerous) internet access is available in the convention area.



Will Caesars Palace broadcast the speeches on their cable system?

More info as to the content will be available as planning ensues.



Will we have DEF CON branded poker chips?

You will have to attend DEF CON to find out.



Will conference attendees have entire floors of hotel rooms to themselves?

Probably not. The hotel is very cooperative in attempting to centralize the DEF CON attendees, for their convenience and ours, but there will be non-DEF CON attendees in hotel rooms next to us.



This FAQ didn't answer my questions, or was unclear, how can I get further information?

There is a forum discussion thread in which you can ask follow up questions.


Return to Index

Links to DEF CON 25 related pages


Main DEFCON site
DEFCON 25
DEFCON 25 Planning Forums
DEFCON 25 [Official / Unofficial] [Parties / Social Gatherings / Events / Contests] Forums
DEFCON 25 FAQ
DEFCON      FAQ
DEFCON 25 Recent News
DEFCON 25 Schedule and Speakers pages
DEFCON 25 DemoLabs Schedule
DEFCON 25 Workshops Schedule
Social Engineering Village
Wall of Sheep / Packet Hacking Village
Crypto and Privacy Village
IoT Village
ICS Village
Volting Machine Hacking Village
Recon Village
303 Skytalks google calandar
BioHacking Village
Car Hacking Village
Wireless Village
Hardware Hacking Village
defconparties
calibre ebook managment